Http-01 challenge failed for my subdomain


#1

I installed an SSL certificate for: http://kestrelcrm.co.uk using this guide:
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04

That worked and was surprisingly painless.

I then used this;

When I did the last command it said that it had got a new certificate but http-01 challenge failed for http://crmwebsite.kestrelcrm.co.uk

This is using a Ubuntu OS Droplet on Digital Ocean.

Is this a DNS issue? I can see the subdomain on a computer in my workplace but not on my personal PC at home. Cable provider’s DNS Cache still seems out of date.

Is that the issue or am I doing something wrong?


#2

I don’t believe it’s possible to get a new certificate if the challenge fails. What was the exact output?


#3

Just did this command
/opt/letsencrypt/certbot-auto certonly --standalone -d crmwebsite.kestrelcrm.co.uk

Got this result:
<<
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for crmwebsite.kestrelcrm.co.uk
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

If I put http://crmwebsite.kestrelcrm.co.uk into my browser from the work PC it connects; if I do it on my home PC it is not found. I think this is because my cable supplier’s DNS cache has not been updated. So I don’t really know if I have done something wrong or if it’s a DNS issue; I am suspecting the latter. If it isn’t the latter then any help would be most welcome.


#4

I just put crmwebsite.kestrelcrm.co.uk into https://letsdebug.net/ and it said all was OK, also tried https://dns.google.com/ and that seemed ok, so why is the challenge failing?


#5

You can’t use standalone if you run a webserver on port 80; use webroot instead.


#6

So I just ran this command:
/opt/letsencrypt/certbot-auto certonly --webroot -w /var/www/kestrelwebsite -d crmwebsite.kestrelcrm.co.uk

And got this:

IMPORTANT NOTES:

Given that my API and Web Front End are working when I try to use them from the browser and there is an A record for the top level domain and the subdomains, what am I now doing wrong?

Do I need to add additional AAAA records?


#7

Full Return:

Performing the following challenges:
http-01 challenge for crmwebsite.kestrelcrm.co.uk
Using the webroot path /var/www/kestrelwebsite for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. crmwebsite.kestrelcrm.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://crmwebsite.kestrelcrm.co.uk/.well-known/acme-challenge/wvz1qZ20UOUV_3Q3xB8itv0-iN32gjyZ9sPp31ESAas [134.209.18.223]: 404

IMPORTANT NOTES:

I am using nginx as the server for dotnet applications that use Kestrel.


#8

Full Return:

Performing the following challenges:
http-01 challenge for crmwebsite.kestrelcrm.co.uk
Using the webroot path /var/www/kestrelwebsite for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. crmwebsite.kestrelcrm.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://crmwebsite.kestrelcrm.co.uk/.well-known/acme-challenge/wvz1qZ20UOUV_3Q3xB8itv0-iN32gjyZ9sPp31ESAas [134.209.18.223]: 404

IMPORTANT NOTES:

<<


#9

I am using nginx as the server for dotnet applications that use Kestrel; I don’t know if that has anything to do with the issues I am getting.


#10

Is that the correct webroot for the CRM?

If you place a file there e.g. at /var/www/kestrelwebsite/.well-known/acme-challenge/test can you access the file at http://crmwebsite.kestrelcrm.co.uk/.well-known/acme-challenge/test ?


#11

Have you tried certbot --nginx ?


#12

Please show results of:
grep -Eri 'root|server_name|location|directory' /etc/nginx
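
The comparison that the grep output above makes possible, as an added example that is not part of the thread: it lists the server-level root of every nginx server block that names a host, so it can be checked against the directory passed to certbot with -w. The function names, config, hostnames and paths are constructed for illustration; root directives inside location blocks are not considered.

```shell
#!/bin/sh
# roots_for_host HOST CONF_FILE...
# For every server block whose server_name lists HOST, print its server-level
# root, or "(no root)" when it sets none (for example a pure reverse proxy).
roots_for_host() {
    host=$1; shift
    awk -v host="$host" '
        { sub(/#.*/, "") }                          # strip comments
        /^[ \t]*server[ \t]*[{]/ { in_srv = 1; depth = 0; names = ""; root = "" }
        in_srv {
            if (depth == 1 && $1 == "server_name") names = names " " $0
            if (depth == 1 && $1 == "root") { root = $2; sub(/;$/, "", root) }
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth == 0) {                       # end of this server block
                gsub(/;/, " ", names)
                n = split(names, a, " ")
                for (i = 1; i <= n; i++)
                    if (a[i] == host) print (root == "" ? "(no root)" : root)
                in_srv = 0
            }
        }
    ' "$@"
}

# webroot_matches HOST WEBROOT CONF_FILE...
# Exit status 0 only if a server block for HOST has exactly WEBROOT as root.
webroot_matches() {
    wm_host=$1; wm_root=$2; shift 2
    roots_for_host "$wm_host" "$@" | grep -Fxq -- "$wm_root"
}

# Constructed sample config; hosts and paths are hypothetical.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
server {
    listen 80;
    server_name example.test www.example.test;
    root /var/www/site;  # static files
}
server {
    listen 80;
    server_name app.example.test;
    location / { proxy_pass http://127.0.0.1:5000; }  # app behind the proxy
}
EOF
roots_for_host www.example.test "$sample"
roots_for_host app.example.test "$sample"
```

On a real host the function would be pointed at the files nginx actually loads; a "(no root)" result, or a root that differs from the -w path, means a challenge file written to the -w directory is not served for that host.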

