Unable to create SSL certificate for my domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.barkatstravelcrafters.com

I ran this command: sudo certbot --nginx --agree-tos -n -d www.barkatstravelcrafters.com

It produced this output:
Failed authorization procedure. www.barkatstravelcrafters.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: During secondary validation: Invalid response from https://www.barkatstravelcrafters.com/.well-known/acme-challenge/9hEj_HfQimKkDMHr38ntlU7q-mUYEpzZolRdaexYtGE [3.6.147.154]: "<!doctype html><html lang="en"><meta charset="utf-8"/><link rel="shortcut icon" href="/android-icon-96x96.png"/><meta name"

IMPORTANT NOTES:

My web server is (include version): Nginx nginx/1.10.3

The operating system my web server runs on is (include version): Debian GNU/Linux 9.5 (stretch)

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

3 posts were split to a new topic: Renew the certificate for my mail server

Hi @shrawan.lal, and welcome to the LE community forum!

Your config is not handling the challenge requests as expected.
When using --nginx it should have automatically handled the request within HTTP.
But we see the failed request is via HTTPS; which means it was redirected (and not handled correctly).
Please show us the nginx config with the output of:
sudo nginx -T

It seems you were able to obtain a cert:
crt.sh | www.barkatstravelcrafters.com

The same issue is coming up again for www.urtripventure.com. Below is my Nginx conf file.
The same error keeps coming for my other websites too, but by trying multiple times it gets resolved on its own. Not sure what the issue is. Thanks in advance.

server {
    listen 80;
    server_name urtripventure.com www.urtripventure.com;
    # every plain-HTTP request, including /.well-known/acme-challenge/..., is sent to HTTPS
    return 301 https://www.urtripventure.com$request_uri;
}

server {
    listen 443 ssl;
    server_name urtripventure.com;
    # bare domain over HTTPS: redirect to the www host
    return 301 https://www.urtripventure.com$request_uri;
    ssl_certificate /etc/letsencrypt/live/urtripventure.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/urtripventure.com/privkey.pem; # managed by Certbot
}

server {
    listen 443 ssl;
    server_name www.urtripventure.com;

    # static assets served straight from the React build directory
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|pdf|mp4)$ {
        autoindex on;   # directory listings are enabled here; not needed for an asset-only location
        root /home/admin/production/mytripkart_node/mytripkart/build/;
        # was "$uri $uri /index.html?args": duplicated $uri and a literal "args" query string
        try_files $uri /index.html?$args;
    }

    # everything else, including a challenge request that was redirected here, goes to the Node app
    location / {
        proxy_pass http://127.0.0.1:3000/urtripventure.com/;
    }

    ssl_certificate /etc/letsencrypt/live/www.urtripventure.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.urtripventure.com/privkey.pem; # managed by Certbot
}

You need to add a location block to handle the ACME challenge requests.
Now:
All HTTP redirects to HTTPS.
All HTTPS is proxied to port 3000.

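An added example, not from this thread, of how those two server blocks can be laid out so the challenge is answered over plain HTTP and the redirect only applies to everything else. It assumes certbot is run with the webroot authenticator and a webroot of /var/www/letsencrypt (that path is an assumption), that this nginx host should also answer on IPv6 (the listen [::] lines; drop them if the AAAA record does not point here), and it replaces the static-file fallback with a plain 404; the bare-domain HTTPS block is omitted for brevity. The detail that matters: a return directive written directly in a server block is executed in the server rewrite phase, before nginx selects a location, so a challenge location added next to it is never reached. The redirect has to move into location /.

```nginx
# Added example, not the thread's own config. Assumes:
#   sudo certbot -a webroot -w /var/www/letsencrypt -i nginx -d urtripventure.com -d www.urtripventure.com
# so tokens are written to /var/www/letsencrypt/.well-known/acme-challenge/<token>.

server {
    listen 80;
    listen [::]:80;           # assumption: the AAAA record (if any) points at this host
    server_name urtripventure.com www.urtripventure.com;

    # ^~ : a prefix match that regex locations cannot override.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/letsencrypt;   # root + full URI = path of the token file
        try_files $uri =404;         # missing token -> 404, never the app or a redirect
    }

    # The redirect lives inside a location so it runs AFTER location matching.
    # A bare "return 301 ..." at server level would fire before the block above.
    location / {
        return 301 https://www.urtripventure.com$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.urtripventure.com;

    ssl_certificate     /etc/letsencrypt/live/www.urtripventure.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.urtripventure.com/privkey.pem;

    # Same block here: the validator follows a 301 to HTTPS, and at renewal
    # the token must come from disk rather than from the React index page.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/letsencrypt;
        try_files $uri =404;
    }

    location ~* \.(jpg|jpeg|png|gif|ico|css|js|pdf|mp4)$ {
        root /home/admin/production/mytripkart_node/mytripkart/build;
        try_files $uri =404;         # simplification: no index.html fallback for assets
    }

    location / {
        proxy_pass http://127.0.0.1:3000/urtripventure.com/;
    }
}
```

Check the syntax with sudo nginx -t, reload with sudo systemctl reload nginx, then drop a test file under /var/www/letsencrypt/.well-known/acme-challenge/ and fetch it over http:// with curl -I; it should come back 200 without a Location header before certbot is run.
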
Hi RG305,

I am trying to install SSL for another domain, www.northclubhouse.com, with the command below, and it throws an SSL error.

sudo certbot --nginx -d www.northclubhouse.com

I even checked the acme-challenge path; it opens properly in my browser. And it has been more than a week since I set the "A" record.

http://www.northclubhouse.com/.well-known/acme-challenge/Qh4Bkv6b664qCHFc4CI0zOPf9BmzEn7I8RRWEfYwPj0

certbot.errors.FailedChallenges: Failed authorization procedure. www.northclubhouse.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: During secondary validation: Invalid response from http://www.northclubhouse.com/.well-known/acme-challenge/Qh4Bkv6b664qCHFc4CI0zOPf9BmzEn7I8RRWEfYwPj0 [3.6.147.154]: "\r\n404 Not Found\r\n<body bgcolor="white">\r\n

404 Not Found

\r\n
"

Here is Nginx file:

server {
    listen 80;
    server_name northclubhouse.com www.northclubhouse.com;

    # alias: the matched prefix is stripped, so the token is looked up as
    # /var/www/html/acme-challenge/<token>
    location ^~ /.well-known/acme-challenge/ {
        alias /var/www/html/acme-challenge/;
    }

    root /var/www/html;
}

When I checked on letsdebug.net, it comes back all okay.

All OK!

OK

No issues were found with www.northclubhouse.com. If you are having problems with creating an SSL certificate, please visit the Let's Encrypt Community forums and post a question there.

Below is the error which I am getting.

IMPORTANT NOTES:

Make that:

location /.well-known/acme-challenge/ {
    # root: the full request URI is appended, so the token is looked up as
    # /var/www/html/acme-challenge/.well-known/acme-challenge/<token>
    root /var/www/html/acme-challenge/;
    try_files $uri =404;   # "=404" returns the status; a bare "404" would be tried as a URI
}

And we can test it with:

# test-file-1234 sits where "alias /var/www/html/acme-challenge/" would look;
# test-file-4321 sits where "root /var/www/html/acme-challenge/" looks
echo "test file 1" > /var/www/html/acme-challenge/test-file-1234
mkdir -p /var/www/html/acme-challenge/.well-known/acme-challenge
echo "test file 2" > /var/www/html/acme-challenge/.well-known/acme-challenge/test-file-4321
# fetch both; with the root form only the second should return 200
curl -i http://www.northclubhouse.com/.well-known/acme-challenge/test-file-1234
curl -i http://www.northclubhouse.com/.well-known/acme-challenge/test-file-4321

EDIT: UPDATED TEST PROCEDURE

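As an added example, not from the thread: root and alias map the same request URI onto different directories, which is why the two test files above had to be placed in different places. The certbot webroot plugin writes each token to <webroot>/.well-known/acme-challenge/<token>, so the -w value has to match whichever form you keep. The paths are the ones from this thread; the ^~ modifier is added so a regex location elsewhere in the server block cannot take the request. Only one of the two location blocks belongs in a real server block.

```nginx
# Added example, not the thread's own config. Both forms serve
#   http://www.northclubhouse.com/.well-known/acme-challenge/<token>
# but they expect <token> in different directories.

# Form A: root. nginx appends the WHOLE request URI to the root, so
#   /.well-known/acme-challenge/test-file-4321
#   -> /var/www/html/acme-challenge/.well-known/acme-challenge/test-file-4321
# This pairs with:
#   sudo certbot -a webroot -w /var/www/html/acme-challenge -i nginx -d northclubhouse.com -d www.northclubhouse.com
location ^~ /.well-known/acme-challenge/ {
    root /var/www/html/acme-challenge;
    default_type "text/plain";
    try_files $uri =404;      # "=404" is a status code; a bare "404" would be tried as a URI
}

# Form B: alias. nginx strips the matched prefix and appends the remainder, so
#   /.well-known/acme-challenge/test-file-1234
#   -> /var/www/html/acme-challenge/test-file-1234
# The webroot plugin never writes there. For alias to line up with certbot,
# the alias itself must end in .well-known/acme-challenge/, i.e.
#   -w /var/www/html   together with the block below.
location ^~ /.well-known/acme-challenge/ {
    alias /var/www/html/.well-known/acme-challenge/;
    default_type "text/plain";
    # no try_files here: a missing file already yields 404, and alias plus
    # try_files has had interaction problems in older nginx releases
}
```

Whichever form you keep, repeat the same block in the port-443 server so a redirected or renewed challenge is served there too, and run sudo nginx -t before reloading.
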
I made the requested change...

Now I can see:

http://www.northclubhouse.com/.well-known/acme-challenge/test-file-4321

this URL is working. Should I proceed with SSL install or you are going to test something?

Yes.

Still getting same error:

sudo certbot --nginx -d www.northclubhouse.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.northclubhouse.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.northclubhouse.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: During secondary validation: Invalid response from Cheapest flight ticket & Holidays package [3.6.147.154]: "\r\n404 Not Found\r\n<body bgcolor="white">\r\n

404 Not Found

\r\n
"

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.northclubhouse.com
    Type: unauthorized
    Detail: During secondary validation: Invalid response from
    Cheapest flight ticket & Holidays package
    [3.6.147.154]: "\r\n404 Not
    Found\r\n<body bgcolor="white">\r\n

    404
    Not Found

    \r\n
    "

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

Try:

sudo certbot --nginx --webroot -w /var/www/html/acme-challenge -d "northclubhouse.com,www.northclubhouse.com"
Now SSL is installed... after multiple attempts it installed... Not sure what is wrong here.

By running the above command I got the error below.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Too many flags setting configurators/installers/authenticators 'nginx' -> 'webroot'

Try -i nginx -a webroot instead of --nginx --webroot.

Ran the same command for another domain... Got the error below:

IMPORTANT NOTES:

The FQDN has IPv4 and IPv6 entries.
But they don't return the same thing:

curl -I4 http://esmetour.com/
HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Sat, 17 Jul 2021 17:23:48 GMT
Content-Type: text/html
Content-Length: 1474
Last-Modified: Sat, 04 Apr 2020 10:32:07 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "5e886227-5c2"
Accept-Ranges: bytes

curl -I6 http://esmetour.com/
HTTP/1.1 301 Moved Permanently
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
date: Sat, 17 Jul 2021 17:23:57 GMT
server: LiteSpeed
location: https://esmetour.com/

curl -I4 http://www.esmetour.com/
HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Sat, 17 Jul 2021 17:24:06 GMT
Content-Type: text/html
Content-Length: 1474
Last-Modified: Sat, 04 Apr 2020 10:32:07 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "5e886227-5c2"
Accept-Ranges: bytes

curl -I6 http://www.esmetour.com/
HTTP/1.1 301 Moved Permanently
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
date: Sat, 17 Jul 2021 17:24:15 GMT
server: LiteSpeed
location: https://www.esmetour.com/

Are they going to the same server?

Even the certs used show the difference:

curl -4 https://www.esmetour.com/
curl: (51) SSL: no alternative certificate subject name matches target host name 'www.esmetour.com'

curl -4 https://esmetour.com/
curl: (51) SSL: no alternative certificate subject name matches target host name 'esmetour.com'

curl -6 https://www.esmetour.com/
curl: (60) SSL certificate problem: certificate has expired

curl -6 https://esmetour.com/
curl: (60) SSL certificate problem: certificate has expired