Letsencrypt is pointing to http instead of https


#1

16-06-2016 14:20:54.323: [LE /lib/core.js] retrieve from domainKeyPath NOT IMPLEMENTED (please file an issue to remind me about this)
16-06-2016 14:20:56.060: [DEBUG le/lib/core.js] registeryAsync err
16-06-2016 14:20:56.060: Error: The CA was unable to validate the file you provisioned.

Could not connect to http://cloudservices-hidglobal.com/.well-known/acme-challenge/_s5T5wD--ouUZUnFKURqAFzK0B1c7SsoTdciHyCkOfQ


#2

… which makes sense, because if you don’t have a certificate yet or the one you had has expired, it wouldn’t be possible to connect.


#3

How do I check whether the certificate is there or not?


#4

You can get a certificate by connecting to http for verification.

I don’t get a response from your server though …

$ curl -I cloudservices-hidglobal.com
curl: (52) Empty reply from server

#5

Would you recommend a document to refer to and follow?


#6

It is not, as it could not validate your domain.

You should probably look at getting the server to provide valid responses first. At the moment no page loads on your site, so getting LE to work is going to be difficult. Once you can load a page you should be fine.

Try putting a test text file in the .well-known/acme-challenge/ folder and seeing if you can load that. Once you can, you should be able to get the script to work.


#7

I am deploying it on an AWS EC2 instance, and http, port 8080, is not allowed.


#8

Here is my code:

var fs = require("fs");
var createServer = require("auto-sni");

var tls = {
  key: fs.readFileSync('./…/…/Dev-SSL/testkey.pem'),
  cert: fs.readFileSync('./…/…/Dev-SSL/testcert.pem')
};

var secureServer = createServer({
  email: "mgorai@hidglobal.com", // Emailed when certificates expire.
  agreeTos: true, // Required for letsencrypt.
  debug: true, // Add console messages and uses staging LetsEncrypt server. (Disable in production)
  domains: ["cloudservices-hidglobal.com", ["cloudservices-hidglobal.com"]], // List of accepted domain names. (You can use nested arrays to register bundles with LE).
  forceSSL: true, // Make this false to disable auto http->https redirects (default true).
  ports: {
    http: 8080,
    https: 3000 // Optionally override the default https port.
  }
});

var manifest = {
  //$meta: 'This file defines the SIS Helpdesk PoC web server.',
  server: {
    connections: {
      router: {
        isCaseSensitive: false,
        stripTrailingSlash: true
      }
    }
  },
  connections: [
    {
      tls: true,
      autoListen: false,
      listener: secureServer
    }
  ]
};


#9

If this is the case, then you will probably need to create the certs manually:

http://letsencrypt.readthedocs.io/en/latest/using.html#manual

Using Webroot or standalone would require port 80 or 443 to be accessible…

:smiley:


#10

Or use the DNS-01 challenge (supported by a number of the alternative clients).


#11

When I try manually I get the following error, which is reasonable because the EC2 instance is accessible through https only. What do I need to do?

  • The following errors were reported by the server:

    Domain: cloudservices-hidglobal.com
    Type: connection
    Detail: Could not connect to
    http://cloudservices-hidglobal.com/.well-known/acme-challenge/jHfDBn-9Mt7_xzdWxk1mOzKN7OkHr8A6IrSdUvR-snY

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.


#12

Not sure why you mention port 8080 (could be a typo), but unless you are explicitly restricted in terms of access and can't use the management console, you can make any port available on your EC2 instance by configuring Security Groups.

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html


#13

If you can’t/won’t allow traffic on port 80, you will not be able to use the HTTP-01 challenge type. You would need to use a different challenge type, such as TLS-SNI-01, which works on port 443, or DNS-01, which works using DNS TXT records. Based on this, it looks like your client does not support any challenge types other than HTTP-01, so if you want to keep port 80 closed, you’ll need to use one of the other clients.

