I can't install a certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cointex.live

I ran this command: certbot certonly --standalone --email "massimomaxima@gmail.com" --agree-tos --no-eff-email --force-renewal -d cointex.live -d www.cointex.live

It produced this output:

Requesting a certificate for cointex.live and www.cointex.live

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: www.cointex.live
Type: unauthorized
Detail: 138.68.189.23: Invalid response from http://www.cointex.live/.well-known/acme-challenge/Qpvgedks4W667xRiCSgiTPw6_pM9994ixaHxQMuY8X0: 403

Domain: cointex.live
Type: unauthorized
Detail: 138.68.189.23: Invalid response from http://cointex.live/.well-known/acme-challenge/IZ636pKRH5_-pH1xvJkGcX5NSBps6AL2kVmwvG2yb8A: 403

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

My web server is (include version): vps

The operating system my web server runs on is (include version): Ubuntu 22.10 x64

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.29.0

The --standalone option needs the use of port 80 to receive the HTTP request from the Let's Encrypt servers.

You have an nginx server responding on port 80. And, it responds with an HTTP 403 for any request (even the home page).

You should look at using --webroot or --nginx with that nginx server. Or, make sure nginx is stopped before using --standalone. If you do this, you will also need to stop nginx for every renewal using --standalone, which is not what most people want.

7 Likes

Additionally, it looks like a server misconfiguration to me.

rip:T430 ~ >>  header http://cointex.live
HTTP/1.1 403 Forbidden
Server: nginx/1.23.3
Date: Wed, 29 Mar 2023 12:24:46 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

rip:T430 ~ >>  header https://cointex.live
curl: (7) Failed to connect to cointex.live port 443 after 175 ms: Connection refused

Hence the following error:

6 Likes

Okay. Thank you.

1 Like

Also it looks to me like you have already obtained certs for your domain.

Is it possible to use one of them?

5 Likes

How do I configure it correctly?

Yes, I would like to use it. How do I re-install it?

@MikeMcQ knows a lot more about nginx configurations than I.
But for starters, as he stated earlier:

But it is impossible unless the ports are open on your firewall or IDS or whatever (router)

rip:T430 ~ >>  nmap -p 22,80,443 cointex.live
Starting Nmap 7.80 ( https://nmap.org ) at 2023-03-29 05:39 PDT
Nmap scan report for cointex.live (138.68.189.23)
Host is up (0.17s latency).

PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  closed http
443/tcp closed https

Even when one of your current certs is configured, you still need to open ports 80 and 443 if you expect the site(s) to be available publicly.

6 Likes

Thank you. How do I open the port?

2 Likes

Your ports were open earlier, otherwise rip would not have seen the response to the "header" request for HTTP. And, Let's Encrypt servers also saw a 403 error.

It looks like you now stopped nginx. Did you?

6 Likes

Yes, I did.

What does this show?

certbot certificates

6 Likes

Found the following certs:
Certificate Name: cointex.live
Serial Number: 4cedc1103e0f5cad0a60afb880696d71548
Key Type: RSA
Domains: cointex.live www.cointex.live
Expiry Date: 2023-06-27 11:41:38+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/cointex.live/fullchain.pem
Private Key Path: /etc/letsencrypt/live/cointex.live/privkey.pem


1 Like

That depends on your environment, in which I am not an expert.
You are running a vps on DigitalOcean with nginx. The syntax is different than what I am proficient at.
I am not fluent in nginx or vps configs. An expert with your configuration will help you.
@MikeMcQ or @rg305 might be close by...

6 Likes

Okay.
Thank you.

1 Like

Excellent. You have your cert and private key files on your machine. You just need to configure nginx to use them.

You can do that manually or use the --nginx plug-in to help. For manual changes refer to

I recommend NOT using HSTS or Stapling until after you have a stable nginx system and know exactly what these do. These are advanced options that can cause difficulties.

7 Likes
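
A minimal nginx configuration that uses the certificate already present on the server, as an added example that is not part of the thread (the site root /var/www/cointex.live is an assumption; the certificate paths are the ones `certbot certificates` printed above):

```nginx
# Added example, not from the thread. Assumes site files live in
# /var/www/cointex.live; adjust root to match your server.

server {
    listen 80;
    listen [::]:80;
    server_name cointex.live www.cointex.live;

    # Keep HTTP-01 challenges reachable over plain HTTP so a later
    # `certbot --webroot -w /var/www/cointex.live` can validate
    # without stopping nginx (no more 403 on /.well-known/acme-challenge/).
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/cointex.live;
        default_type "text/plain";
    }

    # Everything else goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    # "listen ... ssl http2" is the form for nginx 1.23.3 (the version seen in the headers above).
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cointex.live www.cointex.live;

    # Paths exactly as reported by `certbot certificates`; Certbot keeps
    # these symlinks pointing at the newest cert, so they survive renewals.
    ssl_certificate     /etc/letsencrypt/live/cointex.live/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cointex.live/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # HSTS and OCSP stapling deliberately left out, per the advice above.

    root /var/www/cointex.live;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Run `nginx -t` before `systemctl reload nginx`, and confirm port 443 now answers (rip's `header https://cointex.live` check above was refused because nothing was listening). Because renewal reuses the saved authenticator, run certbot once more with `--webroot -w /var/www/cointex.live` (or `--nginx`) so later renewals validate through this server block instead of needing port 80 free.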

The overall port config looks fine. You and LE both saw 403 so reached their nginx. The HTTPS requests were failing probably due to nginx not configured to use certs yet (although could be NAT issue hard to say yet). The latest failures were them stopping nginx so normal to see ports "closed".

7 Likes

Not sure where you learned to use that, but it doesn't fix anything that's broken.
And as certbot certificates, and the cert history shows, you already had a cert to cover those names.

Step #1: Get the HTTP sites working "normally".
Step #2: Secure the sites using the cert you already have [no need to run certbot anymore]

6 Likes

Okay.
Thanks.

1 Like

Noted.
Thanks.

1 Like