Failed authorization procedure. www.kiryat8.com


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: kiryat8.com www.kiryat8.com

I ran this command: sudo certbot --nginx

It produced this output:

david@web:~$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to
cancel): davidkiryat8@gmail.com


Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory


(A)gree/(C)ancel: A


Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.


(Y)es/(N)o: Y

Which names would you like to activate HTTPS for?


1: kiryat8.com
2: www.kiryat8.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1,2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for kiryat8.com
http-01 challenge for www.kiryat8.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.kiryat8.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://192.117.103.217/.well-known/acme-challenge/JsjlTYaU_K8cMs8yMuAulqLRFvMCsV6Iwea4NfK3_KU: Error getting validation data, kiryat8.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://192.117.103.217/.well-known/acme-challenge/-q30J6YJHY7wFL_5NTk7s5bP7cM2kw6VIF9tmdwLjmo: Error getting validation data

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.kiryat8.com
    Type: connection
    Detail: Fetching
    http://192.117.103.217/.well-known/acme-challenge/JsjlTYaU_K8cMs8yMuAulqLRFvMCsV6Iwea4NfK3_KU:
    Error getting validation data

    Domain: kiryat8.com
    Type: connection
    Detail: Fetching
    http://192.117.103.217/.well-known/acme-challenge/-q30J6YJHY7wFL_5NTk7s5bP7cM2kw6VIF9tmdwLjmo:
    Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

My web server is (include version):

nginx -v
nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version):
Release 18.04.1 LTS (Bionic Beaver) 64-bit
Kernel Linux 4.15.0-38-generic x86_64
MATE 1.20.1

My hosting provider, if applicable, is:
DNS - GoDaddy

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no


#2

It looks like that domain is using GoDaddy’s URL redirect service. It’s not compatible with Let’s Encrypt HTTP validation.

In GoDaddy’s DNS control panel, can you add A records for 192.117.103.217 and remove the URL redirects?


#3

The GoDaddy panel does not allow editing or deleting of the main a records.
I tried adding
a www.kiryat8.com 192.117.103.217 1 Hour
a kiryat8.com 192.117.103.217 1 Hour
but this did not help and I got the same errors.
Previously I had Let’s Encrypt running for months on my server.
I did renew the GoDaddy subscription but I think it was after I ran the renewal script.

a @ Forwarded 600 seconds
a zachkaplan 184.168.131.241 600 seconds
a zivkaplan 184.168.131.241 600 seconds

#4

Hi,

You’ll need to turn off the GoDaddy URL redirector before editing the A records directly…

Thank you


#5

I went to the Domain Manager page and deleted forwarding, edited, and restarted forwarding http:// to 192.117.103.217
and have the below:

a www.kiryat8.com 192.117.103.217 600 seconds Edit
a kiryat8.com 192.117.103.217 1 Hour Edit
a zachkaplan 184.168.131.241 600 seconds
a zivkaplan 184.168.131.241 600 seconds

Then I ran again
david@web:~$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?


1: kiryat8.com
2: www.kiryat8.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1,2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for kiryat8.com
http-01 challenge for www.kiryat8.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.kiryat8.com (http-01): urn:ietf:params:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for www.kiryat8.com, kiryat8.com (http-01): urn:ietf:params:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for kiryat8.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.kiryat8.com
    Type: unknownHost
    Detail: No valid IP addresses found for www.kiryat8.com

    Domain: kiryat8.com
    Type: unknownHost
    Detail: No valid IP addresses found for kiryat8.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.
    david@web:~$


#6

My best guess is that GoDaddy is taking a while to update the DNS records. Maybe try again in a while.


#7

Hi,

Could you please double check your DNS records?
When I queried the DNS server directly, the server does mention that your domain is still using the URL forwarding service.

If you have disabled the URL forwarding and changed the IP addresses, do not turn the URL forwarding back on, since the domain is now directly resolved to your server (IP) instead of redirecting to the IP…

Thank you


#8

nslookup -q=ns kiryat8.com
kiryat8.com nameserver = ns57.domaincontrol.com
kiryat8.com nameserver = ns58.domaincontrol.com

nslookup kiryat8.com ns57.domaincontrol.com
Name: kiryat8.com
Address: 184.168.131.241

nslookup kiryat8.com ns58.domaincontrol.com
Name: kiryat8.com
Address: 184.168.131.241

The current IP doesn’t seem to match your posted IP:


#9

The IP address is still GoDaddy’s URL redirection service IP… I believe the OP turned the service off just to edit the record then turned it back on…


#10

OK. I previously added the a www.kiryat8.com a kiryat8.com and then reactivated forwarding.
Now I removed the forwarding and will recheck in an hour with the commands you specified and let you know.
Thanks


#11

Now there is:

www.kiryat8.com.        3561    IN      CNAME   kiryat8.com.

But there is no kiryat8.com. A record.

Instead, there’s a kiryat8.com.kiryat8.com. A record:

kiryat8.com.kiryat8.com. 3600   IN      A       192.117.103.217

Where you created the A record, you need to change the name from “kiryat8.com” to “@”, or maybe leave it blank, or maybe use “kiryat8.com.” with a “.” at the end.
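
Added example (not part of the original posts): the relative-name expansion that turns a panel entry of "kiryat8.com" into kiryat8.com.kiryat8.com., plus a pre-flight check of the names requested from certbot. The panel rows, the `www CNAME @` entry and all function names are constructed for illustration; the IP addresses are the ones quoted in this thread.

```python
ORIGIN = "kiryat8.com."  # zone origin, from the thread

def expand(owner, origin=ORIGIN):
    """RFC 1035 master-file rule: '@' (or blank) is the origin, a name ending
    in '.' is absolute, anything else is relative and gets the origin appended."""
    owner = owner.strip().lower()
    if owner in ("", "@"):
        return origin
    return owner if owner.endswith(".") else f"{owner}.{origin}"

def build_zone(rows, origin=ORIGIN):
    """rows are (name, type, value) tuples as typed into the DNS panel."""
    zone = {}
    for name, rtype, value in rows:
        target = expand(value, origin) if rtype == "CNAME" else value
        zone[expand(name, origin)] = (rtype, target)
    return zone

def resolve(fqdn, zone, max_hops=8):
    """Follow CNAMEs inside the zone; return the A address or None."""
    for _ in range(max_hops):
        rtype, value = zone.get(fqdn, (None, None))
        if rtype == "A":
            return value
        if rtype != "CNAME":
            return None
        fqdn = value
    return None

def preflight(rows, hosts, expected_ip, origin=ORIGIN):
    """Report, per requested hostname, whether it resolves to the web server."""
    zone = build_zone(rows, origin)
    doubled = [n for n in zone if ("." + n).endswith("." + origin + origin)]
    report = {}
    for host in hosts:
        addr = resolve(host.lower().rstrip(".") + ".", zone)
        if addr == expected_ip:
            report[host] = "ok"
        elif addr is None:
            hint = f"; doubled owner name {doubled[0]}" if doubled else ""
            report[host] = "no A record" + hint
        else:
            report[host] = f"resolves to {addr}, not {expected_ip}"
    return report

# Constructed panel entries mirroring the three states seen in the thread.
SERVER = "192.117.103.217"
NAMES = ["kiryat8.com", "www.kiryat8.com"]
FORWARDED = [("@", "A", "184.168.131.241"), ("www", "CNAME", "@")]
DOUBLED = [("kiryat8.com", "A", SERVER), ("www", "CNAME", "@")]
FIXED = [("@", "A", SERVER), ("www", "CNAME", "@")]
```

Running `preflight` over `FORWARDED`, `DOUBLED` and `FIXED` reproduces the three outcomes in the thread: an address that is not the server, no usable A record, and success.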


#12

I reverted to @ instead of kiryat8.com and have the forwarding not set up and it worked!
Thank you for your patience.