SSL certificate failing for redirected domain

I successfully generated an SSL certificate for the main domain, awesomehalal.com and www.awesomehalal.com. I'm having difficulty adding awesomehalalandgyro.com, which redirects to awesomehalal.com via DNS, to the certificate. I have tried various nginx configs and most recently tried duplicating the config from awesomehalal.com as a separate file for awesomehalalandgyro.com.

My domain is: awesomehalal.com & awesomehalalandgyro.com

I ran this command: sudo certbot --nginx -d awesomehalal.com -d www.awesomehalal.com -d awesomehalalandgyro.com -d www.awesomehalalandgyro.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/awesomehalal.com.conf)

It contains these names: awesomehalal.com, www.awesomehalal.com

You requested these names for the new certificate: awesomehalal.com,
www.awesomehalal.com, awesomehalalandgyro.com, www.awesomehalalandgyro.com.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: e
Renewing an existing certificate for awesomehalal.com and 3 more domains

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: awesomehalalandgyro.com
  Type:   unauthorized
  Detail: 192.64.119.128: Invalid response from http://awesomehalal.com: "<!DOCTYPE html>\n<html>\n  <head>\n    \n      <title>\n        \n          \n          Awesome Halal and Gyro\n        \n      </title>\n"

  Domain: www.awesomehalalandgyro.com
  Type:   unauthorized
  Detail: 192.64.119.128: Invalid response from http://www.awesomehalal.com: "<!DOCTYPE html>\n<html>\n  <head>\n    \n      <title>\n        \n          \n          Awesome Halal and Gyro\n        \n      </title>\n"

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx 1.18.0

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: Hostinger

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0

awesomehalal nginx config:

server {
    #index index.html index.nginx-debian.html;

    server_name awesomehalal.com www.awesomehalal.com;

    location /static {
        alias /home/danny/awesomehalal/app/static;
    }

    location / {
        proxy_pass http://localhost:8000;
        include /etc/nginx/proxy_params;
        proxy_redirect off;
    }

    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;

}

awesomehalalandgyro nginx config:

server {
    #index index.html index.nginx-debian.html;

    server_name awesomehalalandgyro.com www.awesomehalalandgyro.com;

    location /static {
        alias /home/danny/awesomehalal/app/static;
    }

    location / {
        proxy_pass http://localhost:8000;
        include /etc/nginx/proxy_params;
        proxy_redirect off;
    }

    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;

}

Welcome to the community @drpernik

Your new gyro domain has its DNS pointing to a different server.

Certbot --nginx plug-in only adjusts the nginx on the same system certbot runs on.

nslookup awesomehalal.com
Address: 89.116.212.113

nslookup awesomehalalandgyro.com
Address: 192.64.119.128

If these will be separate, then run Certbot on each of them.

UPDATE: I just realized what you meant when you said you redirected it. You should probably just change the DNS in Namecheap to point directly to the IP address of the server rather than using the URL Forward service.

6 Likes

Supplemental information:

$ curl -Ii http://awesomehalal.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 NOT FOUND
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 02 Mar 2023 00:05:19 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 4507
Connection: keep-alive
$ curl -Ii http://www.awesomehalal.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 NOT FOUND
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 02 Mar 2023 00:05:26 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 4507
Connection: keep-alive
$ curl -Ii http://awesomehalalandgyro.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Date: Thu, 02 Mar 2023 00:05:49 GMT
Connection: keep-alive
Location: http://awesomehalal.com
X-Served-By: Namecheap URL Forward
Server: namecheap-nginx
$ curl -Ii http://www.awesomehalalandgyro.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Date: Thu, 02 Mar 2023 00:05:59 GMT
Connection: keep-alive
Location: http://www.awesomehalal.com
X-Served-By: Namecheap URL Forward
Server: namecheap-nginx
$ nmap -Pn awesomehalal.com
Starting Nmap 7.80 ( https://nmap.org ) at 2023-03-02 00:07 UTC
Nmap scan report for awesomehalal.com (89.116.212.113)
Host is up (0.028s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 5.65 seconds
$ nmap -Pn www.awesomehalal.com
Starting Nmap 7.80 ( https://nmap.org ) at 2023-03-02 00:07 UTC
Nmap scan report for www.awesomehalal.com (89.116.212.113)
Host is up (0.047s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 5.37 seconds
1 Like

Please explain better:

2 Likes

I mean: I don't see any DNS "redirection"

Name:    awesomehalal.com
Address: 89.116.212.113
Name:    www.awesomehalal.com
Address: 89.116.212.113
Name:    awesomehalalandgyro.com
Address: 192.64.119.128
Name:    www.awesomehalalandgyro.com
Address: 192.64.119.128
2 Likes

Here it is. It's the Namecheap URL Forward service. It's set in Namecheap's DNS config section, if I recall correctly.

curl -i awesomehalalandgyro.com

HTTP/1.1 301 Moved Permanently
Location: http://awesomehalal.com
X-Served-By: Namecheap URL Forward
Server: namecheap-nginx

<a href='http://awesomehalal.com'>Moved Permanently</a>.

The DNS for "gyro" domains should have the same IP as the other domain (almost certainly)

4 Likes

Well, it nonetheless fails to properly redirect the ACME challenge requests:
[via HTML - NOT done in DNS]

curl -i http://awesomehalalandgyro.com/.well-known/acme-challenge/TEst_File-1234
HTTP/1.1 301 Moved Permanently
Date: Thu, 02 Mar 2023 02:03:13 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 58
Connection: keep-alive
Location: http://awesomehalal.com   <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
X-Served-By: Namecheap URL Forward
Server: namecheap-nginx
<a href='http://awesomehalal.com'>Moved Permanently</a>.

curl -i http://www.awesomehalalandgyro.com/.well-known/acme-challenge/TEst_File-1234
HTTP/1.1 301 Moved Permanently
Date: Thu, 02 Mar 2023 02:03:23 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 62
Connection: keep-alive
Location: http://www.awesomehalal.com   <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
X-Served-By: Namecheap URL Forward
Server: namecheap-nginx
<a href='http://www.awesomehalal.com'>Moved Permanently</a>.
2 Likes
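The two posts above show the failure mechanism in the curl output: the URL Forward service answers with a 301 whose Location is just the bare domain, so the path `/.well-known/acme-challenge/<token>` is discarded and the CA lands on the home page instead of the token. The script below, an added example that is not code from this thread, from Certbot or from Let's Encrypt, classifies a redirect by whether it keeps that path. The `Response` type, `classify`, `audit` and `probe` functions and the sample responses are all constructed for the example; the sample responses mirror the headers quoted in the thread.

```python
"""Check whether an HTTP redirect preserves the ACME HTTP-01 challenge path.

Added example, not code from the thread or from Certbot/Let's Encrypt.
HTTP-01 validation fetches http://<domain>/.well-known/acme-challenge/<token>.
A redirect is acceptable only if it keeps that path (changing host or scheme
is fine); a URL-forward service that answers "Location: http://other.example"
sends the CA to the site's home page, which is the "Invalid response ...
<!DOCTYPE html>" failure seen in the first post.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass
from urllib.parse import urljoin, urlsplit

ACME_PREFIX = "/.well-known/acme-challenge/"
REDIRECT_CODES = (301, 302, 303, 307, 308)


@dataclass
class Response:
    url: str            # URL that was requested
    status: int         # HTTP status code
    location: str = ""  # Location header, if any


def classify(resp: Response) -> str:
    """Return 'ok', 'path-dropped', 'bad-target' or 'no-redirect'."""
    if resp.status not in REDIRECT_CODES:
        # Any non-redirect (a 404 for a made-up token is normal before
        # certbot installs its temporary challenge block).
        return "no-redirect"
    target = urljoin(resp.url, resp.location)   # Location may be relative
    src, dst = urlsplit(resp.url), urlsplit(target)
    if dst.scheme not in ("http", "https"):
        return "bad-target"                     # CA only follows http/https
    if dst.path != src.path or not dst.path.startswith(ACME_PREFIX):
        return "path-dropped"                   # token path lost in redirect
    return "ok"                                 # host/scheme may differ


def audit(responses: list[Response]) -> dict[str, str]:
    """Map each requested hostname to its classification."""
    return {urlsplit(r.url).hostname: classify(r) for r in responses}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so we can inspect them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url: str, timeout: float = 10.0) -> Response:
    """Live check of one challenge URL (requires network; not used offline)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as r:
            return Response(url, r.status, r.headers.get("Location", ""))
    except urllib.error.HTTPError as e:
        # With redirects disabled, 3xx and 4xx both arrive as HTTPError.
        return Response(url, e.code, e.headers.get("Location", ""))


# Constructed sample responses mirroring the curl output quoted in the thread.
SAMPLE_RESPONSES = [
    Response("http://awesomehalal.com/.well-known/acme-challenge/TEst_File-1234", 404),
    Response("http://awesomehalalandgyro.com/.well-known/acme-challenge/TEst_File-1234",
             301, "http://awesomehalal.com"),
    Response("http://www.awesomehalalandgyro.com/.well-known/acme-challenge/TEst_File-1234",
             301, "http://www.awesomehalal.com"),
    # Constructed: a path-preserving http->https redirect, which validation follows.
    Response("http://example.test/.well-known/acme-challenge/TEst_File-1234",
             301, "https://example.test/.well-known/acme-challenge/TEst_File-1234"),
]

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{host:35} {verdict}")
```

`probe()` is the live equivalent of the `curl -i` calls in the thread; running `classify(probe(url))` against each name before invoking certbot tells you whether the forward will break validation without spending a rate-limited certificate attempt.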

Did you see my post:
[not same IPs]

OR
Do you mean "should" as that is the "fix" that should be applied to best correct this problem?

4 Likes

Yes, I agree with you the poster used imprecise language.

But, my point is that in Namecheap's control panel I'm pretty sure the URL Forward feature is part of the DNS Section.

It has been many years since I used Namecheap but I remember it being confusing. I'm not surprised someone else could misunderstand what that really did.

And, yes, when I say their DNS "should" point to their actual server that is the fix. I said as much in post #2 also.

The only reason I added "probably" in post #2 is in case they ultimately have two separate servers. Then, of course, each DNS should point to its own respective server and one Certbot --nginx command can't include them both. In any case, neither should be using the URL Forward service.

4 Likes

Thank you all very much. I now have the domains successfully added to the SSL certificate. Currently, however, the gyro domain only redirects when http is entered, not https. I've tried to modify the certbot-generated config based on answers I've seen elsewhere, but not quite there yet. Note my changes to the return 301 statements for the gyro domain:

server {
    #index index.html index.nginx-debian.html;

    server_name awesomehalal.com www.awesomehalal.com awesomehalalandgyro.com www.awesomehalalandgyro.com;

    location /static {
        alias /home/danny/awesomehalal/app/static;
    }

    location / {
        proxy_pass http://localhost:8000;
        include /etc/nginx/proxy_params;
        proxy_redirect off;
    }

    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/awesomehalal.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/awesomehalal.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = www.awesomehalalandgyro.com) {
        return 301 https://awesomehalal.com$request_uri;
    } # managed by Certbot


    if ($host = awesomehalalandgyro.com) {
        return 301 https://awesomehalal.com$request_uri;
    } # managed by Certbot


    if ($host = www.awesomehalal.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = awesomehalal.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    server_name awesomehalal.com www.awesomehalal.com awesomehalalandgyro.com www.awesomehalalandgyro.com;
    listen 80;
    return 404; # managed by Certbot
}

You can effectively shrink all this:

Down to just this:

server {
    server_name awesomehalal.com www.awesomehalal.com awesomehalalandgyro.com www.awesomehalalandgyro.com;
    listen 80;
    return 301 https://awesomehalal.com$request_uri;
}

That said, I think the reason for your problem is that the server block shown isn't being used.
I suspect there is some other block that overlaps and precedes this one in the configuration.

The parts of the configs shown in your first post lack the "listen 80;" statement line.
So, how about we have a look at the entire nginx config, with:
nginx -T

3 Likes

You will need to add the above in your server block for https (port 443) too if you want to redirect from "gyro" to the other. Could remove the "managed by Certbot" comment so you don't forget you did this manually :slight_smile:

4 Likes

MikeMcQ that makes perfect sense, I'm sure that will fix my issue.

rg305 for the sake of my/others' understanding, as well as code efficiency, I'd like to explore your solution as well. Here is my nginx -T:

sudo nginx -T
[sudo] password for danny:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip2.conf:
load_module modules/ngx_http_geoip2_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip2.conf:
load_module modules/ngx_stream_geoip2_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/sites-enabled/awesomehalal:
server {
    #index index.html index.nginx-debian.html;

    server_name awesomehalal.com www.awesomehalal.com awesomehalalandgyro.com www.awesomehalalandgyro.com;

    location /static {
        alias /home/danny/awesomehalal/app/static;
    }

    location / {
        proxy_pass http://localhost:8000;
        include /etc/nginx/proxy_params;
        proxy_redirect off;
    }

    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;



    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/awesomehalal.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/awesomehalal.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = www.awesomehalalandgyro.com) {
        return 301 https://awesomehalal.com$request_uri;
    } # managed by Certbot


    if ($host = awesomehalalandgyro.com) {
        return 301 https://awesomehalal.com$request_uri;
    } # managed by Certbot


    if ($host = www.awesomehalal.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = awesomehalal.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot



    server_name awesomehalal.com www.awesomehalal.com awesomehalalandgyro.com www.awesomehalalandgyro.com;
    listen 80;
    return 404; # managed by Certbot

}

# configuration file /etc/nginx/proxy_params:
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "not-sure-if-this-is-sensitive-info";

What happened to these server blocks?
[I don't see them in that output]

2 Likes

They are not.

4 Likes

I consolidated them in my later reply:

I think I see how you can do what you want.
Change this part:

To these two parts:

server {
    server_name awesomehalalandgyro.com www.awesomehalalandgyro.com;

    return 301 https://awesomehalal.com$request_uri;

    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/awesomehalal.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/awesomehalal.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    #index index.html index.nginx-debian.html;

    server_name awesomehalal.com www.awesomehalal.com;

    location /static {
        alias /home/danny/awesomehalal/app/static;
    }

    location / {
        proxy_pass http://localhost:8000;
        include /etc/nginx/proxy_params;
        proxy_redirect off;
    }

    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/awesomehalal.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/awesomehalal.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
2 Likes

Thank you guys. Given that both solutions require repeated information in each server block, I stuck to the first one, which was closer to what I already had. Working great. Here's my final config file – even removed "managed by Certbot" on lines I had edited :slight_smile:

server {
    #index index.html index.nginx-debian.html;

    server_name awesomehalal.com www.awesomehalal.com awesomehalalandgyro.com www.awesomehalalandgyro.com;

    if ($host = www.awesomehalalandgyro.com) {
        return 301 https://awesomehalal.com$request_uri;
    }


    if ($host = awesomehalalandgyro.com) {
        return 301 https://awesomehalal.com$request_uri;
    }


    location /static {
        alias /home/danny/awesomehalal/app/static;
    }

    location / {
        proxy_pass http://localhost:8000;
        include /etc/nginx/proxy_params;
        proxy_redirect off;
    }

    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/awesomehalal.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/awesomehalal.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = www.awesomehalalandgyro.com) {
        return 301 https://awesomehalal.com$request_uri;
    }

    if ($host = awesomehalalandgyro.com) {
        return 301 https://awesomehalal.com$request_uri;
    }


    if ($host = www.awesomehalal.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = awesomehalal.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    server_name awesomehalal.com www.awesomehalal.com awesomehalalandgyro.com www.awesomehalalandgyro.com;
    listen 80;
    return 404; # managed by Certbot

}

3 Likes
