What should a domain name look like?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

I ran this command:
sudo certbot --apache --agree-tos --redirect --hsts --staple-ocsp --email you@example.com -d www.example.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for www.josh.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: www.josh.com
Type: unauthorized
Detail: 18.217.156.232: Invalid response from http://www.josh.com/.well-known/acme-challenge/kFX8voXMf5ilwBTjcv6oCww8RtXgGmMjzxyj4H_NEns: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

There is a Windows IIS server responding to HTTP requests for that domain name.

Request to: www.josh.com/18.217.156.232, Result: [Address=18.217.156.232,Address Type=IPv4,Server=Microsoft-IIS/10.0

Why did you choose the --apache plugin with Certbot?

I also recommend not using --hsts and --staple-ocsp until you are experienced enough to fully understand them. You can always add those later once you understand them and think you still need them.

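The hint in the error above ("Ensure that the listed domains point to this Apache server and that it is accessible from the internet") can be checked before running certbot at all. The script below is an added example written for this thread, not part of the original post or of certbot; it resolves the name through a public resolver (the CA's validators do not read your /etc/hosts), drops a throwaway token under the webroot, fetches it over plain HTTP the way the CA would, and classifies the result. It assumes dig and curl are installed, that WEBROOT is the DocumentRoot Apache serves for the name on port 80, and that SERVER_IP is this host's public address; the 203.0.113.10 address and the file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the forum thread, not certbot's own code): reproduce
# what the CA's HTTP-01 validator does, so a 404 like the one in the post is
# caught before certbot asks for a certificate.
# Assumptions: dig and curl are installed; WEBROOT is the DocumentRoot Apache
# serves for DOMAIN over plain HTTP; SERVER_IP is this host's public IPv4.

# Classify one HTTP-01 attempt from the public A record, this server's own
# IP and the HTTP status the challenge URL returned. Pure function, so the
# decision logic can be exercised without a network.
classify_http01() {
  resolved=$1; server_ip=$2; status=$3
  if [ "$resolved" != "$server_ip" ]; then
    echo "dns-mismatch: $resolved is not this server ($server_ip); another host answers for the name"
    return 1
  fi
  case "$status" in
    200) echo "ok: challenge path served by this host"; return 0 ;;
    404) echo "not-served: right host, but /.well-known/acme-challenge/ is not backed by the webroot"; return 1 ;;
    000) echo "unreachable: no HTTP answer at all (firewall, or nothing listening on :80)"; return 1 ;;
    *)   echo "unexpected: HTTP $status (a redirect or auth in front of the path?)"; return 1 ;;
  esac
}

# First public A record of the name, asked from a public resolver (1.1.1.1)
# rather than the local stub resolver or /etc/hosts.
resolve_a() {
  dig +short A "$1" @1.1.1.1 | grep -E '^[0-9.]+$' | head -n 1
}

# Serve a random token from the webroot and fetch it over HTTP exactly like
# the CA would; prints the HTTP status (curl prints 000 when no response).
probe_challenge() {
  domain=$1; webroot=$2
  token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  mkdir -p "$webroot/.well-known/acme-challenge"
  echo "preflight-$token" > "$webroot/.well-known/acme-challenge/$token"
  status=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
           "http://$domain/.well-known/acme-challenge/$token")
  rm -f "$webroot/.well-known/acme-challenge/$token"
  echo "$status"
}

# Usage: ./http01-preflight.sh DOMAIN SERVER_IP WEBROOT
main() {
  domain=$1; server_ip=$2; webroot=$3
  resolved=$(resolve_a "$domain")
  status=$(probe_challenge "$domain" "$webroot")
  classify_http01 "${resolved:-none}" "$server_ip" "$status"
}

# Only run the live check when invoked with arguments (e.g.
# ./http01-preflight.sh www.example.com 203.0.113.10 /var/www/html).
if [ $# -ge 3 ]; then
  main "$@"
fi
```

For the output quoted in this thread the first branch fires: the A record belongs to a host running IIS, so nothing certbot does on the Apache box can make the challenge succeed, whichever authenticator plugin is used.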

--staple-ocsp you shouldn't use even if you are experienced enough, I'd say. It enables the OCSP Must-Staple certificate extension.

If I remember correctly, best practice is to staple without must staple. (This is a TLS server config, see ssl-config.mozilla.org)

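The distinction in the reply above is easy to get wrong: stapling is a server setting, while Must-Staple is an extension baked into the certificate that certbot's --staple-ocsp asks the CA for. The following shell functions, an added example that is not part of the thread or of certbot, show how to tell the two apart with openssl: one function detects the TLS Feature (status_request) extension in a certificate file, one asks a live server whether it actually staples, and a helper mints throwaway self-signed certificates with and without the extension so the check can be tried offline. It assumes OpenSSL 1.1.1 or later (for -addext); example.test and the file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the forum thread): separate "the server staples"
# from "the certificate carries Must-Staple". Assumes openssl >= 1.1.1.

# Return 0 when the certificate file in $1 carries the TLS Feature extension
# with status_request (RFC 7633, what certbot's --staple-ocsp requests),
# 1 otherwise.
has_must_staple() {
  openssl x509 -in "$1" -noout -text | grep -q 'status_request'
}

# Mint a throwaway self-signed certificate into $1 (key in $1.key). Pass
# "must-staple" as $2 to add the TLS Feature extension. Only for exercising
# the check locally; a real certificate comes from the CA.
make_test_cert() {
  out=$1
  if [ "${2:-}" = "must-staple" ]; then
    ext="-addext tlsfeature=status_request"
  else
    ext=""
  fi
  # shellcheck disable=SC2086  # $ext is intentionally word-split
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$out.key" -out "$out" -subj /CN=example.test -days 1 $ext \
    >/dev/null 2>&1
}

# Return 0 when the TLS server at $1:443 staples an OCSP response during the
# handshake. This is the server-side behaviour the Mozilla config recommends,
# and it is independent of whether the certificate has Must-Staple.
server_staples() {
  printf '' | openssl s_client -connect "$1:443" -servername "$1" -status 2>/dev/null \
    | grep -q 'OCSP Response Status: successful'
}

# Offline demonstration: one certificate with the extension, one without.
demo() {
  dir=$(mktemp -d)
  make_test_cert "$dir/plain.pem"
  make_test_cert "$dir/ms.pem" must-staple
  for f in plain ms; do
    if has_must_staple "$dir/$f.pem"; then
      echo "$f.pem: Must-Staple present (a non-stapling server will be refused by clients)"
    else
      echo "$f.pem: no Must-Staple (server may staple, but is not required to)"
    fi
  done
  rm -rf "$dir"
}
```

Run `demo` to see both outcomes locally, `has_must_staple /etc/letsencrypt/live/www.example.com/cert.pem` to inspect an issued certificate, and `server_staples www.example.com` to confirm stapling on the live server. For the recommended configuration (staple, no Must-Staple) on Apache, stapling is turned on with the SSLUseStapling and SSLStaplingCache directives, and certbot is run without --staple-ocsp.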

@Josh-dotcom-prog Are you the actual owner of josh.com? I'm guessing you're not based on a combination of factors here. That site has successfully used certificates from Let's Encrypt since 2016.

You can only get publicly-trusted certificates for domain names that you own or control. Normally you purchase these from a domain registrar.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.