Thank you! I am here to ask for help.
I used a digital certificate for the first time, and now I have a problem and I don’t know how to solve it.
I registered two domain names, zen01.newnet.cf and zen02.newnet.cf, which resolve to two IP addresses: 114.115.136.61 and 114.116.69.45. They are two cloud servers located in mainland China. The server does not run an http service.
I use the following command to get the certificate:
And on September 16th, the certificate was successfully obtained. But then getting the certificate for ‘zen02.newnet.cf’ always fails. Even if the domain name is resolved to a server that has already succeeded, it fails. See the error message:
zenops@zen02:~$ sudo certbot certonly -n --agree-tos --register-unsafely-without-email --standalone -d zen02.newnet.cf
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for zen.newnet.cf
Waiting for verification…
Exception happened during processing of request from ('::ffff:66.133.109.36', 53236, 0, 0)
Traceback (most recent call last):
File "/usr/lib/python3.5/socketserver.py", line 313, in _handle_request_noblock
self.process_request(request, client_address)
File "/usr/lib/python3.5/socketserver.py", line 341, in process_request
self.finish_request(request, client_address)
File "/usr/lib/python3.5/socketserver.py", line 354, in finish_request
self.RequestHandlerClass(request, client_address, self)
File "/usr/lib/python3/dist-packages/acme/standalone.py", line 206, in __init__
BaseHTTPServer.BaseHTTPRequestHandler.__init__(self, *args, **kwargs)
File "/usr/lib/python3.5/socketserver.py", line 681, in __init__
self.handle()
File "/usr/lib/python3/dist-packages/acme/standalone.py", line 215, in handle
BaseHTTPServer.BaseHTTPRequestHandler.handle(self)
File "/usr/lib/python3.5/http/server.py", line 422, in handle
self.handle_one_request()
File "/usr/lib/python3.5/http/server.py", line 410, in handle_one_request
method()
File "/usr/lib/python3/dist-packages/acme/standalone.py", line 221, in do_GET
self.handle_simple_http_resource()
File "/usr/lib/python3/dist-packages/acme/standalone.py", line 246, in handle_simple_http_resource
self.end_headers()
File "/usr/lib/python3.5/http/server.py", line 524, in end_headers
self.flush_headers()
File "/usr/lib/python3.5/http/server.py", line 528, in flush_headers
self.wfile.write(b"".join(self._headers_buffer))
File "/usr/lib/python3.5/socket.py", line 593, in write
return self._sock.send(b)
ConnectionResetError: [Errno 104] Connection reset by peer
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
There is an ambiguity about whether @weixw meant that the server doesn't normally listen on port 80, or that the server isn't allowed to listen on port 80. In the first case, that isn't a problem because --standalone will listen on port 80 for you. In the second case, it is a problem because the inbound connections on port 80 from the CA won't succeed.
Some Chinese ISPs restrict inbound connections on web ports by default because of government licensing regulations about the ability to run web sites. If this is so and your use of port 80 is being restricted, then @JuergenAuer's reply is exactly right. You would have to use the DNS challenge method instead.
Thank you for your answer!
Yes, the server does not have an http (apache) daemon, but the server firewall allows access to port 80.
I will change the domain name and try again.
Yes, the same operation.
I guess, it may be that the service provider prohibits access to all unfiled domains.
However, the successful one may be that the service provider fell asleep for a little while.
After the Mid-Autumn Festival, I will ask the service provider.
Because, when I installed Apache, the results of the visit are as follows:
Sorry, this site is temporarily unavailable and may be caused by the following reasons:
Reason one
Your website has not been filed. According to the “Administrative Measures for the Recording of Non-Operating Internet Information Services”, the website needs to be archived and accessed. The Ministry of Industry and Information Technology records the enquiry point to enter.
Reason two
The content of the website does not match the filing information or the filing information is inaccurate; according to the “Administrative Measures for the Recording of Non-operating Internet Information Services”, the content of the website needs to be consistent with the filing information, and the filing information needs to be true and effective. It is recommended that the webmaster modify the website information as soon as possible.
This page is the default prompt page. If the above problems exist on the website, please handle it in time. Please contact your service provider for website registration.
So if this is a public website, you have to fulfill these requirements.
However, you can still get a certificate from Let’s Encrypt without registering with the government: you can use the DNS-01 challenge method, which involves creating DNS TXT records instead of creating a file on your web site. Ideally, your DNS provider would support an API which lets your client application create these records from software.
I guess it will be difficult to subsequently host the web site within China without complying with the registration law.
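To make concrete why DNS-01 sidesteps the blocked port 80, here is an added example (not code from the original thread or from Certbot) that derives both challenge responses from the same ACME key authorization as specified in RFC 8555: for http-01 the CA must fetch the key authorization over port 80, while for dns-01 it only queries a TXT record at _acme-challenge.<domain>. The account key below is a constructed placeholder (not a real modulus), the token is made up, and the "zone snapshot" dict stands in for a real DNS lookup so the check runs offline.

```python
import base64
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed placeholder account key: the "n" value is not a real RSA modulus.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-not-a-real-modulus"}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME (RFC 8555) uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, lexicographic key order, no whitespace."""
    required = {
        "RSA": ("e", "kty", "n"),
        "EC": ("crv", "kty", "x", "y"),
    }[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: binds the CA's challenge token to this account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> Tuple[str, str]:
    """Path and body the CA fetches over inbound port 80 for http-01."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_record(domain: str, token: str, jwk: dict) -> Tuple[str, str]:
    """Owner name and TXT value the CA resolves for dns-01; no inbound connection needed."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("utf-8")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def dns01_satisfied(zone: Dict[str, List[str]], domain: str, token: str, jwk: dict) -> bool:
    """Check a zone snapshot (a dict standing in for DNS TXT lookups) the way a validator would:
    the expected value must be present, extra TXT records at the same name are fine."""
    name, expected = dns01_record(domain, token, jwk)
    return expected in zone.get(name, [])


if __name__ == "__main__":
    token = "constructed-token-value"          # the CA supplies the real token
    domain = "zen02.newnet.cf"
    path, body = http01_response(token, SAMPLE_JWK)
    name, value = dns01_record(domain, token, SAMPLE_JWK)
    print("http-01: serve", body, "at http://" + domain + path)
    print("dns-01 : publish TXT", name, '"' + value + '"')
    # Constructed zone snapshot, as if the DNS API call had already been made.
    zone = {name: [value, "v=spf1 -all"]}
    print("dns-01 check:", dns01_satisfied(zone, domain, token, SAMPLE_JWK))
```

The TXT value is a SHA-256 digest, so it leaks nothing about the account key, and the record can be published from anywhere (a laptop, a CI job) as long as it can reach the DNS provider's API; the server behind the ICP block never has to accept a connection from the CA.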
Thank you!
How do I do it? For example, how do I install a DNS plugin such as ‘certbot-dns-cloudxns’? Do I need to install Docker first? It feels a bit complicated.
Right now only some methods of installing Certbot include DNS plugins. If yours doesn’t, you can use the Docker method or you can try using acme.sh instead of Certbot.
@schoen @JuergenAuer the issue is… China blocks almost every site that’s hosted on a mainland server (without a proper ICP license), and the OP currently does not have an ICP license for his domain name… and indeed the site was blocked (and replaced with the default ugly error page)