Problem generating cert for main domain, www works fine


#1

I am having issues trying to issue a cert for the main domain. I issued for www previously, so I was expanding the cert and it is failing. I tried creating a second cert just for the main domain and am getting the same error. I can provide the verbose log as well, but I do not see a way to upload the file and it is quite a number of lines.

My domain is: dumboauctions.com

I ran this command: ./certbot-auto -d dumboauctions.com -d www.dumboauctions.com -v

It produced this output:

My web server is (include version): Apache/2.2.22 (Debian)

The operating system my web server runs on is (include version): Debian GNU/Linux 7.8 (wheezy)

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Server is on AWS so I guess?


#2

Hi,

I’m unclear why you have two sets of IP addresses for both hostnames.

Is that a load balancing setup?
Are both IPs serving the same site? (It seems that 52.73.154.88 does not have your site on the server.)

Can you try to remove 52.73.154.88 from both DNS and see if that shows the correct content?

Thank you


#3

Hi @fclaycomb

Additionally: it looks like there are different servers:

Fetching your main domain:

download http://dumboauctions.com/ -h
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Mon, 17 Sep 2018 22:46:43 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Location: https://dumboauctions.com
Set-Cookie: PHPSESSID=rd8ifhckdrj9ae3d7j803gjln2; path=/,auctionmobility_referer=null; expires=Wed, 17-Oct-2018 22:46:43 GMT; Max-Age=2592000; path=/; domain=dumboauctions.com,HAPID=prod-web-24; path=/
Server: Apache/2.2.22 (Debian)
Vary: Accept-Encoding
Content-Length: 0
Connection: keep-alive

Status: 301 MovedPermanently
1339,39 milliseconds
1,34 seconds

This is a normal Apache with a redirect.

But fetching the file Let's Encrypt wants to see:

download http://dumboauctions.com/.well-known/acme-challenge/1234 -h
Error (1): Der Remoteserver hat einen Fehler zurückgegeben: (404) Nicht gefunden.
ProtocolError
Connection: keep-alive
Content-Length: 19
Content-Type: text/plain
Server: haproxy/acme-http01-authenticator

Status: 404 NotFound
404

319,63 milliseconds
0,32 seconds

There is a Server: haproxy/acme-http01-authenticator as header.

Perhaps this instance works with your www domain, but not with your non-www domain.

Using the two IP addresses (/ and /.well-known/acme-challenge/1234) gives the same result.

So it looks like the two IP addresses send the same content.


#4

I forgot to mention that we have the servers behind an HAProxy load balancer. Unsure if that is causing the issue here.


#5

It looks like Certbot saves the validation file in the directory of your Apache.

But your HAProxy catches all GET requests under /.well-known/acme-challenge/, so Let's Encrypt gets the wrong answer.

So your HAProxy configuration should be changed. There may be a block which catches /.well-known/.

Try to deactivate that (first, create a backup).
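As an added illustration of the HAProxy change described in this reply (not configuration from the thread; the frontend and backend names, private addresses and ports are assumptions), the catch-all rule that answers every ACME request itself, beside a corrected variant that lets the main domain's challenge reach the Apache webroot where certbot writes the token:

```haproxy
# Constructed haproxy.cfg fragment; only ONE of the two frontends belongs in
# a real file. Backend names, addresses and ports are assumptions.

# --- BEFORE: produces "Server: haproxy/acme-http01-authenticator" for every
#     hostname. Apache never sees the request, so the token certbot wrote
#     under /.well-known/acme-challenge/ is answered with 404.
frontend http_in
    bind *:80
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend acme_authenticator if is_acme
    default_backend apache_web

# --- AFTER: ACME requests for the domains that certbot validates via the
#     Apache webroot are passed through to Apache; the authenticator backend
#     is only used for hostnames it actually knows about (here: none).
frontend http_in
    bind *:80
    acl is_acme      path_beg /.well-known/acme-challenge/
    acl webroot_host hdr(host) -i dumboauctions.com www.dumboauctions.com
    # Main and www domain: let the challenge reach the Apache webroot.
    use_backend apache_web if is_acme webroot_host
    # Any other hostname keeps the old behaviour (drop this line to
    # deactivate the authenticator entirely, as suggested above).
    use_backend acme_authenticator if is_acme
    default_backend apache_web

backend apache_web
    # Assumed private addresses of the two Apache instances behind HAProxy.
    option forwardfor
    server web1 10.0.0.11:80 check
    server web2 10.0.0.12:80 check
```

After reloading HAProxy, repeat the check from reply #3 (GET /.well-known/acme-challenge/1234 on each IP): the Server header should now read Apache, not haproxy/acme-http01-authenticator, and the expected 404 should come from Apache until certbot places a real token.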


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.