Getting cert failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: backbencher.ml

I ran this command:

certbot certonly --rsa-key-size 2048 --standalone --agree-tos --no-eff-email --email u@backbencher.ml -d backbencher.ml

It produced this output:

Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for backbencher.ml
Waiting for verification…
Challenge failed for domain backbencher.ml
http-01 challenge for backbencher.ml
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Hi @ugandhar84

Where do you run Certbot? On that IP 195.20.51.121?

If yes, it should work.

If not, it can't work.

--standalone is hard to debug. Isn't it possible to start there a webserver you can use?

So you can test the webserver without running Certbot.

@JuergenAuer, agreed.
There is a valid nginx server already running on port 80.
Perfectly capable of handling the http auth request:

curl -Iki http://backbencher.ml/.well-known/acme-challenge/ShthhHuwDYz2rbu3DcyXoEvG6JhWUolpe7GDyi5aq9Q
HTTP/1.1 200
Server: nginx
Date: Sat, 19 Sep 2020 19:24:46 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:01 GMT
X-Server: ip-172-31-21-235

But it seems to return 200 and this content for all requests:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">

<html>
  <head>
    <title>backbencher.ml</title>
    <meta name="description" content="backbencher.ml">
    <meta name="keywords" content="backbencher.ml">
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <script type="text/javascript">
        var _gaq = _gaq || [];
        _gaq.push(['_setAccount', 'UA-23441223-3']);
        _gaq.push(['_setDomainName', 'none']);
        _gaq.push(['_setAllowLinker', true]);
        _gaq.push(['_trackPageview']);
        (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
            ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
            var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
        })();
    </script>
  </head>
  <frameset rows="*">
    <frame frameborder=0 src="http://backbencher.ml" name="dot_tk_frame_content" scrolling="auto" noresize>
  </frameset>
</html>

Oh, what's that?

I've checked

http://backbencher.ml/.well-known/acme-challenge/ShthhHuwDYz2rbu3DcyXoEvG6JhWUolpe7GDyi5aq9Q

there is a timeout.

But

http://backbencher.ml/

works.

Maybe the hoster blocks /.well-known/acme-challenge or it's a proxy configuration.

It may be a Freenom parked page.

And now all the nameservers are missing:

nslookup -q=ns backbencher.ml a.ns.ml
Address:  185.21.168.1

ml
        primary name server = a.ns.ml
        responsible mail addr = info.malidili.com
        serial  = 1600544051
        refresh = 10800 (3 hours)
        retry   = 3600 (1 hour)
        expire  = 604800 (7 days)
        default TTL = 5 (5 secs)

OR

This must be a very newly registered domain name.

Domain registration shows 4 nameservers:

But they don’t have information for this domain…
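
Added example (not part of the original thread, and not Certbot's or Let's Encrypt's code): a Python check for the symptom discussed above, where the challenge URL answers 200 with a parked HTML page for every path instead of the key authorization. The function name, the finding labels, the abbreviated parked page and the thumbprint placeholder are assumptions made for illustration; only the token is taken from the thread.

```python
import re

B64URL = re.compile(r"[A-Za-z0-9_-]+")  # base64url alphabet used by ACME tokens

def diagnose_http01(token, status, body, probe_status=None, probe_body=None):
    """Classify a response fetched from /.well-known/acme-challenge/<token>.

    probe_status/probe_body: response for a made-up token on the same host,
    used to spot a server that answers every path the same way.
    """
    if not B64URL.fullmatch(token):
        raise ValueError("token is not base64url")
    findings = []
    text = body.strip()
    if status != 200:
        findings.append("unexpected-status")
    # RFC 8555 section 8.3: the body must be "<token>.<account key thumbprint>".
    prefix = token + "."
    thumb = text[len(prefix):] if text.startswith(prefix) else ""
    if not B64URL.fullmatch(thumb):
        findings.append("body-not-key-authorization")
    # An HTML document here means something other than the ACME client answered.
    if re.search(r"<\s*(html|frameset|!doctype)", text, re.I):
        findings.append("html-page-served")
    # Identical 200 for a nonexistent token: catch-all page (parking, proxy).
    if probe_status == 200 and probe_body is not None and probe_body.strip() == text:
        findings.append("catch-all-200")
    return findings

# Token quoted in the thread; everything below is constructed sample data.
TOKEN = "ShthhHuwDYz2rbu3DcyXoEvG6JhWUolpe7GDyi5aq9Q"
PARKED = ('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN">'
          '<html><frameset rows="*"><frame src="http://backbencher.ml">'
          '</frameset></html>')
GOOD = TOKEN + ".CONSTRUCTED_THUMBPRINT_PLACEHOLDER\n"

if __name__ == "__main__":
    print(diagnose_http01(TOKEN, 200, PARKED, 200, PARKED))
    print(diagnose_http01(TOKEN, 200, GOOD, 404, "not found"))
```

To use it against a live host, fetch the real challenge path and a random token path yourself (for example with curl, as in the thread) and pass in both status codes and bodies.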
