Step 4 "Verify Ownership" fails

Following the steps at https://gethttpsforfree.com I’m encountering problems in step 4: “Verify Ownership”. I chose to verify the ownership using a DNS record:
https://drive.google.com/open?id=1zdKHoytEIzRjRfTdP4hWVaQnZeuHnHVt

I added a DNS TXT record with name _acme-challenge and value m_ZQ6A0hHS7J_kKBxmh2NBZitftxcfqVhCD5gmw32cU

According to my Domain Name Provider https://www.namecheap.com/support/knowledgebase/article.aspx/767/10/how-to-change-dns-for-a-domain
with Namecheap BasicDNS my hosting nameservers are:
dns1.namecheaphosting.com
dns2.namecheaphosting.com

marco@pc01:~/go/src/MyPage$ dig +short dns1.namecheaphosting.com _acme-challenge.www.ggc.world TXT
216.87.155.33
;; connection timed out; no servers could be reached

Looking forward to your kind help.
Marco

Hi @marcoippolito

these are not your name servers.

Checked your domain via https://check-your-website.server-daten.de/?q=ggc.world

Your ip address:

Host           T     IP-Address     is auth.  ∑ Queries  ∑ Timeout
ggc.world      A     37.116.210.18  yes       1          0
               AAAA                 yes
www.ggc.world  A     37.116.210.18  yes       1          0
               AAAA                 yes

Your name servers:

Domain         Nameserver                  NS-IP
www.ggc.world  dns1.registrar-servers.com
ggc.world      dns1.registrar-servers.com  216.87.155.33
                                           2620:74:19::33
               dns2.registrar-servers.com  216.87.152.33
                                           2001:502:cbe4::33

There is one - perhaps old - correct DNS TXT entry:

9. TXT - Entries

Domainname                     TXT Entry                                           Status                                       ∑ Queries  ∑ Timeout
ggc.world                      v=spf1 include:spf.efwd.registrar-servers.com ~all  ok                                           1          0
www.ggc.world                                                                      ok                                           1          0
_acme-challenge.ggc.world      m_ZQ6A0hHS7J_kKBxmh2NBZitftxcfqVhCD5gmw32cU         looks good                                   1          0
_acme-challenge.www.ggc.world                                                      Name Error - The domain name does not exist  1          0

The _acme-challenge.www.ggc.world doesn’t exist.

I added _acme-challenge.www.ggc.world as DNS TXT Record:
https://drive.google.com/open?id=1A7ZBGJBL0zSUwsZ6y42B2DE6-ymp0Xxl

And now:

marco@pc01:~/go/src/MyPage$ dig +short @dns1.registrar-servers.com _acme-challenge.www.ggc.world TXT
marco@pc01:~/go/src/MyPage$ 

No error occurs, but nothing happens… Is it correct, or how should I proceed?

That’s

  • the wrong entry (and)
  • I can’t see that result, so it can’t work

If you use such a menu, the context should add the domain. So the name must be

_acme-challenge

without the domain.

If you want a certificate with non-www and www, you have two different txt values. Not the same.

Rechecking your domain - https://check-your-website.server-daten.de/?q=ggc.world#txt - the result isn’t visible.

9. TXT - Entries

Domainname                                   TXT Entry                                           Status                                       ∑ Queries  ∑ Timeout
ggc.world                                    v=spf1 include:spf.efwd.registrar-servers.com ~all  ok                                           1          0
www.ggc.world                                                                                    ok                                           1          0
_acme-challenge.ggc.world                    m_ZQ6A0hHS7J_kKBxmh2NBZitftxcfqVhCD5gmw32cU         looks good                                   1          0
_acme-challenge.www.ggc.world                                                                    Name Error - The domain name does not exist  1          0
_acme-challenge.ggc.world.ggc.world                                                              Name Error - The domain name does not exist  1          0
_acme-challenge.www.ggc.world.www.ggc.world                                                      Name Error - The domain name does not exist  1          0

I see, I should update my tool. You have another type of wrong entry.

Checking that manual I can find it:

nslookup -type=TXT _acme-challenge.www.ggc.world.ggc.world.

_acme-challenge.www.ggc.world.ggc.world text =

    "m_ZQ6A0hHS7J_kKBxmh2NBZitftxcfqVhCD5gmw32cU"

It’s a combination of www+domainname + domainname.

I’ve updated my tool. Now the wrong TXT entry is shown.

_acme-challenge + www + domainname + domainname (added from the menu).

Please forgive me… I do not understand precisely how to modify the entries in that menu:

  • for ggc.world: Type: TXT, Host: _acme-challenge, Value: m_ZQ6A0hHS7J_kKBxmh2NBZitftxcfqVhCD5gmw32cU, which is the value indicated here: https://drive.google.com/open?id=1mlvpg2VEpHe5ozAkKZdijTDZrBtRnucg

  • for www.ggc.world: Type: TXT, Host: _acme-challenge, Value: ?
    How can I get a new value to put into the Value field for www.ggc.world?

In your menu, the host must be

_acme-challenge.www

the menu adds your domain name, so the result is

_acme-challenge.www.ggc.world

If you want to create one certificate with two domain names (non-www and www), this tool gethttpsforfree.com (I don’t use it) should create two different txt values.

If you have only one TXT value, you should start new.

But I don’t know if that tool supports multiple domain names in one certificate.

I thought that by opening a new page of https://gethttpsforfree.com/ and repeating all 4 steps I would obtain a new TXT value. But the value I obtained is again exactly the same: m_ZQ6A0hHS7J_kKBxmh2NBZitftxcfqVhCD5gmw32cU

So, with only 1 TXT value, what should I do? What do you mean by starting new?
I changed the host to _acme-challenge.www: https://drive.google.com/open?id=11viAJ5EclQnm5soMMqn9u4IwMaD1YDFQ
But I do not understand what to do if I have two hosts, _acme-challenge and _acme-challenge.www, but only 1 TXT value.

@JuergenAuer

I tried :

marco@pc01:~/go/src/MyPage$ dig +short @dns1.registrar-servers.com _acme-challenge.www.ggc.world TXT
"m_ZQ6A0hHS7J_kKBxmh2NBZitftxcfqVhCD5gmw32cU"
marco@pc01:~/go/src/MyPage$

is it correct or what should I modify in order to get the correct answer?

You have to add the two domain names in gethttpsforfree.com, not only one domain name.

Now it looks good.

If the site shows you the same TXT value, then this site works with the same order, that’s good.

Try to finish it, then we will see if it works.

In theory, this (result of your last check)

9. TXT - Entries

Domainname                     TXT Entry                                           Status      ∑ Queries  ∑ Timeout
ggc.world                      v=spf1 include:spf.efwd.registrar-servers.com ~all  ok          1          0
www.ggc.world                                                                      ok          1          0
_acme-challenge.ggc.world      m_ZQ6A0hHS7J_kKBxmh2NBZitftxcfqVhCD5gmw32cU         looks good  1          0
_acme-challenge.www.ggc.world  m_ZQ6A0hHS7J_kKBxmh2NBZitftxcfqVhCD5gmw32cU         looks good  1          0

is wrong, because two different domain names can’t use the same value.

But if your order has only one domain name, Letsencrypt doesn’t check the other domain name, so it’s not critical.
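Added example (not code from this thread, from gethttpsforfree.com or from Let's Encrypt) that puts the DNS bookkeeping from the posts above into one script: how the dns-01 TXT value is derived from the per-identifier token and the account key thumbprint (RFC 8555 section 8.4, which is why ggc.world and www.ggc.world legitimately get different values), what to type into a Host field that appends the zone by itself (`_acme-challenge` and `_acme-challenge.www`), what such an editor publishes when the full name is typed instead (`_acme-challenge.www.ggc.world.ggc.world`), and a check over `dig +short` output that mirrors the CA's rule of accepting any matching TXT record at the name. The thumbprint and tokens are constructed placeholders; the two strings in the sample answer are the TXT values that appear in the dig output later in this thread.

```python
"""ACME dns-01 bookkeeping for an order covering ggc.world and www.ggc.world.

Added example for this thread; not code from gethttpsforfree.com or Let's
Encrypt. The TXT value derivation is RFC 8555 section 8.4; the zone-editor
behaviour is the one described in the thread (the Host field gets the zone
appended). Tokens and the account thumbprint are constructed placeholders.
"""
import base64
import hashlib
import re

ZONE = "ggc.world"


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 8555 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """TXT value = base64url(SHA-256(token '.' account-key-thumbprint)).

    The CA issues a distinct token per identifier, so the apex and the www
    name never legitimately share one TXT value.
    """
    key_authorization = f"{token}.{account_thumbprint}".encode("ascii")
    return b64url(hashlib.sha256(key_authorization).digest())


def dns01_record_name(identifier: str) -> str:
    """Owner name the CA queries for an identifier."""
    return f"_acme-challenge.{identifier.rstrip('.')}"


def zone_editor_host(record_name: str, zone: str) -> str:
    """Host field for an editor that appends the zone itself:
    _acme-challenge.ggc.world -> _acme-challenge,
    _acme-challenge.www.ggc.world -> _acme-challenge.www
    """
    suffix = "." + zone.rstrip(".")
    if not record_name.endswith(suffix):
        raise ValueError(f"{record_name} is not inside zone {zone}")
    return record_name[: -len(suffix)]


def fqdn_created_by_editor(host_field: str, zone: str) -> str:
    """What such an editor really publishes; typing the full name doubles the zone."""
    return f"{host_field.rstrip('.')}.{zone.rstrip('.')}"


def plan_order(tokens_by_identifier: dict, thumbprint: str, zone: str) -> dict:
    """Per identifier: record name, Host field to enter, and TXT value to paste."""
    plan = {}
    for identifier, token in tokens_by_identifier.items():
        name = dns01_record_name(identifier)
        plan[identifier] = {
            "record_name": name,
            "host_field": zone_editor_host(name, zone),
            "txt_value": dns01_txt_value(token, thumbprint),
        }
    return plan


_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_dig_short_txt(output: str) -> list:
    """Values from `dig +short @ns NAME TXT`: one RR per line, each made of one
    or more quoted <character-string>s that are concatenated ("ab" "cd" -> abcd).
    Comment lines (';;') are skipped."""
    values = []
    for line in output.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):
            values.append("".join(_QUOTED.findall(line)))
    return values


def challenge_would_pass(dig_output: str, expected_value: str) -> bool:
    """The CA accepts if ANY TXT RR at the name equals the expected value, so a
    stale value left beside the fresh one (as in the two-value dig output in
    this thread) is harmless."""
    return expected_value in parse_dig_short_txt(dig_output)


if __name__ == "__main__":
    # Constructed placeholders, not real ACME data.
    thumbprint = "constructed-account-key-thumbprint"
    tokens = {"ggc.world": "constructed-token-apex", "www.ggc.world": "constructed-token-www"}
    for identifier, entry in plan_order(tokens, thumbprint, ZONE).items():
        print(identifier, entry)
    # The mistake from the thread: typing the full name into a zone-appending editor.
    print(fqdn_created_by_editor("_acme-challenge.www.ggc.world", ZONE))
    # Two TXT RRs at one name, copied from the dig output in the thread.
    answer = '"m_ZQ6A0hHS7J_kKBxmh2NBZitftxcfqVhCD5gmw32cU"\n"vQx5H9sjuDBHUeHuPZsRpQ4tgNvZ4PFQ4jaX13bj4Jo"\n'
    print(challenge_would_pass(answer, "vQx5H9sjuDBHUeHuPZsRpQ4tgNvZ4PFQ4jaX13bj4Jo"))
```

To check a real record, feed the output of `dig +short @dns1.registrar-servers.com _acme-challenge.www.ggc.world TXT` to `challenge_would_pass` together with the value the ACME client displayed; query the authoritative name server (the `@` argument), not your resolver, since a cached negative answer at the resolver can hide a record that the CA would already see.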

Next steps' results:

-> https://drive.google.com/open?id=10nEAYWCYDotinm4x_D9CHJLJjRkQrhEA (Step06-01, Step06-02)

Result:

marco@pc01:~/go/src/MyPage$ dig +short @dns1.registrar-servers.com _acme-challenge.ggc.world TXT
"m_ZQ6A0hHS7J_kKBxmh2NBZitftxcfqVhCD5gmw32cU"
"vQx5H9sjuDBHUeHuPZsRpQ4tgNvZ4PFQ4jaX13bj4Jo"
marco@pc01:~/go/src/MyPage$ 

So… it seems OK.

-> https://drive.google.com/open?id=1IuOMxzmchWWvXHzNpSKPm85cOas9S0hW

-> Certificate Generated: https://drive.google.com/open?id=1c4f7jXIP2IAhkEFsZXtMwNq7vtfqwrfL

-> Certificate Installation:

-> /etc/nginx/conf.d/default.conf :
https://drive.google.com/open?id=15mzZtydYlsfKO5v7vnuy9yzoD8MJ3CC-

Clicking “Test Install”: https://drive.google.com/open?id=1UiUgr_3_DEYUzkHRsI_MLz2hmO9ubRAB

it fails:

"Unable to connect to server - failed to connect to the server, it usually happens due to firewall restrictions"

But:

marco@pc01:~/go/src/MyPage$ sudo ufw status
Status: inactive

and also in the laptop I’m using to connect to the server :

riccardo@riccardo-HP-Laptop-15-da0xxx:~$ sudo ufw status
Status: inactive 

So… @JuergenAuer, what other reasons can cause "Assessment failed: Unable to connect to the server"?

And the Internet Service Provider’s Firewall Settings are the following (no firewall !!) :

@JuergenAuer The certificate has been sent: https://drive.google.com/open?id=1tJoli0dEfHi42JJ2TAVYK9h4PFF5-fPm

Now I do have to understand why when connecting to https://ggc.world with my smartphone it says “The Website cannot give a secure connection”

Now you have created a correct certificate ( https://check-your-website.server-daten.de/?q=ggc.world#ct-logs ):

CertSpotter-Id  Issuer                                                not before           not after            Domain names              LE-Duplicate               next LE
903902480       CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US  2019-05-10 09:50:09  2019-08-08 09:50:09  ggc.world, www.ggc.world  2 entries duplicate nr. 1

But I don’t see something about your configuration, only timeouts:

Domainname              IP-Address     Http-Status  Sec.    G  Message
http://ggc.world/       37.116.210.18  -14          10.023  T  Timeout - The operation has timed out
http://www.ggc.world/   37.116.210.18  -14          10.023  T  Timeout - The operation has timed out
https://ggc.world/      37.116.210.18  -14          10.030  T  Timeout - The operation has timed out
https://www.ggc.world/  37.116.210.18  -14          10.027  T  Timeout - The operation has timed out

If this is a home server, you may need port forwarding from external port 80 to internal port 80, and the same for port 443.

And first check (with curl or another tool) whether your webserver / port 443 works internally.

At first glance it seems working now: https://drive.google.com/open?id=1I8kQtZ8cq0uEjNffr_4hEcIL1Wt7ZHoJ

Anything else to check and verify?

Happy to see that it works.

I don’t know. Because my tool sees only a blocking firewall ( https://check-your-website.server-daten.de/?q=ggc.world ):

Domainname              IP-Address     Http-Status  Sec.   G  Message
http://ggc.world/       37.116.210.18  -2           1.097  V  ConnectFailure - Unable to connect to the remote server. No connection could be made because the target machine actively refused it 37.116.210.18:80
http://www.ggc.world/   37.116.210.18  -2           1.097  V  ConnectFailure - Unable to connect to the remote server. No connection could be made because the target machine actively refused it 37.116.210.18:80
https://ggc.world/      37.116.210.18  -2           1.097  V  ConnectFailure - Unable to connect to the remote server. No connection could be made because the target machine actively refused it 37.116.210.18:443
https://www.ggc.world/  37.116.210.18  -2           1.180  V  ConnectFailure - Unable to connect to the remote server. No connection could be made because the target machine actively refused it 37.116.210.18:443

Perhaps you should fix that, so you can use http-01 validation, so you don’t need --manual.

/.well-known/acme-challenge/unknown-file has the same blocking answer, but that must answer if you want to use http-01 validation.

I do not understand two things:

  1. where the firewall your tool detects comes from, since the PC server, the laptop, and the Internet Service Provider’s Internet configuration all have no firewall at all

  2. with the nginx config file defined in https://gethttpsforfree.com/ in Step 5: Install Certificate() : https://drive.google.com/open?id=15mzZtydYlsfKO5v7vnuy9yzoD8MJ3CC-
    I get this webpage: https://drive.google.com/open?id=1I8kQtZ8cq0uEjNffr_4hEcIL1Wt7ZHoJ

but when I try to modify the nginx config file in order to display on the web page the “proper” content I would like to instead of the “Hello”: https://drive.google.com/open?id=1eb2tvRl4RbK8VQ5qB8I_2PGu7K0yIf0o

“unable to connect” : https://drive.google.com/open?id=1p-_ENOiHM4JCaCOFl6hfs9zuH9kslezN

I don’t know, it’s your system. But earlier checks -> timeout, so a blocking answer

ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 37.116.210.18:80

is better.

I don’t understand that setup. There is a proxy defined; it looks like you have two running webservers.

And why is ssl on set together with your listen 80? Why is there no listen 443?

There are easier setups.

Perhaps you send your port 443 extern to your port 80 intern.

But I don’t see something, I see only a blocking firewall.

@JuergenAuer with the following /etc/nginx/conf.d/default.conf configuration file, finally everything works fine:

server {
    listen 80;
    listen 443 ssl;
    server_name  ggc.world www.ggc.world;

    ssl on;
    ssl_certificate /etc/ssl/certs/chained.pem;
    ssl_certificate_key /etc/ssl/private/domain.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;

    access_log /var/log/nginx/ggcworld-access.log combined;

    add_header Strict-Transport-Security "max-age=31536000";
    location = /favicon.ico { access_log off; log_not_found off; }
    location / {
         proxy_pass http://192.168.1.7:8080;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
    }
}

Please, let me know if you still see with your tools firewalls settings.
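A review of the server block above as an added example; this is not code from the thread, from nginx or from Let's Encrypt. It parses the posted configuration (reduced to the directives that matter for the review) and flags what the replies pointed at: `ssl on` together with `listen 80`, which makes nginx answer plain HTTP on port 80 with a 400 and so breaks http-01 validation and http-to-https redirects, plus settings that were already weak in 2019: TLS 1.0/1.1, 3DES, and the static-RSA `RSA+...` suites that give no forward secrecy. A hardened two-server rewrite (my suggestion, not the poster's configuration) is included beside it and comes out clean; its paths are the ones from the posted config except /var/www/acme, an assumed webroot for the http-01 challenge files.

```python
"""nginx TLS review for the server block posted above.

Added example; not code from the thread, nginx or Let's Encrypt. The parser
covers only the `directive args;` / `name { ... }` grammar used here. Checks
follow the thread (ssl on plus listen 80, no plain-HTTP path for http-01) and
current practice (TLS 1.0/1.1, 3DES, static RSA key exchange are obsolete).
"""
import re

# The posted config, reduced to the directives the review looks at.
POSTED = """
server {
    listen 80;
    listen 443 ssl;
    server_name ggc.world www.ggc.world;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    location / { proxy_pass http://192.168.1.7:8080; }
}
"""

# Hardened rewrite (added here, not from the thread): port 80 only serves the
# http-01 challenge files and redirects; TLS is confined to its own server block.
HARDENED = """
server {
    listen 80;
    server_name ggc.world www.ggc.world;
    location /.well-known/acme-challenge/ { root /var/www/acme; }
    location / { return 301 https://$host$request_uri; }
}
server {
    listen 443 ssl http2;
    server_name ggc.world www.ggc.world;
    ssl_certificate /etc/ssl/certs/chained.pem;
    ssl_certificate_key /etc/ssl/private/domain.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    location / { proxy_pass http://192.168.1.7:8080; }
}
"""

_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')
BAD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse(text):
    """Parse nginx syntax into nested (name, args, children) tuples."""
    tokens = _TOKEN.findall(re.sub(r"#.*", "", text))
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while tokens[pos] not in ("{", ";"):
                words.append(tokens[pos].strip('"'))
                pos += 1
            pos += 1  # consume ';' or '{'
            children = []
            if tokens[pos - 1] == "{":
                children = block()
                pos += 1  # consume the matching '}'
            items.append((words[0], words[1:], children))
        return items

    return block()


def review_server(directives):
    """Findings for one parsed server block; an empty list means nothing flagged."""
    by_name = {}
    for name, args, _ in directives:
        by_name.setdefault(name, []).append(args)
    findings = []
    plain = [args[0] for args in by_name.get("listen", []) if "ssl" not in args]
    if ["on"] in by_name.get("ssl", []):
        note = f"; with 'listen {plain[0]}' plain HTTP on that port gets 400, breaking http-01 and redirects" if plain else ""
        findings.append("ssl on is deprecated" + note)
    for protocols in by_name.get("ssl_protocols", []):
        weak = sorted(BAD_PROTOCOLS & set(protocols))
        if weak:
            findings.append("obsolete protocols enabled: " + " ".join(weak))
    for (cipher_string,) in by_name.get("ssl_ciphers", []):
        for suite in cipher_string.split(":"):
            if suite.startswith("!"):
                continue  # exclusions are fine
            if any(w in suite for w in ("3DES", "RC4", "MD5")):
                findings.append(f"weak cipher suite: {suite}")
            elif suite.startswith("RSA+"):  # OpenSSL 'RSA' = static RSA key exchange
                findings.append(f"no forward secrecy: {suite}")
    if plain and not any(n == "location" and a[-1].startswith("/.well-known/acme-challenge") for n, a, _ in directives):
        findings.append("plain-HTTP listener does not serve /.well-known/acme-challenge/ (needed for http-01)")
    return findings


def review_config(text):
    """Map each server block (keyed by its listen directives) to its findings."""
    report = {}
    for name, _, children in parse(text):
        if name == "server":
            listens = " ".join(" ".join(a) for n, a, _ in children if n == "listen")
            report[f"server listen {listens}"] = review_server(children)
    return report
```

`review_config(POSTED)` returns one server with five kinds of findings and `review_config(HARDENED)` returns two servers with none. Two caveats on the rewrite: `nginx -t` only checks syntax, not policy, so a pass there says nothing about these settings; and `includeSubDomains` in the HSTS header commits every subdomain of ggc.world to HTTPS, so drop it if any subdomain is still served over plain HTTP.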


The tool is online. So you can use it to check your domain.

That’s the reason I’ve created an online tool, not an offline tool (so I would be the only user).