Newbie Question

cj.davis · July 23, 2020, 1:58pm

Hello I’m now to LetsEncrypt. I was settign up a Jitsi server for local users to access internally, but I seem to have a issue with the TLS/SSL cert. I can’t apply the cert because its says there is anissue with my DNS/domain. I have created an (A) record as well as updated the IP address from out network host. I can access the site by IP as well as hostname. However I’m promoted with teh security issue.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bauerbuilt.com

I ran this command: sudo /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

It produced this output: Challenge failed for domain jitsi.bauerbuilt.com
http-01 challenge for jitsi.bauerbuilt.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: jitsi.bauerbuilt.com
Type: dns
Detail: No valid IP addresses found for jitsi.bauerbuilt.com

My web server is (include version): apache

The operating system my web server runs on is (include version): Ubuntu 18…04

My hosting provider, if applicable, is: Netwrok Solutions

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Rip · July 23, 2020, 2:27pm

Hello @cj.davis

bauerbuilt.com has a public IP but your subdomain, jitsi.bauerbuilt.com, does not answer.

Log in to Network solutions and add an A record pointing to the same public IP.
Try another request for a new cert.

Come back and give us the results.

Hope this helps!
Rip

cj.davis · July 23, 2020, 2:37pm

Let em try and I’ll post back on the results. I currently have an A record created unless the issue is with the public facing IP address.

Osiris · July 23, 2020, 2:43pm

The A RR for jitsi.bauerbuilt.com points to 10.10.15.68, which is a private IP address. Let's Encrypt can't connect to such addresses obviously, so it cannot verify the validity of your hostname.

If you can't put a publically available IP address in the A record for jitsi.bauerbuilt.com, in theory you can try and use the dns-01 plugin. However, I have no clue how that can be done using those jitsi scripts.

cj.davis · July 23, 2020, 2:53pm

You have a valid point Osiris. I’ve updated the public facing addresses within the DNS server and hosting site. This could take some time to for the change to register. I’ll post an update in a few hours to see if I have different results.

Rip · July 23, 2020, 2:56pm

Good catch @Osiris
if there actually is a configured subdomain named jitsy an A record would be required.
Additionally in my past experience there was no “friendly” API for DNS on Network Solutions. That is why I moved all my domains (except one) to another DNS provider.
Rip

cj.davis · July 23, 2020, 3:00pm

So basically Network Solutions could be the root cause? Unfortunately I can’t change the provider without approval of the higher ups.

cj.davis · July 23, 2020, 3:06pm

I just got an update after updating the DNS A record as well as hosting provider (IP removed). Could this issue be caused by the hosting provider A record?

Domain: jitsi.bauerbuilt.com
Type: unauthorized
Detail: Invalid response from
http://jitsi.bauerbuilt.com/.well-known/acme-challenge/yFiPvVgfb483yzU9ywhF3XzrQggIR7QwaDEmqZwSjAE
[public IP]: “\n\n404 Not
Found\n\n

Not Found

\n<p”

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

Rip · July 23, 2020, 3:09pm

So my question is: Do you have a subdomain named jitsi?
If so it should have the same public IP as your root domain.
;; ANSWER SECTION:
jitsi.bauerbuilt.com. 7200 IN A 10.10.15.68
Is a PRIVATE IP and is not routable on the internet. Wont work.

Rip

Osiris · July 23, 2020, 3:12pm

@Rip The IP address is now 104.196.144.76.

I'm not sure I follow the latter part. The WHOIS information of the current IP address for your jitsi hostname says it's hosted on Google Cloud. I'm guessing that's not the same as Network Solutions?

Did you also move your Jitsi to the new hosting provider?

Rip · July 23, 2020, 3:14pm

hasn’t propagated to the west coast yet.
EDIT: Now it has.

cj.davis · July 23, 2020, 3:14pm

I actually updated the IP address to a public facing IP. Unless Network Solutions is hosted through Google Cloud.

Osiris · July 23, 2020, 3:22pm

"a" public facing IP or "the" public facing IP? The IP address in the A record should be the same as the host you're running Jitsi on of course.

It seems ns28.worldnic.com isn't updated yet, only ns27.worldnic.com.

cj.davis · July 23, 2020, 3:25pm

I guess its the waiting game. Its 2020 shouldn’t everything be instant (enter sarcasm)?

Osiris · July 23, 2020, 3:27pm

No, it's not. The 404 file not found is not an issue with the private IP address in one of the DNS servers, it's because the Let's Encrypt validation server did actually connect to a server, but didn't find the appropriate file with the token. That's either a misconfiguration on the server (but you're using a simple Jitsi script) or the DNS is pointing to the incorrect public IP address.

By the way, when I surf to your jitsi hostname, I'm getting a Plesk "Web Server's Default Page". Are you sure your Jitsi environment is compatible with Plesk?

cj.davis · July 23, 2020, 4:12pm

That’s a good question. I don’t know if its compatible. I can ping the IP/hostname internally. However, I’ll probably have to do some digging to see if it is compatible. We don’t use Plesk for anything within our company.

cj.davis · July 23, 2020, 4:16pm

I changed the IP address from our host to the public facing IP and it redirected to the Plesk site. I see this could be headed toward a rabbit hole. I believe the issue could be with the public facing IP address. its managed with a different SSL cert.

Osiris · July 23, 2020, 4:36pm

It's also a Let's Encrypt certificate. How is it generated? You might be able to add the jitsi subdomain to it and copy the certificate and private key securely to your Jitsi instance. However, that process would need to be repeated every 60 days (the recommended interval for certificate renewal) and could be a little bit tricky (but not impossible) to automate.

A better option (in my opinion) would be to modify your main sites webserver configuration to add a reverse proxy for your jitsi subdomain to your specific internal host on which your jitsi software actually runs. That way your Jitsi instance will be publically available, including for Let's Encrypt. You might want to restrict public access to only the /.well-known/acme-challenge/ path if you only require Let's Encrypt for public access.

cj.davis · July 23, 2020, 4:50pm

This could be the best option. I could go through the setup process and make sure everything is configured correctly the first time. The upside is it doesn’t take long to setup the server with Jitsi.

system · August 22, 2020, 4:50pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Challenge failed for domain Help	11	5839	July 15, 2020
404 Error LetsEncrypt Help	7	1302	June 2, 2020
Take the certifikate Help	4	412	August 27, 2023
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details Help	5	841	January 11, 2024
Jitsi container fails to obtain certificate from CA Help	2	29	December 21, 2024

Newbie Question

Not Found

Related topics