Unable to create cert on server where I've created many others

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
julieenglandart.com

I ran this command:
sudo letsencrypt certonly -a webroot --webroot-path /var/www/julieenglandart.com/wordpress -d www.julieenglandart.com -d julieenglandart.com
I’ve used this command many, many times to create ssl certificates. Can’t figure out why this one isn’t working!

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for julieenglandart.com
http-01 challenge for www.julieenglandart.com
Using the webroot path /var/www/julieenglandart.com/wordpress for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.julieenglandart.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://www.julieenglandart.com/.well-known/acme-challenge/nrmIr0VbNa4sf7zkfnRjNx76SztX0lobOibtfm4RCFM: Connection refused

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.julieenglandart.com
    Type: connection
    Detail: Fetching
    https://www.julieenglandart.com/.well-known/acme-challenge/nrmIr0VbNa4sf7zkfnRjNx76SztX0lobOibtfm4RCFM:
    Connection refused

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version):
for port 80:
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2019-09-16T12:58:48
For port 443:
nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-66-generic x86_64)

My hosting provider, if applicable, is:
Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

Hi @kentpilkington

You have a redirect http -> https, so Let's Encrypt follows that redirect.

But if this is your first certificate, your https doesn’t work. Remove the redirect.

Later (with a working configuration) you can use that (if http + https have the same webroot).

But checking your domain, there is no redirect visible - https://check-your-website.server-daten.de/?q=julieenglandart.com

Maybe you have already removed the redirect.

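The check behind the reply above, as an added example that is not part of the original thread: it walks the redirect chain from the port-80 challenge URL one hop at a time and reports where the chain breaks, which for the error in this thread is an https hop with nothing listening. The names `trace_http01` and `diagnose` are hypothetical, and `example.com` is a placeholder host.

```python
import http.client
import ssl
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def trace_http01(url, max_hops=10, timeout=5):
    """Follow redirects hop by hop from the http-01 challenge URL.
    Returns [(url, status_code or "error: <ExceptionName>"), ...]."""
    hops = []
    for _ in range(max_hops):
        u = urlsplit(url)
        if u.scheme == "https":
            # Assumption: skip certificate checks, since a host still waiting
            # for its first certificate cannot present a valid one.
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            conn = http.client.HTTPSConnection(u.hostname, u.port or 443, timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
        try:
            conn.request("GET", u.path or "/")
            resp = conn.getresponse()
            status, location = resp.status, resp.getheader("Location")
        except (OSError, http.client.HTTPException) as exc:
            hops.append((url, "error: " + type(exc).__name__))
            return hops
        finally:
            conn.close()
        hops.append((url, status))
        if status not in REDIRECTS or not location:
            return hops
        url = urljoin(url, location)
    return hops

def diagnose(hops):
    """Classify a trace; the failure in this thread is 'https-redirect-unreachable'."""
    url, result = hops[-1]
    if isinstance(result, int):
        return "ok" if result == 200 else "unexpected-status-%d" % result
    redirected_to_https = len(hops) > 1 and url.startswith("https://")
    return "https-redirect-unreachable" if redirected_to_https else "unreachable"

if __name__ == "__main__":
    # Placeholder host: replace with the domain being validated.
    hops = trace_http01("http://example.com/.well-known/acme-challenge/test")
    print(hops, diagnose(hops))
```

A 404 on the last hop still means the server was reached, since the `test` token does not exist; the case that matches this thread is a 301 on the first hop followed by a refused connection on the https hop.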

I had to change the A records for www and @ temporarily.

I found out where the redirect is coming from and was able to create the SSL certificate and enable the site on NGINX.

Unfortunately, I’m now encountering something that I’ve never seen before. All I get when I go to the site is SSL_ERROR_INTERNAL_ERROR_ALERT errors, but I don’t see anything in the nginx or php7.2-fpm logs.

Any ideas?

Kent Pilkington

ThinkByDesign, Inc., Owner

Local Visibility Agency, Co-Founder and Managing Partner

O: 972-885-8953

M: 512-699-1441

kentpilkington@thinkbydesign.com

kent@LocalVisibilityAgency.com

Rechecked your domain: there is no problem visible - https://check-your-website.server-daten.de/?q=julieenglandart.com

Grade E -> all connections are ok, the certificate has both domain names (non-www and www).

Your browser may have cached the other IP, but there is no working certificate -> SSL_ERROR_INTERNAL_ERROR_ALERT