"Invalid response" creating cert - suspect DNS

Sorry complete noob here!

My domain is: latstudios.com.au

I ran this command on my FortiGate according to the admin guide: Administration Guide | FortiGate / FortiOS 7.2.2 | Fortinet Documentation Library


(Automatically provision Certificate from Fortigate using
certname Latgate27
Domain Latstudios.com.au
email myemail@latstudios.com.au

It produced this output:

2023/01/04 00:09:53 Checking staging area
2023/01/04 00:09:53 Starting challenges for domains
2023/01/04 00:09:42 111.118.220.191: Invalid response from http://latstudios.com.au/.well-known/acme-challenge/DkHP-a3jRKzFRmORL-ZmPERm_d3Vqj8nSkGWtZQJUFo : 404
2023/01/04 00:09:42 Starting challenges for domains: 111.118.220.191: Invalid response from http://latstudios.com.au/.well-known/acme-challenge/DkHP-a3jRKzFRmORL-ZmPERm_d3Vqj8nSkGWtZQJUFo : 404, problem: urn:ietf:params:acme:error:unauthorized
2023/01/04 00:09:41 Starting challenges for domains
2023/01/04 00:09:40 Loaded order from staging
2023/01/04 00:09:38 Selecting account to use for latstudios.com.au
2023/01/04 00:09:38 Driving ACME protocol for renewal of latstudios.com.au
2023/01/04 00:09:38 Contacting ACME server for latstudios.com.au at https://acme-v02.api.letsencrypt.org/directory
2023/01/04 00:09:38 Assessing current status
2023/01/04 00:09:38 Checking staging area
2023/01/04 00:09:38 Retrieving certificate chain for latstudios.com.au
2023/01/04 00:09:32 Unable to retrieve certificate chain.
2023/01/04 00:09:32 Retrieving certificate chain for latstudios.com.au: Unable to retrieve certificate chain.
2023/01/04 00:09:32 Retrieving certificate chain for latstudios.com.au
2023/01/04 00:09:12 Monitoring challenge status for latstudios.com.au
2023/01/04 00:09:11 Setting up challenge 'http-01' for domain latstudios.com.au

My hosting provider, if applicable, is: entitydata.com.au

I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

entitydata hosting in plesk has the following entries:

latstudios.com.au A 111.118.220.191
LatGate27.latstudios.com.au A 203.219.64.58
(is it case sensitive?)

So if I DNS resolve latgate27.latstudios.com.au at whatsmydns.net, it resolves correctly, but not at every nameserver.

But it looks like Let's Encrypt is referring to the web site address of 111.118 rather than the IP against the latgate27 machine of 203.219....

Thanks in advance!

1 Like

Welcome to the community @Jillofalltrades

Yes, the domain name in your request was for latstudios.com.au and that is the IP and URL that was used for the cert request.

To get a cert for latgate27.latstudios.com.au you should change the domain name field in the request screen. Just having the cert name be latgate27 is not enough.

It looks like your domain latstudios.com.au is using a valid cert issued Dec 3. A handy tool to check certs is this SSL Checker (link here).

5 Likes
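The check described in the answer above can be scripted. This is an added example, not part of the original thread and not FortiOS or Let's Encrypt code: it parses the failing http-01 log line and compares the host and IP that were validated with the A record of the name the certificate was meant for. The log line and A records are copied from the posts above; the function names and the `intended_host` parameter are assumptions, and names are normalised because DNS compares them case-insensitively.

```python
import re

# Values copied from the thread: the failing log line and the two Plesk A records.
LOG_LINE = ("2023/01/04 00:09:42 111.118.220.191: Invalid response from "
            "http://latstudios.com.au/.well-known/acme-challenge/"
            "DkHP-a3jRKzFRmORL-ZmPERm_d3Vqj8nSkGWtZQJUFo : 404")
A_RECORDS = {"latstudios.com.au": "111.118.220.191",
             "LatGate27.latstudios.com.au": "203.219.64.58"}

# Shape of the http-01 failure line as it appears in the log above.
FAIL_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}): Invalid response from "
    r"http://(?P<host>[^/\s]+)/\.well-known/acme-challenge/\S+ : (?P<status>\d{3})")

def norm(name):
    """DNS names compare case-insensitively; also drop a trailing root dot."""
    return name.rstrip(".").lower()

def diagnose(log_line, a_records, intended_host):
    """Compare what the CA validated with the host the cert was meant for.

    intended_host is a hypothetical parameter: the name the admin wanted covered.
    """
    m = FAIL_RE.search(log_line)
    if m is None:
        return None  # not an http-01 "Invalid response" line
    records = {norm(k): v for k, v in a_records.items()}
    validated, intended = norm(m["host"]), norm(intended_host)
    return {
        "validated_host": validated,
        "validated_ip": m["ip"],
        "http_status": int(m["status"]),
        "intended_ip": records.get(intended),
        # True when the order named a different host than the one intended.
        "wrong_name_in_order": validated != intended,
        # True when the CA's request actually reached the intended machine.
        "reached_intended_host": records.get(intended) == m["ip"],
    }

if __name__ == "__main__":
    for key, value in diagnose(LOG_LINE, A_RECORDS,
                               "latgate27.latstudios.com.au").items():
        print(f"{key}: {value}")
```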

If that is the correct IP of the gate, then what is in system/settings/ACME interface?
Is this your first attempt at getting an LE cert on a Fortigate?
What version of FortiOS is that?

4 Likes

Hi MikeMcQ and rg305, thanks so much for your responses.

Dug around a bit more and yes, we have a Let's Encrypt cert for *.latstudios.com.au (I thought it was just for the website), so I'll try to use that instead and see if that sorts out the error message.

Cheers,

4 Likes
