Renewing non-www version fails

Hi,
We have a web site builder with thousands of websites.
We are using Greenlock-express.

When renewing SSL for a domain, I succeed with the www version of the domain but get an error
for the non-www version.

For example, www.mybooks.co.il worked fine.
mybooks.co.il fails.

I get - Error: authorizations were not fetched

Thanks!!!

There’s almost no chance of us figuring out what’s wrong with your Greenlock integration unless you can post a runnable application that exhibits the problem.

Hi @shlomi_st

I don't find a direct error. But checking your files, there are HTTP status 200 responses where 404s are expected:

The last two - the file names are testnames, so they don't exist. Checked with my own online-tool https://check-your-website.server-daten.de/?q=mybooks.co.il

I don't use this client. Are there more error messages or a protocol?

Thanks for the reply.
When trying to create the certificate for https://www.mybooks.co.il I get the following errors:

[acme-v2.js] authorizations were not fetched:
{ type: 'urn:ietf:params:acme:error:malformed',
detail: 'JWS verification error',
status: 400 }
[acme-v2] handled(?) rejection as errback:
Error: authorizations were not fetched
at /home/chderen/www/node_modules/acme-v2/node.js:588:31
at

You have one certificate created today.

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:www.mybooks.co.il&lu=cert_search

But why does your webserver send a 200 instead of a 404 when checking a non-existent file like

http://www.mybooks.co.il/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de

or

http://mybooks.co.il/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de

This is an error of your webserver. So Letsencrypt tries to validate such a file and gets the wrong content, not the content expected.
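The check described in the post above, as an added example that is not part of the original thread or of any tool mentioned in it: request a challenge file that cannot exist and flag a server that answers 200 instead of 404. The function names and the local test server are constructed for illustration.

```python
import http.server
import secrets
import threading
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Empty ProxyHandler: ignore proxy settings and talk to the server directly.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def probe_missing_token(base_url, timeout=5):
    """GET a random challenge file that cannot exist; return (status, verdict)."""
    name = "probe-" + secrets.token_hex(8)
    url = base_url.rstrip("/") + CHALLENGE_PREFIX + name
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code
    verdict = {404: "ok", 200: "catch-all-200"}.get(status, "unexpected")
    return status, verdict


def _handler(catch_all):
    """Constructed server: answers every path with 200, or every path with 404."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            body = b"<html>builder page</html>" if catch_all else b"not found"
            self.send_response(200 if catch_all else 404)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args):  # keep the demo output quiet
            pass
    return Handler


def demo(catch_all):
    """Start the constructed server on a free local port and probe it."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _handler(catch_all))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_missing_token("http://127.0.0.1:%d" % server.server_port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo(True), demo(False))
```

Against a real site, call `probe_missing_token("http://example.com")` with your own domain, once for the www name and once for the bare name.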

That's an unusual error. Let's Encrypt thinks the ACME client is sending some sort of invalid request.

Are you running the latest version of greenlock-express?

It seems to support extensive debug logging, including HTTP requests and responses. I'm not sure how to turn it on, or if it's on by default.

Can you enable it -- if necessary -- and post a full log of what happened?

Thanks for the reply.
I will check it

Hi,
We've fixed the 404 issue. Still, some of the domains without the www fail to create an SSL cert.
For example - https://boozers.beer.

https://check-your-website.server-daten.de/?q=boozers.beer

Any idea?

You have a certificate with the www-domainname, created today.

What's the difference between your www- and your non-www version? (Server configuration)

www works, non-www has a SendFailure error.

But it's not a https -> port 80 or http -> port 443 - error.

Now checked with Ssllabs:

https://www.ssllabs.com/ssltest/analyze.html?d=boozers.beer&hideResults=on

Error: Failed to communicate with the secure server

Explanation:

Failed to communicate with the secure server - No secure protocol supported. Possibly this server only supports a draft version of TLS 1.3

So your Ssl-configuration of the non-www version looks broken.
