Hello, I’m new to Let's Encrypt. I was setting up a Jitsi server for local users to access internally, but I seem to have an issue with the TLS/SSL cert. I can’t apply the cert because it says there is an issue with my DNS/domain. I have created an (A) record as well as updated the IP address from our network host. I can access the site by IP as well as hostname. However, I’m prompted with the security issue.
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I ran this command: sudo /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh
It produced this output: Challenge failed for domain jitsi.bauerbuilt.com
http-01 challenge for jitsi.bauerbuilt.com
Cleaning up challenges
Some challenges have failed.
The A RR for jitsi.bauerbuilt.com points to 10.10.15.68, which is a private IP address. Let's Encrypt can't connect to such addresses obviously, so it cannot verify the validity of your hostname.
If you can't put a publicly available IP address in the A record for jitsi.bauerbuilt.com, in theory you can try and use the dns-01 plugin. However, I have no clue how that can be done using those Jitsi scripts.
You have a valid point, Osiris. I’ve updated the public facing addresses within the DNS server and hosting site. This could take some time for the change to register. I’ll post an update in a few hours to see if I have different results.
Good catch @Osiris
If there actually is a configured subdomain named jitsi, an A record would be required.
Additionally in my past experience there was no “friendly” API for DNS on Network Solutions. That is why I moved all my domains (except one) to another DNS provider.
Rip
I just got an update after updating the DNS A record as well as hosting provider (IP removed). Could this issue be caused by the hosting provider A record?
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
So my question is: Do you have a subdomain named jitsi?
If so it should have the same public IP as your root domain.
;; ANSWER SECTION: jitsi.bauerbuilt.com. 7200 IN A 10.10.15.68
Is a PRIVATE IP and is not routable on the internet. Won't work.
I'm not sure I follow the latter part. The WHOIS information of the current IP address for your jitsi hostname says it's hosted on Google Cloud. I'm guessing that's not the same as Network Solutions?
Did you also move your Jitsi to the new hosting provider?
No, it's not. The 404 file not found is not an issue with the private IP address in one of the DNS servers, it's because the Let's Encrypt validation server did actually connect to a server, but didn't find the appropriate file with the token. That's either a misconfiguration on the server (but you're using a simple Jitsi script) or the DNS is pointing to the incorrect public IP address.
By the way, when I surf to your jitsi hostname, I'm getting a Plesk "Web Server's Default Page". Are you sure your Jitsi environment is compatible with Plesk?
That’s a good question. I don’t know if it's compatible. I can ping the IP/hostname internally. However, I’ll probably have to do some digging to see if it is compatible. We don’t use Plesk for anything within our company.
I changed the IP address from our host to the public facing IP and it redirected to the Plesk site. I see this could be headed toward a rabbit hole. I believe the issue could be with the public facing IP address. It's managed with a different SSL cert.
It's also a Let's Encrypt certificate. How is it generated? You might be able to add the jitsi subdomain to it and copy the certificate and private key securely to your Jitsi instance. However, that process would need to be repeated every 60 days (the recommended interval for certificate renewal) and could be a little bit tricky (but not impossible) to automate.
A better option (in my opinion) would be to modify your main site's web server configuration to add a reverse proxy for your jitsi subdomain to your specific internal host on which your Jitsi software actually runs. That way your Jitsi instance will be publicly available, including for Let's Encrypt. You might want to restrict public access to only the /.well-known/acme-challenge/ path if you only require Let's Encrypt for public access.
This could be the best option. I could go through the setup process and make sure everything is configured correctly the first time. The upside is it doesn’t take long to setup the server with Jitsi.
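A reverse-proxy rule of the kind suggested in the reply above, written out as an added example (not the thread's configuration and not anything shipped with Jitsi or Plesk). It assumes the public web server is nginx, that the Jitsi host is reachable internally at 10.10.15.68 (the address from the dig output earlier in the thread), and that the Jitsi host answers the http-01 challenge over plain HTTP on port 80; under Plesk the same directives would typically go into the domain's additional nginx directives rather than a hand-written server block.

```nginx
# Added example, not from the thread or from Jitsi. Assumptions: the public
# server is nginx, the internal Jitsi host is 10.10.15.68 (from the dig output
# in the thread) and it serves the http-01 token on port 80.
server {
    listen 80;
    listen [::]:80;
    server_name jitsi.bauerbuilt.com;

    # Only the ACME http-01 path is forwarded to the internal Jitsi host,
    # so Let's Encrypt can validate without exposing the rest of Jitsi.
    # ^~ makes this prefix win over any regex locations the panel adds.
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://10.10.15.68;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_connect_timeout 5s;
    }

    # Everything else on this hostname stays closed to the internet.
    location / {
        return 404;
    }
}
```

Because the certificate is issued and renewed from the Jitsi host, this rule has to stay in place permanently, not just for the first issuance; removing it after the first success turns the next renewal into the same "challenge failed" error.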