My web server is (include version): nginx/1.18.0 (Ubuntu)
The operating system my web server runs on is (include version): Ubuntu 22
My hosting provider, if applicable, is: godaddy
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0
Background. I am currently running a flask website using gunicorn and nginx on my local machine.
To do so, I forward/redirect all calls made at ai-immo.fr to my LOCAL_EXTERNAL_IP:PORT
The http part works but I wanted to use certbot to have HTTPS access too.
The error message indicates that the well-know certficate created by certbot is not accessible and hence it can't verify that I have admin access to the website.
Error:
sudo certbot --nginx -d ai-immo.fr
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for ai-immo.fr
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: ai-immo.fr
Type: unauthorized
Detail: 3.33.152.147: Invalid response from http://ai-immo.fr/.well-known/acme-challenge/*********-*******0: 404
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
MultipleIPAddressDiscrepancy
Warning
ai-immo.fr has multiple IP addresses in its DNS records. While they appear to be accessible on the network, we have detected that they produce differing results when sent an ACME HTTP validation request. This may indicate that some of the IP addresses may unintentionally point to different servers, which would cause validation to fail.
[Address=3.33.152.147,Address Type=IPv4,Server=ip-10-123-123-105.ec2.internal,HTTP Status=404] vs [Address=15.197.142.173,Address Type=IPv4,Server=ip-10-123-123-106.ec2.internal,HTTP Status=404]
And using curl -Ii http://ai-immo.fr/.well-known/acme-challenge/sometestfile returns HTTP/1.1 405 Not Allowed
Supplemental Port 443 (i.e. for HTTPS) is filtered for nmap -Pn -p80,443 ai-immo.fr
$ nmap -Pn -p80,443 ai-immo.fr
Starting Nmap 7.80 ( https://nmap.org ) at 2023-05-13 16:54 UTC
Nmap scan report for ai-immo.fr (3.33.152.147)
Host is up (0.010s latency).
Other addresses for ai-immo.fr (not scanned): 15.197.142.173
rDNS record for 3.33.152.147: a4ec4c6ea1c92e2e6.awsglobalaccelerator.com
PORT STATE SERVICE
80/tcp open http
443/tcp filtered https
Nmap done: 1 IP address (1 host up) scanned in 1.32 seconds
@Bruce5051 Tx for your reply.
On the godaddy website, there is indeed Few DNS of type A/@/CNAME/SOA which I am not sure what they are for, but it seems like I can not modify them...
One of which do point to the IP 3.33.152.147.
Do you by any chance have any experience with godaddy?
Tx a lot, and sorry again as I am really starting ...
Best
@griffin Great!. I want to run my website on a local/VPS pc that runs Ubuntu 22.
as @Bruce5051 pointed out it seems that one of the reason(s), that may cause the problem is the fact that the predefined DNSs points to 3.33.152.147.
The issue I have is that they are marked as "impossible to suppress" and marked as type "A".
I have the minimal service from godaddy, so not sure if it made to force me to pay for their own certificated or else.
Thanks a lot for the help
It looks like you are using some sort of URL Forwarding setting or maybe URL Redirect. I forget what GoDaddy calls it. First, unset that and then you will be able to set an A record pointing to your actual IP.
A forwarding service like that does not work with HTTPS
@MikeMcQ I think Mike pointed out the problem. let me make some changes.
Thanks a lot for your help.
AS A DIFFERENT MATTER. I kind of have been blocked by certbot, because I was making to many "idiotic" requests. any ideas how long it takes before I can try again?
It works!
Very interesting, the info @Bruce5051 was able to pickup.
Is there anything I should be worried about with this setup?
Meaning what do I expose, rather than latency etc
Thanks a lot folks! @MikeMcQ@Bruce5051 griffin
The info Bruce showed is readily available using the public DNS and internet. I think you are asking how to make your server secure. That's an advanced discussion well beyond the scope of this forum.
You might look at the result of SSL Labs "Server Test" for your domain (spoiler: you got an 'A'). That tests some basic stuff and shows you some of what people can easily see. There are other sites and services that focus on port scanning, hardening, firewalls, and more. Yes, more
Thank you @nono_london, but as @MikeMcQ has correctly pointed out I did not do anything that the public DNS and internet already has, just a tiny bit of ditch digging.
