Getting certificate for website

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: careerfair.sec.tamu.edu

I ran this command: sudo certbot certonly --webroot

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Please enter the domain name(s) you would like on your certificate (comma and/or

space separated) (Enter 'c' to cancel): careerfair.sec.tamu.edu

Requesting a certificate for careerfair.sec.tamu.edu

Input the webroot for careerfair.sec.tamu.edu: (Enter 'c' to cancel): /Users/sec/Documents/GitHub/CareerFair

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:

Domain: careerfair.sec.tamu.edu

Type: unauthorized

Detail: 104.236.45.130: Invalid response from https://careerfair.sec.tamu.edu/.well-known/acme-challenge/8FnOLGA5wkhnMRSCPKYGuP88vziVnpLoCJnsXXcghJk: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx (I don't know the version)
The operating system my web server runs on is (include version): MacOS 10.12.6

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): I am not sure

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.9.0

Additional information: For the past few years, our institution helped us get our certificates, but now they want us to renew it on our own. This specific website is different than the others. The only way we can update it is by going onto the mac, pulling the latest changes, and then running "cap production deploy". I am not familiar with this website at all and am struggling to renew this certificate. For the webroot, I am putting the location of the github repo (/Users/sec/Documents/GitHub/CareerFair), and that hasn't seemed to work. I have tried with other folders, like public, app, config, and they don't seem to work either. Does anyone have any advice?

I can post the log file as well, I just wasn't sure if it was safe to do so.

1 Like

I see that you are using --webroot [/Users/sec/Documents/GitHub/CareerFair], we should check the nginx configuration to be sure that is correct.

Please show:
nginx -T
certbot certificates

If a cert already exists, try:
certbot renew

2 Likes
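
The check suggested above (is the --webroot path what nginx really serves for the challenge URL?) as an added example, not part of the original thread: it reads `nginx -T` output and reports whether /.well-known/acme-challenge/ is served from a `root` directory or handed to a `proxy_pass` upstream. The config, domain name, port and paths are constructed placeholders, and the parser is a simplification that only models plain prefix locations.

```python
import re

CHALLENGE = "/.well-known/acme-challenge/"
# Constructed `nginx -T` excerpt; domain, paths and port are placeholders.
SAMPLE = """
server {
  server_name careerfair.example.edu;
  root /var/www/careerfair/current/public;
  location / { proxy_pass http://127.0.0.1:3000; }
}
"""

def server_blocks(text):
    """Split a config into server blocks: lists of (relative depth, words)."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))
    blocks, cur, base, depth, stmt = [], None, 0, 0, []
    for tok in tokens:
        if tok not in ("{", "}", ";"):
            stmt.append(tok)
            continue
        if tok == "{" and cur is None and stmt == ["server"]:
            cur, base = [], depth
        elif tok != "}" and cur is not None and stmt:
            cur.append((depth - base, stmt))
        depth += {"{": 1, "}": -1, ";": 0}[tok]
        if tok == "}" and cur is not None and depth == base:
            blocks.append(cur)
            cur = None
        stmt = []
    return blocks

def challenge_handler(text, domain):
    """Return ('proxy', url) or ('root', path) for the challenge URL, else None."""
    for block in server_blocks(text):
        if not any(s[0] == "server_name" and domain in s[1:] for _, s in block):
            continue
        server_root, locs, here = None, {}, None
        for d, s in block:
            # Assumption: regex and '=' locations, alias and include are not modelled.
            if d == 1 and s[0] == "location" and (len(s) == 2 or s[1] == "^~"):
                here = locs.setdefault(s[-1], {})
            elif d == 1:
                here = None
                if s[0] == "root" and len(s) > 1:
                    server_root = s[1]
            elif d == 2 and here is not None and len(s) > 1:
                here[s[0]] = s[1]
        match = max((p for p in locs if CHALLENGE.startswith(p)), key=len, default=None)
        loc = locs.get(match, {})   # nginx uses the longest matching prefix
        if "proxy_pass" in loc:
            return ("proxy", loc["proxy_pass"])
        return ("root", loc.get("root", server_root))
```

A `('root', path)` result is the directory to pass as --webroot; a `('proxy', url)` result means files written under any webroot are not what nginx returns for that URL.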

Also, there is a certificate issued by Sectigo that is good until April of next year: crt.sh | 12339464561

Where did that go?

2 Likes

I have left the office so I can't run those commands until tomorrow morning. We have the Sectigo certificates (PEM encoded and PKCS#7), but were advised to move to something that renews automatically. For the time being, do you have any advice for adding those certificates to the website?

Thank you so much for your quick reply, the help is much appreciated.

1 Like

That cert is good for a year.
So, that would give you plenty of time to figure out how to obtain and renew another cert.

That said, the current cert will expire in 24 days:
SSL Server Test: careerfair.sec.tamu.edu (Powered by Qualys SSL Labs)

Unfortunately, I know next to nothing about your web site configuration, so I won't be much help with the "how to do anything to it".

2 Likes

Is there any specific info I could provide you with to give you some context as to how our website configuration is set up? For some background, it's deployed through a mac via a remote repo onto Heroku. Are there any specific file paths I should look for in order to use the Sectigo certificate?

Unfortunately, this is not a forum for such advice...
So, for me, sorry - [no thank you].

But feel free to post your specific request and some detailed information and maybe someone will come along with the knowledge and who is willing to help you with that problem.
AND/OR
You could [also] post on a support forum more in line with such problems.

2 Likes

I see that the site is now using the Sectigo cert valid until March 25th of next year.

But I also see that there are chain issues.
[I also see that some weak protocols are in use and many weak ciphers are enabled]
For a comprehensive detailed review, see:
SSL Server Test: careerfair.sec.tamu.edu (Powered by Qualys SSL Labs)

1 Like