Trouble with getssl running on webserver itself

I am trying to use getssl to automate the certificates, running it on the webserver itself.

It's a cloud instance with multiple interfaces and split-horizon, so I have this as the ~/.getssl/getssl.cfg file (decommented):

CA="https://acme-staging-v02.api.letsencrypt.org"
ACCOUNT_EMAIL="webmaster@jinkosystems.co.uk"
ACCOUNT_KEY_LENGTH=4096
ACCOUNT_KEY="/home/jason/.getssl/account.key"
PRIVATE_KEY_ALG="rsa"
RELOAD_CMD="systemctl reload nginx.service"
RENEW_ALLOW="30"
SERVER_TYPE="https"
CHECK_REMOTE="true"
PUBLIC_DNS_SERVER="8.8.8.8"
AUTH_DNS_SERVER="205.251.198.77"

The DNS is hosted at Amazon AWS Route53 and the AUTH_DNS_SERVER is one of the Amazon DNS servers. Is this correct?

This is my decommented ~/.getssl/jinkosystems.co.uk/getssl.cfg file:

SANS="www.jinkosystems.co.uk"
ACL='/srv/www/jinkosystems.co.uk/web/.well-known/acme-challenge'
USE_SINGLE_ACL="true"

Now when I run getssl I get error:

% getssl jinkosystems.co.uk
jinkosystems.co.uk: DNS lookup failed for www.jinkosystems.co.uk
getssl: jinkosystems.co.uk: exiting due to config errors

^^ This is the problem I am asking about. Why can't it see the CNAME record for www.jinkosystems.co.uk?
If I comment out the SANS="www.jinkosystems.co.uk" line, I get this:

% getssl jinkosystems.co.uk
jinkosystems.co.uk: no certificate obtained from host
Registering account
Verify each domain
Verifying jinkosystems.co.uk
copying challenge token to /srv/www/jinkosystems.co.uk/web/.well-known/acme-challenge/KAs45T-REDACTED__3giqrvZadyBJ-9IIIe0
getssl: for some reason could not reach http://jinkosystems.co.uk/.well-known/acme-challenge/KAs45T-REDACTED__3giqrvZadyBJ-9IIIe0 - please check it manually

I suspect this could be due to not having enabled the file in SELinux, but I haven't got this far yet.

Yeah, if you were using a DNS challenge; but you are using an HTTP challenge, so this option is not needed.

I don't see anything wrong with your DNS. And, I can connect to your nginx server just fine from the public internet (see Let's Debug result here).

What results do you get from these commands on that server? I am not sure which DNS lookup getssl uses, but the dig results should be helpful anyway.

dig +noall +answer A www.jinkosystems.co.uk
dig +noall +answer A jinkosystems.co.uk

curl -I http://www.jinkosystems.co.uk
curl -I http://jinkosystems.co.uk

After these curl commands do you see anything in your nginx access_log?

ALSO:
What happens if you just replace the CNAME with an explicit A record? Are you able to issue a cert with both names in it? If so, and the above dig commands work, you should report that to the getssl github.

4 Likes

Hi jason404

I can't see anything obviously wrong with your config.

Can you run getssl --debug and either post the log here or on the getssl github tracker, and I'll take a look?

Tim
getssl maintainer

4 Likes

This redirect seems rather pointless:

curl -Ii http://jinkosystems.co.uk/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 301 Moved Permanently
Server: nginx/1.24.0
Date: Mon, 08 Jan 2024 21:09:46 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: http://www.jinkosystems.co.uk/.well-known/acme-challenge/Test_File-1234

5 Likes
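
Added example, not code from getssl or from anyone in this thread: a small bash script that re-creates offline the two checks the replies above ask for, following a CNAME chain in `dig +noall +answer` output to an A record (the lookup that failed for www), and judging whether a `curl -I` response, including the 301 to www, still leads to the challenge token path. The resolver address is the PUBLIC_DNS_SERVER from the config; the IP and the sample dig/curl output are constructed.

```bash
#!/usr/bin/env bash
# Added example, not getssl code. Offline re-creation of the two checks in this
# thread. All sample dig/curl output fed to these functions is constructed.

# resolves_to_a NAME  <  dig +noall +answer output
# Prints the A records NAME ends up at, following CNAMEs inside the answer.
# Exit 1 when no A record is reached, i.e. the "DNS lookup failed" case.
resolves_to_a() {
  awk -v name="$1" '
    { sub(/\r$/, "") }
    NF >= 5 { sub(/\.$/, "", $1); sub(/\.$/, "", $5) }
    $4 == "CNAME" { cname[$1] = $5 }
    $4 == "A"     { a[$1] = a[$1] " " $5 }
    END {
      n = name; hops = 0
      while (!(n in a) && (n in cname) && hops < 8) { n = cname[n]; hops++ }
      if (!(n in a)) exit 1
      cnt = split(a[n], ips, " ")
      for (i = 1; i <= cnt; i++) if (ips[i] != "") print ips[i]
    }'
}

# challenge_reachable PATH  <  curl -I output
# Exit 0 for a 200, or for a 301/302/307/308 whose Location still contains the
# acme-challenge PATH: the ACME server follows such redirects, so the www
# redirect seen above is harmless as long as both hosts serve the same ACL dir.
challenge_reachable() {
  awk -v path="$1" '
    { sub(/\r$/, "") }
    /^HTTP\// { status = $2 }
    tolower($1) == "location:" { loc = $2 }
    END {
      if (status == "200") exit 0
      if (status ~ /^30[1278]$/ && index(loc, path) > 0) exit 0
      exit 1
    }'
}

# Live use on the webserver itself (needs dig and curl installed):
#   dig @8.8.8.8 +noall +answer A www.jinkosystems.co.uk \
#     | resolves_to_a www.jinkosystems.co.uk
#   curl -sI http://jinkosystems.co.uk/.well-known/acme-challenge/Test_File-1234 \
#     | challenge_reachable /.well-known/acme-challenge/Test_File-1234
```

If the first pipeline prints nothing and exits 1 while dig itself shows the CNAME, the problem is on the resolver side, not in the zone; if the second exits 1, the redirect is dropping the challenge path and nginx needs an exception for /.well-known/acme-challenge/.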
