Failed authorization procedure. Error getting validation data


#1

Hi, trying to set up certbot using apache2 with Debian 8. Having some trouble passing the webroot challenge.

OS: Debian 8.11(Jessie)
Cerbot version: 0.10.2
Apache config: https://pastebin.com/nh4t9gmR
Domain: http://www.fxleblanc.ca
Command: sudo certbot certonly -a webroot -w /var/www/html/ -i apache --staging
Error log: https://pastebin.com/5N0ZzRiy

At first, I thought it was having trouble accessing the acme-challenge directory, so I tried adding a test.html file:

http://168.235.108.155/.well-known/acme-challenge/test.html

I can access it so I don’t think that’s the problem.

Any help is appreciated.

Regards,

Félix


#2

Let’s Encrypt won’t access an IP address URL. :anguished:

http://168.235.108.155/.well-known/acme-challenge/test.html won’t work.

http://example.net/.well-known/acme-challenge/test.html will.

Can you change it to redirect to a hostname, or not redirect at all?


#3

Right. Should I change that at the DNS level (I use Gandi.net) or in my Apache configuration?


#4

It looks like it’s using Gandi’s web forwarding service, so you’d have to change it in Gandi’s control panel somewhere.

Can you turn off the forwarding service and change it to a regular A record?


#5

Yes. I just entered the following A record:

*.fxleblanc.ca 1800 IN A 168.235.108.155

It seems it still changes the hostname to the IP.


#6

Hi,

Now your domain is not resolved correctly. (No IP is found)
Could you please try to stop the web-forwarding service (if you haven’t) and add the following records to Gandi’s Control Panel?

www.fxleblanc.ca 1800 IN A 168.235.108.155
fxleblanc.ca 1800 IN A 168.235.108.155

(Gandi might have pre-populated the domain for you; you might need to use

www 1800 IN A 168.235.108.155
@ 1800 IN A 168.235.108.155 

if things do not work out)

After you added those DNS records, please wait a few minutes and try to visit the following links to check if the changes are in effect.
https://www.whatsmydns.net/#A/fxleblanc.ca
https://www.whatsmydns.net/#A/www.fxleblanc.ca

Thank you


#7

Hi, it worked :). Thanks for your help. It worked with these lines:

www 1800 IN A 168.235.108.155
@ 1800 IN A 168.235.108.155

I assume that www refers to www.fxleblanc.ca and @ to *.fxleblanc.ca. How do you know if your DNS provider is using one syntax or the other?


#8

Normally it would be using the @ and www…
(I actually have no idea how those providers choose between them... But I believe those are the only two widespread syntaxes for DNS management in a user-friendly interface.)

Glad it works!

Thank you
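The question in #7 about what `@` and `www` stand for is answered by the master-file syntax of RFC 1035: `@` is the zone origin itself (the apex, fxleblanc.ca), and a name without a trailing dot is relative to the origin (`www` becomes www.fxleblanc.ca, `*` becomes *.fxleblanc.ca). The following script, an added example that is not from the thread or from Gandi, parses the A records posted above under those rules and shows why the wildcard-only record from #5 did not cover the apex (a wildcard matches names below it, never its own owner name). It assumes fxleblanc.ca as the zone origin and the five-field `name ttl IN A address` form used in the posts.

```python
"""Expand zone-file shorthand into fully qualified names and answer A lookups.

Added example, not taken from the thread or from Gandi's control panel.
Assumes the zone origin fxleblanc.ca and records in the form
"name ttl IN A address" as typed in posts #5 to #7.
"""
from __future__ import annotations

import ipaddress
from typing import List, Optional, Tuple

ORIGIN = "fxleblanc.ca"  # assumed zone origin (the domain from the thread)


def expand_name(name: str, origin: str = ORIGIN) -> str:
    """Turn a master-file owner name into an FQDN without the trailing dot.

    RFC 1035 master-file rules:
      "@"       -> the origin itself, i.e. the apex fxleblanc.ca
      "www"     -> relative to the origin, i.e. www.fxleblanc.ca
      "*"       -> wildcard relative to the origin, i.e. *.fxleblanc.ca
      "a.b.c."  -> absolute (trailing dot), kept as written
    A name without a trailing dot is always relative, so a strict parser turns
    "www.fxleblanc.ca" into "www.fxleblanc.ca.fxleblanc.ca"; that is why the
    short "www" / "@" forms that worked in post #7 are the safer ones to type.
    """
    origin = origin.rstrip(".")
    if name == "@":
        return origin
    if name.endswith("."):
        return name.rstrip(".")
    return f"{name}.{origin}"


def parse_a_record(line: str, origin: str = ORIGIN) -> Tuple[str, int, str]:
    """Parse one 'name ttl IN A addr' line into (fqdn, ttl, addr)."""
    fields = line.split()
    if len(fields) != 5 or fields[2].upper() != "IN" or fields[3].upper() != "A":
        raise ValueError(f"not an A record: {line!r}")
    name, ttl, _cls, _rtype, addr = fields
    ipaddress.IPv4Address(addr)  # reject anything that is not a dotted quad
    return expand_name(name, origin), int(ttl), addr


def resolves(records: List[Tuple[str, int, str]], host: str) -> Optional[str]:
    """Return the address the record set gives for the FQDN host, or None.

    An exact owner name wins; otherwise a wildcard at any ancestor matches.
    Per RFC 4592 the wildcard "*.fxleblanc.ca" matches www.fxleblanc.ca but
    never fxleblanc.ca itself, so a wildcard alone (post #5) leaves the apex
    unresolved. Simplification: the "closest encloser" rule, under which an
    existing intermediate name blocks a wildcard, is not modelled here.
    """
    by_name = {fqdn: addr for fqdn, _ttl, addr in records}
    fqdn = host.rstrip(".")
    if fqdn in by_name:
        return by_name[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in by_name:
            return by_name[wildcard]
    return None


if __name__ == "__main__":
    # Constructed sample: the wildcard from post #5 versus the pair from post #7.
    wildcard_only = [parse_a_record("* 1800 IN A 168.235.108.155")]
    apex_and_www = [
        parse_a_record("www 1800 IN A 168.235.108.155"),
        parse_a_record("@ 1800 IN A 168.235.108.155"),
    ]
    for label, recs in (("wildcard only", wildcard_only), ("www + @", apex_and_www)):
        for host in ("www.fxleblanc.ca", "fxleblanc.ca"):
            print(f"{label:14} {host:18} -> {resolves(recs, host)}")
```

Run it without arguments to see the two record sets side by side: the wildcard set answers for www.fxleblanc.ca but returns None for fxleblanc.ca, while the `www` plus `@` set answers for both. Whether a provider's web form treats `www.fxleblanc.ca` as absolute or as relative is up to that form; the trailing-dot and `@`/`www` conventions are the ones that are unambiguous.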


#9

It works in staging but for some reason, when I remove the --staging flag, it doesn’t work. It gives me the following error:

https://pastebin.com/TdZnRY59

Apache config:
https://pastebin.com/dg1TMz34

Command:
sudo certbot certonly -a webroot -w /var/www/html/ -d www.fxleblanc.ca --pre-hook “systemctl stop apache2” --post-hook “systemctl start apache2”


#10

Hi @fxleblanc

your command is “special”: if you use webroot as the authenticator, you need a running web server, so your pre-hook and post-hook are wrong.

Remove both.

“Connection refused” - you have stopped your webserver.
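The three failures in this thread (a forwarding service redirecting to a bare IP in #2, a pre-hook that stops Apache so the CA gets "connection refused" in #10, and a webroot that does not serve the challenge path) can all be caught before certbot runs by doing what the ACME server does: fetching a token from `http://<hostname>/.well-known/acme-challenge/` by hostname. The script below is an added example, not part of the thread and not certbot's own code. It assumes a Python 3 standard library only and takes the hostname and webroot from the command line (for example `www.fxleblanc.ca /var/www/html`); the classification logic is separate from the live fetch so it can be checked against constructed responses.

```python
"""Pre-flight check for the certbot webroot authenticator.

Added example, not from the thread or from certbot. Writes a throw-away token
under <webroot>/.well-known/acme-challenge/, fetches it over plain HTTP by
hostname (never by IP), and names the failure so it can be fixed before
certbot is run. Assumes Python 3 standard library only.
"""
import ipaddress
import os
import secrets
import socket
import sys
import urllib.error
import urllib.parse
import urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def is_ip_literal(host: str) -> bool:
    """True for "168.235.108.155" or "[::1]", False for a hostname."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def classify(status, location, body, token) -> str:
    """Map one HTTP answer to a diagnosis. status None means no TCP connection."""
    if status is None:
        return ("connection refused: the web server is not running "
                "(drop the stop/start hooks; webroot needs a live server)")
    if 300 <= status < 400:
        target = urllib.parse.urlsplit(location or "").hostname or ""
        if is_ip_literal(target):
            return (f"redirect to IP literal {target}: the CA will not follow it; "
                    "make the redirect point at a hostname or remove it")
        return f"redirect to {location}: acceptable only if that host also serves the token"
    if status == 404:
        return "404: nothing is served at /.well-known/acme-challenge/ from this webroot for this hostname"
    if status == 200 and body.strip() == token:
        return "ok"
    if status == 200:
        return "200 with the wrong body: another vhost or application answered for this hostname"
    return f"unexpected HTTP {status}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand the 3xx back instead of following it, so Location can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, timeout: float = 10.0):
    """GET url without following redirects; returns (status, location, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx (because of _NoRedirect) and 4xx/5xx land here
        return err.code, err.headers.get("Location"), err.read().decode("utf-8", "replace")
    except urllib.error.URLError as err:
        if isinstance(err.reason, ConnectionRefusedError):
            return None, None, ""
        raise


def preflight(hostname: str, webroot: str) -> str:
    """Drop a random token into the webroot, fetch it by hostname, clean up."""
    token = secrets.token_urlsafe(32)
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w") as fh:
        fh.write(token)
    try:
        url = f"http://{hostname}/.well-known/acme-challenge/{token}"
        return classify(*fetch(url), token)
    finally:
        os.remove(path)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: acme_preflight.py HOSTNAME WEBROOT   e.g. www.fxleblanc.ca /var/www/html")
    host, root = sys.argv[1:]
    if is_ip_literal(host):
        sys.exit("validate by hostname, not by IP: the CA looks the name up in DNS")
    addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)})
    print(f"{host} resolves to {addrs}")
    print(preflight(host, root))
```

Run it on the server as a user that can write to the webroot, with Apache running. It prints the addresses the name resolves to (so a still-active forwarding service shows up as an address you do not own) and then the diagnosis for the challenge path. Only "ok" means the webroot authenticator has a fair chance; a redirect to an IP literal is exactly the #2 situation, and "connection refused" is the #10 one.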


#11

Good to know. Thanks. I removed the hooks:

sudo certbot certonly -a webroot -w /var/www/html/ -d www.fxleblanc.ca

and it regenerates the certificates and chain, but when I go to the HTTPS URL (https://www.fxleblanc.ca), it says it’s an insecure connection. I’m guessing it has to do with my Apache config:

https://pastebin.com/dg1TMz34


#12

If you use the certonly option, you have to install the certificate manually. The Fake LE certificate (from the test system) is installed.


#13

Where’s the Fake LE certificate? I currently use the generated full chain and private key in my config:

SSLCertificateFile /etc/letsencrypt/live/www.fxleblanc.ca/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.fxleblanc.ca/privkey.pem

Maybe it has something to do with the fact that I reference only the full chain and privkey. There’s 4 files in the /etc/letsencrypt/live/www.fxleblanc.ca/ directory. Which one(s) should I reference in my apache config?


#14

I see the Fake LE:


These are symlinks. Perhaps they point to the wrong certificate. Check your certificates with

certbot certificates

perhaps delete three (certbot delete ...) - but first make a backup of the folder.

PS: Now I see the new productive certificate:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:www.fxleblanc.ca&lu=cert_search


#15

Great. The site works now. Turns out, I just needed to restart apache2 after deleting all the certs and getting a new one.

Thanks
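To the question in #13 about the four files in /etc/letsencrypt/live/www.fxleblanc.ca/ (cert.pem, chain.pem, fullchain.pem, privkey.pem): on Apache 2.4.8 and newer, which includes the 2.4.10 that Debian 8 ships, `SSLCertificateFile` accepts fullchain.pem, so the two lines already in #13 are the right ones; on older Apache the leaf goes in `SSLCertificateFile` and the intermediate in `SSLCertificateChainFile`. The vhost below is an added example, not the Apache config from the pastebin links in this thread; the file name and DocumentRoot are assumed from the `-w /var/www/html/` used in the commands above.

```apache
# /etc/apache2/sites-available/www.fxleblanc.ca.conf   (assumed file name)

<VirtualHost *:80>
    ServerName   www.fxleblanc.ca
    DocumentRoot /var/www/html
    # The webroot authenticator serves /.well-known/acme-challenge/ from this
    # DocumentRoot over plain HTTP. If a redirect to HTTPS is added here later,
    # it must go to a hostname, not to an IP address, or the CA will not follow it.
</VirtualHost>

<VirtualHost *:443>
    ServerName   www.fxleblanc.ca
    DocumentRoot /var/www/html
    SSLEngine on

    # Apache >= 2.4.8 (Debian 8 has 2.4.10): leaf plus intermediate in one file.
    SSLCertificateFile    /etc/letsencrypt/live/www.fxleblanc.ca/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.fxleblanc.ca/privkey.pem

    # Apache < 2.4.8 instead of the SSLCertificateFile line above:
    #SSLCertificateFile      /etc/letsencrypt/live/www.fxleblanc.ca/cert.pem
    #SSLCertificateChainFile /etc/letsencrypt/live/www.fxleblanc.ca/chain.pem
</VirtualHost>
```

The paths under live/ are symlinks that certbot repoints at the newest certificate, but Apache keeps whatever it loaded at start until it is reloaded, which is why #15 needed a restart after the staging certificate was replaced. Before reloading, `apachectl configtest` catches a broken vhost, and `openssl x509 -noout -issuer -in /etc/letsencrypt/live/www.fxleblanc.ca/fullchain.pem` shows whether the file on disk is the production certificate or a staging one (the staging issuer name contains "Fake LE"). The same reload is needed after every renewal.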


#16

Yep, now I see the correct certificate.


:wink:


#17

Quick question. Do you use a special plugin in firefox to get the certificate hierarchy in your screenshots or is it something different?


#18

This is the normal Windows Firefox.

Click the certificate


Then use >.


There the link at the end.


There you see the Firefox page information, where you can see the certificate.


There select “Details”.


#19

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.