Installing certificate error

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cxchatbot.basf.host

I ran this command: sudo certbot --nginx

It produced this output: Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cxchatbot.basf.host
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. cxchatbot.basf.host (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 2a02:4780:8:324:0:1d49:de64:1: Invalid response from http://cxchatbot.basf.host/.well-known/acme-challenge/7IXhrlImKG9gtzHicG5wSwStoYrDDM7OjuVJhWKIneE: 404

IMPORTANT NOTES:

My web server is (include version):
nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Welcome to the community @Rishabhh17

Your DNS has both A and AAAA records. Let's Encrypt will use the AAAA record for IPv6 if present. You can see the IPv6 address in your error message 2a02:4780:8:324:0:1d49:de64:1

I get different responses from both IPv4 and IPv6 address. You should ensure they both point to the right server. If your IPv6 address is correct we need to explore why you got a 404 error. So, let us know how you resolved your DNS records.

curl -I4  cxchatbot.basf.host  (uses IPv4 address)
curl: (7) Failed to connect to cxchatbot.basf.host port 80 after 12 ms: Connection refused

curl -I6  cxchatbot.basf.host   (uses IPv6)
HTTP/1.1 403 Forbidden
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
date: Mon, 01 Aug 2022 13:21:24 GMT
server: LiteSpeed

Furthermore:

Doesn't match:
server: LiteSpeed


This is the command that is recommended in my application's SSL installation. So I did this before and it worked, but now it is not working. Now when I am trying this command it is showing the above error.

Begin at the beginning.

Are the IPs correct?:

Name:      cxchatbot.basf.host
Addresses: 2a02:4780:8:324:0:1d49:de64:1
           3.14.157.185

You must have a working HTTP site before you can use HTTP authentication to validate.
Also note: LE will prefer IPv6 over IPv4 [when present].


@rg305 @MikeMcQ Initially I used the application documentation, where they mentioned the commands for SSL using certbot. Then, after 90 days, my SSL expired, so I was trying to reinstall the certificate, so I removed nginx as well as certbot and started a fresh installation. But now it is showing the above error. Yes, the IP is correct.

These are the commands:
[image]

From your server, can you show the results of these commands:

curl -4 http://ifconfig.co
curl -6 http://ifconfig.co

@MikeMcQ When I run curl -4 it is showing the IP, but when I run curl -6 it is showing:

ubuntu@cxchatbot:~$ curl -6 http://ifconfig.co
curl: (7) Couldn't connect to server

What IP value does it show?

And, the failure for IPv6 shows that it is not working. You should remove the AAAA address from your DNS. That did not look like your server anyway, as a LiteSpeed server was responding on that address, which is closer to Apache than nginx.

That is one problem.

Another is you do not have port 80 open to your IPv4 address. Are you running in an AWS EC2 instance? Because that is where your IPv4 address points to. If so, you need to update your EC2 Security Group to allow port 80 and 443.

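As an added example (not code from the thread or from certbot), the following script turns the reasoning in the replies above into a check you can run on your own machine: it reads a certbot 0.x "Failed authorization procedure" line of the shape quoted in this thread, works out which address family the Let's Encrypt validator used, and compares the validator's target with the A/AAAA records you publish and with the addresses your server actually owns. The sample failure line, DNS records and server address are the ones quoted in this thread; in practice `dns_records` comes from `dig +short A` / `dig +short AAAA` and `server_addrs` from `curl -4 ifconfig.co` / `curl -6 ifconfig.co`. The function names (`parse_failure`, `diagnose`) and the finding codes are this example's own, and newer certbot releases word the error line differently, so the regex is an assumption tied to this output format.

```python
"""Interpret a certbot http-01 failure line against the DNS you expect.

Added example, not from the thread. Assumes the certbot 0.x output format
quoted above: "<domain> (http-01): <urn> :: <text> :: <ip>: Invalid response
from <url>: <status>". Newer certbot versions phrase this differently.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

_FAILURE_RE = re.compile(
    r"(?P<domain>[A-Za-z0-9.-]+) \((?P<challenge>[a-z0-9-]+)\): "
    r"(?P<err>urn:ietf:params:acme:error:[a-z]+) :: [^:]*:: "
    r"(?P<ip>[0-9A-Fa-f:.]+): Invalid response from "
    r"(?P<url>\S+): (?P<status>\d{3})"
)

# Constructed sample inputs, copied from the values quoted in this thread.
SAMPLE_OUTPUT = (
    "Failed authorization procedure. cxchatbot.basf.host (http-01): "
    "urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient "
    "authorization :: 2a02:4780:8:324:0:1d49:de64:1: Invalid response from "
    "http://cxchatbot.basf.host/.well-known/acme-challenge/"
    "7IXhrlImKG9gtzHicG5wSwStoYrDDM7OjuVJhWKIneE: 404"
)
THREAD_DNS = {"A": ["3.14.157.185"], "AAAA": ["2a02:4780:8:324:0:1d49:de64:1"]}
THREAD_SERVER_ADDRS = ["3.14.157.185"]  # what `curl -4 ifconfig.co` reported


def parse_failure(certbot_output: str) -> Optional[Dict[str, str]]:
    """Extract domain, validator IP, challenge URL and HTTP status from the error line."""
    match = _FAILURE_RE.search(certbot_output)
    return match.groupdict() if match else None


def _same_ip(a: str, b: str) -> bool:
    # Compare as addresses so differently written IPv6 forms still match.
    return ipaddress.ip_address(a) == ipaddress.ip_address(b)


def diagnose(certbot_output: str,
             dns_records: Dict[str, List[str]],
             server_addrs: List[str]) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings for one failed http-01 attempt."""
    info = parse_failure(certbot_output)
    if info is None:
        return [("NO_FAILURE_LINE", "no 'Failed authorization procedure' line found")]
    ip = info["ip"]
    rrtype = "AAAA" if ipaddress.ip_address(ip).version == 6 else "A"
    findings: List[Tuple[str, str]] = []
    if rrtype == "AAAA" and dns_records.get("A"):
        findings.append(("IPV6_PREFERRED",
                         "the validator used the AAAA record: Let's Encrypt prefers "
                         "IPv6 when an AAAA record exists, so the A record was never tried"))
    if not any(_same_ip(ip, r) for r in dns_records.get(rrtype, [])):
        findings.append(("IP_NOT_IN_DNS",
                         f"{ip} is not among the published {rrtype} records; DNS changed "
                         "after the attempt, or something else answers for this name"))
    if not any(_same_ip(ip, a) for a in server_addrs):
        findings.append(("IP_NOT_THIS_SERVER",
                         f"{ip} is not an address of this server, so another host answered "
                         f"the challenge; fix or remove the {rrtype} record"))
    if info["status"] == "404":
        findings.append(("TOKEN_NOT_SERVED",
                         f"the host at {ip} returned 404 for {info['url']}; it did not "
                         "serve the token certbot prepared"))
    elif info["status"] != "200":
        findings.append(("UNEXPECTED_STATUS",
                         f"the host at {ip} returned HTTP {info['status']} for the challenge URL"))
    return findings


if __name__ == "__main__":
    for code, text in diagnose(SAMPLE_OUTPUT, THREAD_DNS, THREAD_SERVER_ADDRS):
        print(f"{code}: {text}")
```

Run against the thread's values it reports three findings in order: the validator chose IPv6, that IPv6 address is not the EC2 instance, and whoever answered there returned 404; once the AAAA record is gone and the same 404 comes back from the server's own IPv4 address, only the last finding remains and the problem is local to nginx.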

@MikeMcQ Yes, I am using EC2, and all the ports are open. Previously it was working fine. What I did is just a fresh installation of Certbot, to install a new certificate, because the earlier one had expired for this domain.

What is the value shown from this command?


@MikeMcQ The IP of my EC2 Instance.

Would you please confirm the value? Because the IP in your public DNS does not have the needed ports open.

If you don't have an Elastic IP AWS may assign a new IP address if you restart your EC2 instance. I am trying to help you but it is difficult as your descriptions don't match what I see from the public internet.

nmap cxchatbot.basf.host

rDNS record for 3.14.157.185: ec2-3-14-157-185.us-east-2.compute.amazonaws.com
PORT     STATE SERVICE
22/tcp   open  ssh
3000/tcp open  ppp
4000/tcp open  remoteanything
5432/tcp open  postgresql

I see you still have not removed the AAAA address. You should do that.


It is showing the IP: 3.14.157.185

All the ports are open. I am doing the same thing as done before but this time I am getting these errors.

What does this mean, @MikeMcQ?
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cxchatbot.basf.host
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. cxchatbot.basf.host (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 2a02:4780:8:324:0:1d49:de64:1: Invalid response from http://cxchatbot.basf.host/.well-known/acme-challenge/X1Pb8L29Zp0x41ahWR-xy5HBlqSHBDyshR_CkBedyMw: 404

IMPORTANT NOTES:

Thanks for showing the IPv4 address.

I see some improvement. Since this latest error you have removed the AAAA record. And, port 443 is now open. But, port 80 remains closed.

If you tried the certbot command now you would see a timeout connection error. You can see the Let's Debug test site to see what I see.

You should do for port 80 whatever you did to open port 443. Then try again and show any error.

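The replies above rely on telling three failure modes apart: "Connection refused" (the host is reachable and answers with a TCP reset, so nothing is listening on that port or a firewall rejects), a silent timeout (packets are dropped, which is what a missing EC2 security group rule produces and what the last reply predicts for port 80), and "Couldn't connect to server" from `curl -6` (no IPv6 route from the instance at all). As an added example that is not from the thread, here is a small probe that makes that classification explicit for any address and port. The `probe`, `explain` and `self_check` names are this example's own; `self_check` exercises the open and refused cases against a local listener so the script can be verified offline, while the command-line form probes real addresses.

```python
"""Classify why a TCP port is or is not reachable on a given address.

Added example, not from the thread. Distinguishes the outcomes discussed
above: refused (RST back), timeout (packets dropped, e.g. an EC2 security
group without the rule) and unreachable (no route for that address family).
"""
import errno
import socket
import sys
from typing import Tuple

OUTCOMES = {
    "open": "TCP handshake completed: something is listening on that port",
    "refused": "host reachable but replied with RST: nothing listening on that "
               "port for this address family, or a rejecting firewall rule",
    "timeout": "no reply at all: packets dropped in transit, typically a missing "
               "security group, network ACL or host firewall rule for this port",
    "unreachable": "no route from here for this address family "
                   "(e.g. the instance has no IPv6 connectivity)",
}


def probe(addr: str, port: int = 80, timeout: float = 5.0) -> str:
    """Attempt a TCP connect and return 'open', 'refused', 'timeout' or 'unreachable'."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((addr, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH, errno.EADDRNOTAVAIL):
            return "unreachable"
        raise
    finally:
        sock.close()


def explain(outcome: str) -> str:
    """Human-readable meaning of a probe() result."""
    return OUTCOMES.get(outcome, "unclassified outcome: " + outcome)


def self_check() -> Tuple[str, str]:
    """Offline demonstration: probe a local listener, then the same port once it is closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe("127.0.0.1", port, timeout=2.0)
    listener.close()
    after_close = probe("127.0.0.1", port, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    # Usage: python probe.py 3.14.157.185 2a02:4780:8:324:0:1d49:de64:1
    targets = sys.argv[1:]
    if not targets:
        print("self-check (open, refused):", self_check())
    for target in targets:
        result = probe(target)
        print(f"{target} port 80 -> {result}: {explain(result)}")
```

Probing the IPv4 and IPv6 addresses separately matters because the validator picks one family (IPv6 when an AAAA record exists) and a `curl` without `-4`/`-6` may silently fall back to the other and hide the problem.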