Failed to Authenticate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

example.com (obfuscated)

I ran this command:

sudo certbot -v --dry-run certonly --nginx

It produced this output:

Simulating a certificate request for example.com
Performing the following challenges:
http-01 challenge for example.com
Waiting for verification...
Challenge failed for domain example.com
http-01 challenge for example.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: example.com
  Type:   connection
  Detail: 300.201.202.203: Fetching http://example.com/.well-known/acme-challenge/3fGa6pHpTbgNNtExtgQNJE7C1SCCOT1AaLj54jPMzUs: Error getting validation data

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

My web server is (include version):

nginx version: nginx/1.14.1

The operating system my web server runs on is (include version):

NAME="AlmaLinux"
VERSION="8.7 (Stone Smilodon)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="8.7"
PLATFORM_ID="platform:el8"
PRETTY_NAME="AlmaLinux 8.7 (Stone Smilodon)"

My hosting provider, if applicable, is:

none/myself

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.22.0

#############################################################

The domain is not viewable as I can't get certbot to work. I've tried it several times and always get Error getting validation data. I can still see the webserver (nginx) and it is serving the domain up properly. This is not a renewal.

Does anybody know why this would happen? When published viewable to the internet, I can definitely see this domain.

Welcome to the community @BeeRich

You say the domain is obfuscated. Is [redacted].com the domain you are trying to get a certificate for?

Because it has two IP addresses in the DNS A records but I can only reach one of them from my own test server. Yet, other test servers (like Let's Debug) can get a response from both.

Can you explain the two IP addresses?

Also see Let's Debug test site (link here)

4 Likes
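An added diagnostic (not from this thread, and not Certbot's own code) that checks the two things the first post and the reply above are circling: what A records a name resolves to, and whether each of those addresses answers on the http-01 challenge path with the right Host header, the way the CA fetches it. The token is a constructed placeholder, and `check_domain` is a helper name chosen here.

```python
"""Probe http-01 reachability for a domain from the defender's side.

Added example: resolves every IPv4 address the local resolver returns for
the name and asks each one for /.well-known/acme-challenge/<token> with
Host: <domain>, which is roughly what the CA does before it reports a
"connection" failure such as "Error getting validation data".
"""
import http.client
import socket

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def challenge_path(token: str) -> str:
    """Path the CA fetches for an http-01 challenge token."""
    return CHALLENGE_PREFIX + token


def challenge_url(domain: str, token: str) -> str:
    """Full URL, in the form Certbot prints in its error detail."""
    return "http://" + domain + challenge_path(token)


def resolve_a_records(domain: str) -> list:
    """IPv4 addresses the local resolver knows for the name, in order, deduplicated.

    The CA uses its own resolvers, so a difference between this list and what an
    external tester (e.g. Let's Debug) reports is itself a finding.
    """
    infos = socket.getaddrinfo(domain, 80, socket.AF_INET, socket.SOCK_STREAM)
    seen = []
    for info in infos:
        ip = info[4][0]
        if ip not in seen:
            seen.append(ip)
    return seen


def probe(ip: str, domain: str, token: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Fetch the challenge path from one address, sending Host: <domain>.

    'ok' is True only on HTTP 200; 'status' holds any response code that came
    back; 'error' holds the connection-level failure otherwise.
    """
    result = {"ip": ip, "ok": False, "status": None, "error": None}
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", challenge_path(token), headers={"Host": domain})
        resp = conn.getresponse()
        result["status"] = resp.status
        result["ok"] = resp.status == 200
        resp.read()
    except (OSError, http.client.HTTPException) as exc:  # refused, timeout, reset, bad reply
        result["error"] = str(exc)
    finally:
        conn.close()
    return result


def check_domain(domain: str, token: str, port: int = 80) -> list:
    """Probe every A record of the domain; any entry with an 'error' is the kind of
    address the CA cannot validate against."""
    return [probe(ip, domain, token, port) for ip in resolve_a_records(domain)]


if __name__ == "__main__":
    import sys

    name = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    # PLACEHOLDER-TOKEN is constructed; a real run would use the token Certbot printed.
    for r in check_domain(name, "PLACEHOLDER-TOKEN"):
        print(r)
```

Run it from a host outside your own network with the real domain name; an address that returns an error here while another answers is exactly the split the reply above noticed between its own test server and Let's Debug.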

YesNo. I just wanted readers to know it's not viewable, and I switch my router to make it visible, solely for getting the certs in place. In other words, [redacted].com is not my real domain name.

Two IP addresses? Where do you see that? Again, I've changed the domain name for posting here in the forum.

I just checked for my proper domain, and there's only one DNS A record for both www.mydomain and mydomain.

For [redacted].com. Please do not use other people's valid domain names when reporting problems with your own.

If you want help with what might be a comms config problem, please let us know your real domain name.

6 Likes

You might want to consider using the DNS-01 challenge; you can read about it under Challenge Types - Let's Encrypt here.

4 Likes

I've changed all occurrences of "someone else's domain" to "example.com" or "[redacted]".

8 Likes

Just to help keep all informed here is what example.com is registered for.

Example Domain

This domain is for use in illustrative examples in documents. You may use this domain in literature without prior coordination or asking for permission.

More information...

5 Likes

Yes. Becomes a quick issue when you're dealing with multiple domains.

Have you resolved your problem? You haven't given us much info to work with including your actual domain name.

Is a Let's Debug test successful for your domain (link here)?

6 Likes

I'm still investigating options.

Please find multiple non-owned and non-used domain names to use for example.com.
Maybe:

  1. aaa.example.com
  2. bbb.example.com
  3. ccc.example.com
  4. ddd.example.com

3 Likes

In addition to example.com, RFC 2606 reserves example.net and example.org.

Four TLDs are also reserved:

.test
.example
.invalid
.localhost

7 Likes

Nice, even better! :slight_smile:

5 Likes

Those are machine names, not domains.

You do NOT know that.

It could be for the machine names:

  1. m1.aaa.example.com
  2. m2.aaa.example.com
  3. m3.aaa.example.com

4 Likes

They are all the same domain, not different domains. I know that.

Here are 4 domain names (yes subdomains of example.com) with 3 machine (host) names each:

3 Likes

You seem to refer to different things, which is probably what's causing confusion:

@BeeRich seems to refer to the "effective second-level domain" (eSLD), aka "registered domain name". "example.com" is an eSLD, "example.co.uk" is also an eSLD. www.example.com is not an eSLD.

@barf7709 on the other hand seems to refer to a fully qualified domain name (FQDN) (or parent domains of FQDNs). "www.example.com" is a FQDN, which is in itself a subdomain of example.com.

From a definition viewpoint, both of these things are domains - so you're both correct.

For illustration purposes it might indeed make sense to keep the original hierarchy, i.e. if the original domain was an eSLD also use an eSLD in examples. This can make it easier to understand for cases where this distinction matters. Otherwise, if it's clearly stated what the registered domain is supposed to mean it's fine as well.

7 Likes
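The eSLD-versus-FQDN distinction drawn in the reply above can be made mechanical. The following added example (not from this thread) classifies a name as a public suffix, a registered domain (eSLD) or a subdomain below one. Real tooling does this against the Public Suffix List from publicsuffix.org; the `SUFFIXES` set here is a constructed subset for illustration, and the function names are chosen for this example.

```python
"""Classify a DNS name as public suffix, eSLD (registered domain) or subdomain.

Added example. SUFFIXES is a constructed handful of public suffixes standing in
for the real Public Suffix List; it includes the reserved .test TLD and the
two-label suffix co.uk so that "example.co.uk" is handled correctly.
"""

# Constructed subset of public suffixes (an assumption for this example only).
SUFFIXES = {"com", "net", "org", "uk", "co.uk", "test", "example", "invalid"}


def _labels(name: str) -> list:
    """Lower-case labels of a name, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def public_suffix(name: str) -> str:
    """Longest suffix of the name that is a public suffix; falls back to the TLD."""
    labels = _labels(name)
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in SUFFIXES:
            return candidate
    return labels[-1]


def registered_domain(name: str):
    """The eSLD: public suffix plus one more label.

    Returns None when the name is itself a public suffix (e.g. "co.uk"),
    since nothing can be registered at that level.
    """
    labels = _labels(name)
    suffix_len = len(public_suffix(name).split("."))
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def classify(name: str) -> dict:
    """Report the public suffix, the eSLD and which of the three kinds the name is."""
    esld = registered_domain(name)
    if esld is None:
        kind = "public suffix"
    elif esld == ".".join(_labels(name)):
        kind = "eSLD"
    else:
        kind = "subdomain"
    return {
        "name": name,
        "public_suffix": public_suffix(name),
        "registered_domain": esld,
        "kind": kind,
    }


if __name__ == "__main__":
    for n in ["example.com", "www.example.com", "example.co.uk",
              "m1.aaa.example.com", "city1.company.test", "co.uk"]:
        print(classify(n))
```

With this in hand, both posters' statements hold: "m1.aaa.example.com" and "aaa.example.com" are subdomains (FQDNs) that share the single eSLD "example.com", while "city1.company.test" and "city2.company.test" are distinct subdomains of the eSLD "company.test".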

Thank you @Nummer378 for your clear and thoughtful explanations. :slight_smile:

7 Likes

Yes, and no.
Subdomain names are also domain names.
As an example:
[*.]city1.company.test
[*.]city2.company.test
Each can be handled individually by two separate IT departments [in different cities/countries].

6 Likes