SSL Certificate DNS Error

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: support.konspec.in

I ran this command: certbot certonly --webroot -w /var/www/osticket/upload -d support.konspec.in

It produced this output:

```
Domain: support.konspec.in
Type: connection
Detail: Fetching http://support.konspec.in/.well-known/acme-challenge/jQCeNb5jJXg_1DsZjFznS8P522rPiqcp_VLVF2qqs6g: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2021-07-09 12:12:34,146:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
```

My web server is (include version): nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

Additional Information: My server already has a website running on port 80. Let us call it test.konspec.in which is already protected by another Letsencrypt SSL certificate. It is not a wildcard certificate.

I created a new file in /etc/nginx/sites-available called support.konspec.in and chose to use another port.

```
server {
    listen 8081;
    server_name support.konspec.in; ## change server_name as per your domain name.
    root /var/www/osticket/upload;
    index index.php index.html index.htm;
}
```

I had also tried port 80 and the default_server directive as given in example configurations but it did not work. Also, I have a firewall with 2 Internet gateways. I disabled one of them because Certbot tends to choose the wrong gateway to what is listed in my DNS A Record.

nslookup output from the server.

```
12:34:11 [root@crmtest sites-available]# nslookup test.konspec.in
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   test.konspec.in
Address: 172.25.1.13
```

It resolves to the local server IP because I have added a DNS entry in my firewall device.

```
12:38:07 [root@crmtest sites-available]# nslookup support.konspec.in
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   support.konspec.in
Address: 117.247.188.128
Name:   support.konspec.in
Address: 43.254.162.114
```

What could be the issue?


When you have two DNS A records published for your domain, the Let's Encrypt validation servers will have a 50% chance of picking either IP address.

These validation servers are out on the internet, external to your LAN, external to Certbot.

All of the IP addresses published for your domain need to be capable of responding to HTTP requests.

Right now, only one of them does:

```
$ curl -i -m10 --resolve support.konspec.in:80:43.254.162.114 http://support.konspec.in
HTTP/1.1 404 Not Found
```

The other one times out:

```
$ curl -i -m10 --resolve support.konspec.in:80:117.247.188.128 http://support.konspec.in
curl: (28) Connection timed out after 10000 milliseconds
```
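The curl checks above, generalized into a script that probes every published A/AAAA record for the challenge path with the correct Host header. This is an added example, not code from the thread or from Certbot; the hostname, token and the two constructed results used for the offline demo are assumptions, and a real run calls `challenge_report(host, token)` with the token from Certbot's error message.

```python
"""Check every published A/AAAA address of a hostname the way the Let's
Encrypt validators will: fetch the HTTP-01 challenge path from each address
with the right Host header, like curl --resolve in the reply above."""
import http.client
import socket
from typing import Callable, Dict, List, Optional

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
Report = Dict[str, Optional[int]]   # ip -> HTTP status, None on timeout


def published_addresses(host: str) -> List[str]:
    """Every A and AAAA record the local resolver returns, deduplicated."""
    seen: List[str] = []
    for *_, sockaddr in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP):
        if sockaddr[0] not in seen:
            seen.append(sockaddr[0])
    return seen


def probe(host: str, ip: str, token: str, timeout: float = 10.0) -> Optional[int]:
    """GET the challenge URL from one specific address; None if it times out."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": host})
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def challenge_report(host: str, token: str, addresses: Optional[List[str]] = None,
                     prober: Callable[..., Optional[int]] = probe) -> Report:
    """Probe each address; a validator may pick any of them, so all must pass."""
    if addresses is None:
        addresses = published_addresses(host)
    return {ip: prober(host, ip, token) for ip in addresses}


def validation_ready(report: Report) -> bool:
    return bool(report) and all(status == 200 for status in report.values())


def explain(report: Report) -> List[str]:
    lines = []
    for ip, status in report.items():
        if status is None:
            lines.append(f"{ip}: timeout (port 80 is not reaching this address)")
        elif status == 200:
            lines.append(f"{ip}: OK")
        else:
            lines.append(f"{ip}: HTTP {status} (reachable, but not served from "
                         "the webroot for this name)")
    return lines


# Constructed stand-in for the two results quoted in the reply (no network).
THREAD_RESULTS: Report = {"117.247.188.128": None, "43.254.162.114": 404}


def thread_prober(host: str, ip: str, token: str, timeout: float = 10.0):
    return THREAD_RESULTS[ip]


def demo_report() -> Report:
    return challenge_report("support.konspec.in", "TOKEN",
                            addresses=list(THREAD_RESULTS), prober=thread_prober)


if __name__ == "__main__":
    print("\n".join(explain(demo_report())))
```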

Thanks for your reply @_az.

I deleted one entry from the A record and retained only 1 IP - 43.254.162.114 on DNS although both are fully functional. Not sure why the other IP timed out.

Anyway, with a single IP resolving to support.konspec.in, I get this result.

```
http-01 challenge for support.konspec.in
Using the webroot path /var/www/osticket/upload for all unmatched domains.
Waiting for verification...
Challenge failed for domain support.konspec.in
http-01 challenge for support.konspec.in
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
```

Is it looking for port 80 whereas my config file `/etc/nginx/sites-available/support.konspec.in.conf` has 8081 listed?

Regards,
Anand


Welcome to the Let's Encrypt Community, Anand :slightly_smiling_face:

What is the output of:

```
sudo nginx -T
```

Yeah, if you're doing some tricky port-forwarding or proxying, you might need to tell Certbot to use 8081 as its bind port for the HTTP challenge:

```
--http-01-port 8081
```

Thanks @_az. I added the `--http-01-port 8081` option and got this:

```
Domain: support.konspec.in
Type: unauthorized
Detail: Invalid response from http://support.konspec.in/.well-known/acme-challenge/K7Y9FvZPFvTEkJRMXageRhdzE4eLgTAsfC5DVl2z9Co [43.254.162.114]: "\r\n404 Not Found\r\n\r\n404 Not Found\r\nnginx/1.18.0 (Ub"
```

@_az

I don't think that will work if the 8081 is external.


Can you edit your last post and put 3 backticks above and below, like this:

```
output
```


Ah, you are right. nginx is bound to both ports.

Might be worth trying to add one for port 80 then. Good luck, it's dinner time :smiley: .


Enjoy your dinner! :slightly_smiling_face:

```
# nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/conf.d/crmapitest.konspec.in.conf:
server {

    root /var/www/crmstaging;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;
    server_name crmapitest.konspec.in; # managed by Certbot

    #add_header 'Access-Control-Allow-Origin' '*';

    location / {
            #add_header 'Access-Control-Allow-Origin' '*';
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ =404;
    }


    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/crmapitest.konspec.in/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/crmapitest.konspec.in/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = crmapitest.konspec.in) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    server_name crmapitest.konspec.in;
    listen 80;
    return 404; # managed by Certbot


}

# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

# configuration file /etc/nginx/conf.d/crmtest.konspec.in.conf:
server {

    root /var/www/crmwebstaging;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;
    server_name crmtest.konspec.in; # managed by Certbot

    #add_header 'Access-Control-Allow-Origin' '*';

    location / {
            #add_header 'Access-Control-Allow-Origin' '*';
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ =404;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/crmtest.konspec.in/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/crmtest.konspec.in/privkey.pem;
}

# configuration file /etc/nginx/sites-enabled/osticket.conf:
server {
listen 8081;
server_name support.konspec.in;   ## change server_name as per your domain name.
root /var/www/osticket/upload;

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
index index.php index.html index.htm;


# Enable gzip
gzip on;
gzip_min_length 1000;
gzip_types text/plain application/x-javascript text/xml text/css application/xml;

set $path_info "";

location ~ /include {
deny all;
return 403;
}

if ($request_uri ~ "^/api(/[^\?]+)") {
set $path_info $1;
}

location ~ ^/api/(?:tickets|tasks).*$ {
try_files $uri $uri/ /api/http.php?$query_string;
}

if ($request_uri ~ "^/scp/.*\.php(/[^\?]+)") {
set $path_info $1;
}

location ~ ^/scp/ajax.php/.*$ {
try_files $uri $uri/ /scp/ajax.php?$query_string;
}

location / {
try_files $uri $uri/ index.php;
}

location ~ \.php$ {
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
}
}

# configuration file /etc/nginx/fastcgi_params:

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

# configuration file /etc/nginx/snippets/fastcgi-php.conf:
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+?\.php)(/.*)$;

# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;

# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;

fastcgi_index index.php;
include fastcgi.conf;

# configuration file /etc/nginx/fastcgi.conf:

fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;
```

Backticks ( ` ) not periods, my friend. It's located on the key right below escape.


@griffin Thanks!

I don't understand what you mean by external.


My apologies. Have edited it.


I think you have nginx listening on port 8081 from outside your network. Likely port 80 as well.

That's much better! :smiley:


Definitely not something I have configured! This is the only server in my entire network running nginx. There is another web server running IIS on 80 within the same LAN as this Ubuntu server.

I definitely do not have any proxy server or some other device listening on 8081.


I'm digging through the configuration now.

In the meantime, just for clarity, what external ports are routed to what internal ports?


Here's what you've got for nginx:

IPv4 Port 80 (http):

  • crmapitest.konspec.in

IPv4 Port 443 (https):

  • crmapitest.konspec.in
  • crmtest.konspec.in

IPv6 Port 443 (https):

  • crmtest.konspec.in

IPv4 Port 8081 (http):

  • support.konspec.in

Since nginx matches virtual hosts by IP address and port then by server name, all port 80 requests over IPv4 will be handled by the crmapitest.konspec.in IPv4 port 80 server block.

http://nginx.org/en/docs/http/request_processing.html


Since the certbot nginx authenticator adds an exception to the used port 80 server block to serve the authentication files, it doesn't actually matter what server_name is specified in that server block. Therefore, there's no need to add a separate port 80 server block with the correct server_name. It's a bit hacky, but it works. :slightly_smiling_face:

Run this:

```
sudo certbot certonly --nginx -d "support.konspec.in"
```

Are you planning to turn port 8081 into an https port or create a new port for https and forward port 8081 to it or ?

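The virtual-host selection described above, worked through as an added example (not code from the thread or from nginx): a small model of nginx's listen-socket-then-server_name matching, fed the four server blocks listed in the nginx -T output. The labels and the IPv4/IPv6 family tags are assumptions for the report; regex server_names are not modelled.

```python
"""Model of nginx's server-block selection (listen socket first, then
server_name, then that socket's default server), applied to the server
blocks from the nginx -T output in this thread."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ServerBlock:
    label: str               # short label for the report, not an nginx directive
    listens: List[str]       # listen arguments as written: "80", "443", "[::]:443"
    server_names: List[str]
    default_server: bool = False


def _listen_matches(listen: str, family: str, port: int) -> bool:
    # "[::]:443" is an IPv6-only socket (ipv6only=on); a bare port is IPv4.
    if listen.startswith("["):
        return family == "ipv6" and listen.endswith(f"]:{port}")
    return family == "ipv4" and listen.rsplit(":", 1)[-1] == str(port)


def select_server(blocks: List[ServerBlock], family: str, port: int,
                  host: str) -> Optional[ServerBlock]:
    """Return the block nginx would route a request to, or None if nothing
    listens on that socket (a connect failure, not a 404)."""
    candidates = [b for b in blocks
                  if any(_listen_matches(l, family, port) for l in b.listens)]
    if not candidates:
        return None
    for b in candidates:                      # 1. exact server_name
        if host in b.server_names:
            return b
    best = None                               # 2. longest "*.example" wildcard
    for b in candidates:
        for name in b.server_names:
            if name.startswith("*.") and host.endswith(name[1:]):
                if best is None or len(name) > len(best[0]):
                    best = (name, b)
    if best:
        return best[1]
    for b in candidates:                      # 3. explicit default_server
        if b.default_server:
            return b
    return candidates[0]                      # 4. first block for that socket


# The four server blocks from the thread, in the order nginx reads them
# (conf.d/*.conf before sites-enabled/*). Labels are constructed here.
PAGE_BLOCKS = [
    ServerBlock("crmapitest-https", ["443"], ["crmapitest.konspec.in"]),
    ServerBlock("crmapitest-http", ["80"], ["crmapitest.konspec.in"]),
    ServerBlock("crmtest-https", ["[::]:443", "443"], ["crmtest.konspec.in"]),
    ServerBlock("osticket", ["8081"], ["support.konspec.in"]),
]


def route(family: str, port: int, host: str) -> Optional[str]:
    chosen = select_server(PAGE_BLOCKS, family, port, host)
    return chosen.label if chosen else None


if __name__ == "__main__":
    # The validator's request arrives on IPv4 port 80 with Host: support.konspec.in
    print(route("ipv4", 80, "support.konspec.in"))    # crmapitest-http, whose "return 404" answers
    print(route("ipv4", 8081, "support.konspec.in"))  # osticket
    print(route("ipv6", 80, "support.konspec.in"))    # None: nothing listens on [::]:80
```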

Oh thanks a lot @griffin for your pointers.

I managed to generate the certificates this way.

```
#certbot certonly --nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: crmapitest.konspec.in
2: crmtest.konspec.in
3: support.konspec.in
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 3
Attempting to parse the version 1.16.0 renewal configuration file found at /etc/letsencrypt/renewal/crmapitest.konspec.in.conf with version 0.40.0 of Certbot. This might not work.
Attempting to parse the version 1.16.0 renewal configuration file found at /etc/letsencrypt/renewal/crmtest.konspec.in.conf with version 0.40.0 of Certbot. This might not work.
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for support.konspec.in
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification...
Cleaning up challenges
```

I am now stuck with another problem that https is not working in the config file.
