Spectrum ISP prevents getting certificate


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ytremote.us.to

I ran this command: sudo certbot certonly --webroot -w /var/www/example/ -d ytremote.us.to

It produced this output:
dittmer@dittmer-1:~$ sudo certbot certonly --webroot -w /var/www/example/ -d ytremote.us.to
[sudo] password for dittmer:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ytremote.us.to
Using the webroot path /var/www/example for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. ytremote.us.to (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://ytremote.us.to/.well-known/acme-challenge/gPVpPsvQ0yulxmKocWL8uSoiHxvSpDVNvpSh0ccQ5CM: "

404 Not Found

Not Found

<p"

IMPORTANT NOTES:

My web server is (include version): Apache 2

The operating system my web server runs on is (include version): Ubuntu Server 14.04.5

I can login to a root shell on my machine.

I believe the problem is spectrum. I can not load my own website from my own internet unless i use my servers local ip address. I don’t know why spectrum does this, but they do. I believe this causes the verification to fail because the script is ran from the server and it tries to connect to the public ip address of my server, which for whatever reason, spectrum does not allow.


#2

But the verification is carried out by servers of Let’s Encrypt. Not by the server where the client is being ran. Wouldn’t be allowed of course, validating the domain yourself :wink:

Is the webroot correct? Why do you use certonly when you can also use the --apache plugin? Do you have a specific need for it, or did you follow a guide which doesn’t know the --apache plugin exists?


#3

Well, in the end, my certificate will by used by node.js for socket.io.

I am creating a chrome extension that needs websockets, but chrome is preventing it from working because of the fact that the websocket isnt served with https while the extension is running on a https website.

I have now ran the command with different parameters (ran it in manual mode) and it verified correctly, but now it wont issue me a certificate because of the us.to subdomain i have. It says there are too many certs for us.to


#4

Is that domain used (i.e., shared) by multiple users? If so, you can indeed run into rate limits if the domain isn’t on the Public Suffix List.


#5

.us.to is a free subdomain service which i used to get a simpler domain than sharing my public ip in the end. it is used by many people. What would you recommend i do instead? This is a side project so i would like to avoid spending money on a domain (at least until its complete) but i need a domain and a cert to make it work.


#6

As far as I know, free subdomain services should be able to put themselves on the Public Suffix List. That’s actually what the Public Suffix List is for: preventing cookies and other security vulnerable stuff being transferred between subdomains. However, only the owner of the domain can request the domain to be added.

So there are a few options:

  • Ask the owner of us.to to add its domain to the Public Suffix List. This won’t help you directly, as the process takes time and it takes time again for Let’s Encrypt to pick up a recent version of the list. That’s done on regular basis, but not daily.
  • Use a free subdomain service already on the Public Suffix List
  • Keep trying getting a certificate, i.e., “hammer” the rate limit. This isn’t guaranteed to work though and could take some time.

#7

Hmmm. Okay, thank you for your help. I think i will look for a different subdomain service.

I really appreciate your time!


#8

I remember that us.to owner in a previous post claimed that he is trying to add the domain to PSL… (Not sure when it will be in effect)

Thank you


#9

Nope: https://github.com/publicsuffix/list/issues/271

The owner has no interest in being on the PSL. It were users who wanted the many, MANY domains listed in the PSL, but was denied.


#10

Emm…
Take a look at this one…( Not sure if that’s the real us.to owner or just someone who pretending to be… But he seems to submitted the us.to rate limit increase form)


#11

There might be others I’m not aware of, but freenom.com has a number of TLDs where you can “buy” a domain for free. You’d still have to deal with getting your new domain to point to your dynamic home IP. But there are a number of ways to deal with that.


#12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.