Following the steps at https://gethttpsforfree.com I'm encountering problems in step 4, "Verify Ownership". I chose to verify ownership using a DNS record:
https://drive.google.com/open?id=1zdKHoytEIzRjRfTdP4hWVaQnZeuHnHVt
I added a DNS TXT record with name _acme-challenge and value m_ZQ6A0hHS7J_kKBxmh2NBZitftxcfqVhCD5gmw32cU
According to my Domain Name Provider https://www.namecheap.com/support/knowledgebase/article.aspx/767/10/how-to-change-dns-for-a-domain
with Namecheap BasicDNS my hosting nameservers are:
dns1.namecheaphosting.com
dns2.namecheaphosting.com
```
marco@pc01:~/go/src/MyPage$ dig +short dns1.namecheaphosting.com _acme-challenge.www.ggc.world TXT
216.87.155.33
;; connection timed out; no servers could be reached
```
Looking forward to your kind help.
Marco
Hi @marcoippolito
these are not your name servers.
Checked your domain via https://check-your-website.server-daten.de/?q=ggc.world
Your ip address:

| Host | Type | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| ggc.world | A | 37.116.210.18 | yes | 1 | 0 |
| ggc.world | AAAA | | yes | | |
| www.ggc.world | A | 37.116.210.18 | yes | 1 | 0 |
| www.ggc.world | AAAA | | yes | | |
Your name servers:

| Domain | Nameserver | NS-IP |
|---|---|---|
| www.ggc.world | dns1.registrar-servers.com | |
| ggc.world | dns1.registrar-servers.com | 216.87.155.33, 2620:74:19::33 |
| ggc.world | dns2.registrar-servers.com | 216.87.152.33, 2001:502:cbe4::33 |
There is one - perhaps old - correct dns TXT entry:
9. TXT - Entries

| Domainname | TXT Entry | Status | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|
| ggc.world | v=spf1 include:spf.efwd.registrar-servers.com ~all | ok | 1 | 0 |
| www.ggc.world | | ok | 1 | 0 |
| _acme-challenge.ggc.world | m_ZQ6A0hHS7J_kKBxmh2NBZitftxcfqVhCD5gmw32cU | looks good | 1 | 0 |
| _acme-challenge.www.ggc.world | | Name Error - The domain name does not exist | 1 | 0 |

The _acme-challenge.www.ggc.world doesn't exist.
I added _acme-challenge.www.ggc.world as DNS TXT Record:
https://drive.google.com/open?id=1A7ZBGJBL0zSUwsZ6y42B2DE6-ymp0Xxl
And now:
```
marco@pc01:~/go/src/MyPage$ dig +short @dns1.registrar-servers.com _acme-challenge.www.ggc.world TXT
marco@pc01:~/go/src/MyPage$
```
No error occurs but nothing happens… is it correct, or how should I proceed?
That's the wrong entry (and) I can't see that result, so it can't work.
If you use such a menu, the context should add the domain. So the name must be _acme-challenge without the domain.
If you want a certificate with non-www and www, you have two different txt values. Not the same.
Rechecking your domain - https://check-your-website.server-daten.de/?q=ggc.world#txt - the result isn't visible.
9. TXT - Entries

| Domainname | TXT Entry | Status | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|
| ggc.world | v=spf1 include:spf.efwd.registrar-servers.com ~all | ok | 1 | 0 |
| www.ggc.world | | ok | 1 | 0 |
| _acme-challenge.ggc.world | m_ZQ6A0hHS7J_kKBxmh2NBZitftxcfqVhCD5gmw32cU | looks good | 1 | 0 |
| _acme-challenge.www.ggc.world | | Name Error - The domain name does not exist | 1 | 0 |
| _acme-challenge.ggc.world.ggc.world | | Name Error - The domain name does not exist | 1 | 0 |
| _acme-challenge.www.ggc.world.www.ggc.world | | Name Error - The domain name does not exist | 1 | 0 |
I see, I should update my tool. You have another type of wrong entry.
Checking that manual I can find it:
```
nslookup -type=TXT _acme-challenge.www.ggc.world.ggc.world.
_acme-challenge.www.ggc.world.ggc.world text =
"m_ZQ6A0hHS7J_kKBxmh2NBZitftxcfqVhCD5gmw32cU"
```
It's a combination of www+domainname + domainname.
I’ve updated my tool. Now the wrong TXT entry is shown.
_acme-challenge + www + domainname + domainname (added from the menu).
JuergenAuer:
> That's the wrong entry (and) I can't see that result, so it can't work.
> If you use such a menu, the context should add the domain. So the name must be _acme-challenge without the domain.
> If you want a certificate with non-www and www, you have two different txt values. Not the same.
Please forgive me... I do not understand how precisely to modify the entries in that menu:
for ggc.world : Type: TXT, Host: _acme-challenge, Value: m_ZQ6A0hHS7J_kKBxmh2NBZitftxcfqVhCD5gmw32cU , which is the value indicated here: https://drive.google.com/open?id=1mlvpg2VEpHe5ozAkKZdijTDZrBtRnucg
for www.ggc.world: Type: TXT ,Host: _acme-challenge, and Value: ?
how can I get a new value to put into Value field for www.ggc.world ? :
https://drive.google.com/open?id=1ipRzdOUd2eu-rlGwxSUruLN6J0Z3_8Xo
In your menu, the host must be _acme-challenge.www; the menu adds your domain name, so the result is _acme-challenge.www.ggc.world.
If you want to create one certificate with two domain names (non-www and www), this tool gethttpsforfree.com
(I don't use it) should create two different txt values.
If you have only one TXT value, you should start new.
But I don't know if that tool supports multiple domain names in one certificate.
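The point above, that a registrar menu appends the zone to whatever is typed into the Host field, is the source of every wrong entry in this thread. The following is an added example (not code from the thread or from gethttpsforfree.com) that models that menu behaviour for ggc.world, works out what to type to get a wanted name, and flags the doubled-suffix mistake (a name ending in .ggc.world.ggc.world); the zone and record names are from the thread, the rest is illustrative.

```python
"""Work out which DNS name a registrar's "Host" field produces.

Added example, not code from the original thread or from gethttpsforfree.com.
It models the menu behaviour described in the thread: whatever is typed into
"Host" gets the zone name (here ggc.world) appended. The zone and the record
names come from the thread; everything else is an assumption for illustration.
"""

ZONE = "ggc.world"


def resulting_name(host_field, zone=ZONE):
    """Return the fully qualified name the menu creates for `host_field`.
    "@" or an empty field means the zone apex, as most registrar UIs do."""
    host = host_field.strip().rstrip(".")
    if host in ("", "@"):
        return zone
    return f"{host}.{zone}"


def host_field_for(fqdn, zone=ZONE):
    """Inverse of resulting_name: what to type into "Host" to get `fqdn`."""
    fqdn = fqdn.rstrip(".")
    if fqdn == zone:
        return "@"
    suffix = "." + zone
    if not fqdn.endswith(suffix):
        raise ValueError(f"{fqdn} is not inside zone {zone}")
    return fqdn[: -len(suffix)]


def check_host_field(host_field, wanted_fqdn, zone=ZONE):
    """Return a list of problems with the entry (empty when it is correct)."""
    problems = []
    actual = resulting_name(host_field, zone)
    if actual != wanted_fqdn:
        problems.append(f"menu creates {actual}, not {wanted_fqdn}; "
                        f"type {host_field_for(wanted_fqdn, zone)!r} instead")
    # The mistake in the thread: typing the full name makes the menu append
    # the zone a second time, giving ...ggc.world.ggc.world.
    if actual.endswith(f".{zone}.{zone}"):
        problems.append("zone appended twice: enter the host without the domain")
    return problems


def doubled_suffix_names(names, zone=ZONE):
    """From names seen in DNS (a zone export or a checker's table), return
    those where the zone was appended twice."""
    tail = f".{zone}.{zone}"
    return [n for n in names if n.rstrip(".").endswith(tail)]


if __name__ == "__main__":
    for entry, wanted in [("_acme-challenge", "_acme-challenge.ggc.world"),
                          ("_acme-challenge.www", "_acme-challenge.www.ggc.world"),
                          ("_acme-challenge.www.ggc.world", "_acme-challenge.www.ggc.world")]:
        print(entry, "->", resulting_name(entry), check_host_field(entry, wanted) or "ok")
```

Running it shows the three entries from the thread: `_acme-challenge` and `_acme-challenge.www` are right, while typing the full name produces `_acme-challenge.www.ggc.world.ggc.world` and is reported with the value to type instead.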
JuergenAuer:
> If you want to create one certificate with two domain names (non-www and www), this tool gethttpsforfree.com (I don't use it) should create two different txt values.
> If you have only one TXT value, you should start new.
> But I don't know if that tool supports multiple domain names in one certificate.
I thought that opening a new page of https://gethttpsforfree.com/ and repeating the whole 4 steps I would have obtained a new txt value. But the value I obtained is again exactly the same: m_ZQ6A0hHS7J_kKBxmh2NBZitftxcfqVhCD5gmw32cU
So, with only 1 txt value, what should I do? What do you mean as starting new?
I changed the host as _acme-challenge.www : https://drive.google.com/open?id=11viAJ5EclQnm5soMMqn9u4IwMaD1YDFQ
But I do not understand what to do if I have two hosts, _acme-challenge and _acme-challenge.www, but only 1 txt value
@JuergenAuer
I tried :
```
marco@pc01:~/go/src/MyPage$ dig +short @dns1.registrar-servers.com _acme-challenge.www.ggc.world TXT
"m_ZQ6A0hHS7J_kKBxmh2NBZitftxcfqVhCD5gmw32cU"
marco@pc01:~/go/src/MyPage$
```
is it correct or what should I modify in order to get the correct answer?
You have to add the two domain names in gethttpsforfree.com, not only one domain name.
Now it looks good.
If the site shows you the same TXT value, then this site works with the same order, that's good.
Try to finish it, then we will see if it works.
In theory, this (result of your last check)
9. TXT - Entries

| Domainname | TXT Entry | Status | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|
| ggc.world | v=spf1 include:spf.efwd.registrar-servers.com ~all | ok | 1 | 0 |
| www.ggc.world | | ok | 1 | 0 |
| _acme-challenge.ggc.world | m_ZQ6A0hHS7J_kKBxmh2NBZitftxcfqVhCD5gmw32cU | looks good | 1 | 0 |
| _acme-challenge.www.ggc.world | m_ZQ6A0hHS7J_kKBxmh2NBZitftxcfqVhCD5gmw32cU | looks good | 1 | 0 |
is wrong, because two different domain names can't use the same value.
But if your order has only one domain name, Letsencrypt doesn't check the other domain name, so it's not critical.
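Why two domain names cannot share one TXT value follows from how the dns-01 value is derived: the CA issues a separate challenge token per identifier in the order, and the published value is base64url(SHA-256(token "." account-key-thumbprint)) per RFC 8555, so the value differs per name even with the same account key. The following is an added example (not code from the thread or from gethttpsforfree.com) that derives the expected record for each name and checks observed TXT strings against them; the account key and tokens are constructed sample values, only the domain names are from the thread.

```python
"""Derive the DNS-01 TXT value per domain name, as an ACME client does.

Added example, not code from the original thread or from gethttpsforfree.com.
Per RFC 8555 the TXT value is base64url(SHA-256(token "." thumbprint)),
where thumbprint is the RFC 7638 thumbprint of the account key and the
token is issued by the CA separately for each identifier in the order.
The account key and the tokens below are constructed sample values, not
real ones; the domain names are from the thread.
"""
import base64
import hashlib
import json


def b64url(data):
    """base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638: hash the required members only, lexicographically ordered,
    serialised without whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token, jwk):
    """TXT RDATA for one dns-01 challenge (RFC 8555 section 8.4)."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def expected_txt_records(tokens_by_name, jwk):
    """Map each identifier's challenge token to the record that must be
    published: _acme-challenge.<name> -> value."""
    return {f"_acme-challenge.{name}": dns01_txt_value(token, jwk)
            for name, token in tokens_by_name.items()}


def missing_records(expected, observed):
    """Names whose expected value is not among the TXT strings seen in DNS.
    `observed` maps record name -> set of TXT strings (e.g. from dig)."""
    return sorted(name for name, value in expected.items()
                  if value not in observed.get(name, set()))


# Constructed sample account key (not a real key; only its thumbprint matters here).
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB",
              "n": "sample-modulus-not-a-real-key-0123456789abcdef",
              "alg": "RS256"}  # extra members are ignored by the thumbprint

# Constructed sample tokens: the CA issues one per identifier in the order.
SAMPLE_TOKENS = {"ggc.world": "tokenForApexConstructed",
                 "www.ggc.world": "tokenForWwwConstructed"}


if __name__ == "__main__":
    expected = expected_txt_records(SAMPLE_TOKENS, SAMPLE_JWK)
    for name, value in expected.items():
        print(f'{name} TXT "{value}"')
    # Publishing the apex value under both names, as happened in the thread,
    # leaves the www challenge unsatisfied.
    apex = expected["_acme-challenge.ggc.world"]
    observed = {"_acme-challenge.ggc.world": {apex},
                "_acme-challenge.www.ggc.world": {apex}}
    print("missing:", missing_records(expected, observed))
```

The 43-character values match the length of the ones seen in the thread's dig output (a SHA-256 digest in unpadded base64url). Feeding `missing_records` the strings a `dig +short ... TXT` query returns, per name, tells you before the order is finalized which identifier would fail validation.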
Next steps results:
-> https://drive.google.com/open?id=10nEAYWCYDotinm4x_D9CHJLJjRkQrhEA
-> Step06-01, Step06-02
Result:
```
marco@pc01:~/go/src/MyPage$ dig +short @dns1.registrar-servers.com _acme-challenge.ggc.world TXT
"m_ZQ6A0hHS7J_kKBxmh2NBZitftxcfqVhCD5gmw32cU"
"vQx5H9sjuDBHUeHuPZsRpQ4tgNvZ4PFQ4jaX13bj4Jo"
marco@pc01:~/go/src/MyPage$
```
So… it seems OK.
-> https://drive.google.com/open?id=1IuOMxzmchWWvXHzNpSKPm85cOas9S0hW
-> Certificate Generated: https://drive.google.com/open?id=1c4f7jXIP2IAhkEFsZXtMwNq7vtfqwrfL
-> Certificate Installation:
-> /etc/nginx/conf.d/default.conf :
https://drive.google.com/open?id=15mzZtydYlsfKO5v7vnuy9yzoD8MJ3CC-
Clicking “Test Install”: https://drive.google.com/open?id=1UiUgr_3_DEYUzkHRsI_MLz2hmO9ubRAB
it fails:
" Unable to connect to server - failed to connect to the server, it usually happens due to firewall restrictions"
But:
```
marco@pc01:~/go/src/MyPage$ sudo ufw status
Status: inactive
```
and also in the laptop I’m using to connect to the server :
```
riccardo@riccardo-HP-Laptop-15-da0xxx:~$ sudo ufw status
Status: inactive
```
So… @JuergenAuer which other reasons can cause "Assessment failed: Unable to connect to the server " ?
And the Internet Service Provider’s Firewall Settings are the following (no firewall !!) :
@JuergenAuer The certificate has been sent: https://drive.google.com/open?id=1tJoli0dEfHi42JJ2TAVYK9h4PFF5-fPm
Now I do have to understand why when connecting to https://ggc.world with my smartphone it says “The Website cannot give a secure connection”
Now you have created a correct certificate ( https://check-your-website.server-daten.de/?q=ggc.world#ct-logs ):
| CertSpotter-Id | Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|---|
| 903902480 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-05-10 09:50:09 | 2019-08-08 09:50:09 | ggc.world, www.ggc.world (2 entries) | duplicate nr. 1 | |
But I don’t see something about your configuration, only timeouts:
If this is a home server, you may need a port forwarding port 80 extern -> port 80 intern, same with port 443.
And first check (with curl or another tool) if your webserver / port 443 works internal.
At first glance it seems working now: https://drive.google.com/open?id=1I8kQtZ8cq0uEjNffr_4hEcIL1Wt7ZHoJ
Anything else to check and verify?
Happy to see that it works.
I don't know. Because my tool sees only a blocking firewall ( https://check-your-website.server-daten.de/?q=ggc.world ):
| Domainname | IP | Http-Status | redirect | Sec. | G | Message |
|---|---|---|---|---|---|---|
| http://ggc.world/ | 37.116.210.18 | -2 | | 1.097 | V | ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 37.116.210.18:80 |
| http://www.ggc.world/ | 37.116.210.18 | -2 | | 1.097 | V | ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 37.116.210.18:80 |
| https://ggc.world/ | 37.116.210.18 | -2 | | 1.097 | V | ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 37.116.210.18:443 |
| https://www.ggc.world/ | 37.116.210.18 | -2 | | 1.180 | V | ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 37.116.210.18:443 |
Perhaps you should fix that, so you can use http-01 validation, so you don't need --manual.
/.well-known/acme-challenge/unknown-file has the same blocking answer, but that must answer if you want to use http-01 validation.
I do not understand two things:
where the firewall your tools detect comes from, since the PC-Server, the laptop, and the Internet Service Provider's Internet Configuration all do not have any firewall at all
with the nginx config file defined in https://gethttpsforfree.com/ in Step 5 (Install Certificate): https://drive.google.com/open?id=15mzZtydYlsfKO5v7vnuy9yzoD8MJ3CC-
I get this webpage: https://drive.google.com/open?id=1I8kQtZ8cq0uEjNffr_4hEcIL1Wt7ZHoJ
but when I try to modify the nginx config file in order to display on the web page the “proper” content I would like to instead of the “Hello”: https://drive.google.com/open?id=1eb2tvRl4RbK8VQ5qB8I_2PGu7K0yIf0o
“unable to connect” : https://drive.google.com/open?id=1p-_ENOiHM4JCaCOFl6hfs9zuH9kslezN
marcoippolito:
> where the firewall your tools detect comes from, since the PC-Server, the laptop, and the Internet Service Provider's Internet Configuration all do not have any firewall at all
I don't know, it's your system. But earlier checks -> timeout, so a blocking answer
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 37.116.210.18:80
is better.
I don't understand that setup. There is a proxy defined, looks like you have two running webserver.
And why is Ssl on in your listen 80? Why is there no listen 443?
There are easier setups.
Perhaps you send your port 443 extern to your port 80 intern.
But I don't see something, I see only a blocking firewall.
@JuergenAuer with the following /etc/nginx/conf.d/default.conf configuration file, finally everything works fine:
```nginx
server {
    listen 80;
    listen 443 ssl;
    server_name ggc.world www.ggc.world;
    ssl on;
    # certificate chain and key produced in the gethttpsforfree.com steps
    ssl_certificate /etc/ssl/certs/chained.pem;
    ssl_certificate_key /etc/ssl/private/domain.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    access_log /var/log/nginx/ggcworld-access.log combined;
    add_header Strict-Transport-Security "max-age=31536000";
    location = /favicon.ico { access_log off; log_not_found off; }
    # requests are forwarded to the application server on the LAN
    location / {
        proxy_pass http://192.168.1.7:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```
Please, let me know if you still see with your tools firewalls settings.
The tool is online. So you can use it to check your domain.
That's the reason I've created an online tool, not an offline tool (so I would be the only user).