Namecheap with ddns mirror failing

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: puddle.zone and mirror puddlezone.ddns.net

I ran this command: sudo certbot certonly

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)

Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): puddle.zone puddlezone.ddns.net

---

You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/puddle.zone.conf)

It contains these names: puddle.zone

You requested these names for the new certificate: puddle.zone,
puddlezone.ddns.net.

Do you want to expand and replace this existing certificate with the new
certificate?

(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for puddle.zone
http-01 challenge for puddlezone.ddns.net

Select the webroot for puddle.zone:

1: Enter a new webroot

Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Input the webroot for puddle.zone: (Enter 'c' to cancel): /var/www/

Select the webroot for puddlezone.ddns.net:

1: Enter a new webroot
2: /var/www

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Waiting for verification...
Cleaning up challenges
Unable to clean up challenge directory /var/www/.well-known/acme-challenge
Failed authorization procedure. puddlezone.ddns.net (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://www.puddle.zone/.well-known/acme-challenge/EzBc-MAIMNg9kY0qY4i9OG50byWgZ8kR3DU3hmNePzQ: Error getting validation data

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: puddlezone.ddns.net
  Type: connection
  Detail: Fetching
  https://www.puddle.zone/.well-known/acme-challenge/EzBc-MAIMNg9kY0qY4i9OG50byWgZ8kR3DU3hmNePzQ:
  Error getting validation data

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address. Additionally, please check that
  your computer has a publicly routable IP address and that no
  firewalls are preventing the server from communicating with the
  client. If you're using the webroot plugin, you should also verify
  that you are serving files from the webroot path you provided.

My web server is (include version): Apache 2.4.27 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu Server 17.10 (Artful)

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

I've had puddle.zone set up with a cert, but due to timeout issues (likely associated with namecheap) I created a mirror dns record as puddlezone.ddns.net. Both addresses point to the same IP, and work, but the ddns one give an invalid cert (because only one domain has a cert at this time). Port 80 is blocked both by our firewall and by apache's firewall (it's supposed to be configured to force everything to https). I'm not using the apache validation method because it seems that's not compatable with ddns. For that, when I ran the command but chose apache instead of webroot, I got the following error

Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for puddle.zone
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

Hi,

This is because you have two IPs in puddle.zone. (One is a Comcast IP, likely Comcast Xfinity. The other one is Namecheap Server)

If your port 80 is blocked, then you'll need to use DNS validation (since certbot has disabled TLS-SNI-01 for good). Now they only have http-01 (which connect to port 80 and allow redirection ) or dns-01 (validate using DNS txt records)

I don't really get it why it's redirecting to your www.puddle.zone.

This is because tls-sni is disabled. So you can't get a cert using this method.

TL.Dr
1.You'll need to remove the Namecheap IP from your puddle.zone to avoid errors. (Like connection timeout)
2.since port 80 is blocked, you can only use DNS validation.
3. Your ddns domain is redirecting to www.puddle.zone which you haven't setup yet, I personally suggest you to set the www version up. (Just avoid things like this)

Also if you remove the Namecheap IP from your zone domain, the timeout issue shouldn't appear.

Thank you

Might be a bit of a delay while I poke at this. the namecheap stuff was set up by my roomate, so I don’t have direct access nor am I familiar with the interface. That may also address the www.puddle.zone issue as well, and if the connection timeout is itself fixed, then I really have no need for the ddns option at all

Seems that was the core problem. The Namecheap IP was set up to force http requests to https, and when I removed that entry, everything worked on https. I did have to add port forwarding on my firewall to send port 80 to the server, but I had already configured the server to force everything to https, so people that have checked for me reported it seems to be working. That said, I won't worry about ddns at all, so I'm calling this solved. Thanks a bunch!

Glad it worked!

Thank you

I went ahead and did the port forwarding for 80, and had some new people visit it to test. The only thing that’s not working is the www, but i’ll poke that one later when I’m ready

Yeah…

(Actually adding that is relatively easy)

Just go to Namecheap to add wee and point to the same domain

Go to your server, on server names(in vHost) add the www version.

Using certbot to expand the certificate with the www version.

P.S. you might want to use a update dns record script and set it to execute one per 3/4 days. (Since Comcast IP usually aren’t static and subject to change without notice)

Thank you

We do have an update script running that monitors for changed ip’s, but ours seems relatively stable at least. The rest of it I’ll probably explore a little later down the road. I have to rebuild the entire server in a couple months anyway since I didn’t grab an LTS version of Ubuntu when I built is (clicked the wrong thing)

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.