Not working certificate with www


#1

Hi, I have installed the certificate on my VPS, which is hosted on DigitalOcean.
I have installed the certificate on NGINX and it seems to work fine, except that if I enter the WWW domain, the domain is not certified.
So I run the command:
```
./letsencrypt certonly --webroot -w /home/nginx/domains/example.com/public -d www.example.com -d example.com
```
and the WWW domain, I recognize it:

You have an existing certificate that contains a portion of the
domains you requested (ref: /etc/letsencrypt/renewal/example.it.conf)
It contains these names: example.it
You requested these names for the new certificate: www.example.it,
example

Do you want to expand and replace this existing certificate with the
new certificate?

It gives me the error:

Failed authorization procedure. example.it (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain ::

Could not connect to http://www.example.it/.well-known/acme-challenge/rW44OWQnQsD-87JNwsBGk2-0sum9sZZJXRd13IEmHoBYY, example.it (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to http://example.it/.well-known/acme-challenge/GdT33GYQPgZDRRd01F4579WweBZz-rpdu-yBIPiOI9UiQ

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: example.it
Type: connection
Detail: Could not connect to http://www.example.it/.well-known/acme-
challenge/rW44OWQnQsD-87JNwsBGk2-0sum9sZZJXRd13IEmHoBYY

Domain: example.it
Type: connection
Detail: Could not connect to http://example.it/.well-known/acme-
challenge/GdT33GYQPgZDRRd01F4579WweBZz-rpdu-yBIPiOI9UiQ

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

How can I make sure that www.example.it is certified, and not just https://example.it?


#2

What would happen if you ran curl on one of the http verification URLs that was mentioned in the error message?


#3

Sorry for my bad English, maybe I did not understand what you asked me. I ran:
http://www.example.it/.well-known/acme-challenge/XsDJZLAJ5DMIEH2YmX5MhnjO2Lr99l40CgSrzQWIgZw
And I have received:

```
404 Not Found

404 Not Found

nginx
```

#4

Hi @Xanger, do you remember what command you originally used when you obtained your old certificate successfully?


#5

These are exactly the commands that I have done for the SSL certificate (I am using Centmin Mod):

```
mkdir -p /etc/ssl/private
chmod 710 /etc/ssl/private
cd /etc/ssl/private
openssl dhparam -out dhparams.pem 2048
chmod 600 dhparams.pem
service nginx stop
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
cd /opt/letsencrypt
./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth
```


#6

@Xanger, there are different plugins that provide different authentication methods to prove that you control the domain. They each work in a different way, and you’re apparently using different ones in different situations here (standalone when you successfully obtained the certificate, and webroot when you were unsuccessful in renewing it).

The `service nginx stop` is useful if you’re using the standalone authenticator, but not if you’re using the webroot authenticator. These are two different features of the client that perform the authentication in quite different ways. If you used the standalone authenticator successfully before, you might be able to get the renewal to work by stopping nginx again and using `--standalone` as part of your renewal command (instead of `--webroot` and instead of specifying your webroot location).

If you do want to use webroot, you probably have to figure out how to make sure that your nginx configuration allows you to serve .well-known resources (I think there are other threads on the forum that deal with that problem). However, the difference between the success when you originally got the certificate and the failure when trying to renew it is probably related to trying to use standalone the first time and webroot for the renewal.
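
A pre-flight check for the webroot case described in reply #6, added here as an example (it is not part of the thread or of the Let's Encrypt client): it drops a random probe file into `<webroot>/.well-known/acme-challenge/` and fetches it over plain HTTP from every name, which reproduces the 404 from reply #3 when nginx does not serve that directory. The function names and the probe file name are hypothetical; the webroot path and host names are whatever you pass in.

```python
"""Pre-flight check for webroot validation: is a file dropped into
<webroot>/.well-known/acme-challenge/ reachable over plain HTTP on every name?"""
import http.client
import secrets
import sys
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"  # directory the http-01 URLs point into


def fetch(host, path, expected, timeout):
    """GET http://host/path and compare the body with the probe content."""
    try:
        conn = http.client.HTTPConnection(host, timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        status, data = resp.status, resp.read().decode("utf-8", "replace")
        conn.close()
    except (OSError, http.client.HTTPException) as exc:
        return False, f"connection failed: {exc}"
    if status != 200:  # redirects are reported as-is, not followed
        return False, f"HTTP {status}"
    if data != expected:
        return False, "body does not match probe file"
    return True, "ok"


def probe_webroot(webroot, hosts, timeout=5.0):
    """Write a random probe file under webroot, fetch it from each host,
    delete it again. Returns {host: (ok, detail)}."""
    token = "probe-" + secrets.token_urlsafe(16)  # hypothetical probe name
    body = secrets.token_urlsafe(32)
    challenge_dir = Path(webroot) / CHALLENGE_DIR
    challenge_dir.mkdir(parents=True, exist_ok=True)
    probe = challenge_dir / token
    probe.write_text(body)
    try:
        return {h: fetch(h, f"/{CHALLENGE_DIR}/{token}", body, timeout) for h in hosts}
    finally:
        probe.unlink()


if __name__ == "__main__":
    # usage: python3 probe.py WEBROOT NAME [NAME ...]
    if len(sys.argv) < 3:
        sys.exit("usage: probe.py WEBROOT NAME [NAME ...]")
    results = probe_webroot(sys.argv[1], sys.argv[2:])
    for host, (ok, detail) in results.items():
        print(f"{'PASS' if ok else 'FAIL'} {host}: {detail}")
    sys.exit(0 if all(ok for ok, _ in results.values()) else 1)
```

Run it on the server with the same `-w` path and `-d` names as the failing command; a `FAIL ... HTTP 404` for a name means the webroot authenticator would fail for that name as well.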

