Issue getting the certificate in Linux Ubuntu

lms@lms:/etc/nginx/sites-available$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.


1: lms.promecin.com
2: phish.promecin.com
3: phish-admin.promecin.com
4: portainer.promecin.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for lms.promecin.com and 3 more domains

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: lms.promecin.com
Type: connection
Detail: 104.236.9.157: Fetching http://lms.promecin.com/.well-known/acme-challenge/Bf37bEbgcjvCSqdGtAKdCftqha0iG5c5gxaZ95WIoE4: Error getting validation data

Domain: phish-admin.promecin.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for phish-admin.promecin.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for phish-admin.promecin.com - check that a DNS record exists for this domain

Domain: phish.promecin.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for phish.promecin.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for phish.promecin.com - check that a DNS record exists for this domain

Domain: portainer.promecin.com
Type: unauthorized
Detail: 52.22.52.79: Invalid response from https://portainer.promecin.com/.well-known/acme-challenge/tOSajpGqsnWnc0u-4MgvyO8hZa6gmi_9IbE4L8bEwcE: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

That's the error I got in my bash. In addition, I don't have this path either: /etc/letsencrypt/live/. My certbot version is 2.9.0.

And here is the config of each of the domains I did set up.

lms.promecin.com

server {
    listen 80;
    server_name lms.promecin.com;

    client_max_body_size 100M;

    location / {
        proxy_pass http://127.0.0.1:8080;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_read_timeout 300s;
        proxy_connect_timeout 300s;
    }
}

phish.promecin.com

server {
    listen 443 ssl;
    server_name phish.promecin.com;


    ssl_certificate /etc/letsencrypt/live/promecin.com;
    ssl_certificate_key /etc/letsencrypt/live/promecin.com;

    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://127.0.0.1:3333;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 80;
    server_name phish.promecin.com;
    return 301 https://$host$request_uri;
}

phish-admin.promecin.com

server {
    listen 443 ssl;
    server_name phish-admin.promecin.com;

    ssl_certificate /etc/letsencrypt/live/://promecin.com;
    ssl_certificate_key /etc/letsencrypt/live/://promecin.com;


    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://127.0.0.1:3334;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 80;
    server_name phish-admin.promecin.com;
    return 301 https://$host$request_uri;
}

portainer.promecin.com

server {
    listen 443 ssl;
    server_name portainer.promecin.com;

    ssl_certificate /etc/letsencrypt/live/://promecin.com;
    ssl_certificate_key /etc/letsencrypt/live/://promecin.com;


    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

server {
    listen 80;
    server_name portainer.promecin.com;
    return 301 https://$host$request_uri;
}

And that's the error. Could somebody help me? I'm new in this.

You have a number of problems. But, you could start by fixing your DNS.

You use this IP address for your lms domain:

But, phish and phish-admin do not have any A record in the DNS for their IP address. You need to add them to avoid the NXDOMAIN errors.

Your portainer domain uses a different IP in the DNS. I don't know whether this or the one for lms is correct. Only you can know that. But, if you want the same nginx to handle all these domain names these should probably be the same IP.

I see that HTTP replies to portainer show an openresty server possibly related to Kubernetes. Do you know what that is? And, how is it related to your other 3 domains?


I only have access to a VM, and inside of that VM I got the bash of Linux. How can I add the IP to the lms domain in the etc/nginx/sites-available/lms.promecin.com file?

So you mean the IP 127.0.0.1 I got in the lms file should be changed to the IP 104.236.9.157?

No, I mean the IP addresses in your public DNS settings. It looks like you are using Route53. Do you recognize that?


To be honest, I was just given the structure and told to do this in Linux, and that's what I'm trying to do. When I run sudo nginx -t it tells me the syntax is correct, but when I run sudo certbot --nginx that's when I get the error.

When I check that IP, this is what I got here:

Server: DC02.promecin.com
Address: 172.27.35.54

primary name server = dc02.promecin.com
responsible mail addr = hostmaster.promecin.com
serial = 11501
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)

Is that the IP I need to change in the file? All the domains show me the same information.

I think you need to ask that person for more instruction. You have a lot to learn about your system before trying to get a cert.

The authoritative DNS servers for your lms subdomain are using AWS Route53. The IP addresses in Route53 need to be for the public IP for your nginx server.

You cannot reference SSL Certificate file names in nginx that do not exist. It will prevent nginx from starting. And, the format of the file name you used is wrong.

You have not yet explained how portainer and your other domains are related to each other. Portainer is an overall configurator system for containers.

We are not a general purpose help site for setting up servers. We can help you once you have a better understanding of what you are trying to do and have HTTP requests working to your domains.

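A pre-flight script, added here as an example (it is not from the thread, from Certbot, or from nginx), that turns the three failure types certbot reported above (dns, connection, unauthorized) into concrete checks and flags ssl_certificate paths that do not exist on disk before nginx is restarted. It assumes dig and curl are installed and uses https://icanhazip.com (an assumption) to learn the host's public IP.

```shell
#!/bin/sh
# Added example, not from the thread or from Certbot: pre-flight checks for the
# three failure types certbot reported (dns, connection, unauthorized) and for
# ssl_certificate paths that do not exist. Assumes dig and curl are installed.

# Map a certbot "Type:" value to what has to be fixed before retrying.
next_step() {
    case "$1" in
        dns)          echo "no A/AAAA record: add an A record (in Route53 here) pointing at this server's public IP" ;;
        connection)   echo "A record exists but port 80 on that IP is unreachable: confirm the IP is this host and allow 80/tcp in the firewall/security group" ;;
        unauthorized) echo "another web server answered 404 on the challenge path: the A record points at a different host" ;;
        *)            echo "unknown failure type '$1'"; return 1 ;;
    esac
}

# Reduce certbot's "Domain: X ... Type: Y" blocks (stdin) to "X Y" lines.
parse_failures() {
    awk '/^Domain: /{d=$2} /^Type: /{print d, $2}'
}

# Print each ssl_certificate / ssl_certificate_key path (nginx config on stdin)
# that is not a file; nginx refuses to start while any such path is present.
# Certbot's layout is /etc/letsencrypt/live/<name>/fullchain.pem and privkey.pem.
missing_cert_paths() {
    awk '/^[[:space:]]*ssl_certificate(_key)?[[:space:]]/{sub(/;$/, "", $2); print $2}' |
        while read -r p; do [ -f "$p" ] || echo "$p"; done
}

# Live check (needs network): each name must resolve to this host's public IP
# and that IP must answer on port 80, otherwise HTTP-01 validation cannot pass.
preflight() {
    me=$(curl -fsS https://icanhazip.com) || { echo "cannot determine public IP"; return 1; }
    rc=0
    for d in "$@"; do
        a=$(dig +short A "$d" | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n1)
        if [ -z "$a" ]; then
            echo "$d: $(next_step dns)"; rc=1
        elif [ "$a" != "$me" ]; then
            echo "$d: A=$a but this host is $me: $(next_step unauthorized)"; rc=1
        elif ! curl -sS -o /dev/null --max-time 10 "http://$d/" 2>/dev/null; then
            echo "$d: $(next_step connection)"; rc=1
        else
            echo "$d: OK (A=$a, port 80 answers)"
        fi
    done
    return $rc
}
if [ "$#" -gt 0 ]; then preflight "$@"; fi
```

Run it as `sh preflight.sh lms.promecin.com phish.promecin.com` to check the names, and `missing_cert_paths < /etc/nginx/sites-available/phish.promecin.com` to list certificate paths nginx cannot open.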

Is there a way to send you the guide that person sent to me?

To see if you can help me with it?

No, I don't offer that kind of assistance. I am a volunteer here as are most of the other helpers here. I am happy to help people who can manage their server and DNS but you don't have that knowledge yet.

Perhaps some other volunteer will help you.


It might be useful to inform the person who assigned you this task that the current server configuration is not correct (at least as far as being a server publicly reachable from the Internet is concerned). It will probably not be possible to obtain the certificates until the server is correctly configured for public access (for each domain name that must appear in the certificate).

It may be that it was previously used only as an internal network server, or simply that its configuration was incomplete.

If there are some domain names that do not need to appear in the certificate, it would be possible to request it without them.

Sorry for using machine translation; I think I could have written most of the text above without it, but it is so convenient... :frowning: