Unauthorized domain helloworld.dagoukeji.com

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: helloworld.dagoukeji.com

I ran this command on my macbook: sudo certbot certonly --standalone (following https://certbot.eff.org/lets-encrypt/osx-webproduct)

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices)
(Enter ‘c’ to cancel): evan.chanyiksan@gmail.com


Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory


(A)gree/(C)ancel: A


Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.


(Y)es/(N)o: N
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): helloworld.dagoukeji.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for helloworld.dagoukeji.com
Waiting for verification…
Challenge failed for domain helloworld.dagoukeji.com
http-01 challenge for helloworld.dagoukeji.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: helloworld.dagoukeji.com
    Type: unauthorized
    Detail: Invalid response from
    http://helloworld.dagoukeji.com/.well-known/acme-challenge/nWXvVY8g-uLlyjhQ8s9b9h8GP19j5EXAa562oxmXAEU
    [47.75.19.251]: "<!doctype html><html lang="en"><meta
    charset="utf-8"/><link rel="icon" href="/favicon.ico"/><meta
    name="viewport" content="

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

My web server is (include version):
The domain is a CNAME to dagoukeji-helloworld.oss-cn-hongkong.aliyuncs.com, which is an OSS bucket hosted on alibabacloud.

The operating system my web server runs on is (include version): I am not sure

My hosting provider, if applicable, is: alibabacloud OSS https://www.alibabacloud.com/product/oss

I can login to a root shell on my machine (yes or no, or I don’t know): I don’t know

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): alibabacloud oss

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.4.0

Regarding this:

please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address

The domain doesn’t have an AAAA record, but it does have an A record:

$ dig A helloworld.dagoukeji.com

; <<>> DiG 9.10.6 <<>> A helloworld.dagoukeji.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 433
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;helloworld.dagoukeji.com.	IN	A

;; ANSWER SECTION:
helloworld.dagoukeji.com. 599	IN	CNAME	dagoukeji-helloworld.oss-cn-hongkong.aliyuncs.com.
dagoukeji-helloworld.oss-cn-hongkong.aliyuncs.com. 59 IN A 47.75.19.251

$ dig AAAA helloworld.dagoukeji.com

; <<>> DiG 9.10.6 <<>> AAAA helloworld.dagoukeji.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58608
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;helloworld.dagoukeji.com.	IN	AAAA

;; ANSWER SECTION:
helloworld.dagoukeji.com. 599	IN	CNAME	dagoukeji-helloworld.oss-cn-hongkong.aliyuncs.com.

;; AUTHORITY SECTION:
aliyuncs.com.		599	IN	SOA	hidden-master.aliyun.com. hostmaster.aliyun-inc.com. 2041269022 7200 900 2592000 600

;; Query time: 514 msec
;; SERVER: 192.168.86.1#53(192.168.86.1)
;; WHEN: Sun May 10 19:40:58 PDT 2020
;; MSG SIZE  rcvd: 192
1 Like

DNS is NOT the issue.
As you show, the NAME resolves to:

And that is the same IP being used:

The problem is in the response found at that IP when using the name “helloworld.dagoukeji.com”.
You need to get HTTP working before adding TLS (HTTPS).

The longer named site is NOT configured well either:

1 Like

Hi @rg305 thanks for the help.

Now I have made sure helloworld.dagoukeji.com is accessible with a 200 response. Feel free to try again and you’ll see a simple site: "This is a static template, there is no bundler or bundling involved!"

Regarding the longer name that doesn’t work, that’s intentionally designed by alibabacloud for some reasons that I don’t understand, but it points to “Bind a custom domain name will avoid downloading the file”, which I already did. See https://www.alibabacloud.com/notice/oss0813

After making sure HTTP works, I tried sudo certbot certonly --standalone again but I got:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): helloworld.dagoukeji.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for helloworld.dagoukeji.com
Waiting for verification...
Challenge failed for domain helloworld.dagoukeji.com
http-01 challenge for helloworld.dagoukeji.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: helloworld.dagoukeji.com
   Type:   unauthorized
   Detail: Invalid response from
   http://helloworld.dagoukeji.com/.well-known/acme-challenge/CwYMbF5OajH1Pusx1axg084QOoTRcxpX7GZsCoJ2dTQ
   [47.75.19.251]: "<!DOCTYPE html>\n<html lang=\"en\">\n  <head>\n
   <meta charset=\"UTF-8\" />\n    <meta name=\"viewport\"
   content=\"width=device-width, in"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Any help? Thank you.

1 Like

You can’t use

that will try to start a web server.
[You already have a running web server.]
Try again without that.

1 Like

Hi @rg305

I tried all the other options besides standalone, and couldn’t get any of them to work.

$ sudo certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Could not find ssl_module; not disabling session tickets.

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)
3: Spin up a temporary webserver (standalone)
4: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-4] then [enter] (press 'c' to cancel): 4
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): helloworld.dagoukeji.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for helloworld.dagoukeji.com
Input the webroot for helloworld.dagoukeji.com: (Enter 'c' to cancel): /
Waiting for verification...
Challenge failed for domain helloworld.dagoukeji.com
http-01 challenge for helloworld.dagoukeji.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: helloworld.dagoukeji.com
   Type:   unauthorized
   Detail: Invalid response from
   http://helloworld.dagoukeji.com/.well-known/acme-challenge/0HgJV6MhWhxLcWTH3wo8z9-8vWd9_utUVbCBe8Wf1C0
   [47.75.19.251]: "<!DOCTYPE html>\n<html lang=\"en\">\n  <head>\n
   <meta charset=\"UTF-8\" />\n    <meta name=\"viewport\"
   content=\"width=device-width, in"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

$ sudo certbot certonly
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)
3: Spin up a temporary webserver (standalone)
4: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-4] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): helloworld.dagoukeji.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for helloworld.dagoukeji.com
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

$ sudo certbot certonly
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)
3: Spin up a temporary webserver (standalone)
4: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-4] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator nginx, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): helloworld.dagoukeji.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for helloworld.dagoukeji.com
Using default address 80 for authentication.
nginx: [error] invalid PID number "" in "/usr/local/var/run/nginx.pid"
Cleaning up challenges
nginx: [error] invalid PID number "" in "/usr/local/var/run/nginx.pid"
Encountered exception during recovery:
Traceback (most recent call last):
  File "/usr/local/Cellar/certbot/1.4.0/libexec/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 70, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/local/Cellar/certbot/1.4.0/libexec/vendor/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 1118, in perform
    self.restart()
  File "/usr/local/Cellar/certbot/1.4.0/libexec/vendor/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 915, in restart
    nginx_restart(self.conf('ctl'), self.nginx_conf)
  File "/usr/local/Cellar/certbot/1.4.0/libexec/vendor/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 1186, in nginx_restart
    raise errors.MisconfigurationError(
certbot.errors.MisconfigurationError: nginx restart failed:
b''
b''

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/Cellar/certbot/1.4.0/libexec/lib/python3.8/site-packages/certbot/_internal/error_handler.py", line 125, in _call_registered
    self.funcs[-1]()
  File "/usr/local/Cellar/certbot/1.4.0/libexec/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 243, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/usr/local/Cellar/certbot/1.4.0/libexec/vendor/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 1136, in cleanup
    self.restart()
  File "/usr/local/Cellar/certbot/1.4.0/libexec/vendor/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 915, in restart
    nginx_restart(self.conf('ctl'), self.nginx_conf)
  File "/usr/local/Cellar/certbot/1.4.0/libexec/vendor/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 1186, in nginx_restart
    raise errors.MisconfigurationError(
certbot.errors.MisconfigurationError: nginx restart failed:
b''
b''
nginx restart failed:
b''
b''

I have no clue what I should really do in this case: generate an SSL certificate for a domain that is bound to alibabacloud OSS, an Alibaba version of S3.

1 Like

Option 4 may be your best solution.
But for that, you need to know the exact document root path.
Please show the vhost config for that domain name.

1 Like

@rg305 Do you mind sharing how to show the vhost config for my domain name? I have no clue. Thanks for the help

1 Like

No problem.
For apache, start with:
sudo apachectl -S
There you should see which file has the domain name.
If there are more than one file or if it all looks confusing, just post the output here.

1 Like

@rg305 If I understand correctly, I will run this command from my laptop because I don’t have ssh access to the alibabacloud OSS bucket?

I ran the command on my laptop and I got:

VirtualHost configuration:
ServerRoot: "/usr"
Main DocumentRoot: "/Library/WebServer/Documents"
Main ErrorLog: "/private/var/log/apache2/error_log"
Mutex default: dir="/private/var/run/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/private/var/run/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="_www" id=70
Group: name="_www" id=70

Not sure what’s next.

1 Like

No. it needs to run on the server.

1 Like

How did you run that?

1 Like

Is there a way to get the ssl certificate for a domain that I am not able to ssh to?

Oh, I ran sudo certbot certonly entirely from my laptop, not from the OSS bucket … Sorry I haven’t emphasized that enough, as said in my first post:

I ran this command on my macbook: sudo certbot certonly --standalone (following https://certbot.eff.org/lets-encrypt/osx-webproduct)

1 Like

That did not make it clear that your MacBook wasn’t the IP being authenticated against.

If you can’t SSH, how will you insert the cert when you do get one?

1 Like

@rg305 Sorry for the misleading info.

To insert the cert without ssh, OSS provides a UI for users to upload the keys, as described in https://www.alibabacloud.com/help/doc-detail/97187.htm

1 Like

Then the only option for you is to use DNS authentication.
[not HTTP nor HTTPS; as those would go directly to the website]

1 Like
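To make concrete why the http-01 attempts above failed and what the DNS-01 route suggested here requires, the following added example (my own code, not Certbot's and not part of the original thread) computes the challenge answers from an ACME account key and classifies what the CA fetched. The account JWK is a constructed placeholder, the token is copied from the second certbot error above, and the HTML body mirrors the "Invalid response" detail: the static-website bucket returned its index page for the challenge path, which is the "html-fallback" case.

```python
import base64
import hashlib
import json

# Constructed sample account key (JWK with placeholder values, NOT a real key).
# ACME derives every challenge answer from the account key's RFC 7638 thumbprint.
SAMPLE_JWK = {
    "kty": "RSA",
    "kid": "example-account",  # extra member; must not affect the thumbprint
    "e": "AQAB",
    "n": "placeholder-modulus-not-a-real-key",
}

# Token copied from the second certbot error in the thread above.
SAMPLE_TOKEN = "CwYMbF5OajH1Pusx1axg084QOoTRcxpX7GZsCoJ2dTQ"

# Constructed body: the start of the static site's index page that the bucket
# returned for the challenge URL (mirrors the "Invalid response" detail above).
SAMPLE_OSS_INDEX_BODY = (
    '<!DOCTYPE html>\n<html lang="en">\n  <head>\n'
    '    <meta charset="UTF-8" />\n    <meta name="viewport"\n'
    '    content="width=device-width, initial-scale=1" />\n'
)


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_expected_body(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.3: the http-01 response body is exactly the key authorization."""
    return key_authorization(token, jwk)


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT value is base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record_name(domain: str) -> str:
    """The TXT record lives at _acme-challenge.<domain>, a separate owner name, so the
    CNAME at <domain> itself (here pointing at the OSS bucket) stays untouched."""
    return f"_acme-challenge.{domain.rstrip('.')}"


def classify_http01_response(body: str, token: str, jwk: dict) -> str:
    """Say what the CA would have seen at /.well-known/acme-challenge/<token>.

    'valid'         body is the key authorization (surrounding whitespace tolerated)
    'html-fallback' the host served an HTML page for the path (catch-all index page,
                    as with the static-website bucket in this thread)
    'mismatch'      something else: wrong token, stale file, another account's key
    """
    stripped = body.strip()
    if stripped == key_authorization(token, jwk):
        return "valid"
    lowered = stripped.lower()
    if lowered.startswith("<!doctype html") or lowered.startswith("<html"):
        return "html-fallback"
    return "mismatch"


if __name__ == "__main__":
    print("http-01 body    :", http01_expected_body(SAMPLE_TOKEN, SAMPLE_JWK))
    print("dns-01 record   :", dns01_record_name("helloworld.dagoukeji.com"))
    print("dns-01 TXT value:", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
    print("bucket response :", classify_http01_response(SAMPLE_OSS_INDEX_BODY, SAMPLE_TOKEN, SAMPLE_JWK))
```

The point for this thread: a hosted bucket that answers every path with its index page can never return the key authorization, so no amount of DNS fixing or plugin switching on the laptop changes the outcome. DNS-01 sidesteps the web server entirely, and because the TXT record sits under a different owner name, it coexists with the CNAME to the bucket.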

How about:

  1. Have the domain helloworld.dagoukeji.com point to an ec2 instance that I have ssh access to.
  2. ssh to the ec2 instance, and generate the ssl certificate there.
  3. Point the domain back to the oss bucket.
  4. Upload the cert generated from step 2 via UI to the oss bucket

Does it sound a reasonable workaround? I assume ssl cert binds to a domain rather than a certain web server, so maybe this will work? @rg305

1 Like

That would work technically, but it seems like a lot of extra work for you (remember that Let’s Encrypt certificates expire after 90 days and need to be revalidated and reissued before that!). Therefore this same step would need to be repeated quite frequently. Is there some reason that you couldn’t use a DNS API to update the DNS zone, or that you couldn’t run a Let’s Encrypt client of some kind on the OSS bucket? (I unfortunately don’t know what an OSS bucket is, so I don’t know what restrictions or options there are in this case!)

2 Likes

I agree with @schoen, there are plenty of ways to get a cert in one place and then do a whole lot of manual steps to get it into some other place.
You could even go online and get one manually through a web site.
But that misses the key advantage LE strives to provide entirely - Automation.
If you can find a way to script all of that, or any version of anything that can accomplish that, then you have something “reasonable”.
If it relies heavily on human interaction (and requires many steps which must be taken in a precise order and never late) then you should look to improve on that overall.

So, no, it doesn’t quite “sound reasonable” enough to me.
You can do so much better.
And we can help you get there.

1 Like

alibabacloud is a cloud provider in China, OSS bucket is pretty much the alibabacloud-variant of AWS S3 bucket, with some features missing.

Since it is a managed storage service, I don’t have access inside the bucket. Regarding DNS, I will look into alibabacloud’s managed DNS service to see if I have the needed access to run LE client.

Thank you very much for the help, I will follow up soon, with my findings :slight_smile:

1 Like

I am so impressed by “And we can help you get there”, thank you so much for all the help.

Yah, I should take automation into consideration, and I will investigate the DNS approach given I don’t have access to the OSS bucket. I will follow up soon with my findings.

BTW, out of curiosity, does LE provide a website that I can get one SSL cert from?

3 Likes