Failure to get certs

cyberteq007 · April 26, 2024, 7:10pm

below is a copy of the errors I'm getting. I have the subdomain pointing to the vps, but its working. Can someone advise?

INFO - fetching certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for chat.redfoxsound.com
http-01 challenge for element.chat.redfoxsound.com
http-01 challenge for matrix.chat.redfoxsound.com
Waiting for verification...
Challenge failed for domain chat.redfoxsound.com
Challenge failed for domain element.chat.redfoxsound.com
Challenge failed for domain matrix.chat.redfoxsound.com
http-01 challenge for chat.redfoxsound.com
http-01 challenge for element.chat.redfoxsound.com
http-01 challenge for matrix.chat.redfoxsound.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: chat.redfoxsound.com
Type: unauthorized
Detail: 102.130.122.228: Invalid response from
http://chat.redfoxsound.com/.well-known/acme-challenge/gCRxOv7qCA4jNAyjbHClM8pqgqAzmE8fkqULRCag7sQ:
404

Domain: element.chat.redfoxsound.com
Type: unauthorized
Detail: 102.130.122.228: Invalid response from
http://element.chat.redfoxsound.com/.well-known/acme-challenge/V42MEz0HDpa4-t9ggP0rHYdfSM_QZlEpG-QtGHNxw84:
404

Domain: matrix.chat.redfoxsound.com
Type: unauthorized
Detail: 102.130.122.228: Invalid response from
http://matrix.chat.redfoxsound.com/.well-known/acme-challenge/_pCYBKa7PNyKJ5QRTOWj4yel9KsaFc_89lqpfA8YVRQ:
404

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.
ERR - Certificate install seems to have failed!
WARN - Continuing without setting up a certificate
WARN - You will need to configure SSL yourself!
WARN - This scipt might FAIL if your certificate is not configured properly (by you)!
INFO - Configuring nginx to run with our certificate
INFO - Setting up virtual hosts in nginx
ln: failed to create symbolic link '/etc/nginx/sites-enabled/matrix': File exists
INFO - restarting nginx
INFO - waiting up to 10 seconds to ensure nginx is started properly
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.
ERR - failed to set up Matrix
FAIL - irrecoverable error, quitting

The correct IP is listed next to the correct subdomains, and main domains accordingly.

griffin · April 26, 2024, 7:15pm

Welcome to the Let's Encrypt Community, David!

Let me check a few things... just a minute...

griffin · April 26, 2024, 7:21pm

Basic checks passed...

hmm.... one sec...

griffin · April 26, 2024, 7:27pm

What is the output of this command?

sudo nginx -T

Please put 3 backticks on the lines above and below the output like this:

```
output
```

rg305 · April 26, 2024, 7:59pm

After we review the nginx config [or during], we should also look at why HTTP returns 200 while HTTPS returns 404.
Here is one example:

HTTP 200

curl -Iik http://matrix.chat.redfoxsound.com/
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Fri, 26 Apr 2024 19:57:21 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Mon, 11 Mar 2024 19:43:53 GMT
Connection: keep-alive
ETag: "65ef5ef9-267"
Accept-Ranges: bytes

HTTPS 404

curl -Iik https://matrix.chat.redfoxsound.com/
HTTP/1.1 404 Not Found
Server: nginx/1.22.1
Date: Fri, 26 Apr 2024 19:57:26 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 140
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Origin: *
Content-Security-Policy: default-src 'none'
X-Content-Type-Options: nosniff

griffin · April 26, 2024, 8:45pm

Interesting observation, @rg305. I get non-Express 404s for all of the following HTTP requests:

The 404 you identified for HTTPS requests appears to be coming from Express.

I suspect that there aren't server blocks setup to serve actual content for HTTPS requests for the subject subdomain names. I believe these results confirm my suspicions of default HTTPS responses (of 404) for the nonexistent content of the subject subdomain names:

Any request for HTTPS content for the subject subdomain names results in a response body of:

Cannot GET (path)

This, of course, won't matter at present for ACME HTTP-01 challenge requests made via HTTP, since there are no HTTP->HTTPS redirects present yet.

rg305 · April 26, 2024, 9:29pm

I wonder if this is shared hosting?
I see a valid cert from a completely different domain:

---
Certificate chain
 0 s:CN = hayato-technologies.co.za     <<<<<<<<<<<<<<<<<<<<<<<<<
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 18:43:50 2024 GMT; NotAfter: Jun 11 18:43:49 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
---

Name:    hayato-technologies.co.za
Address: 102.130.122.228

Name:    chat.redfoxsound.com
Address: 102.130.122.228

griffin · April 26, 2024, 10:34pm

I suspect that it is either shared hosting (amongst unrelated users/sites) or dedicated hosting (amongst related users/sites). If the former, how configurable nginx may be could be brought into question. If the latter, it's probably a matter of untangling the nginx configuration.

schoen · April 27, 2024, 2:17am

The --standalone method is meant for use when you don't have an existing web server running, but it looks like you do have one, so you might want to use a different method than --standalone!

griffin · April 27, 2024, 4:23am

I shoulda noticed that, @schoen.

cyberteq007 · April 27, 2024, 5:59pm

nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/chat.redfoxsound.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/chat.redfoxsound.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

cyberteq007 · April 27, 2024, 6:01pm

102.130.122.228 is the IP of a Cloud Container (aka VPS). Unfortunately budget is a big issue for me, as I'm not able to afford the bigger fancy servers, so I just got what I could afford.

But I sincerely appreciate everyone's help and suggestions.

cyberteq007 · April 27, 2024, 6:04pm

Thanks. Not sure what other method there is. I guess this will be a bust for now then.... )-: Thanks anyways to you all for your advice.

griffin · April 27, 2024, 7:07pm

Yeah... that means that you'll need to either modify your nginx config to remove the offending port 443 server block so certbot can reinstall it or you'll need to replace fullchain.pem with a dummy/snakeoil/default/replacement cert so nginx can load. You might be able to use certbot certonly --standalone to acquire the replacement cert then restart nginx to get it to load. If you do this, you'll want to update your certbot config for that cert afterwards to use --nginx going forward.

schoen · April 29, 2024, 2:37am

The different Certbot methods are described at

https://eff-certbot.readthedocs.io/en/stable/using.html#getting-certificates-and-choosing-plugins