No certificate file is being generated

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ehr-crm.com

I ran this command: .getssl ehr-crm.com

It produced this output: see attached

My web server is (include version):

The operating system my web server runs on is (include version):
oracle linux 8.3
My hosting provider, if applicable, is:
oracle cloud
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I am using getssl

detected os type = linux

Running \S
Kernel \r on an \m

checking for required which ... /usr/bin/which

checking for required openssl ... /usr/bin/openssl

checking for required curl ... /usr/bin/curl

checking for dig ... /usr/bin/dig

function dig found at /usr/bin/dig - setting DNS_CHECK_FUNC to dig

checking for required dirname ... /usr/bin/dirname

checking for required awk ... /usr/bin/awk

checking for required tr ... /usr/bin/tr

checking for required date ... /usr/bin/date

checking for required grep ... /usr/bin/grep

checking for required sed ... /usr/bin/sed

checking for required sort ... /usr/bin/sort

checking for required mktemp ... /usr/bin/mktemp

current code is version 2.35

Most recent version is 2.35

Testing working dir location '/etc/getssl'

Testing working dir location '/home/oracle/conf'

Testing working dir location '/home/oracle/.getssl'

reading config from /home/oracle/.getssl/getssl.cfg

Making working directory - /home/oracle/.getssl/ehr-crm.com

Making temp directory - /home/oracle/.getssl/ehr-crm.com/tmp

HAS NSLOOKUP=true

HAS DIG_OR_DRILL=dig

HAS HOST=true

Using certificate issuer: https://acme-staging-v02.api.letsencrypt.org

checking config

checked ACCOUNT_KEY_TYPE

checked PRIVATE_KEY_ALG

checking domain ehr-crm.com

DNS lookup using dig ehr-crm.com

DNS lookup using host ehr-crm.com

DNS lookup using nslookup -query AAAA ehr-crm.com

found IPv4 record for ehr-crm.com

ehr-crm.com: check_config completed - all OK

ca_all_loc from https://acme-staging-v02.api.letsencrypt.org gives

Boulder: The Let's Encrypt CA

  <div class="col-xs-6 text-left">
    <h1>Boulder<br>
    <small>The Let's Encrypt CA</small></h1>
  </div>
</div>

<div class="row">
  <div class="col-xs-8 col-xs-offset-2 text-center">
    <h3>This is an <a href="https://github.com/letsencrypt/acme-spec/">ACME</a> Certificate Authority running <a href="https://github.com/letsencrypt/boulder">Boulder</a>.</h3>
    <p>This is a <em>programmatic</em> endpoint, an API for a computer to talk to. You should probably be using a specialized client to utilize the service, and not your web browser. See <a href="https://letsencrypt.org/"><tt>https://letsencrypt.org/</tt></a> for help.</p>
    <p>If you're trying to use this service, note that the starting point, <em>the directory</em>, is available at this URL: <a href="https://acme-staging-v02.api.letsencrypt.org/directory"><tt>https://acme-staging-v02.api.letsencrypt.org/directory</a></tt>.</p>
  </div>
</div>
<div class="row">
  <div class="col-xs-4 col-xs-offset-2 text-center">
    <p><a href="https://letsencrypt.status.io" title="Twitter">
      <i class="fa fa-area-chart"></i>
      Service Status (letsencrypt.status.io)
    </a></p>
  </div>
  <div class="col-xs-4 text-center">
    <p><a href="https://twitter.com/letsencrypt" title="Twitter">
      <i class="fa fa-twitter"></i>
      Check with us on Twitter
    </a></p>
  </div>
</div> <!-- row -->

ca_all_loc from https://acme-staging-v02.api.letsencrypt.org/directory gives {
"7ieBqxqoAV4": "Adding random entries to the directory",
"keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "Staging Environment - Let's Encrypt"
},
"newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}

Using API v2

getting certificate for ehr-crm.com from remote server (ehr-crm.com)
ehr-crm.com: no certificate obtained from host
creating account key /home/oracle/.getssl/account.key
creating key - /home/oracle/.getssl/account.key
creating key - /home/oracle/.getssl/ehr-crm.com/ehr-crm.com.key

created SAN list = subjectAltName=DNS:ehr-crm.com
creating domain csr - /home/oracle/.getssl/ehr-crm.com/ehr-crm.com.csr

jwk alg = RS256
Registering account

url https://acme-staging-v02.api.letsencrypt.org/acme/new-acct

KID is blank, so using jwk

payload = {"termsOfServiceAgreed": true}

responseHeaders HTTP/1.1 100 Continue

HTTP/1.1 201 Created
Server: nginx
Date: Wed, 28 Apr 2021 13:08:48 GMT
Content-Type: application/json
Content-Length: 868
Connection: keep-alive
Boulder-Requester: 19284140
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Link: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf;rel="terms-of-service"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/acct/19284140
Replay-Nonce: 00048GtmYDcXiHsUp9N2sRbYK3Ho9v8BDqgJ7L2LFr8OOZk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

response { "key": { "kty": "RSA", "n": "tgI2lEjig7xRMyNfr0kT3srwqa7dg4su2tf_a6RrmD4T1MJCw6xHPFHvB0ugx32xywq7Kpl4_B9i_opg9jDcS-CI5dtvMrV02icMXHZy1AVTCyo2B5KYZQD8UJIRDnRH19KSs0_VGILzDYPBFzMzkJDQTgmkVwsUs3FhFB_pEC0N2PEqfaqfrZk_s-SorCHUL_ViPR8BEqMKovOoNClwTwUgBcn2RcdcP-qvGyomGR3A-q-8AuuFFdn1xABKcjL9sWbD9gXUS5MtmAsrgej4onEujZ7WNsPGViGT7eU1o7oric21y2mVyAPAf2DTzlIOCAudTt3NqZ1R01UwnPPlnQOubDhBgMOkGoDaXhkMPcPUjTB8sPp3hxIEwnw0o_w9VE7gzF1ggVmBG7eqiLcCLqmHuPJMJXVA6QOcWjHhE8EyI-4Ho0ueDBzodW566yrUsZvYnd4j0z3E6FkBTsOCx4WNuk73WDh7_neQCkYsji5C_QPBjMFf99YaneBJSvI8oR_rfTkQPWOvW9CFKV_I8DXbI0BCDZ7SMJDFRYR2vpljWQiCFhDpGAaBAO1c81VAZhr12d8xfeYVk1WViN2hl4Bzzq5NzYK5xXwCOWp1pWi4jeguXe18YZbN4FJ-h_hAQwZoOhCtGMVdXoHIUv6KYC29QKOm1gUt7D54TYOHMt8", "e": "AQAB" }, "contact": , "initialIp": "132.145.63.124", "createdAt": "2021-04-28T13:08:48.042006692Z", "status": "valid"}

code 201

response status = valid
Registered

KID=https://acme-staging-v02.api.letsencrypt.org/acme/acct/19284140}
Verify each domain

url https://acme-staging-v02.api.letsencrypt.org/acme/new-order

using KID=https://acme-staging-v02.api.letsencrypt.org/acme/acct/19284140

payload = {"identifiers": [{"type":"dns","value":"ehr-crm.com"}]}

responseHeaders HTTP/1.1 100 Continue

HTTP/1.1 201 Created
Server: nginx
Date: Wed, 28 Apr 2021 13:08:49 GMT
Content-Type: application/json
Content-Length: 343
Connection: keep-alive
Boulder-Requester: 19284140
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/19284140/40745209
Replay-Nonce: 0004dGZsBBwtVtgdfl0fNJBPfjQys93CJOSFrnfTD52Fqh8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

response { "status": "pending", "expires": "2021-05-05T13:08:49Z", "identifiers": [ { "type": "dns", "value": "ehr-crm.com" } ], "authorizations": [ "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/36431836" ], "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/19284140/40745209"}

code 201

response status = pending

Order link https://acme-staging-v02.api.letsencrypt.org/acme/order/19284140/40745209

Finalize link https://acme-staging-v02.api.letsencrypt.org/acme/finalize/19284140/40745209

Requesting authorizations link for https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/36431836

url https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/36431836

using KID=https://acme-staging-v02.api.letsencrypt.org/acme/acct/19284140

payload =

responseHeaders HTTP/1.1 100 Continue

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 28 Apr 2021 13:08:50 GMT
Content-Type: application/json
Content-Length: 807
Connection: keep-alive
Boulder-Requester: 19284140
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0003nLc5RcpoWsK82FLmzpyD2NJ6YLV-P0bwum8IaIRpGDU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

response { "identifier": { "type": "dns", "value": "ehr-crm.com" }, "status": "pending", "expires": "2021-05-05T13:08:49Z", "challenges": [ { "type": "http-01", "status": "pending", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/36431836/W8OxfQ", "token": "XTE1ymitkC1SJmsMVpXTfFCXB2oso39TOQ0U-250304" }, { "type": "dns-01", "status": "pending", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/36431836/FkwURA", "token": "XTE1ymitkC1SJmsMVpXTfFCXB2oso39TOQ0U-250304" }, { "type": "tls-alpn-01", "status": "pending", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/36431836/-B0ffA", "token": "XTE1ymitkC1SJmsMVpXTfFCXB2oso39TOQ0U-250304" } ]}

code 200

response status = pending

wildcard=

Saving authorization response for ehr-crm.com for domain alldomains[0]

Response = { "identifier": { "type": "dns", "value": "ehr-crm.com" }, "status": "pending", "expires": "2021-05-05T13:08:49Z", "challenges": [ { "type": "http-01", "status": "pending", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/36431836/W8OxfQ", "token": "XTE1ymitkC1SJmsMVpXTfFCXB2oso39TOQ0U-250304" }, { "type": "dns-01", "status": "pending", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/36431836/FkwURA", "token": "XTE1ymitkC1SJmsMVpXTfFCXB2oso39TOQ0U-250304" }, { "type": "tls-alpn-01", "status": "pending", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/36431836/-B0ffA", "token": "XTE1ymitkC1SJmsMVpXTfFCXB2oso39TOQ0U-250304" } ]}
Verifying ehr-crm.com

authlink response = { "identifier": { "type": "dns", "value": "ehr-crm.com" }, "status": "pending", "expires": "2021-05-05T13:08:49Z", "challenges": [ { "type": "http-01", "status": "pending", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/36431836/W8OxfQ", "token": "XTE1ymitkC1SJmsMVpXTfFCXB2oso39TOQ0U-250304" }, { "type": "dns-01", "status": "pending", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/36431836/FkwURA", "token": "XTE1ymitkC1SJmsMVpXTfFCXB2oso39TOQ0U-250304" }, { "type": "tls-alpn-01", "status": "pending", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/36431836/-B0ffA", "token": "XTE1ymitkC1SJmsMVpXTfFCXB2oso39TOQ0U-250304" } ]}

uri https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/36431836/W8OxfQ

copying file from /home/oracle/.getssl/ehr-crm.com/tmp/XTE1ymitkC1SJmsMVpXTfFCXB2oso39TOQ0U-250304 to /opt/oracle/ords/conf/ords/standalone/doc_root/.well-known/acme-challenge
copying challenge token to /opt/oracle/ords/conf/ords/standalone/doc_root/.well-known/acme-challenge/XTE1ymitkC1SJmsMVpXTfFCXB2oso39TOQ0U-250304

copied /home/oracle/.getssl/ehr-crm.com/tmp/XTE1ymitkC1SJmsMVpXTfFCXB2oso39TOQ0U-250304 to /opt/oracle/ords/conf/ords/standalone/doc_root/.well-known/acme-challenge/XTE1ymitkC1SJmsMVpXTfFCXB2oso39TOQ0U-250304

wellknown_url http://ehr-crm.com/.well-known/acme-challenge/XTE1ymitkC1SJmsMVpXTfFCXB2oso39TOQ0U-250304
sending request to ACME server saying we're ready for challenge

url https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/36431836/W8OxfQ

using KID=https://acme-staging-v02.api.letsencrypt.org/acme/acct/19284140

payload = {}

responseHeaders HTTP/1.1 100 Continue

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 28 Apr 2021 13:08:51 GMT
Content-Type: application/json
Content-Length: 191
Connection: keep-alive
Boulder-Requester: 19284140
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Link: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/36431836;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/36431836/W8OxfQ
Replay-Nonce: 0003NlJN5iEX8xM2uDCo6U290_pkhc7Ms1nw-D4kZ-YvVpY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

response { "type": "http-01", "status": "pending", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/36431836/W8OxfQ", "token": "XTE1ymitkC1SJmsMVpXTfFCXB2oso39TOQ0U-250304"}

code 200

response status = pending
checking if challenge is complete

url https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/36431836/W8OxfQ

using KID=https://acme-staging-v02.api.letsencrypt.org/acme/acct/19284140

payload =

responseHeaders HTTP/1.1 100 Continue

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 28 Apr 2021 13:08:53 GMT
Content-Type: application/json
Content-Length: 1111
Connection: keep-alive
Boulder-Requester: 19284140
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Link: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/36431836;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/36431836/W8OxfQ
Replay-Nonce: 0003EpcMyoDSM48CT-ty5LSQPNH6iETzPpn3MrkJFD1uWm8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

response { "type": "http-01", "status": "invalid", "error": { "type": "urn:ietf:params:acme:error:unauthorized", "detail": "Invalid response from http://ehr-crm.com/.well-known/acme-challenge/XTE1ymitkC1SJmsMVpXTfFCXB2oso39TOQ0U-250304 [2a02:4780:a:493:0:ec4:8b84:4]: "\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody\u003e\r\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\r\n\u003chr\u003e\u003ccenter\u003eopenresty\u003c/cente"", "status": 403 }, "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/36431836/W8OxfQ", "token": "XTE1ymitkC1SJmsMVpXTfFCXB2oso39TOQ0U-250304", "validationRecord": [ { "url": "http://ehr-crm.com/.well-known/acme-challenge/XTE1ymitkC1SJmsMVpXTfFCXB2oso39TOQ0U-250304", "hostname": "ehr-crm.com", "port": "80", "addressesResolved": [ "152.67.136.178", "2a02:4780:a:493:0:ec4:8b84:4" ], "addressUsed": "2a02:4780:a:493:0:ec4:8b84:4" } ], "validated": "2021-04-28T13:08:51Z"}

code 200

response status = invalid

OK, I am unable to attach the log, but here is what I see in the details log

......
Using API v2

getting certificate for ehr-crm.com from remote server (ehr-crm.com)
ehr-crm.com: no certificate obtained from host
creating account key /home/oracle/.getssl/account.key
creating key - /home/oracle/.getssl/account.key
creating key - /home/oracle/.getssl/ehr-crm.com/ehr-crm.com.key
.........

Also, the challenge is failing, but I guess that is OK

Hi @ouamboh

that's not ok, that's the first and most important problem.

But there

https://ehr-crm.com/

is already a Letsencrypt certificate. Looks like you use a Hostinger integrated solution.

???

Your account has been created!

ehr-crm.com

Website ehr-crm.com has been successfully installed on server! Please delete the file default.php from the public_html folder and then upload your website by using FTP or File Manager.

You have ipv4 and ipv6. I see the ipv6 in my browser. Maybe only your ipv4 points to the oracle cloud.

Hi Juergen,

Thank you for getting back to me. Actually the domain is hosted at Hostinger, but I have pointed it to a compute instance in the Oracle Cloud where I am hosting the application.

So I am running the ./getssl command from the compute instance, as this is where I want to secure the app. I get the .key but no .crt files.

Is my setup the issue here?
Hostinger, who is hosting the domain, has given me a cert. But I am trying to get a cert using the same domain from a compute instance in the Oracle Cloud env.

Hi @ouamboh,

It looks like you have the following setup:

  • ip4 -> Oracle Cloud env
  • ip6 -> Hostinger

When the Letsencrypt server checks the challenge token it uses the ip6 address, tries to load the token from Hostinger, and can't find it.

This is from the last line of the output above which states that the response was "Not Found" and the addressUsed value is an ip6 address.

If you change your ip6 DNS record to also point to your Oracle Cloud env then it should work

Tim
(one of the maintainers of getssl)

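An added example, not part of the original thread or of getssl: a short Python check that reads the `validationRecord` of a failed http-01 challenge like the one in the log above and reports which resolved address the CA used and whether it belongs to the host where the token was written. The function name `diagnose_http01` and its `served_addresses` parameter are hypothetical; the sample JSON is trimmed from the response in the log, with the token replaced by a placeholder.

```python
import ipaddress
import json

# Constructed sample: trimmed from the failed challenge response in the log
# above; the token is a placeholder and the error detail is shortened.
SAMPLE_CHALLENGE = json.dumps({
    "type": "http-01",
    "status": "invalid",
    "error": {"type": "urn:ietf:params:acme:error:unauthorized",
              "detail": "Invalid response ... 404 Not Found", "status": 403},
    "validationRecord": [{
        "url": "http://ehr-crm.com/.well-known/acme-challenge/TOKEN-PLACEHOLDER",
        "hostname": "ehr-crm.com",
        "port": "80",
        "addressesResolved": ["152.67.136.178", "2a02:4780:a:493:0:ec4:8b84:4"],
        "addressUsed": "2a02:4780:a:493:0:ec4:8b84:4",
    }],
})


def diagnose_http01(challenge_json, served_addresses):
    """Compare the CA's validationRecord with the addresses we actually serve.

    served_addresses is an assumption of this example: the operator lists the
    IPs of the machine where the ACME client wrote the token file.
    """
    chall = json.loads(challenge_json)
    served = {ipaddress.ip_address(a) for a in served_addresses}
    records = []
    for rec in chall.get("validationRecord", []):
        used = ipaddress.ip_address(rec["addressUsed"])
        resolved = [ipaddress.ip_address(a) for a in rec.get("addressesResolved", [])]
        records.append({
            "hostname": rec["hostname"],
            "used": str(used),
            "used_family": f"IPv{used.version}",
            "used_is_ours": used in served,
            # Resolved addresses that are not in served_addresses
            "stray_records": [str(a) for a in resolved if a not in served],
        })
    return {
        "status": chall.get("status"),
        "error": chall.get("error", {}).get("type"),
        "records": records,
    }


if __name__ == "__main__":
    print(json.dumps(diagnose_http01(SAMPLE_CHALLENGE, ["152.67.136.178"]), indent=2))
```

With only the IPv4 address listed as served, the result shows the CA validated over IPv6 against an address that is not the token host; once every resolved address is served by that host, `stray_records` is empty.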

@timkimber
Thanks for the response, it turned out that my vlan in the cloud env did not support ip6. I will try to enable it and see if it helps (enabling it means trashing everything and starting from scratch in the Oracle Cloud Env). I am not sure when I will do it but everything you said makes sense.
I will post back the result here when done.
Cheers
