Hi, trying to set up certbot using apache2 with Debian 8. Having some troubles passing the webroot challenge.
OS: Debian 8.11(Jessie)
Cerbot version: 0.10.2
Apache config: https://pastebin.com/nh4t9gmR
Domain: http://www.fxleblanc.ca
Command: sudo certbot certonly -a webroot -w /var/www/html/ -i apache --staging
Error log: https://pastebin.com/5N0ZzRiy
At first, I thought it was having trouble accessing the acme-challenge directory, so I tried adding a test.html file:
http://168.235.108.155/.well-known/acme-challenge/test.html
I can access it so I don’t think that’s the problem.
Any help is appreciated.
Regards,
Félix
Let’s Encrypt won’t access an IP address URL.
http://168.235.108.155/.well-known/acme-challenge/test.html
won’t work.
http://example.net/.well-known/acme-challenge/test.html
will.
Can you change it to redirect to a hostname, or not redirect at all?
Right. Should I change that at the DNS level (I use Gandi.net) or in my apache configuration?
It looks like it’s using Gandi’s web forwarding service, so you’d have to change it in Gandi’s control panel somewhere.
Can you turn off the forwarding service and change it to a regular A
record?
Yes. I just entered the following A record:
*.fxleblanc.ca 1800 IN A 168.235.108.155
It seems it still changes the hostname to the ip
Hi,
Now your domain is not resolved correctly. (No IP is found)
Could you please try to stop the web-forwarding service (if you haven’t) and add the following records to Gandi’s Control Panel?
www.fxleblanc.ca 1800 IN A 168.235.108.155
fxleblanc.ca 1800 IN A 168.235.108.155
(Gandi might have pre-populated the domain for you; you might need to use
www 1800 IN A 168.235.108.155
@ 1800 IN A 168.235.108.155
if things do not work out)
After you added those DNS records, please wait a few minutes and try to visit the following links to check if the changes are in effect.
https://www.whatsmydns.net/#A/fxleblanc.ca
https://www.whatsmydns.net/#A/www.fxleblanc.ca
Thank you
Hi, it worked :). Thanks for your help. It worked with these lines:
www 1800 IN A 168.235.108.155
@ 1800 IN A 168.235.108.155
I assume that www refers to www.fxleblanc.ca and @ to *.fxleblanc.ca. How do you know if your DNS provider is using one syntax or the other?
Normally it would be using the @ and www...
(I actually have no idea how those providers choose between them... But I believe those are the only two widespread syntaxes for DNS management (in a user-friendly interface).)
Glad it works!
Thank you
It works in staging but for some reason, when I remove the --staging flag, it doesn’t work. It gives me the following error:
https://pastebin.com/TdZnRY59
Apache config:
https://pastebin.com/dg1TMz34
Command:
sudo certbot certonly -a webroot -w /var/www/html/ -d www.fxleblanc.ca --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"
Hi @fxleblanc
Your command is "special": if you use webroot as the authenticator, you need a running webserver. So your pre-hook and your post-hook are wrong.
Remove both.
"Connection refused" - you have stopped your webserver.
Good to know. Thanks. I remove the hooks:
sudo certbot certonly -a webroot -w /var/www/html/ -d www.fxleblanc.ca
and it regenerates the certificates and chain, but when I go to the https url (https://www.fxleblanc.ca), it says it’s an insecure connection. I’m guessing it has to do with my apache config:
https://pastebin.com/dg1TMz34
If you use the
fxleblanc:
certonly
option, you have to install the certificate manually. There is the Fake LE certificate installed (from the test system).
Where’s the Fake LE certificate? I currently use the generated full chain and private key in my config:
SSLCertificateFile /etc/letsencrypt/live/www.fxleblanc.ca/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.fxleblanc.ca/privkey.pem
Maybe it has something to do with the fact that I reference only the full chain and privkey. There’s 4 files in the /etc/letsencrypt/live/www.fxleblanc.ca/ directory. Which one(s) should I reference in my apache config?
I see the Fake LE:
These are symlinks. Perhaps they point to the wrong certificate. Check your certificates with
certbot certificates
perhaps delete three (certbot delete ...) - but first make a backup of the folder.
PS: Now I see the new productive certificate:
https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:www.fxleblanc.ca&lu=cert_search
Great. The site works now. Turns out, I just needed to restart apache2 after deleting all the certs and getting a new one.
Thanks
Yep, now I see the correct certificate.
Quick question. Do you use a special plugin in firefox to get the certificate hierarchy in your screenshots or is it something different?
This is the normal Windows-Firefox.
Click the certificate
Then use >.
There the link at the end.
There you see the FireFox page information; there you can see the certificate.
There select "Details".
system, Closed, November 4, 2018, 8:54pm
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.