Unauthorized domain helloworld.dagoukeji.com

Hi @rg305 thanks for the help.

Now I have made sure helloworld.dagoukeji.com is accessible and returns a 200 response. Feel free to try again and you’ll see a simple site: "This is a static template, there is no bundler or bundling involved!"

Regarding the longer name that doesn’t work, that’s intentionally designed by alibabacloud for some reason that I don’t understand, but it points to “Bind a custom domain name will avoid downloading the file”, which I already did. See https://www.alibabacloud.com/notice/oss0813

After making sure HTTP works, I tried sudo certbot certonly --standalone again but I got:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): helloworld.dagoukeji.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for helloworld.dagoukeji.com
Waiting for verification...
Challenge failed for domain helloworld.dagoukeji.com
http-01 challenge for helloworld.dagoukeji.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: helloworld.dagoukeji.com
   Type:   unauthorized
   Detail: Invalid response from
   http://helloworld.dagoukeji.com/.well-known/acme-challenge/CwYMbF5OajH1Pusx1axg084QOoTRcxpX7GZsCoJ2dTQ
   [47.75.19.251]: "<!DOCTYPE html>\n<html lang=\"en\">\n  <head>\n
   <meta charset=\"UTF-8\" />\n    <meta name=\"viewport\"
   content=\"width=device-width, in"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Any help? Thank you.

1 Like

You can’t use

that will try to start a web server.
[You already have a running web server.]
Try again without that.

1 Like

Hi @rg305

I tried all the other options besides standalone, and couldn’t get any of them to work.

$ sudo certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Could not find ssl_module; not disabling session tickets.

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)
3: Spin up a temporary webserver (standalone)
4: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-4] then [enter] (press 'c' to cancel): 4
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): helloworld.dagoukeji.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for helloworld.dagoukeji.com
Input the webroot for helloworld.dagoukeji.com: (Enter 'c' to cancel): /
Waiting for verification...
Challenge failed for domain helloworld.dagoukeji.com
http-01 challenge for helloworld.dagoukeji.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: helloworld.dagoukeji.com
   Type:   unauthorized
   Detail: Invalid response from
   http://helloworld.dagoukeji.com/.well-known/acme-challenge/0HgJV6MhWhxLcWTH3wo8z9-8vWd9_utUVbCBe8Wf1C0
   [47.75.19.251]: "<!DOCTYPE html>\n<html lang=\"en\">\n  <head>\n
   <meta charset=\"UTF-8\" />\n    <meta name=\"viewport\"
   content=\"width=device-width, in"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

$ sudo certbot certonly
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)
3: Spin up a temporary webserver (standalone)
4: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-4] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): helloworld.dagoukeji.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for helloworld.dagoukeji.com
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

$ sudo certbot certonly
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)
3: Spin up a temporary webserver (standalone)
4: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-4] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator nginx, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): helloworld.dagoukeji.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for helloworld.dagoukeji.com
Using default address 80 for authentication.
nginx: [error] invalid PID number "" in "/usr/local/var/run/nginx.pid"
Cleaning up challenges
nginx: [error] invalid PID number "" in "/usr/local/var/run/nginx.pid"
Encountered exception during recovery:
Traceback (most recent call last):
  File "/usr/local/Cellar/certbot/1.4.0/libexec/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 70, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/local/Cellar/certbot/1.4.0/libexec/vendor/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 1118, in perform
    self.restart()
  File "/usr/local/Cellar/certbot/1.4.0/libexec/vendor/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 915, in restart
    nginx_restart(self.conf('ctl'), self.nginx_conf)
  File "/usr/local/Cellar/certbot/1.4.0/libexec/vendor/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 1186, in nginx_restart
    raise errors.MisconfigurationError(
certbot.errors.MisconfigurationError: nginx restart failed:
b''
b''

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/Cellar/certbot/1.4.0/libexec/lib/python3.8/site-packages/certbot/_internal/error_handler.py", line 125, in _call_registered
    self.funcs[-1]()
  File "/usr/local/Cellar/certbot/1.4.0/libexec/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 243, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/usr/local/Cellar/certbot/1.4.0/libexec/vendor/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 1136, in cleanup
    self.restart()
  File "/usr/local/Cellar/certbot/1.4.0/libexec/vendor/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 915, in restart
    nginx_restart(self.conf('ctl'), self.nginx_conf)
  File "/usr/local/Cellar/certbot/1.4.0/libexec/vendor/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 1186, in nginx_restart
    raise errors.MisconfigurationError(
certbot.errors.MisconfigurationError: nginx restart failed:
b''
b''
nginx restart failed:
b''
b''

I have no clue what I should really do in this case: generate an SSL certificate for a domain that is bound to an alibabacloud OSS bucket (an Alibaba version of S3).

1 Like

Option 4 may be your best solution.
But for that, you need to know the exact document root path
Please show the vhost config for that domain name.

1 Like

@rg305 Do you mind sharing how to show the vhost config for my domain name? I have no clue. Thanks for the help

1 Like

No problem.
For apache, start with:
sudo apachectl -S
There you should see which file has the domain name.
If there are more than one file or if it all looks confusing, just post the output here.

1 Like

@rg305 If I understand correctly, I will run this command from my laptop because I don’t have ssh access to the alibabacloud OSS bucket?

I ran the command on my laptop and got:

VirtualHost configuration:
ServerRoot: "/usr"
Main DocumentRoot: "/Library/WebServer/Documents"
Main ErrorLog: "/private/var/log/apache2/error_log"
Mutex default: dir="/private/var/run/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/private/var/run/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="_www" id=70
Group: name="_www" id=70

Not sure what’s next.

1 Like

No, it needs to run on the server.

1 Like

How did you run that?

1 Like

Is there a way to get the ssl certificate for a domain that I am not able to ssh to?

Oh, I ran sudo certbot certonly entirely from my laptop, not from the OSS bucket … Sorry I haven’t emphasized that enough, as I said in my first post:

I ran this command on my macbook: sudo certbot certonly --standalone (following https://certbot.eff.org/lets-encrypt/osx-webproduct)

1 Like

That did not make it clear that your MacBook wasn’t the IP being authenticated against.

If you can’t SSH, how will you insert the cert when you do get one?

1 Like

@rg305 Sorry for the misleading info.

To insert the cert without ssh, OSS provides a UI for users to upload the keys, as described in https://www.alibabacloud.com/help/doc-detail/97187.htm

1 Like

Then the only option for you is to use DNS authentication.
[not HTTP nor HTTPS; as those would go directly to the website]

1 Like
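To make the distinction in the previous post concrete, here is an added example (my own code, not certbot's and not from anyone in this thread) that computes what an ACME client must publish for each challenge type and classifies an http-01 fetch result the way the failures above look from the CA's side. The account key below is a constructed placeholder JWK, not a real key; the token and the HTML fragment are copied from the error output earlier in the thread. It shows why an http-01 request answered by the bucket's index page can never succeed: the CA expects the exact key authorization string, and for dns-01 it expects the base64url SHA-256 digest of that string in a TXT record at `_acme-challenge.<domain>`.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: canonical JSON of the required members, SHA-256, base64url."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """What the http-01 URL must serve verbatim: <token>.<account key thumbprint>."""
    return f"{token}.{thumbprint}"


def dns01_txt_value(key_auth: str) -> str:
    """What the dns-01 TXT record at _acme-challenge.<domain> must contain."""
    return b64url(hashlib.sha256(key_auth.encode("utf-8")).digest())


def classify_http01_response(status: int, body: str, expected: str) -> str:
    """Mirror the CA's view of an http-01 fetch so a pre-flight check can explain a failure."""
    if status != 200:
        return "wrong-status"            # redirect to HTTPS, 404, etc.
    if body.strip() == expected:
        return "ok"
    if body.lstrip().lower().startswith(("<!doctype", "<html")):
        # The origin served its site index instead of the token file: the host
        # the A record points to is not the host where the client wrote the file.
        return "html-instead-of-token"
    return "content-mismatch"


# Constructed placeholder account key (not a real key pair).
PLACEHOLDER_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "placeholder-x-coordinate-not-a-real-key-0000000",
    "y": "placeholder-y-coordinate-not-a-real-key-0000000",
    "use": "sig",  # optional member; must be excluded from the thumbprint
}

# Token copied from the first certbot error in the thread.
TOKEN = "CwYMbF5OajH1Pusx1axg084QOoTRcxpX7GZsCoJ2dTQ"

# Body the CA reported receiving (truncated exactly as certbot printed it).
BUCKET_INDEX_BODY = (
    '<!DOCTYPE html>\n<html lang="en">\n  <head>\n'
    '    <meta charset="UTF-8" />\n    <meta name="viewport"\n'
    '    content="width=device-width, in'
)


def demo() -> dict:
    """Run the computation end to end and return every value worth checking."""
    thumb = jwk_thumbprint(PLACEHOLDER_JWK)
    key_auth = key_authorization(TOKEN, thumb)
    return {
        "thumbprint": thumb,
        "key_authorization": key_auth,
        "dns01_txt": dns01_txt_value(key_auth),
        "bucket_result": classify_http01_response(200, BUCKET_INDEX_BODY, key_auth),
        "correct_result": classify_http01_response(200, key_auth + "\n", key_auth),
        "redirect_result": classify_http01_response(301, "", key_auth),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `html-instead-of-token` outcome is exactly the situation in this thread: certbot wrote the token file on the laptop, but `helloworld.dagoukeji.com` resolves to the OSS endpoint, so the CA fetched the bucket's index page. The dns-01 value, by contrast, only has to appear in DNS, which is why it is the workable route when you cannot place files on the host the A record points to.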

How about:

  1. Have the domain helloworld.dagoukeji.com point to an ec2 instance that I have ssh access to.
  2. ssh to the ec2 instance, and generate the ssl certificate there.
  3. Point the domain back to the oss bucket.
  4. Upload the cert generated from step 2 via UI to the oss bucket

Does that sound like a reasonable workaround? I assume an ssl cert binds to a domain rather than a certain web server, so maybe this will work? @rg305

1 Like

That would work technically, but it seems like a lot of extra work for you (remember that Let’s Encrypt certificates expire after 90 days and need to be revalidated and reissued before that!). Therefore this same step would need to be repeated quite frequently. Is there some reason that you couldn’t use a DNS API to update the DNS zone, or that you couldn’t run a Let’s Encrypt client of some kind on the OSS bucket? (I unfortunately don’t know what an OSS bucket is, so I don’t know what restrictions or options there are in this case!)

2 Likes

I agree with @schoen, there are plenty of ways to get a cert in one place and then do a whole lot of manual steps to get it into some other place.
You could even go online and get one manually through a web site.
But that misses the key advantage LE strives to provide entirely - Automation.
If you can find a way to script all of that, or any version of anything that can accomplish that, then you have something “reasonable”.
If it relies heavily on human interaction (and requires many steps which must be taken in a precise order and never late) then you should look to improve on that overall.

So, no, it doesn’t quite “sound reasonable” enough to me.
You can do so much better.
And we can help you get there.

1 Like

alibabacloud is a cloud provider in China, OSS bucket is pretty much the alibabacloud-variant of AWS S3 bucket, with some features missing.

Since it is a managed storage service, I don’t have access inside the bucket. Regarding DNS, I will look into alibabacloud’s managed DNS service to see if I have the needed access to run LE client.

Thank you very much for the help, I will follow up soon, with my findings :slight_smile:

1 Like

I am so impressed by “And we can help you get there”, thank you so much for all the help.

Yah, I should take automation into consideration, and I will investigate the DNS approach given I don’t have access to the OSS bucket. I will follow up soon with my findings.

BTW, out of curiosity, does LE provide a website that I can get one SSL cert from?

3 Likes

No, but there are several out there where you can get a free 90 day cert.
Like: Zero SSL

Where LE excels (above providing free 90 days certs for all) is in providing ACME clients that easily enable automation; and, of course, this great community forum [which is unmatched].

1 Like

Thanks for the explanation. Note that still another option can be delegating the _acme-challenge subdomain of your main domain to a third-party DNS provider, most often Cloudflare, that has an API for DNS updates that’s friendly to Let’s Encrypt client integration. In that case the Let’s Encrypt clients would be able to create that record automatically from software in order to automate the renewals, even if your regular DNS zone doesn’t support automatic updates!

2 Likes
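As an added illustration of the delegation just described (my own example, not code from any participant or from Let's Encrypt), the following simulates what the CA's resolver does for a dns-01 validation when `_acme-challenge.<domain>` is a CNAME into a zone the ACME client can update through an API. The zone table is constructed; `acme-delegate.example` is a placeholder for whichever third-party DNS provider you delegate to. The point it shows is that the validator follows the CNAME and accepts the TXT record it finds at the end of the chain, so the main zone only needs the one static CNAME and never has to change again at renewal time.

```python
import base64
import hashlib

# Constructed zone data: name -> (record type, record data). The main zone holds
# only a static CNAME; the delegated zone is where the ACME client writes TXT values.
CONSTRUCTED_ZONE = {
    "_acme-challenge.helloworld.dagoukeji.com.": ("CNAME", "_acme-challenge.helloworld.acme-delegate.example."),
    "_acme-challenge.helloworld.acme-delegate.example.": ("TXT", ["stale-value-from-last-renewal", "EXPECTED"]),
    "_acme-challenge.loop-a.example.": ("CNAME", "_acme-challenge.loop-b.example."),
    "_acme-challenge.loop-b.example.": ("CNAME", "_acme-challenge.loop-a.example."),
}


def dns01_txt_value(key_auth: str) -> str:
    """base64url(SHA-256(key authorization)), the value dns-01 expects in the TXT record."""
    return base64.urlsafe_b64encode(hashlib.sha256(key_auth.encode()).digest()).rstrip(b"=").decode()


def resolve_txt(name: str, zone: dict, max_hops: int = 8):
    """Follow CNAMEs from `name` like a validating resolver; return (final_name, txt_values).

    Returns (final_name, []) when no TXT exists and raises on a CNAME loop or too many hops.
    """
    seen = []
    while True:
        if name in seen or len(seen) >= max_hops:
            raise RuntimeError(f"CNAME chain at {name} loops or exceeds {max_hops} hops")
        seen.append(name)
        rr = zone.get(name)
        if rr is None:
            return name, []
        rtype, rdata = rr
        if rtype == "CNAME":
            name = rdata
            continue
        return name, list(rdata)


def dns01_validate(domain: str, key_auth: str, zone: dict) -> dict:
    """Decide whether a dns-01 validation for `domain` would pass against `zone`."""
    challenge_name = f"_acme-challenge.{domain}."
    expected = dns01_txt_value(key_auth)
    final_name, values = resolve_txt(challenge_name, zone)
    # The CA accepts the challenge if ANY TXT value at the final name matches; leftover
    # values from earlier renewals are harmless, which is why cleanup failures rarely matter.
    return {
        "queried": challenge_name,
        "answered_by": final_name,
        "delegated": final_name != challenge_name,
        "valid": expected in values,
    }


# Constructed key authorization for the demo; in practice it is <token>.<thumbprint>.
DEMO_KEY_AUTH = "constructed-token.constructed-thumbprint"


def demo() -> dict:
    """Publish the correct value in the delegated zone, then validate as the CA would."""
    zone = {k: (t, list(d) if isinstance(d, list) else d) for k, (t, d) in CONSTRUCTED_ZONE.items()}
    delegated_name = "_acme-challenge.helloworld.acme-delegate.example."
    # The ACME client, holding only an API token for the delegated zone, replaces the placeholder.
    zone[delegated_name][1][:] = [
        dns01_txt_value(DEMO_KEY_AUTH) if v == "EXPECTED" else v for v in zone[delegated_name][1]
    ]
    return dns01_validate("helloworld.dagoukeji.com", DEMO_KEY_AUTH, zone)


if __name__ == "__main__":
    print(demo())
```

Run it and the result reports `delegated: True` with `valid: True`: the CA queried `_acme-challenge.helloworld.dagoukeji.com` but was answered by the delegated zone. The loop entries in the constructed table exist only to show that a resolver must bound CNAME following; a misconfigured chain fails closed rather than validating.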