First time making an https server and stuck at figuring out why it's failing these challenges of creating them and using them to verify my server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: noskc.com

I ran this command: sudo certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?


1: noskc.com
2: www.noskc.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for noskc.com and www.noskc.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Apache/2.4.52
The operating system my web server runs on is (include version):
Ubuntu 22.04
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

That's a very old version of certbot (current is 2.80), but that probably isn't what's causing your problem. What I'm noticing is that noskc.com and www.noskc.com are resolving to different IP addresses. And if I dig a little further, I see that both IP addresses belong to noskc.com. Checking a bit further, it appears they both serve a redirect to http://173.18.238.44/. This isn't going to work; you'll need to correct your DNS entries to point to your actual IP address.

4 Likes

AND...
A redirect changes the URL [in your address bar].
So, a redirect to: http://173.18.238.44/
Makes your request turn into HTTP [and to an IP - not a name].
[one is forcibly insecure, the other can't be secured via an LE cert]

3 Likes

Here is what I see for DNS:

3 Likes

Let's Encrypt offers Domain Validation (DV) certificates, not IP addresses.

3 Likes

And https://letsdebug.net/noskc.com/1784050 shows

MultipleIPAddressDiscrepancy
WARNING
noskc.com has multiple IP addresses in its DNS records. While they appear to be accessible on the network, we have detected that they produce differing results when sent an ACME HTTP validation request. This may indicate that some of the IP addresses may unintentionally point to different servers, which would cause validation to fail.
[Address=3.33.152.147,Address Type=IPv4,Server=ip-10-123-123-186.ec2.internal,HTTP Status=404] vs [Address=15.197.142.173,Address Type=IPv4,Server=ip-10-123-122-53.ec2.internal,HTTP Status=404]

3 Likes

This looks like you are using a GoDaddy hosting service? Yes?

If so, you have their URL Redirect setup. You need to disable that and setup a DNS A record pointing directly to the public IP of your Apache server.

4 Likes

That helped a bit with learning that GoDaddy's URL Redirect was needing to be turned off. Thanks for that info.

3 Likes

With me correcting my DNS entries to point to my actual IP address, does that mean disabling the GoDaddy URL redirect? I thought I was pointing it to the right IP address, but if I'm not, then do I do that from the router specifically, or do I need to go through the terminal to set the IP address?

So I am forcing it to redirect into HTTP? Is that only because of GoDaddy, or something else I'm missing?

That was all GoDaddy.
Check your actual IP:

  • curl -4 ifconfig.me
  • web search "What Is My IP?"

With what is found in global DNS:

  • nslookup noskc.com
  • nslookup www.noskc.com

If they match, then continue with obtaining a cert.
If they don't match, stop and update the global DNS zone.

3 Likes
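
The match-or-stop procedure above, as an added script (not from the thread and not part of certbot): it compares this host's public IP with the name's A records and looks at what port 80 answers for a challenge-style URL before a certificate is requested. The IP-lookup service URL and the probe token name are assumptions; `check_records` can also be run on captured values without network access.

```python
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urlparse

ACME_PREFIX = "/.well-known/acme-challenge/"
PROBE_PATH = ACME_PREFIX + "preflight-probe"  # constructed token name, never a real challenge


def check_records(public_ip, a_records, redirect_to=None):
    """Pure check: returns a list of findings; an empty list means the name looks ready for HTTP-01."""
    findings = []
    if public_ip not in a_records:
        findings.append(f"no A record points at this host ({public_ip}); DNS has {sorted(a_records)}")
    strangers = sorted(ip for ip in a_records if ip != public_ip)
    if strangers:
        findings.append(f"other addresses also answer for the name: {strangers}; the CA may validate against any of them")
    if redirect_to:
        target = urlparse(redirect_to)
        try:
            ipaddress.ip_address(target.hostname or "")
            findings.append(f"port 80 forwards to a bare IP ({redirect_to}); a DV certificate covers names, not IPs")
        except ValueError:
            pass  # a hostname target is fine if that host also serves the token
        if not target.path.startswith(ACME_PREFIX):
            findings.append(f"forwarding drops the challenge path (lands on '{target.path or '/'}'); the token would never be found")
    return findings


class _StopAtRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # hand the 3xx back as an HTTPError instead of following it


def live_check(name, ip_service="https://ifconfig.me/ip"):
    """Gather the inputs from the network (assumes outbound access; ip_service URL is an assumption)."""
    public_ip = urllib.request.urlopen(ip_service, timeout=10).read().decode().strip()
    a_records = set(socket.gethostbyname_ex(name)[2])  # IPv4 A records only, as in the thread
    location = None
    try:
        urllib.request.build_opener(_StopAtRedirect).open(f"http://{name}{PROBE_PATH}", timeout=10)
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            location = err.headers.get("Location")
        # a 404 is expected here (the probe token is not deployed); what matters is who answered
    return check_records(public_ip, a_records, location)


if __name__ == "__main__":
    import sys
    for finding in live_check(sys.argv[1] if len(sys.argv) > 1 else "noskc.com") or ["looks ready for HTTP-01"]:
        print("-", finding)
```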

@SilverKnight317 Just checking in and noting that this is definitely not your public IP :) Be sure to follow the guide in the previous post by @rg305

noskc.com.     1800    IN      A       127.0.0.53

3 Likes

yeah, lol, I don't know why the heck I typed that and have just corrected it!

Okay! I got the certification and just need to make sure the cert is applied. Thanks guys!

1 Like
