Failed authorization procedure. zpanelimage.hostwindsdns.com (tls-sni-01)


#1

I’m having trouble implementing encryption on my site, and I’m hoping you folks can help. As you can see from the error below, the domain that’s coming up isn’t my actual domain, but rather a domain name related to my web host.

My domain is: AyaAdvisors.org

I ran this command: ./path/to/certbot-auto --apache

It produced this output:
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: zpanelimage.hostwindsdns.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel):
Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to
cancel):advantagenllc@gmail.com

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for zpanelimage.hostwindsdns.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. zpanelimage.hostwindsdns.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for zpanelimage.hostwindsdns.com

IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to advantagenllc@gmail.com.
 - The following errors were reported by the server:

   Domain: zpanelimage.hostwindsdns.com
   Type:   connection
   Detail: DNS problem: NXDOMAIN looking up A for
   zpanelimage.hostwindsdns.com

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

My operating system is (include version): CentOS 6.8

My web server is (include version): Apache 2.2.15

My hosting provider, if applicable, is: HostWinds

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Yes, ZPanel


#2

This will be because your apache config refers to zpanelimage.hostwindsdns.com

I’d suggest using the “certonly” and “webroot” option to obtain your certificate, and then install the certificate in your ZPanel manually. Once that has been done, you can check in your apache config where ZPanel places the certificates (I’m not sure, I don’t use ZPanel), and then create a symlink in that location to your certs at /etc/letsencrypt/live/… Everything should then renew automatically (although you will need to reload apache on a renewal).


#3

What is your OS image?
I tried using certbot on Debian 8; it did not work.


#4

Do you know if there are any instructions for this on the LetsEncrypt website?

I’ve already poked around the Apache config, and I don’t see anything that refers to zpanelimage.hostwindsdns.com. And it’s certainly not anywhere in the DNS config either.

Would you please also clarify what you mean about reloading apache on renewal? Do you mean that when the cert renews, I’d need to restart apache?


#5

I’m sorry, I’m not sure what you mean by ‘os image’. I know what type and version the OS is (see above), and I know what an image is, but I guess I’m not clear on what you’re asking exactly.


#6

You can see the certbot documentation for using webroot at https://certbot.eff.org/docs/using.html#webroot

I’d suggest simply doing a grep ( grep -Ri zpanelimage /etc/httpd/* )

Yes, when you get new certs you will need to reload apache ( I’m saying reload, rather than restart, as reload or graceful doesn’t stop people connecting to apache, whereas a complete restart does )


#7

When I attempt those steps, it reports:
-bash: certbot: command not found

I just have certbot-auto, and I’m not sure how to install just certbot.

Plus, I tried changing the server name and server alias in the httpd-vhosts.conf file and restarted httpd, but then my domain only took me to the ZPanel login page, haha.

Any other advice you may have would be appreciated.


#8

@advantagen, whenever instructions refer to running certbot, you can run certbot-auto (with the appropriate path). Some people install Certbot from an operating system package manager, and then they have a bare certbot command which does the same thing; a lot of documentation is written assuming this, but the two different ways of running the program should do the same thing.


#9

Thank you, sir. You’re most helpful!

With that out of the way, my next challenge is that it’s telling me it’s getting an invalid response:

[root@cvps9890273745 ~]# ~/certbot-auto certonly --webroot -w /var/zpanel/hostdata/zadmin/public_html -d ayaadvisors.org -d www.ayaadvisors.org
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
  DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ayaadvisors.org
http-01 challenge for www.ayaadvisors.org
Using the webroot path /var/zpanel/hostdata/zadmin/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. ayaadvisors.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://ayaadvisors.org/.well-known/acme-challenge/<wasn't sure if I should edit out this part, but it was just letters and numbers>: "<!DOCTYPE html>
<!--[if lt IE 7 ]> <html class="ie6" lang="en-US" prefix="og: http://ogp.me/ns#"> <![endif]-->
<!--[if IE 7 ]>  ", www.ayaadvisors.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.ayaadvisors.org/.well-known/acme-challenge/<wasn't sure if I should edit out this part, but it was just letters and numbers>: "<!DOCTYPE html>
<!--[if lt IE 7 ]> <html class="ie6" lang="en-US" prefix="og: http://ogp.me/ns#"> <![endif]-->
<!--[if IE 7 ]>  "

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: ayaadvisors.org
   Type:   unauthorized
   Detail: Invalid response from
   http://ayaadvisors.org/.well-known/acme-challenge/<wasn't sure if I should edit out this part, but it was just letters and numbers>:
   "<!DOCTYPE html>
   <!--[if lt IE 7 ]> <html class="ie6" lang="en-US" prefix="og:
   http://ogp.me/ns#"> <![endif]-->
   <!--[if IE 7 ]>  "

   Domain: www.ayaadvisors.org
   Type:   unauthorized
   Detail: Invalid response from
   http://www.ayaadvisors.org/.well-known/acme-challenge/<wasn't sure if I should edit out this part, but it was just letters and numbers>:
   "<!DOCTYPE html>
   <!--[if lt IE 7 ]> <html class="ie6" lang="en-US" prefix="og:
   http://ogp.me/ns#"> <![endif]-->
   <!--[if IE 7 ]>  "

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

Do you have any idea what might be causing this? When I check the .well-known directory, it’s empty.


#10

If you create a simple text file at .well-known/acme-challenge/test with the contents “OK” can you reach it at

ayaadvisors.org/.well-known/acme-challenge/test


#11

Thank you for the tip! Should I name the text file anything in particular?


#12

It can be anything, without an extension. My suggestion was simply “test”.


#13

EDIT: Never mind, I wasn’t specifying the correct directory. It should’ve been public_html/ayaadvisors_org, and I was just specifying public_html. Now to figure out the next steps…


#14

There may be a slight confusion here - I wasn’t suggesting you run certbot at all.

Simply create a text file in your webroot/.well-known/acme-challenge called “test” (where webroot is the directory where the main “index.htm” or “index.php” file is for your website).

Once you have done that, use your browser to try and get to ayaadvisors.org/.well-known/acme-challenge/test

If you can’t get to it, then either:

  • the location is incorrect
  • the permissions are incorrect
  • you have some redirects (.htaccess or config ) preventing you reaching that location.

Whichever the cause, this needs fixing so that you can reach that location.

Once you have the correct location, what certbot command are you using?
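The reachability check described in this post, and the "Invalid response ... <!DOCTYPE html>" failure from post #9, as an added shell example (not code from the thread or from Certbot). It assumes the webroot path is passed in by the caller and that curl is installed for the live probe; everything else runs offline.

```sh
#!/bin/sh
# Stage a test file under <webroot>/.well-known/acme-challenge/ and classify
# what the web server hands back for it. Getting an HTML page instead of the
# staged content means the CMS/control panel answered the request: the webroot
# is the wrong directory or a rewrite/redirect is catching the path.

# Create <webroot>/.well-known/acme-challenge/<name> holding <content>.
# Prints the path of the created file.
stage_challenge_file() {
    webroot="$1"; name="$2"; content="$3"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    printf '%s' "$content" > "$dir/$name" || return 1
    printf '%s\n' "$dir/$name"
}

# Classify a response body (already saved to a file) against what was staged.
# Echoes one of: ok, html-page, mismatch, empty. Exit status 0 only for ok.
classify_response() {
    expected="$1"; body_file="$2"
    body=$(cat "$body_file")
    if [ -z "$body" ]; then
        echo empty; return 1
    fi
    case "$body" in
        "$expected") echo ok; return 0 ;;
        "<!DOCTYPE"*|"<html"*|"<HTML"*)
            echo html-page; return 1 ;;
        *) echo mismatch; return 1 ;;
    esac
}

# Live probe: stage "test" with content "OK", fetch it over plain HTTP on port 80
# (the port http-01 uses) and report the classification.
# Usage: probe_challenge example.org /path/to/webroot
probe_challenge() {
    domain="$1"; webroot="$2"; name="test"; content="OK"
    stage_challenge_file "$webroot" "$name" "$content" >/dev/null || return 1
    tmp=$(mktemp)
    # -L follows redirects, so an http->https redirect still yields the body.
    curl -sS -L "http://$domain/.well-known/acme-challenge/$name" -o "$tmp"
    result=$(classify_response "$content" "$tmp")
    rm -f "$tmp"
    echo "$domain: $result"
    [ "$result" = ok ]
}
```

Run `probe_challenge yourdomain.example /path/to/webroot` once per hostname you intend to pass with `-d`; anything other than `ok` needs fixing before running certbot-auto.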


#15

Yes, if you go to that address, you can see the “OK”.

With that established, I ran the following command and received the following output:

[root@cvps9890273745 ~]# ~/certbot-auto certonly --webroot -w /var/zpanel/hostdata/zadmin/public_html/ayaadvisors_org -d ayaadvisors.org -d www.ayaadvisors.org -d ayaadvisors.com -d ayaadvisor.net -d ayaadvisors.net
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
  DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ayaadvisors.org
http-01 challenge for www.ayaadvisors.org
http-01 challenge for ayaadvisors.com
http-01 challenge for ayaadvisor.net
http-01 challenge for ayaadvisors.net
Using the webroot path /var/zpanel/hostdata/zadmin/public_html/ayaadvisors_org for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Unable to clean up challenge directory /var/zpanel/hostdata/zadmin/public_html/ayaadvisors_org/.well-known/acme-challenge
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/ayaadvisors.org/fullchain.pem. Your cert will
   expire on 2017-04-28. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

So I guess now I just need to figure out how to install the certificate in ZPanel and activate SSL.


#16

Yes, you have the certificate now - excellent :slight_smile: good luck with the zpanel bit.


#17

Haha, thank you. If I get it figured out, I’ll update this post so that future schmucks can follow in my footsteps.


#18

That would be great, thanks. http://www.linuxtweaks.in/install-ssl-certificate-with-zpanel/ might help.


#19

Quick follow-up question. In the instructions you linked to and in others I’m seeing, it references .key, .crt, and .ca-bundle files, but all I have are .pem files.

Is that problematic? I’m kinda fumbling in the dark here.


#20

They are the same thing ( just different extensions )

privkey.pem - the private key
cert.pem - the certificate
chain.pem - the CA chain file
fullchain.pem - the certificate and chain files combined into one.

What version of apache are you using ? 2.2.15 looking at above, so it will be …

SSLCertificateFile      /etc/letsencrypt/live/ayaadvisors.org/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/ayaadvisors.org/chain.pem
SSLCertificateKeyFile   /etc/letsencrypt/live/ayaadvisors.org/privkey.pem