Request Failed issue

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.circuitsunited.com, circuitsunited.com

I ran this command: Let’s Encrypt via Virtualmin request

It produced this output:
Requesting a certificate for circuitsunited.com, www.circuitsunited.com from Let’s Encrypt …
… request failed : Web-based validation failed : Failed to request certificate :

circuitsunited.com challenge did not pass: Invalid response from http://circuitsunited.com/.well-known/acme-challenge/L-ieF5elL5w5oi7A76lrgrzuE5AgXFt-w3468g3kCyk [52.53.65.35]: “\n\n404 Not Found\n\n

Not Found

\n<p”

DNS-based validation failed : Failed to request certificate :

circuitsunited.com challenge did not pass: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.circuitsunited.com

My web server is (include version): apache2

The operating system my web server runs on is (include version): ubuntu 18.04

My hosting provider, if applicable, is: Gandi.net
cname and A records configured

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Virtualmin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): No

I did look at some of the submitted topics but none of them addressed my issue clearly. I’m learning to build a company's tech from the ground up. I’m coming from "manage existing tech" to now doing everything myself. Usually all the SSL/server configs are set up and I’d just pick up admin duties from the previous person, so please be as specific as you can. You are welcome to totally dumb it down and I will not be offended.
I appreciate your help in advance.

Regards,
cuadmin

Your domain has two IP addresses in DNS, but only one of the servers actually serves up your website. The other one gives a forbidden error.

circuitsunited.com. 0 IN A 52.53.65.35
circuitsunited.com. 0 IN A 52.52.52.169 

Most likely you want to get rid of the .169 A record.

1 Like

The .169 ip is for my email server. Should I remove it then add it back after the cert is in place?

That sounds wrong to me. The way you have things right now, when you visit circuitsunited.com in a browser, you have a 50% chance of connecting to your web server, and 50% chance of connecting to your mail server. That’s very unlikely to be a correct configuration.

Your domain’s mail is currently handled by Gandi’s mail servers:

circuitsunited.com.     10800   IN      MX      10 spool.mail.gandi.net.
circuitsunited.com.     10800   IN      MX      50 fb.mail.gandi.net.

If you have a separate mail server, then you should create a separate record for it, like:

mail.circuitsunited.com. 3600 IN A 52.52.52.169

and then point the MX records of the domains it hosts mail for, to mail.circuitsunited.com..

2 Likes
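The point made above, that the CA may connect to any of a domain's A records, is easy to check before requesting a certificate. Added example, not from the thread: it fetches the challenge path from every address the domain resolves to (or from a list you pass in) and reports which ones fail; the `fetch` parameter is injectable so the logic can be exercised offline, and the hostnames, token and addresses are constructed placeholders.

```python
"""Pre-flight check for an HTTP-01 challenge: the CA may connect to any of
the domain's A records, so every one of them must serve the token file.
Added example, not from the thread; addresses and token are constructed."""
import http.client
import socket

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def resolve_a_records(domain):
    """Return the distinct IPv4 addresses the domain currently resolves to."""
    infos = socket.getaddrinfo(domain, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def http_fetch(ip, host, path, timeout=5):
    """GET path from one specific IP with the Host header the CA would send.
    Returns (status, first 80 bytes of body)."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read(80)
    finally:
        conn.close()


def check_http01(domain, token, key_auth, addrs=None, fetch=http_fetch):
    """Probe every address for the token file.  Returns a dict
    ip -> 'ok' | 'status <code>' | 'wrong body' | 'connect error: ...'.
    `fetch` is injectable so the logic runs without network access."""
    if addrs is None:
        addrs = resolve_a_records(domain)
    path = CHALLENGE_PREFIX + token
    results = {}
    for ip in addrs:
        try:
            status, body = fetch(ip, domain, path)
        except OSError as exc:
            results[ip] = "connect error: %s" % exc
            continue
        if status != 200:
            results[ip] = "status %d" % status
        elif not body.startswith(key_auth):
            results[ip] = "wrong body"
        else:
            results[ip] = "ok"
    return results


def all_addresses_ok(results):
    """True only when every A record answered the challenge correctly."""
    return bool(results) and all(v == "ok" for v in results.values())
```

Place the key-authorization file in the webroot first, then run `check_http01("your.domain", "TOKEN", b"TOKEN.THUMBPRINT")`; any address that is not "ok" is one the CA can hit and fail on, exactly as the second A record did above.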

Ah, I see. I've removed the record for my mail server and added it as (subdomain).circuitsunited.com. It will take some time for the records to update. I'll post the results after I try again.

Thanks for the guidance.

Received the same error so far, see below. I’m going to reboot both email and web server to see if that helps.

Request Certificate
In domain circuitsunited.com

Requesting a certificate for circuitsunited.com, www.circuitsunited.com from Let’s Encrypt …
… request failed : Web-based validation failed : Failed to request certificate :

circuitsunited.com challenge did not pass: Invalid response from http://circuitsunited.com/.well-known/acme-challenge/_Rog-0xKzncW5KO6hLHergk2aEhtxRSmi6qfl4qhpxk [52.53.65.35]: “\n\n404 Not Found\n\n

Not Found

\n<p”

DNS-based validation failed : Failed to request certificate :

circuitsunited.com challenge did not pass: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.circuitsunited.com

Is 52.53.65.35 your Virtualmin server?

Or to phrase it another way, what is the IP address of your Virtualmin server?

1 Like

No. Virtualmin is installed on my email server. The address you posted is my web server address… rather, it’s the public address of my elastic IP for my EC2 instance on AWS. I’m only using Virtualmin for its email server scripting. The .169 address we spoke of is where Virtualmin is installed.

Ah.

With this domain and server setup, you can’t create a certificate for circuitsunited.com from your Virtualmin server.

Your EC2 server can issue certificates for circuitsunited.com and www.circuitsunited.com because those domains actually point to the EC2 server.

In a similar vein, your Virtualmin server can only issue a certificate for domains that point to it, such as your mail subdomain.

Does that sort of make sense?

What is your final goal here? If it is to secure your Virtualmin server, then you should request a certificate for only the domains that point to your Virtualmin server, such as your mail subdomain.

Yes that makes complete sense…

I want to make sure that my ((sub)domains) are secured as well as the virtualmin server as it’s the server that is most critical as it will be communicating with other email servers. Without having a cert other email servers will see my server/domain as spam and blacklist it.

I tried to add the subdomain to the list; I too thought all IPs with an association to my main domain needed to be listed.

Here is the error received when I did that:

Requesting a certificate for circuitsunited.com(delink), www.circuitsunited.com(delink), cumail.circuitsunited.com(delink) from Let’s Encrypt …
… request failed : Web-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for circuitsunited.com(delink)
http-01 challenge for cumail.circuitsunited.com(delink
http-01 challenge for www.circuitsunited.com(delink)
Using the webroot path /home/cuadmin/public_html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. circuitsunited.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://circuitsunited.com/.well-known/acme-challenge/jtn0At0d3pimVfFtRhxHmfeIPbozRxEFdAlvJlnfx6E [52.53.65.35]: “\n\n404 Not Found\n\n

Not Found

\n<p”, www.circuitsunited.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.circuitsunited.com/.well-known/acme-challenge/1atg9yIirdJE6DWva-ekoyxrfgb29VWy0UbJxbJR7e4 [52.53.65.35]: “\n\n404 Not Found\n\n

Not Found

\n<p”
IMPORTANT NOTES:

I have tried to only include the domain that my virtualmin is on. That also failed.

You mean that you got Virtualmin to request a certificate for only cumail.circuitsunited.com?

I would expect that to succeed. Can you share the error you got with that?

The errors for the other two domains are normal/expected.

1 Like

You were right. My logs only show I requested certs for base domain and sub. Tried it with just the cumail.circuitsunited.com and it worked.

So it looks like I’ll need to install ssl certs on my web server from the console or through AWS as you suggested.

Thanks again.

2 Likes

I have successfully added my certs to my email server and my webserver. The email server https:// works fine but my webserver does not. https:// says: ERR_SSL_PROTOCOL_ERROR

I have verified port 443 is open and my vhost has my ip:443

Looked at why no padlock:
SSL Connection - Errors

The SSL certificate tests failed. Please be sure that you can connect to your site over SSL and try again.

Mixed Content - Errors

The Mixed content tests failed. Please be sure that you can connect to your site over SSL and try again.
Error Returned: net::ERR_SSL_PROTOCOL_ERROR at https://www.circuitsunited.com

Any Ideas?

The website is running HTTP on port 443 instead of HTTPS.

http://www.circuitsunited.com:443/

Can you post “sudo apachectl -S”?

Here is the output of the command requested.

VirtualHost configuration:
52.53.65.35:443 is a NameVirtualHost
default server www.circuitsunited.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost www.circuitsunited.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
alias circuitsunited.com
port 443 namevhost circuitsunited.com (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: “/etc/apache2”
Main DocumentRoot: “/var/www/html”
Main ErrorLog: “/var/log/apache2/error.log”
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: “/var/run/apache2/apache2.pid”
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name=“www-data” id=33
Group: name=“www-data” id=33

Hi @cuadmin

there are duplicated entries. And where is your (working) port 80 vHost?

The vHost with two domain names may be correct, but if you have more than one combination of port + domain name, the wrong vHost is used.

So check the vHost with the alias, if this is correct. Then remove the last vHost. Then recheck your domain - now it's a Grade Q, http over port 443.

How's this:

52.53.65.35:443 www.circuitsunited.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
52.53.65.35:80 circuitsunited.com (/etc/apache2/sites-enabled/000-default.conf:2)
ServerRoot: “/etc/apache2”
Main DocumentRoot: “/var/www/html”
Main ErrorLog: “/var/log/apache2/error.log”
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
PidFile: “/var/run/apache2/apache2.pid”
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name=“www-data” id=33
Group: name=“www-data” id=33

You have already created the correct certificate ( https://check-your-website.server-daten.de/?q=circuitsunited.com#ct-logs ):

Issuer not before not after Domain names LE-Duplicate next LE
Let's Encrypt Authority X3 2019-07-28 2019-10-26 circuitsunited.com, www.circuitsunited.com - 2 entries duplicate nr. 2
Let's Encrypt Authority X3 2019-07-28 2019-10-26 circuitsunited.com - 1 entries duplicate nr. 1
Let's Encrypt Authority X3 2019-07-26 2019-10-24 circuitsunited.com, www.circuitsunited.com - 2 entries duplicate nr. 1
Let's Encrypt Authority X3 2019-07-26 2019-10-24 cumail.circuitsunited.com - 1 entries duplicate nr. 1

But your https doesn't work, again Grade Q, http over Port 443.

Domainname Http-Status redirect Sec. G
http://circuitsunited.com/
52.53.65.35 200 0.343 H
http://www.circuitsunited.com/
52.53.65.35 200 0.350 H
https://circuitsunited.com/
52.53.65.35 -4 0.670 W
SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format.
https://www.circuitsunited.com/
52.53.65.35 -4 0.674 W
SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format.
http://circuitsunited.com:443/
52.53.65.35 200 0.337 Q
Visible Content: Circuits United LLC is a Top to Bottom Technology Consultant and Service provider. Full site coming soon. For Consulting or Services please contact circuitsunitedllc@gmail.com. Thanks
http://www.circuitsunited.com:443/
52.53.65.35 200 0.340 Q
Visible Content: Circuits United LLC is a Top to Bottom Technology Consultant and Service provider. Full site coming soon. For Consulting or Services please contact circuitsunitedllc@gmail.com. Thanks

Did you restart your server?

Share the content of

/etc/apache2/sites-enabled/000-default-le-ssl.conf

there must be an error.
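The "Grade Q, http over port 443" finding above has a simple signature: a correct TLS listener answers a plaintext HTTP request with a TLS alert record (or just closes), while a vhost without TLS enabled answers "HTTP/1.x ...". Added example, not from the thread, that classifies a server's first bytes on port 443 and can probe a live host; the sample responses in the test are constructed.

```python
"""Detect plaintext HTTP served on port 443 (the 'Grade Q' finding).
Added example, not from the thread.  A TLS listener that receives an
HTTP request replies with a TLS alert record or closes the socket; a
listener that is really speaking HTTP answers 'HTTP/1.x ...'."""
import socket

TLS_ALERT = 0x15       # TLS record content type: alert
TLS_HANDSHAKE = 0x16   # TLS record content type: handshake


def classify_port443_reply(data):
    """Classify the first bytes a server sent on port 443 in reply to a
    plaintext HTTP request."""
    if not data:
        return "closed"             # TLS stacks often just hang up
    if data[0] in (TLS_ALERT, TLS_HANDSHAKE) and len(data) >= 3 and data[1] == 0x03:
        return "tls"                # TLS record header: type, version 3.x
    if data.startswith(b"HTTP/"):
        return "plaintext-http"     # misconfiguration: vhost on 443 without TLS
    return "unknown"


def probe(host, port=443, timeout=5):
    """Send a minimal HTTP request to host:port WITHOUT TLS and classify
    whatever comes back.  Only the first 16 bytes are needed."""
    req = ("HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host).encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(req)
        try:
            data = sock.recv(16)
        except OSError:             # reset or timeout: treat as closed
            data = b""
    return classify_port443_reply(data)


if __name__ == "__main__":
    import sys
    # Placeholder host; pass the site to check as the first argument.
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

A result of "plaintext-http" means the 443 vhost is answering without TLS, which is what a browser reports as ERR_SSL_PROTOCOL_ERROR.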

Rebooted, reloaded apache2, updated, upgraded… :nerd_face: If I didn’t love all things tech I’d be frustrated right now :grin:

    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com
    ServerAdmin webmaster@example.com
    DocumentRoot /var/www/html


    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

ServerName www.circuitsunited.com
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias circuitsunited.com
SSLCertificateFile /etc/letsencrypt/live/www.circuitsunited.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.circuitsunited.com/privkey.pem

Where is there a listen 443?

Is this a <VirtualHost *:443> - block? Perhaps you need a SSL On. And is the vHost active? sudo a2ensite config.file?
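For reference, this is what a working layout looks like when the certificate paths posted above are used. Added example, not the poster's configuration and not from the thread: it assumes Ubuntu's stock ports.conf, that mod_ssl and mod_rewrite are enabled (`sudo a2enmod ssl rewrite`), and a DocumentRoot of /var/www/html as shown in the posted file; the explicit SSLEngine on is harmless if the included options-ssl-apache.conf already sets it.

```apache
# /etc/apache2/ports.conf (Ubuntu default): 443 is only opened when mod_ssl is loaded
Listen 80
<IfModule ssl_module>
    Listen 443
</IfModule>

# /etc/apache2/sites-enabled/000-default-le-ssl.conf
# The directives below must sit INSIDE a *:443 VirtualHost block, or Apache
# never enables TLS on that port and answers plaintext HTTP on 443.
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.circuitsunited.com
    ServerAlias circuitsunited.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/www.circuitsunited.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.circuitsunited.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
</IfModule>

# /etc/apache2/sites-enabled/000-default.conf: plain HTTP stays on port 80.
# The HTTP-01 path is left reachable over HTTP so renewals keep working;
# everything else is redirected to HTTPS.
<VirtualHost *:80>
    ServerName www.circuitsunited.com
    ServerAlias circuitsunited.com
    DocumentRoot /var/www/html

    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

After editing, `sudo a2ensite 000-default-le-ssl && sudo apachectl configtest && sudo systemctl reload apache2`, then `sudo apachectl -S` should list exactly one *:443 and one *:80 vhost for the two names.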