Sslforfree.com does not work


#1

My domain is: unlm.ga

I want to secure my site using Let’s Encrypt but I do not use cpanel and i don’t have SSH access. I do however, have a place where I can install my own certificate. None of that is important, basically, I go to sslforfree.com to get a certificate and it doesn’t matter whether i do ftp details, upload a file, or try dns verification, each time it gives me an error. This happens with every other one of my domains. How do I get around this?

EDIT: whenever i do a file upload, and test the files, i see the plain text values. but i still get an error. try http://unlm.ga/.well-known/acme-challenge/NODQmHz4CIlu6BOdj9Xd73EyyOgQ91GC966ibPefkNY and http://www.unlm.ga/.well-known/acme-challenge/VHxZDKxZ0LDjOiGZr1NK522n7tU--tmO88Il83pk3jY and you will see them as i do

EDIT 2: this is the error with file upload “Domain “unlm.ga” challenge3 failed. { “type”: “http-01”, “status”: “invalid”, “error”: { “type”: “urn:acme:error:unauthorized”, “detail”: “Invalid response from http://unlm.ga/.well-known/acme-challenge/NODQmHz4CIlu6BOdj9Xd73EyyOgQ91GC966ibPefkNY: “\u003chtml\u003e\u003cbody\u003e\u003cscript type=“text/javascript” src=”/aes.js” \u003e\u003c/script\u003e\u003cscript\u003efunction toNumbers(d){var e=[];d.replace(/(…)/g,func”", “status”: 403 }, “uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/547_Me22ZWhA3jFGMa9IidVSu35z_CnzykNv4w5okMg/516660357”, “token”: “NODQmHz4CIlu6BOdj9Xd73EyyOgQ91GC966ibPefkNY”, “keyAuthorization”: “NODQmHz4CIlu6BOdj9Xd73EyyOgQ91GC966ibPefkNY.dkY6mjQqSJdkNLUK4C5WPdjvSmGwVrbyjrKlD8nL5so”, “validationRecord”: [ { “url”: “http://unlm.ga/.well-known/acme-challenge/NODQmHz4CIlu6BOdj9Xd73EyyOgQ91GC966ibPefkNY”, “hostname”: “unlm.ga”, “port”: “80”, “addressesResolved”: [ “185.27.134.211” ], “addressUsed”: “185.27.134.211” } ] }"


#2

Do you or does your hosting provider have some kind of browser filtering? Because I can retreive your challenge perfectly when I click on the link you’ve provided in this post with Chromium (=Chrome), but when I try my Linux command line programs, I get:

osiris@server ~ $ curl -v http://unlm.ga/.well-known/acme-challenge/NODQmHz4CIlu6BOdj9Xd73EyyOgQ91GC966ibPefkNY
*   Trying 185.27.134.211...
* TCP_NODELAY set
* Connected to unlm.ga (185.27.134.211) port 80 (#0)
> GET /.well-known/acme-challenge/NODQmHz4CIlu6BOdj9Xd73EyyOgQ91GC966ibPefkNY HTTP/1.1
> Host: unlm.ga
> User-Agent: curl/7.52.1
> Accept: */*
> 
< HTTP/1.1 403 Forbidden
< Server: nginx
< Date: Thu, 19 Jan 2017 02:57:25 GMT
< Content-Type: text/html
< Content-Length: 162
< Connection: keep-alive
< Vary: Accept-Encoding
< 
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Curl_http_done: called premature == 0
* Connection #0 to host unlm.ga left intact
osiris@server ~ $ wget http://unlm.ga/.well-known/acme-challenge/NODQmHz4CIlu6BOdj9Xd73EyyOgQ91GC966ibPefkNY
--2017-01-19 03:56:12--  http://unlm.ga/.well-known/acme-challenge/NODQmHz4CIlu6BOdj9Xd73EyyOgQ91GC966ibPefkNY
Resolving unlm.ga... 185.27.134.211
Connecting to unlm.ga|185.27.134.211|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2017-01-19 03:56:12 ERROR 403: Forbidden.

osiris@server ~ $ 

So my guess is your hosting provider blocks requests from a “non-known” browser identification… Including the request from Let’s Encrypt… Why? I dunno… You should ask them.


#3

I don’t know what this particular host uses. Is there an IP I can try to whitelist?

EDIT: cannot whitelist, only block. why can’t it work over FTP? I don’t have a certificate for secure FTP so i get that error in FileZilla but that shouldnt make a difference right?


#4

The FTP option is only about how you get the file on your web host. That’s specific to sslforfree.com. The validation request sent from Let’s Encrypt is always made via HTTP.

If your host is unable to prevent this from happening, your best option would probably be the DNS verification. You mentioned that one didn’t work either - can you share the error you got with that? It would be different from the one you have with the HTTP challenge (since there’s no HTTP request involved, just a DNS query).


#5

Hmmm, I can’t use txt DNS with this domain, actually. I can only add CNAME and MX records. This type of hosting is meant for resellers but I use it for the high bandwidth limit.

I had an idea though - I can generate a CSR for the domain, but when I go to use it in sslforfree.com as soon as i start typing it goes away and reloads the page. This happens with Opera, Chrome, Safari, and Firefox for me. Is this a common issue, or am I just having troubles?


#6

It would technically be possible to get this done just with a CNAME record if you have a second domain and DNS server where you can create TXT records as well. You would basically create a CNAME record for _acme-challenge.example.com (where example.com is the domain you want to get a certificate for) and point it to the domain where you can create a TXT record with the challenge token. acme-dns wraps this up in a nice package.

I’m just including this option for completeness’ sake. I’m not sure if the complexity is worth it.

I don’t know about why this is happening, but providing your own CSR would not change the issue you have with domain validation. The domain would still have to be validated via that HTTP request or a DNS query. The only difference is that sslforfree.com does not generate the private key for you if you use the CSR option.


#7

Thank you for the second bit.

Basically what you’re saying is if I create a CNAME (_acme-challenge.unlm.ga) and point it to one of my other domains, I can create a TXT on that other domain and verify it.

I believe i have figured it, will reply if I need more assistance. Thank you very much for your time!


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.