Newbie: Keep getting SSL Error: Web-based validation failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: dimplemotors.com

I ran this command: I use Virtualmin for hosting and migrated this domain from another host. The SSL was working fine, and after a few days it stopped, so I tried to get a Let's Encrypt certificate.

It produced this output:
Web-based validation failed

My web server is (include version):

The operating system my web server runs on is (include version): CentOS Linux 7.8.2003

I am a newbie, so please explain as simply as you can. Thanks.
I got the error below:

Request Certificate
In domain dimplemotors.com
Requesting a certificate for dimplemotors.com from Let's Encrypt ..
.. request failed : Web-based validation failed :

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for dimplemotors.com
Using the webroot path /home/dimplemo/public_html for all unmatched domains.
Waiting for verification...
Challenge failed for domain dimplemotors.com
http-01 challenge for dimplemotors.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:

, DNS-based validation failed :

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for dimplemotors.com
Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
Waiting for verification...
Challenge failed for domain dimplemotors.com
dns-01 challenge for dimplemotors.com
Cleaning up challenges
Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
Some challenges have failed.
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: dimplemotors.com
    Type: unauthorized
    Detail: No TXT record found at _acme-challenge.dimplemotors.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.


Please help
Thanks
Regards
ASM


Welcome to the Let's Encrypt Community :slightly_smiling_face:

Sorry for the delay in response to your topic. Not much help around today.

Let's see... :thinking:


Apache answers

assuming certbot from output

301 redirect missing from https://dimplemotors.com to https://www.dimplemotors.com (or vice versa)


tested: http://dimplemotors.com/.well-known/acme-challenge/test

:heavy_check_mark: genuine 404 received from Apache over http with no redirect

Wrong webroot path, perhaps?


Wrong DNS record found via Dig: _acme-challenge.dimplemotors.com. 21599 IN A 5.189.166.189

You don't need an _acme-challenge A record.

You need two TXT records that look like this (TTL irrelevant):

_acme-challenge.dimplemotors.com. 299 IN TXT "nonce token from certbot"

_acme-challenge.www.dimplemotors.com. 299 IN TXT "nonce token from certbot"

The two nonce tokens from certbot will be different and specific to the host (i.e. one for dimplemotors.com and another for www.dimplemotors.com).

If you try to create a first-level subdomain wildcard (*.dimplemotors.com), your TXT record will look like this (TTL irrelevant):

_acme-challenge.dimplemotors.com. 299 IN TXT "nonce token from certbot"

Yes, it is the same host as the TXT record for dimplemotors.com, just with a different nonce token from certbot.

This problem means that /etc/webmin/webmin/letsencrypt-dns.pl has incorrect instructions.

This problem also means that /etc/webmin/webmin/letsencrypt-cleanup.pl probably has incorrect instructions.


You do NOT need to use both http-01 and dns-01 challenges. One or the other will do nicely.


Complete Certificate History


Looks like you were using cPanel SSL/TLS certificate manager.


Please make a detailed list of all of the subdomains you want to certify so that we can help you make sure they all get included.

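The mechanics behind the reply above, as an added example (not code from this thread, certbot or Virtualmin): what certbot writes into the webroot for http-01, what it asks you to publish in TXT for dns-01, and a local fetch that reproduces the genuine 404 the reply tested for and then the passing case. Assumptions: a temporary directory stands in for /home/dimplemo/public_html, Python's built-in HTTP server stands in for Apache, the public RFC 7638 example RSA key stands in for the Let's Encrypt account key, and the default token is the one from the 404 error quoted later in the thread.

```python
"""What the CA looks for in http-01 and dns-01, checked locally.

Added example, not code from this thread, certbot or Virtualmin. Assumptions:
a temporary directory stands in for /home/dimplemo/public_html, Python's
built-in HTTP server stands in for Apache, and the RFC 7638 example RSA key
stands in for the Let's Encrypt account key.
"""
import base64
import functools
import hashlib
import http.server
import json
import os
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"

# Public test vector from RFC 7638 section 3.1 (an RSA public key, no private part).
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: sha256 of the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Exact body certbot writes to <webroot>/.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """Value of the _acme-challenge TXT record: base64url(sha256(key authorization))."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode()).digest())


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass


def serve_webroot(webroot: str) -> socketserver.TCPServer:
    """Serve `webroot` on a free localhost port in a background thread."""
    handler = functools.partial(_QuietHandler, directory=webroot)
    httpd = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


def check_http01(base_url: str, token: str, expected: str) -> str:
    """Fetch the challenge URL the way the CA does; classify the outcome."""
    url = f"{base_url}/{CHALLENGE_DIR}/{token}"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # never via a proxy
    try:
        with opener.open(url, timeout=5) as resp:
            body = resp.read().decode("ascii", "replace").strip()
    except urllib.error.HTTPError as e:
        return f"http-{e.code}"  # http-404: file is not under the webroot the server really serves
    except (urllib.error.URLError, OSError):
        return "unreachable"     # A record or firewall problem, not a webroot problem
    return "ok" if body == expected else "wrong-body"


def demo(token: str = "Lij4jI_idIXAlhXEoYKvTXQXxVtLkKRDXPKrqXcxQos") -> dict:
    """Reproduce the thread's 404, then fix it by placing the file; also derive the TXT value."""
    expected = key_authorization(token, SAMPLE_JWK)
    out = {"key_authorization": expected, "txt_value": dns01_txt_value(token, SAMPLE_JWK)}
    with tempfile.TemporaryDirectory() as webroot:
        httpd = serve_webroot(webroot)
        base = f"http://127.0.0.1:{httpd.server_address[1]}"
        out["before"] = check_http01(base, token, expected)      # "http-404"
        os.makedirs(os.path.join(webroot, CHALLENGE_DIR))
        with open(os.path.join(webroot, CHALLENGE_DIR, token), "w") as f:
            f.write(expected)
        out["after"] = check_http01(base, token, expected)       # "ok"
        httpd.shutdown()
        httpd.server_close()
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

On the real host the same fetch is `curl -i http://dimplemotors.com/.well-known/acme-challenge/<token>` after dropping a file there by hand: a 404 with the file present means Apache serves that vhost from a different DocumentRoot than the webroot certbot was given (or an HTTP-to-HTTPS rewrite or `.htaccess` rule is in the way). Note that the TXT value for dns-01 is a hash of the key authorization, so it changes with every new order; the reply's "nonce token from certbot" is that value, never something you pick yourself.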

I put the two TXT records in and tried again but got no SSL.
I tried after half an hour with only dimplemotors.com, NOT www, and got the message below:

Request Certificate
In domain dimplemotors.com
Requesting a certificate for dimplemotors.com from Let's Encrypt ..
.. request failed : Web-based validation failed :

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for dimplemotors.com
Using the webroot path /home/dimplemo/public_html for all unmatched domains.
Waiting for verification...
Challenge failed for domain dimplemotors.com
http-01 challenge for dimplemotors.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:

, DNS-based validation failed :

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for dimplemotors.com
Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
Waiting for verification...
Challenge failed for domain dimplemotors.com
dns-01 challenge for dimplemotors.com
Cleaning up challenges
Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
Some challenges have failed.
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: dimplemotors.com
    Type: unauthorized
    Detail: No TXT record found at _acme-challenge.dimplemotors.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.


THEN I tried again with and without the www. (3rd time today; got a message saying I had tried too many times, as below)...

Request Certificate

Requesting a certificate for dimplemotors.com, www.dimplemotors.com from Let's Encrypt ..
.. request failed : Web-based validation failed :

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for dimplemotors.com
http-01 challenge for www.dimplemotors.com
Using the webroot path /home/dimplemo/public_html for all unmatched domains.
Waiting for verification...
Challenge failed for domain dimplemotors.com
Challenge failed for domain www.dimplemotors.com
http-01 challenge for dimplemotors.com
http-01 challenge for www.dimplemotors.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: dimplemotors.com
    Type: unauthorized
    Detail: Invalid response from http://dimplemotors.com/.well-known/acme-challenge/Lij4jI_idIXAlhXEoYKvTXQXxVtLkKRDXPKrqXcxQos [5.189.166.189]: "\n\n404 Not Found\n\n Not Found \n<p"

    Domain: www.dimplemotors.com
    Type: unauthorized
    Detail: Invalid response from http://www.dimplemotors.com/.well-known/acme-challenge/TM1Aczl0Lz5aAUrexi_zUhjJl-wFpZ73gVFMJpDLLj0 [5.189.166.189]: "\n\n404 Not Found\n\n Not Found \n<p"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

, DNS-based validation failed :

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.


Grrr... I wish these were easier to read and understand for a lay person....
Please help; the TXT records are inserted but I still did not get the SSL.

Thanks
Regards
ASM


Where did you put these two TXT records? :man_shrugging: I still only see the _acme-challenge A record that shouldn't be there. If you check with Dig after adding (or removing) records, you should see the results. If you don't, either the records are being changed in the wrong place or there's a problem with the DNS zone.

I've put them in TXT records both in the hosting and in the domain registrar, as they are both in different places; see pics below.

Dig looks as below:


IN HOSTING AS BELOW:


IN DOMAIN REGISTRAR AS BELOW:
Dimplemotors Domain DNS


I need SSL for all three as they all point to the same .com domain
Main Domain:
dimplemotors.com
Sub Domains:
dimplemotors.co.uk
dimpleselfdrive.com

But I thought I'd get dimplemotors.com first, then try the others.
Please help
Thanks


The Record names in your hosting need to be _acme-challenge.dimplemotors.com and _acme-challenge.www.dimplemotors.com with their values being huge, random strings of characters coming from certbot/letsencrypt. You could instead put these in your domain registrar with the Names being _acme-challenge.dimplemotors.com and _acme-challenge.www.dimplemotors.com with the values being as just described.

You need to delete the A record (not TXT record) with Name of _acme-challenge.dimplemotors.com in your domain registrar.


These are not subdomains. They are separate apex domains. A subdomain exists below an apex domain. For example, www.dimplemotors.co.uk refers to the www subdomain of the dimplemotors.co.uk apex domain. Unless you want to maintain three separate domain names all referring to the same content (and hopefully have all of your internal links and resources be relative, such that they don't specify the domain name in the link or resource in the code), you should probably consider 301 redirecting two of the domain names to the remaining domain name.

Since all three domain names are hosted on the same server, you should just create one certificate containing all three apex domains and www subdomains. You should even throw in the other subdomains (like ftp, m, and admin). Do not, I repeat, do not try to include the localhost subdomain. Let's Encrypt cannot certify it because it points to a private IP address (loopback 127.0.0.1).

Also, delete the dimplemotors nonsensical subdomain (i.e. it is the dimplemotors subdomain of apex domain dimplemotors.com):

dimplemotors.dimplemotors.com. 21599 IN A 5.189.166.189

This is an A record with Name dimplemotors in your domain registrar.

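A pre-flight check for the record names and the multi-domain SAN list described in the reply above, as an added example (not code from this thread, certbot or Virtualmin). The zone data is constructed to mirror what the thread reports (the `_acme-challenge` A record, the `dimplemotors.dimplemotors.com` record, a `localhost` entry at 127.0.0.1) and is not a live query; the list of apex domains is an input, because telling apexes apart properly needs the public suffix list, which this example does not carry. The planned SAN list deliberately includes the two names the reply says to leave out, so the lint is seen catching them.

```python
"""Pre-flight lint for a multi-domain Let's Encrypt request.

Added example, not code from this thread, certbot or Virtualmin. RECORDS is a
constructed stand-in for `dig` answers (shaped after what the thread reports),
not the output of a real query; APEXES is an assumption supplied by hand.
"""
import ipaddress
from collections import defaultdict

RECORDS = [
    ("dimplemotors.com", "A", "5.189.166.189"),
    ("www.dimplemotors.com", "A", "5.189.166.189"),
    ("dimplemotors.dimplemotors.com", "A", "5.189.166.189"),   # stray label from the panel
    ("_acme-challenge.dimplemotors.com", "A", "5.189.166.189"),  # wrong type: must be TXT
    ("localhost.dimplemotors.com", "A", "127.0.0.1"),
    ("dimplemotors.co.uk", "A", "5.189.166.189"),
    ("dimpleselfdrive.com", "A", "5.189.166.189"),
]

APEXES = {"dimplemotors.com", "dimplemotors.co.uk", "dimpleselfdrive.com"}

# What the thread converges on, plus the two names the reply says to leave out.
PLANNED_SANS = [
    "dimplemotors.com", "www.dimplemotors.com",
    "dimplemotors.co.uk", "www.dimplemotors.co.uk",
    "dimpleselfdrive.com", "www.dimpleselfdrive.com",
    "dimplemotors.dimplemotors.com",
    "localhost.dimplemotors.com",
]


def apex_of(name, apexes=APEXES):
    """Apex domain a name belongs to, or None if it is under none of the given apexes."""
    for apex in sorted(apexes, key=len, reverse=True):
        if name == apex or name.endswith("." + apex):
            return apex
    return None


def dns01_record_name(san):
    """TXT name certbot asks for; a wildcard is validated at its base name."""
    base = san[2:] if san.startswith("*.") else san
    return "_acme-challenge." + base


def lint(sans, records=RECORDS, apexes=APEXES):
    """Return (findings, txt_names): things that will break validation, and the TXT names needed."""
    by_name = defaultdict(list)
    for name, rtype, value in records:
        by_name[name.lower()].append((rtype, value))

    findings = []
    for san in sans:
        apex = apex_of(san, apexes)
        if apex is None:
            findings.append((san, "not under any apex you control"))
        elif san != apex and san[: -len(apex) - 1] == apex.split(".")[0]:
            # e.g. dimplemotors.dimplemotors.com: almost always a panel mistake
            findings.append((san, "label repeats the apex name; probably unintended"))
        if san.startswith("*."):
            findings.append((san, "wildcard: dns-01 only, http-01 cannot validate it"))
            continue
        addrs = [v for t, v in by_name.get(san.lower(), []) if t in ("A", "AAAA")]
        if not addrs:
            findings.append((san, "no A/AAAA record; the CA cannot reach it"))
        for a in addrs:
            ip = ipaddress.ip_address(a)
            if ip.is_loopback or ip.is_private or ip.is_link_local:
                findings.append((san, f"points at non-public address {a}; will never validate"))

    # The dns-01 check reads TXT only; an A record at _acme-challenge.* is dead weight.
    for name, rrs in by_name.items():
        if name.startswith("_acme-challenge.") and any(t != "TXT" for t, _ in rrs):
            findings.append((name, "has non-TXT records; delete them"))

    txt_names = sorted({dns01_record_name(s) for s in sans})
    return findings, txt_names


if __name__ == "__main__":
    problems, txt_names = lint(PLANNED_SANS)
    for name, why in problems:
        print(f"FIX  {name}: {why}")
    print("TXT names needed for dns-01:")
    for n in txt_names:
        print("  " + n)
```

The findings for the constructed data are the ones the reply lists by hand (the repeated label, the loopback address, the A record at `_acme-challenge`), plus the two `www` names of the other apexes that have no A record in the sample zone and would fail the same way `dimplemotors.com` did. Run it against real `dig +short` output by loading those answers into `RECORDS` before ordering the certificate, and remember that the list of TXT names is per order: the values go stale as soon as the order does.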