SSL verification - GoDaddy cPanel server - ACME client is certbot


#1

So, I am trying to install a Let's Encrypt SSL certificate on a GoDaddy server and have followed the steps below
------------------------------------------------------------------------
Web Service Provider = Godaddy
Web Server : CPanel on Linux
Domain : www.99anchors.com, dev.new.citykites.com
SSH enabled
------------------------------------------------------------------------
My local machine is Mac OS X on Sierra.
I have installed Certbot on my local machine
------------------------------------------------------------------------
Followed the steps as mentioned here:
https://isabelcastillo.com/lets-encrypt-ssl-certificate-godaddy-shared-cpanel
Used command sudo certbot --apache certonly

Got the error as below

Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for dev.new.citykites.com
No vhost exists with servername or alias of: dev.new.citykites.com (or it's in a file with multiple vhosts, which Certbot can't parse yet). No vhost was selected. Please specify ServerName or ServerAlias in the Apache config, or split vhosts into separate files.
Falling back to default vhost *:443...
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. dev.new.citykites.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested 420317859e2dcfbf5fa9d75aa.acme.invalid from XXX.XXX.71.135:443. Received 2 certificate(s), first certificate had names "*.prod.phx3.secureserver.net, prod.phx3.secureserver.net"

   Domain: dev.new.citykites.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
   Requested
   42037d168226d109940f0dacfbf5fa9d75aa.acme.invalid
   from XXX.XXX.71.135:443. Received 2 certificate(s), first
   certificate had names "*.prod.phx3.secureserver.net,
   prod.phx3.secureserver.net"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

So it's actually giving me some hints, of course, that I failed the challenge and certbot was not able to download some file from the webserver…
Question is… what kind of file is it looking for and how can I upload it myself so certbot can download it from my local machine?
I have access to SSH.
Any help would be appreciated.
Thank you so much


#2

The command certbot --apache certonly isn’t in that how-to? They say to use --manual.


#3

Here is a guide:


#4

Hi @sachy123,

The command you ran is only applicable or useful if you’re running Certbot on your server, not on your local machine. The errors that you saw are because Certbot expected to be able to directly modify the configuration of Apache on your server. Since it was running on your local machine instead, it couldn’t do so.

It seems like this problem is coming up more and more often so maybe we should try to do more to figure out why so many people are trying to run Certbot on their local machines (especially with --apache in particular). There are forms of certbot --manual that can be useful when run on your local machine, and that will give you files to upload to your web server.


#5

Thank you!!
I ran sudo certbot certonly --manual
Also entered the domain names correctly and followed exactly the steps mentioned,
e.g. it asks me to ensure that the file is accessible from
http://www.99anchors.com/.well-known/acme-challenge/xxxxlongcode

So I created the file, as mentioned, via ssh'ing in to the domain 99anchors: create directories, wellknown and acme challenge, and printed the file xxxxlongcode inside acmechallenge

I got the error as below
IMPORTANT NOTES:
- The following errors were reported by the server:

   Domain: 99anchors.com
   Type:   unauthorized
   Detail: Invalid response from
   :
   "
   <meta http-equiv="content"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

And yeah…
I tried to paste the URL

http://99anchors.com/.well-known/acme-challenge/xxxlongcode
but of course, my website is running there and initially my .htaccess was redirecting all the requests to https… but…
I removed it, and still, it shows my file not found error because this is not the absolute path… I don't know what to do?
If you have any information about it please let me know. Thanks


#6

Hi @sachy123,

When you said “create directories, wellknown and acme challenge”, did you forget the hyphen? It should be .well-known, and acme-challenge should be inside of it.

I didn’t understand what you meant by

Did you understand why the file wasn’t found? Did you create the /.well-known/acme-challenge/xxxlongcode file inside of your web root directory?

Edit: Also, if you can ssh to the web server, why don’t you run Certbot there instead of on your local machine? That is how Certbot is designed to be used, and it can even possibly make the changes to the site for you instead of making you make them manually.
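What the validator is actually fetching (the question raised in #1 and the "Invalid response" in #5), as an added example that is not from the thread, certbot or acme.sh: the http-01 file body is the key authorization from RFC 8555 section 8.1, the token plus "." plus the RFC 7638 thumbprint of the ACME account key. The JWK below is a constructed placeholder rather than a real key, and the token is taken from the acme.sh log later in the thread.

```python
import base64
import hashlib
import json
import os
import re
import tempfile

# Constructed placeholder account key (NOT a real RSA key); only the thumbprint arithmetic matters here.
DUMMY_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-placeholder-modulus"}

def b64url(data: bytes) -> str:
    # Base64url without padding, as ACME uses throughout.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, sorted keys, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact body the CA expects to fetch for http-01."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def write_challenge(webroot: str, token: str, jwk: dict) -> str:
    """Place the challenge file under <webroot>/.well-known/acme-challenge/<token>."""
    # Tokens are base64url; refuse anything else so a bad token cannot escape the directory.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", token):
        raise ValueError("token is not base64url")
    path = os.path.join(webroot, ".well-known", "acme-challenge", token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, jwk))
    return path

def classify_response(body: str, expected: str) -> str:
    """Explain an 'Invalid response' the way the validator sees it."""
    text = body.strip()
    if text == expected:
        return "ok"
    if re.search(r"<(!doctype|html|meta)\b", text, re.IGNORECASE):
        return "html_page"   # a web page (redirect, 404 page) came back instead of the token file
    return "mismatch"        # e.g. the token was written without its '.thumbprint' suffix

def self_check(token: str = "how5Xabty_SJaZpY89X3OLT09dFDSko_yLm9v02lOqs") -> str:
    """Write the file into a scratch webroot and read it back, as a server-side sanity check."""
    with tempfile.TemporaryDirectory() as webroot:
        path = write_challenge(webroot, token, DUMMY_JWK)
        with open(path, encoding="ascii") as fh:
            return classify_response(fh.read(), key_authorization(token, DUMMY_JWK))
```

On the real server, point `write_challenge` at the account's document root and fetch the resulting URL over plain HTTP with curl: anything other than the exact key authorization (an HTML page from an .htaccess redirect, a 404 page) is what produces the "Invalid response" seen above.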


#7

Yes, the names of the folders are correct, .well-known and acme-challenge, and I created them under root. But then if it tries to verify via http, my website cannot recognize the path because it's not configured.

I tried installing certbot directly via ssh on the server but I received these errors

~]$ ./certbot-auto
"sudo" is not available, will use "su" for installation steps...
Sorry, I don't know how to bootstrap Certbot on your operating system!

You will need to bootstrap, configure virtualenv, and run pip install manually.
Please see https://letsencrypt.readthedocs.org/en/latest/contributing.html#prerequisites
for more info.

#8

I am running Apache on Linux Server, as it says on my Godaddy Cpanel account.


#9

Linux version 2.6.32-673.26.1.lve1.4.18.el6.x86_64 (mockbuild@build.cloudlinux.com) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC) ) #1 SMP Fri Oct 21 11:58:14 EDT 2016


#10

@Neilpang
Where do I install acme? On my local machine or on the server?

Download and install acme.sh
on the server, I get permission denied.


#11

Hello @Neilpang
Strangely I got permission denied when I run
curl https://get.acme.sh | sh
and
mkdir bin
cd bin
wget https://github.com/ZephrFish/static-tools/blob/master/netcat?raw=true -O nc
chmod +x nc

So is there a working procedure on how I can enable an SSL certificate on GoDaddy shared panel?


#12

@sachy123

Usually you should install on the server.
Please paste the output here, so that I can help you.


#13

You should cd to your home dir first, then install:

cd ~

curl https://get.acme.sh | sh


#14

Here is a guide:


#15

Great!!
Thanks… hope all other steps will work out too. Will let you know


#16

You don’t need to copy netcat, I think.

cd ~
export FORCE=1
curl https://get.acme.sh | sh

#17

I got this error unfortunately

[Fri Mar 10 03:34:11 MST 2017] Creating domain key
[Fri Mar 10 03:34:12 MST 2017] Multi domain='DNS:www.99anchors.com'
[Fri Mar 10 03:34:12 MST 2017] Getting domain auth token for each domain
[Fri Mar 10 03:34:12 MST 2017] Getting webroot for domain='99anchors.com'
[Fri Mar 10 03:34:12 MST 2017] Getting new-authz for domain='99anchors.com'
[Fri Mar 10 03:34:12 MST 2017] The new-authz request is ok.
[Fri Mar 10 03:34:12 MST 2017] Getting webroot for domain='www.99anchors.com'
[Fri Mar 10 03:34:12 MST 2017] Getting new-authz for domain='www.99anchors.com'
[Fri Mar 10 03:34:12 MST 2017] The new-authz request is ok.
[Fri Mar 10 03:34:12 MST 2017] Verifying:99anchors.com
[Fri Mar 10 03:34:15 MST 2017] 99anchors.com:Verify error:Invalid response from http://99anchors.com/.well-known/acme-challenge/how5Xabty_SJaZpY89X3OLT09dFDSko_yLm9v02lOqs: 
[Fri Mar 10 03:34:15 MST 2017] Please add '--debug' or '--log' to check more details.
[Fri Mar 10 03:34:15 MST 2017] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh

#18

So, my domain dev.new.citykites.com is verified!!!
But subdomain 99anchors.com can't be verified… what to do in this case?


#19

Is the domain 99anchors.com bound to the same web root folder as www.99anchors.com ?


#20

@Neilpang
Yes, you are right. It's pointing to the same root folder as www.99anchors.com