LetsEncrypt Cannot Obtain Certificate


#1

My domain is:
Duckdns.org

I ran this command:
Unraid docker

It produced this output:
Failed authorization procedure. myserver.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://myserver.duckdns.org/.well-known/acme-challenge/BPoI7fI9FIgfwZoIV_JSMFBjr1a8u1K5ATulxHV3gXQ: “<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=“white”>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>”

My web server is (include version):
Not sure

The operating system my web server runs on is (include version):
Linux

My hosting provider, if applicable, is:
duckdns/Dreamhost

I can login to a root shell on my machine (yes or no, or I don’t know):
I believe so

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Unraid docker

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
unsure


#2

It is nearly impossible to provide accurate technical guidance without the real domain name.

So here is my best guess at what I perceive your actual problem might be…

A. The renew command is using --webroot incorrectly.
B. The server uses Apache and has a conflicting/overlapping “domain” that confuses the ACME client on where you actually want the cert installed/validated.
C. The (modified) configuration has mishandled the /.well-known/acme-challenge/ requests - due to conflicting rewrite statements.

Best of luck to you.




#4

The real domain name is qrtsy.com
I clicked on letsencrypt and tried certbot cert only and was given a list of things to attempt to connect to, however none of them were duck dns (or maybe I put in my domain name in one of the listed items)?


#5

http://qrtsy.com/
http://www.qrtsy.com/
Both fail with:
HTTP request sent, awaiting response… 500 Internal Server Error
2019-01-23 05:16:10 ERROR 500: Internal Server Error.

Review your web server config files for any errors.
[I would focus on recent changes - assuming this worked previously]


#6

Am I missing something on the domain then? I don’t have a website there, just the domain name. I created CNAMEs for my other domain legendsoflink.com but got the same result.


#7

Hi @Tebasaki

are you the domain owner? There ( https://check-your-website.server-daten.de/?q=legendsoflink.com )

Host T IP-Address is auth. ∑ Queries ∑ Timeout
legendsoflink.com A 208.113.187.211 yes 1 0
AAAA yes
www.legendsoflink.com A 208.113.187.211 yes 1 0
AAAA yes

is no CNAME definition.

Same with your other domain ( https://check-your-website.server-daten.de/?q=qrtsy.com ):

Host T IP-Address is auth. ∑ Queries ∑ Timeout
qrtsy.com A 208.113.184.33 yes 1 0
AAAA yes
www.qrtsy.com A 208.113.184.33 yes 1 0
AAAA yes

#8

Now seen:

Html-Content - Entries (BETA)

Domainname Html-Element name/equiv/ property/rel href/src/content mixed Content
https://legendsoflink.com/
208.113.187.211 a http://wiki.dreamhost.com/Site_not_found 1 no
a http://www.dreamhost.com/ 1 no
a https://panel.dreamhost.com/index.cgi?tree=support.msg 1 no
link stylesheet https://securendn.a.ssl.fastly.net/newpanel/css/singlepage.css 1 no
meta cache-control no-cache 1 no
meta description The owner of this domain has not yet uploaded their website. 1 no

Looks like you have the domain, but Dreamhost shows a “not ready” information page.

So where did you define the CNAME?


#9

I am the domain owner. My CNAME was defined in my DNS settings. I wonder if I have to manually refresh the DNS?


#10

These are CNAME entries for the domain names nextcloud.legendsoflink.com etc, not for the domain name.

nextcloud … there I see the CNAME ( https://check-your-website.server-daten.de/?q=nextcloud.legendsoflink.com ):

Host T IP-Address is auth. ∑ Queries ∑ Timeout
nextcloud.legendsoflink.com C healeyservernextcloud.duckdns.org yes 1 0
A 173.21.246.180 yes
www.nextcloud.legendsoflink.com Name Error yes 1 0

And the main configuration is ok.

Domainname Http-Status redirect Sec. G
http://nextcloud.legendsoflink.com/
173.21.246.180 302 http://nextcloud.legendsoflink.com/Main 0.280 D
http://nextcloud.legendsoflink.com/Main 200 0.580 H
https://nextcloud.legendsoflink.com/
173.21.246.180 -2 1.404 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 173.21.246.180:443
http://nextcloud.legendsoflink.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
173.21.246.180 404 0.280 A
Not Found

The http status 404 checking /.well-known/acme-challenge is good.

If you would use Certbot, then you may use the webroot - option.

But I don’t know what Unraid docker is doing.

PS: If you start a client at nextcloud.legendsoflink.com, normally this client doesn’t create a certificate with the duckdns.org - domain name.


#11

So you’re telling me that my domain settings on my website are OK, and that I just need to tell letsencrypt to grab a cert?

I clicked on letsencrypt and went to console, then typed certbot certonly and it gave me a list, but I don’t see duck dns on it.


#12

This is the list of your certbot plugins. Not the list of your domains.

Please read

If you want to create a certificate with a domain name, use the -d option. But certbot needs an authenticator you have to select.


#13

It looks like my command will be certbot certonly --webroot -w "/var/www/example" -d server.legendsoflink.com -d nextcloud.legendsoflink.com -d sonarr.legendsoflink.com

but I can’t seem to find the webroot path on my letsencrypt.


#14

It’s not the webroot path of your letsencrypt.

It’s the webroot path of your vHost.

So check your vHost files. Apache - DocumentRoot.

<VirtualHost *:80>
    DocumentRoot "/www/example1"
    ServerName www.example.com

    # Other directives here
</VirtualHost>

DocumentRoot = webroot.


#15

Please note that you are trying to obtain a cert with three names on it.
If those three names are being served from different DocumentRoots you will have to “explain” to certbot where each name is being served from (i.e. multiple webroots).


#16

I understand that, with the multiple --webroot -w command I’ll need for each cert, but I don’t even know how to check my vhost files.

  1. Click on letsencrypt.
  2. Select console.
  3. Type Apache -DocumentRoot (doesn’t work)
  4. type -DocumentRoot (doesn’t work)

I’ve used Linux maybe 3 times in my life. It’s like explaining to a line chef how to fix a space shuttle; it’s possible, but you have to take baby steps.


#17

Let’s go for 4!

At a # prompt type (you can copy+paste):
grep -Eri 'root|servername|serveralias|virtualh|listen' /etc/apache2

If the prompt does not end in #, then try (as root user) same command but prepend with sudo:
sudo grep -Eri 'root|servername|serveralias|virtualh|listen' /etc/apache2


#18

My terminal from LetsEncrypt ends in $, for my unraid it ends in #. Inputting both commands in both terminals gets me

grep: /etc/apache2: No such file or directory
sh: sudo: not found

So I don’t have Apache installed?


#19

I’m not skilled enough in docker to be sure how to proceed there…

But it should have a web service.
Try:
which apache2
which nginx

[two of the more popular ones]


#20

gets me
/usr/sbin/nginx

so i got that going for me!
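Posts #14 and #15 explain that the -w path is the vhost's webroot and that a multi-name cert may need one per name; the grep in #17 found those for Apache, but #20 shows the container runs nginx. The script below is an added example (not code from the thread, certbot or nginx): it walks an nginx config and prints the webroot behind each server_name, including a dedicated root for /.well-known/acme-challenge/ when a location block defines one. The config it parses is a constructed sample, not the poster's real one.

```shell
#!/bin/sh
# Added example, not code from the thread, certbot or nginx: list the webroot
# behind each nginx server_name (nginx counterpart of the Apache grep in #17),
# so each -d name in a multi-name "certbot --webroot" run gets the -w path that
# really serves /.well-known/acme-challenge/ for that name.
# Prints "server_name<TAB>root<TAB>acme_root" per server block, acme_root being
# the root of a location block for acme-challenge if present, else "-".
# Assumes one directive per line, "{" ending the line that opens a block and
# "}" closing a block on its own line.
nginx_vhost_roots() {
    awk '
        function val(line) {   # "directive value;" -> "value"
            sub(/^[ \t]*[a-z_]+[ \t]+/, "", line); sub(/[ \t]*;.*$/, "", line); return line }
        /^[ \t]*#/ || NF == 0 { next }                # comments and blank lines
        /^[ \t]*server[ \t]*[{]/ { sdepth = depth + 1; name = "-"; root = "-"; acme = "-" }
        /^[ \t]*location[ \t].*acme-challenge/ { ldepth = depth + 1 }
        sdepth && depth == sdepth && /^[ \t]*server_name[ \t]/ { name = val($0) }
        sdepth && depth == sdepth && /^[ \t]*root[ \t]/ { root = val($0) }
        ldepth && depth == ldepth && /^[ \t]*root[ \t]/ { acme = val($0) }
        {                                             # track block nesting
            depth += split($0, o, "{") - 1
            depth -= split($0, c, "}") - 1
            if (ldepth && depth < ldepth) ldepth = 0
            if (sdepth && depth < sdepth) { print name "\t" root "\t" acme; sdepth = 0 }
        }
    ' "$1"
}
# Constructed sample (not the poster's config): two of the thread's names, different webroots.
write_sample_config() {
    cat > "$1" <<'EOF'
server {
    server_name nextcloud.legendsoflink.com;
    root /var/www/nextcloud;
    location / {
        try_files $uri $uri/ =404;
    }
}
server {
    server_name sonarr.legendsoflink.com;
    root /var/www/sonarr;
    location /.well-known/acme-challenge/ {
        root /var/www/acme;
    }
}
EOF
}
cfg=$(mktemp); write_sample_config "$cfg"
nginx_vhost_roots "$cfg"    # one line per vhost: name, root, acme-challenge root or "-"
rm -f "$cfg"
```

Run it against the real file (for example /etc/nginx/nginx.conf or the files under /etc/nginx/conf.d) and use the acme root, where it is not "-", as the -w value for that name.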