Newbie Question

Hello, I’m new to Let’s Encrypt. I was setting up a Jitsi server for local users to access internally, but I seem to have an issue with the TLS/SSL cert. I can’t apply the cert because it says there is an issue with my DNS/domain. I have created an (A) record as well as updated the IP address from our network host. I can access the site by IP as well as hostname. However, I’m prompted with the security issue.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bauerbuilt.com

I ran this command: sudo /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

It produced this output: Challenge failed for domain jitsi.bauerbuilt.com
http-01 challenge for jitsi.bauerbuilt.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version): apache

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: Network Solutions

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Hello @cj.davis

bauerbuilt.com has a public IP but your subdomain, jitsi.bauerbuilt.com, does not answer.

Log in to Network Solutions and add an A record pointing to the same public IP.
Try another request for a new cert.

Come back and give us the results.

Hope this helps!
Rip

Let me try and I’ll post back on the results. I currently have an A record created unless the issue is with the public facing IP address.

The A RR for jitsi.bauerbuilt.com points to 10.10.15.68, which is a private IP address. Let's Encrypt can't connect to such addresses obviously, so it cannot verify the validity of your hostname.

If you can't put a publically available IP address in the A record for jitsi.bauerbuilt.com, in theory you can try and use the dns-01 plugin. However, I have no clue how that can be done using those jitsi scripts.

1 Like
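The point Osiris makes (a 10.x address in the A record can never be reached by the Let's Encrypt validation servers) can be checked before running the install script. The following is an added example written for this thread, not code from Jitsi's scripts or from certbot; it uses only the Python standard library. The hostname `jitsi.bauerbuilt.com` and the addresses `10.10.15.68` / `104.196.144.76` are taken from the thread. `resolve()` does a live lookup through the local resolver, so on a split-horizon network it may return the internal address even when the public zone is already correct; the public view should then be checked from outside as well.

```python
#!/usr/bin/env python3
"""Pre-flight check for http-01: are the A/AAAA records for a hostname
publicly routable?  Added example; not part of the Jitsi scripts."""
import ipaddress
import socket
import sys


def classify_address(ip_text):
    """Return a short label for an IP address literal.

    Anything other than "global" is unreachable from the ACME validation
    servers, so a certificate request for that name fails with
    "Challenge failed for domain ...".
    """
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_multicast:
        return "multicast"
    if ip.is_private:          # RFC 1918 (10/8, 172.16/12, 192.168/16), IPv6 ULA, ...
        return "private"
    if not ip.is_global:       # e.g. shared address space 100.64.0.0/10
        return "reserved/non-global"
    return "global"


def audit_addresses(hostname, addresses):
    """Return a list of findings for the resolved addresses of hostname.

    An empty list means every address is globally routable.  That does not
    yet prove the right host answers there; it only rules out this failure.
    """
    findings = []
    if not addresses:
        findings.append(f"{hostname}: no A/AAAA records found")
    for addr in addresses:
        kind = classify_address(addr)
        if kind != "global":
            findings.append(
                f"{hostname} -> {addr} is a {kind} address; "
                "the Let's Encrypt validation server cannot connect to it"
            )
    return findings


def resolve(hostname):
    """Live lookup through the local resolver (network access required)."""
    try:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    # Each entry is (family, type, proto, canonname, sockaddr); sockaddr[0]
    # is the address text.  Strip an IPv6 scope id such as "%eth0" if present.
    return sorted({info[4][0].split("%")[0] for info in infos})


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "jitsi.bauerbuilt.com"
    problems = audit_addresses(name, resolve(name))
    for line in problems:
        print("FAIL:", line)
    if not problems:
        print(f"OK: every address for {name} is globally routable")
    sys.exit(1 if problems else 0)
```

Run it with the hostname as the only argument; a non-zero exit status means at least one record points somewhere the validation server cannot go, which is exactly the situation the `dig` output later in this thread shows.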

You have a valid point Osiris. I’ve updated the public facing addresses within the DNS server and hosting site. This could take some time for the change to register. I’ll post an update in a few hours to see if I have different results.

Good catch @Osiris
If there actually is a configured subdomain named jitsi, an A record would be required.
Additionally in my past experience there was no “friendly” API for DNS on Network Solutions. That is why I moved all my domains (except one) to another DNS provider.
Rip

So basically Network Solutions could be the root cause? Unfortunately I can’t change the provider without approval of the higher ups.

I just got an update after updating the DNS A record as well as hosting provider (IP removed). Could this issue be caused by the hosting provider A record?

Domain: jitsi.bauerbuilt.com
Type: unauthorized
Detail: Invalid response from
http://jitsi.bauerbuilt.com/.well-known/acme-challenge/yFiPvVgfb483yzU9ywhF3XzrQggIR7QwaDEmqZwSjAE
[public IP]: “\n\n404 Not Found\n\n\nNot Found\n\n\n<p”

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

So my question is: Do you have a subdomain named jitsi?
If so it should have the same public IP as your root domain.

;; ANSWER SECTION:
jitsi.bauerbuilt.com. 7200 IN A 10.10.15.68

That is a PRIVATE IP and is not routable on the internet. Won’t work.

Rip

@Rip The IP address is now 104.196.144.76.

I'm not sure I follow the latter part. The WHOIS information of the current IP address for your jitsi hostname says it's hosted on Google Cloud. I'm guessing that's not the same as Network Solutions?

Did you also move your Jitsi to the new hosting provider?

Hasn’t propagated to the west coast yet.
EDIT: Now it has.

I actually updated the IP address to a public facing IP. Unless Network Solutions is hosted through Google Cloud.

"a" public facing IP or "the" public facing IP? The IP address in the A record should be the same as the host you're running Jitsi on of course.

It seems ns28.worldnic.com isn't updated yet, only ns27.worldnic.com.

I guess it’s the waiting game. It’s 2020, shouldn’t everything be instant (enter sarcasm)?

No, it's not. The 404 file not found is not an issue with the private IP address in one of the DNS servers, it's because the Let's Encrypt validation server did actually connect to a server, but didn't find the appropriate file with the token. That's either a misconfiguration on the server (but you're using a simple Jitsi script) or the DNS is pointing to the incorrect public IP address.

By the way, when I surf to your jitsi hostname, I'm getting a Plesk "Web Server's Default Page". Are you sure your Jitsi environment is compatible with Plesk?
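The distinction Osiris draws here, between "nothing answers at that address" (the first failure, with the private A record) and "a server answers but it is the wrong one" (the 404 from the Plesk default page), can be reproduced by making the same request the validation server makes and reading the result. The following is an added example written for this thread, not part of certbot or the Jitsi install script; it uses only the Python standard library. `fetch_challenge()` performs a live HTTP request when run against a real name; the 404 body used in the usage note is constructed from the error text quoted above.

```python
#!/usr/bin/env python3
"""Triage an http-01 validation failure: is nothing reachable at the name,
or does the wrong server answer?  Added example; not certbot's own code."""
import sys
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def fetch_challenge(hostname, token, timeout=10):
    """GET the challenge URL the way the validation server does.

    Returns (status, body); status is None when no HTTP answer arrived at
    all (DNS failure, connection refused, timeout).  Redirects are followed,
    as Let's Encrypt also follows them.
    """
    url = f"http://{hostname}{ACME_PATH}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:       # server answered with 4xx/5xx
        return err.code, err.read(4096).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):    # no server answered
        return None, ""


def diagnose_http01(status, body, expected):
    """Map an HTTP result to a cause the operator can act on.

    `expected` is the key authorization the ACME client wrote into the file
    (token + "." + account key thumbprint).  For a manual self-test, write
    any string into the file yourself and pass that string here.
    Returns (short code, explanation).
    """
    if status is None:
        return ("unreachable",
                "no server answered: the A/AAAA record points at a private or "
                "firewalled address, or at the wrong public IP")
    if status == 404:
        return ("wrong-host",
                "a web server answered but does not serve the directory where "
                "the token was written: DNS points at another host (for example "
                "a shared hosting default page) or the client used the wrong webroot")
    if status >= 500:
        return ("server-error", f"the web server answered HTTP {status}")
    if status >= 400:
        return ("client-error",
                f"the web server answered HTTP {status}; check access control "
                "or rewrite rules on the acme-challenge path")
    if body.strip() == expected:
        return ("ok", "the token is served correctly")
    return ("wrong-content",
            "a 2xx answer arrived with different content: another vhost, or a "
            "redirect that ends on a page other than the challenge file")


if __name__ == "__main__":
    # Usage: http01_triage.py HOSTNAME TOKEN EXPECTED_BODY
    if len(sys.argv) != 4:
        sys.exit("usage: http01_triage.py HOSTNAME TOKEN EXPECTED_BODY")
    host, token, expected = sys.argv[1:4]
    status, body = fetch_challenge(host, token)
    code, why = diagnose_http01(status, body, expected)
    print(f"{code}: {why}")
    sys.exit(0 if code == "ok" else 1)
```

Fed the response from this thread, `diagnose_http01(404, "404 Not Found ...", expected)` returns `wrong-host`, which matches the diagnosis above: the public IP is answering, but it is a different web server than the one the Jitsi script placed the token on. A `None` status, by contrast, is what the earlier private-address configuration produces.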

That’s a good question. I don’t know if it’s compatible. I can ping the IP/hostname internally. However, I’ll probably have to do some digging to see if it is compatible. We don’t use Plesk for anything within our company.

I changed the IP address from our host to the public facing IP and it redirected to the Plesk site. I see this could be headed toward a rabbit hole. I believe the issue could be with the public facing IP address. It’s managed with a different SSL cert.

It's also a Let's Encrypt certificate. How is it generated? You might be able to add the jitsi subdomain to it and copy the certificate and private key securely to your Jitsi instance. However, that process would need to be repeated every 60 days (the recommended interval for certificate renewal) and could be a little bit tricky (but not impossible) to automate.

A better option (in my opinion) would be to modify your main site's web server configuration to add a reverse proxy for your jitsi subdomain to your specific internal host on which your jitsi software actually runs. That way your Jitsi instance will be publicly available, including for Let's Encrypt. You might want to restrict public access to only the /.well-known/acme-challenge/ path if you only require Let's Encrypt for public access.

1 Like

This could be the best option. I could go through the setup process and make sure everything is configured correctly the first time. The upside is it doesn’t take long to set up the server with Jitsi.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.