First Time Certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: merivilla.com

I ran this command: sudo certbot certonly

It produced this output:

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Nginx Web Server plugin (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)

Then I clicked 2 and put in merivilla.com exactly like that, not www. or http:// or https://

It produced this output:

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: merivilla.com
  Type:   unauthorized
  Detail: 2607:f1c0:100f:f000::200: Invalid response from http://merivilla.com/.well-known/acme-challenge/gLb7HCI4iKkRllQq_nyOPpIt1dmsVyZw6szKLPV8DB8: 204

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Then I did: sudo lsof -i :80 to check what's on port 80
It produced NO output.

Then I did: sudo certbot certonly
It produced the output:

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Nginx Web Server plugin (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)

Then I picked 1 and put in merivilla.com
It produced the output:

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: merivilla.com
  Type:   unauthorized
  Detail: 2607:f1c0:100f:f000::200: Invalid response from http://merivilla.com/.well-known/acme-challenge/pwKADZmYq_GHuwNH9M3-JiT3VDma6nqcEFjr-HxCm3c: 204

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

My web server is (include version): Not sure. I'm using Rumble Cloud

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: My domain is from IONOS. Then I did the "A" and the "www" thing and routed it to my rumble cloud's floating ip. I've tested webhooks using http merivilla.com with a mini Rust program I ran and it works.

I can login to a root shell on my machine (yes or no, or I don't know): I don't know.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no. I'm using the command line

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

I guess I can use nginx because after I run the certbot test and I do "sudo lsof -i :80" it shows nginx. Any help is greatly appreciated. This is my first time trying to get this certificate. I've been trying for a few days and can't seem to get anywhere.

Also, I do: sudo ufw status
and it outputs: Status: inactive.

My security group rules:

I've looked at a few other topics and a guy says to run: sudo certbot certificates
and it outputs: No certificates found.

So the error is 204, right? Am I supposed to download some files to do the challenge or something?

Also, I'm very new to this, so please don't think it's your fault if I'm not understanding, I'm just a little slow.
P.P.S., sorry if the formatting is bad. I hope it still makes sense.

To get a certificate using Let's Encrypt (or any public ACME automated CA) you need to prove you control the domain and the two most common ways are HTTP validation (checking your webserver at that domain can provide a certain "challenge response" file) and DNS validation (checking your domain has a specific _acme-challenge TXT record). These challenge responses change for every renewal.

So to successfully use HTTP validation (which you are attempting) your domain needs to respond with the challenge response over HTTP (TCP port 80). There are many ways to achieve that but the most obvious is to use web server software running on your domain's IP address.

The easy way to check that your web server can do the job and that there are no firewall [including geo-blocking] or routing issues is to browse to it from a public network over http, e.g. http://merivilla.com should resolve and connect. Once you have that working you can move on to getting certificates.

[Edit]

curl -I http://merivilla.com
curl: (7) Failed to connect to merivilla.com port 80 after 684 ms: Couldn't connect to server

Your site is not accessible over public http currently. It may work for you, but it doesn't work for Let's Encrypt when they try.

2 Likes

Welcome @fourarms

There are a couple problems with your approach but you are on the right track.

First, you have both IPv4 and IPv6 addresses in your DNS. Let's Encrypt prefers IPv6, so it uses that first.

And, an nginx server replies with a "204" when I try a test challenge to your domain using IPv6:

curl -i6 http://merivilla.com/.well-known/acme-challenge/Test404
HTTP/1.1 204
Server: nginx

But it fails entirely if I try IPv4. This isn't affecting Let's Encrypt cert validation but is why @webprofusion's request could not reach your domain. Nor would anyone else using IPv4 (which is still very common).

Also puzzling is that requests to your "home" page using IPv6 see an Apache server. Not nginx.

curl -i6 http://merivilla.com
HTTP/1.1 200 OK
Server: Apache

So, what to do ...

Start by showing us output of these two commands to confirm the IP addresses in your DNS

curl -4 https://ifconfig.io
curl -6 https://ifconfig.io
4 Likes
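The manual checks in the two replies above (connecting to the domain over public http, then fetching the challenge path over IPv6 and IPv4 separately and reading the status) can be scripted so each address family is reported on its own. This is an added example, not code from the thread or from Certbot; it assumes dig and curl are installed and uses a constructed placeholder token.

```shell
#!/bin/sh
# Added example (not from the thread): probe HTTP-01 reachability of a domain
# over IPv4 and IPv6 separately. Assumes dig and curl are installed.
# "Test404" is a constructed placeholder token, not a real challenge; real
# tokens are issued per order and change on every renewal.
TOKEN="Test404"

# Turn one probe result into a diagnosis, following the thread's reasoning:
# curl exit 7 = nothing reachable on port 80 for that family (firewall,
# security group, or a record pointing at the wrong host); 404 = a server
# answers but does not serve the path (fine if certbot will drive that
# server); 200 = path served; anything else = something else sits on port 80.
diagnose() {
    family=$1; curl_rc=$2; status=$3
    if [ "$curl_rc" -ne 0 ]; then
        echo "IPv$family: cannot connect on port 80 (curl exit $curl_rc)"
        return 1
    fi
    case $status in
        200) echo "IPv$family: challenge path served (200)"; return 0 ;;
        404) echo "IPv$family: reachable, path not served (404)"; return 2 ;;
        *)   echo "IPv$family: unexpected status $status on port 80"; return 3 ;;
    esac
}

# Fetch the challenge path over one address family (4 or 6).
probe() {
    family=$1; domain=$2; rc=0
    status=$(curl -s "-$family" -o /dev/null -w '%{http_code}' --max-time 10 \
        "http://$domain/.well-known/acme-challenge/$TOKEN") || rc=$?
    diagnose "$family" "$rc" "$status"
}

# Show the A and AAAA records, then probe each family that has a record.
# Let's Encrypt prefers the AAAA address when one exists, so a stale AAAA
# record fails validation even when IPv4 works.
check_domain() {
    domain=$1
    a=$(dig +short A "$domain" | tr '\n' ' ')
    aaaa=$(dig +short AAAA "$domain" | tr '\n' ' ')
    echo "A    : $a"
    echo "AAAA : $aaaa"
    if [ -n "$aaaa" ]; then probe 6 "$domain" || :; fi
    if [ -n "$a" ]; then probe 4 "$domain" || :; fi
}

if [ "$#" -gt 0 ]; then check_domain "$1"; fi
```

Run it as `sh check.sh yourdomain.example`; an IPv6 line reporting "cannot connect" next to a working IPv4 probe is the stale-AAAA situation described in this reply.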

Thank you for the help and thank you for the replies. This community is great.

When I type: curl -4 https://ifconfig.io
I get the output: 207.5.197.87
aka, my server's floating IP.

When I type: curl -6 https://ifconfig.io
I get the output: curl: (7) Couldn't connect to server

Edit:
When I type: curl -i6 http://merivilla.com
I get the output: curl: (7) Couldn't connect to server

When I type: curl -i4 http://merivilla.com
I get the output: curl: (7) Failed to connect to merivilla.com port 80 after 60 ms: Connection refused

But if I just did a certificate attempt using nginx, then when I type: curl -i4 http://merivilla.com, I get the output:
HTTP/1.1 400 Bad Request
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 27 Jun 2024 19:01:35 GMT
Content-Type: text/html
Content-Length: 242
Connection: keep-alive

400 Request Header Or Cookie Too Large

400 Bad Request

Request Header Or Cookie Too Large
nginx/1.18.0 (Ubuntu)

The outputs for: curl -i6 http://merivilla.com OR curl -4 https://ifconfig.io OR curl -6 https://ifconfig.io do not change from above.

3 Likes

Thanks. Okay, so you should remove the AAAA record from your DNS. You don't have IPv6 working. After you get your system working on IPv4 (the A record IP) and get your cert you can return and work on IPv6 (if you wish). You will need a way to reliably test IPv6 access when you try that.

nslookup merivilla.com
A    Address: 207.5.197.87
AAAA Address: 2607:f1c0:100f:f000::200

So, after the AAAA record is removed we can proceed to part 2 :slight_smile:

An nginx server is replying to an HTTP request to your domain. But, can you explain more what kind of system should handle HTTP and HTTPS requests when this is all working?

That nginx server says it is 1.18 and on Ubuntu, which conflicts with info in your first post. Could this nginx be on a firewall or in that "rumble cloud" setup somewhere?

2 Likes

Your replies are very helpful. Thank you.

  1. I removed the AAAA record from @ and www
  2. "can you explain more what kind of system should handle HTTP and HTTPS requests when this is all working?"
    So basically, all I want the server to handle is webhook notifications from Telegram and WhatsApp. I have a tiny program in Rust that I just want to have running in the background the whole time. I will update it later but this is it right now:
    Edit: No, I do not have the Rust program running when I'm doing the cert. I get the port 80 error if I try.
// Cargo dependencies assumed: warp, tokio (features = ["full"]),
// serde (features = ["derive"]), serde_json
use serde::{Deserialize, Serialize};
use warp::Filter;

// The post does not show this type; a newtype over serde_json::Value is an
// assumption that accepts any JSON body Telegram or WhatsApp sends.
#[derive(Debug, Deserialize, Serialize)]
struct WebhookPayload(serde_json::Value);

#[tokio::main]
async fn main() {
    // POST /webhook
    let webhook_route = warp::path("webhook")
        .and(warp::post())
        .and(warp::body::json())
        .map(|payload: WebhookPayload| {
            println!("Received webhook: {:?}", payload);
            warp::reply::json(&payload)
        });

    // Binds port 80 on all interfaces, which is why it collides with
    // certbot's standalone server (or nginx) when both run at the same time.
    warp::serve(webhook_route)
        .run(([0, 0, 0, 0], 80))
        .await;
}

The reason I need the certificate is because when I try to connect to the webhooks for Telegram API, Telegram needs my website to be https.

  3. "That nginx server says it is 1.18 and on Ubuntu, which conflicts with info in your first post. Could this nginx be on a firewall or in that "rumble cloud" setup somewhere?"
    I'm not sure but I may have accidentally downloaded nginx using the sudo commands when trying to troubleshoot the issue. Should I try to uninstall it?
1 Like

Did you also configure it?

Because it behaves more like an nginx system that is pre-built in a firewall device or cloud service.

I say that because requests to the "home" page get a "400 Bad Request". But a simulated HTTP Challenge as part of a cert request gets an expected "404 Not Found". Some nginx recognizes that path, which nginx does not do by default.

curl -i4 http://merivilla.com/.well-known/acme-challenge/Test404
HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
2 Likes

I did configure it. But honestly, I didn't see any "Nginx" in the configuration process. I'm trying to look at the docs again, but it seems the docs.rumble.cloud site is down. No worries, Archive has it. This is basically the guide that I followed:
Create a virtual machine on a private network - Rumble Cloud Documentation (archive.org)

I'm looking for the word nginx but it's only on the docs under "Kubernetes"

I hope that helps.

Not really. I think you would know if you have Kubernetes clusters :slight_smile:

Can you show the output of this? We'll see if that nginx is on your Ubuntu or, as I suspect, actually "in front of" it.

sudo netstat -pant | grep -i listen | grep -Ei ':80|:443'

(replace netstat with ss if you do not have it)

3 Likes

When I type: sudo netstat -pant | grep -i listen | grep -Ei ':80|:443'
The output is:

tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4058/nginx: master
tcp6 0 0 :::80 :::* LISTEN 4058/nginx: master

You definitely have an nginx system listening on port 80

You can either keep it and learn how to configure it so it can process the HTTP Challenge for a cert.

Or, get rid of it and use the --standalone option of Certbot. That sets up a temporary server on port 80 to handle that challenge.

Or, you could switch to a DNS challenge, but that is often harder to automate and needs a DNS provider with an API to allow dynamic changes. I'm not familiar with your provider off-hand.

5 Likes

Awesome. Thank you. I will go for the --standalone option. So next step for me: learn how to get rid of the nginx system listening on port 80. I will update you when I do so.

1 Like

I just realized the instructions you described were for a private network. To be a webhook receiver you'll need to be on a public network somehow. Same for getting a cert using the HTTP Challenge.

You may just want to post at that Rumble support forum. The need to get certs for apps in their environ must be common. They probably have some suggestions.

3 Likes

So I followed your instructions and removed nginx using:

sudo systemctl stop nginx
sudo systemctl disable nginx
sudo apt-get remove --purge nginx nginx-common
sudo rm -rf /etc/nginx

Then I ran: nginx -v
to see if I still had nginx and it said "Command 'nginx' not found"

Then I ran: sudo lsof -i :80
and no output

Then I ran: sudo netstat -pant | grep -i listen | grep -Ei ':80|:443'
and no output

Then I restarted the machine and ran: sudo certbot certonly
Then it outputted:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

I typed 1 and hit enter. Then I put in merivilla.com
and it outputted:

Requesting a certificate for merivilla.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/merivilla.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/merivilla.com/privkey.pem
This certificate expires on 2024-09-25.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Does this mean I got the certificate???

2 Likes

Affirmative. :slight_smile:

4 Likes
