Warning: The domain 'wiki.dev.precisiongenetics.com' resolves to a different IP address than the one detected for this machine, which is '54.167.189.167'

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: wiki.dev.precisiongenetics.com

I ran this command: sudo /opt/bitnami/bncert-tool

It produced this output: Please provide a valid space-separated list of domains for which you wish to
configure your web server.

Domain list : wiki.dev.precisiongenetics.com

The following domains were not included: www.wiki.dev.precisiongenetics.com. Do you want to add them? [Y/n]: n

Warning: No www domains (e.g. www.example.com) or non-www domains (e.g.
www.example.com) have been provided, so the following redirections will be
disabled: non-www to www, www to non-www.
Press [Enter] to continue:
Warning: The domain 'wiki.dev.precisiongenetics.com' resolves to a different IP
address than the one detected for this machine, which is '54.167.189.167'.
Please fix its DNS entries or remove it. For more info see:
Configure a custom domain
Press [Enter] to continue:

My web server is (include version): Dokuwiki Bitnami

The operating system my web server runs on is (include version): Linux/UNIX

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

The warning/error is pretty self-explanatory, right? What is your question about it exactly?

By the way, your hostname resolves to 10.0.3.15, which is a private IP address which isn't accessible through the public internet. Thus you/bncert-tool can't use the http-01 challenge. I believe bncert-tool also supports the tls-alpn-01 challenge, but I haven't seen anything resembling dns-01 support. And only the latter can be used with public hostnames resolving to private IP addresses.

1 Like

Sorry, then I cannot use "bncert-tool" if there's no public IP?

So, I created another EC2 with public IP, and still getting an error:

An error occurred creating certificates with Let's Encrypt:

private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2024/01/08 19:56:38 No key found for account makhmud77@yahoo.com. Generating a
P256 key.
2024/01/08 19:56:38 Saved key to
/opt/bitnami/letsencrypt/accounts/acme-v02.api.letsencrypt.org/makhmud77@yahoo.co
m/keys/makhmud77@yahoo.com.key
2024/01/08 19:56:39 [INFO] acme: Registering account for makhmud77@yahoo.com
2024/01/08 19:56:39 [INFO] [wiki.dev.precisiongenetics.com] acme: Obtaining
bundled SAN certificate
2024/01/08 19:56:39 [INFO] [wiki.dev.precisiongenetics.com] AuthURL:
https://acme-v02.api.letsencrypt.org/acme/authz-v3/302138000766
2024/01/08 19:56:39 [INFO] [wiki.dev.precisiongenetics.com] acme: use
tls-alpn-01 solver
2024/01/08 19:56:39 [INFO] [wiki.dev.precisiongenetics.com] acme: Trying to
solve TLS-ALPN-01
2024/01/08 19:56:46 [INFO] Deactivating auth:
https://acme-v02.api.letsencrypt.org/acme/authz-v3/302138000766
2024/01/08 19:56:46 Could not obtain certificates:
error: one or more domains had a problem:
Press [Enter] to continue:
[wiki.dev.precisiongenetics.com] acme: error: 400 ::
urn:ietf:params:acme:error:dns :: no valid A records found for
wiki.dev.precisiongenetics.com; no valid AAAA records found for
wiki.dev.precisiongenetics.com

Please check our documentation and support forums, we'll be happy to help!

Please help and THANK YOU!

1 Like

Not to get a Let's Encrypt cert. The HTTP or TLS-ALPN challenges both require an A and/or AAAA record in the public DNS. That IP must point to a publicly accessible server to reply to the challenge to prove control of that domain name.

3 Likes

That's caused by the same problem. The IP address in your A record is not routable on the public internet.

There are many ways to lookup your public IP. Your EC2 console should show you. Or, do this for your IPv4 and IPv6 (you may not have both)

curl -4 https://ifconfig.io
curl -6 https://ifconfig.io

The public IP should be the value in your A record, not the IP starting with 10.0.

4 Likes

Are you going to use the cert over the public Internet?
If so, then you will also need a publicly routable IP:

Name:    wiki.dev.precisiongenetics.com
Address: 10.0.101.104

If you are not going to use it over the Internet...
Then why do you even need a publicly signed cert?

2 Likes

Okay, you fixed your DNS IP and got a new Let's Encrypt cert.

But, your Apache is configured wrong. It uses the Let's Encrypt leaf but an intermediate chain from ZeroSSL.

You should review these in your VirtualHost
SSLCertificateFile
SSLCertificateChainFile (is not used after Apache 2.4.8)
SSLCertificateKeyFile

https://www.ssllabs.com/ssltest/analyze.html?d=wiki.dev.precisiongenetics.com&hideResults=on

3 Likes
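The two checks the replies above describe (is the A record a publicly routable address that matches this machine, and does the served chain actually fit the leaf) as an added example, not code from the thread or from bncert. Sample addresses are taken from the thread; the certificate chain is constructed in the format `ssl.SSLSocket.getpeercert()` returns, with placeholder common names, since the stdlib cannot parse a full PEM chain on its own.

```python
import ipaddress

# Constructed sample data modelled on this thread; not captured from the real host.
RESOLVED_ADDRESSES = ["10.0.3.15"]            # the private A record bncert complained about
MACHINE_PUBLIC_IP = "54.167.189.167"          # the public IP bncert detected for the instance

def dns_status(addresses, machine_public_ip):
    """Classify each A/AAAA value the way an HTTP-01 or TLS-ALPN-01 validator would see it."""
    public_ip = ipaddress.ip_address(machine_public_ip)
    result = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:          # RFC 1918 / link-local / loopback: the CA cannot connect
            result.append((addr, "not_routable"))
        elif ip != public_ip:         # routable, but some other machine would answer the challenge
            result.append((addr, "mismatch"))
        else:
            result.append((addr, "ok"))
    return result

def rdn_to_dict(name):
    """Flatten a getpeercert()-style name tuple ((('commonName', 'x'),), ...) into a dict."""
    return {key: value for rdn in name for key, value in rdn}

def chain_breaks(chain):
    """chain: leaf first, then intermediates, each as a getpeercert()-style dict.
    Returns one (position, issuer organization, next subject organization) per break,
    i.e. wherever a certificate's issuer is not the subject of the certificate after it."""
    breaks = []
    for pos, (lower, upper) in enumerate(zip(chain, chain[1:])):
        issuer = rdn_to_dict(lower["issuer"])
        subject = rdn_to_dict(upper["subject"])
        if issuer != subject:
            breaks.append((pos, issuer.get("organizationName"), subject.get("organizationName")))
    return breaks

# Constructed chain reproducing the misconfiguration described in the thread: a Let's Encrypt
# leaf served together with a ZeroSSL intermediate. Common names are placeholders.
MISMATCHED_CHAIN = [
    {"subject": ((("commonName", "wiki.example.test"),),),
     "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "LE-INTERMEDIATE-PLACEHOLDER"),))},
    {"subject": ((("organizationName", "ZeroSSL"),), (("commonName", "ZEROSSL-INTERMEDIATE-PLACEHOLDER"),)),
     "issuer": ((("organizationName", "ZeroSSL"),), (("commonName", "ZEROSSL-ROOT-PLACEHOLDER"),))},
]

if __name__ == "__main__":
    for addr, status in dns_status(RESOLVED_ADDRESSES, MACHINE_PUBLIC_IP):
        print(f"A record {addr}: {status}")
    for pos, issuer_org, subject_org in chain_breaks(MISMATCHED_CHAIN):
        print(f"chain break after certificate {pos}: issued by {issuer_org}, next certificate is from {subject_org}")
```

To run `chain_breaks` against a live site, feed it the leaf from `getpeercert()` plus the intermediates read from the file named in `SSLCertificateFile`, converted to the same dict shape with a PEM parser of your choice.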

Thanks again for all your help!
Does this output mean, that certificate was issued?


Performing changes to your installation

The Bitnami HTTPS Configuration Tool will perform any necessary actions to your
Bitnami installation. This may take some time, please be patient.

Warning: Certificates may not renew automatically, due to a web server
configuration issue. For more information see:
Learn about the Bitnami HTTPS Configuration Tool
Press [Enter] to continue:

Some errors occurred

The configuration was applied, but some of the changes could not be applied.
Find the details below.

The configuration report is shown below.

Failed steps:

  • Creating Let's Encrypt certificate: Automatic renewal not working

Backup files:

  • /opt/bitnami/apache/conf/httpd.conf.back.202401082003
  • /opt/bitnami/apache/conf/bitnami/bitnami.conf.back.202401082003
  • /opt/bitnami/apache/conf/bitnami/bitnami-ssl.conf.back.202401082003
  • /opt/bitnami/apache/conf/vhosts/dokuwiki-https-vhost.conf.back.202401082003
  • /opt/bitnami/apache/conf/vhosts/dokuwiki-vhost.conf.back.202401082003

Find more details in the log file:

/tmp/bncert-202401082003.log

If you find any issues, please check Bitnami Support forums at:

Press [Enter] to continue:

Script stderr:
2024/01/08 20:04:20 [INFO] [wiki.dev.precisiongenetics.com] acme: Obtaining bundled SAN certificate
2024/01/08 20:04:20 [INFO] [wiki.dev.precisiongenetics.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/302139769216
2024/01/08 20:04:20 [INFO] [wiki.dev.precisiongenetics.com] acme: use tls-alpn-01 solver
2024/01/08 20:04:20 [INFO] [wiki.dev.precisiongenetics.com] acme: Trying to solve TLS-ALPN-01
2024/01/08 20:04:26 [INFO] [wiki.dev.precisiongenetics.com] The server validated our request
2024/01/08 20:04:26 [INFO] [wiki.dev.precisiongenetics.com] acme: Validations succeeded; requesting certificates
2024/01/08 20:04:27 [INFO] [wiki.dev.precisiongenetics.com] Server responded with a certificate.

Executing chown -R bitnami /opt/bitnami/letsencrypt
Script exit code: 0

If yes, it is still showing as not secured.

See my post just before your latest one. Your Apache is configured wrong.

5 Likes

Sorry, I'm not able to fix my Apache file, I think. Got this:

bitnami@ip-10-0-103-105:~$ sudo /opt/bitnami/letsencrypt/lego --tls --email="mahmud.rahimberganov@precisiongenetics.com" --domains="wiki.dev.precisiongenetics.com" --path="/opt/bitnami/letsencrypt" run
2024/01/08 21:00:01 [INFO] [wiki.dev.precisiongenetics.com] acme: Obtaining bundled SAN certificate
2024/01/08 21:00:01 [INFO] [wiki.dev.precisiongenetics.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/302151571216
2024/01/08 21:00:01 [INFO] [wiki.dev.precisiongenetics.com] acme: use tls-alpn-01 solver
2024/01/08 21:00:01 [INFO] [wiki.dev.precisiongenetics.com] acme: Trying to solve TLS-ALPN-01
2024/01/08 21:00:07 [INFO] [wiki.dev.precisiongenetics.com] The server validated our request
2024/01/08 21:00:07 [INFO] [wiki.dev.precisiongenetics.com] acme: Validations succeeded; requesting certificates
2024/01/08 21:00:08 [INFO] [wiki.dev.precisiongenetics.com] Server responded with a certificate.
bitnami@ip-10-0-103-105:~$ sudo /opt/bitnami/ctlscript.sh start

But it's still showing as not secured.

Thank you!

1 Like

SSL Labs shows a certificate issued today:
SSL Server Test: wiki.dev.precisiongenetics.com (Powered by Qualys SSL Labs)

3 Likes

Is there a load-balancer involved:
[two screenshots of lookup results omitted]

Why two different IPs?

2 Likes

Again, thank you everyone for all your help!

1 Like

Your Apache is still wrong. Can you post your VirtualHost for this domain?

See this SSL Checker as one example or also check the SSL Labs report

4 Likes

bitnami@ip-10-0-103-105:/opt/bitnami/apache/conf/bitnami$ cat bitnami.conf

# Default Virtual Host configuration.

# Let Apache know we're behind a SSL reverse proxy
SetEnvIf X-Forwarded-Proto https HTTPS=on

<VirtualHost _default_:80>
  DocumentRoot "/opt/bitnami/apache/htdocs"
  # BEGIN: Configuration for letsencrypt
  Include "/opt/bitnami/apps/letsencrypt/conf/httpd-prefix.conf"
  # END: Configuration for letsencrypt
  # BEGIN: Support domain renewal when using mod_proxy without Location
  <IfModule mod_proxy.c>
    ProxyPass /.well-known !
  </IfModule>
  # END: Support domain renewal when using mod_proxy without Location
  # BEGIN: Enable HTTP to HTTPS redirection
  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteCond %{HTTP_HOST} !^localhost
  RewriteCond %{HTTP_HOST} !^[0-9]+.[0-9]+.[0-9]+.[0-9]+(:[0-9]+)?$
  RewriteCond %{REQUEST_URI} !^/\.well-known
  RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
  # END: Enable HTTP to HTTPS redirection
  <Directory "/opt/bitnami/apache/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
  </Directory>

  # Error Documents
  ErrorDocument 503 /503.html
  # BEGIN: Support domain renewal when using mod_proxy within Location
  <Location /.well-known>
    <IfModule mod_proxy.c>
      ProxyPass !
    </IfModule>
  </Location>
  # END: Support domain renewal when using mod_proxy within Location
</VirtualHost>

Include "/opt/bitnami/apache/conf/bitnami/bitnami-ssl.conf"

The right file?

No, the below file is for HTTPS (port 443) and your certificate config

3 Likes

bitnami@ip-10-0-103-105:/opt/bitnami/apache/conf$ ls
bitnami deflate.conf httpd.conf magic modsecurity.conf server.crt unicode.mapping wiki.dev.precisiongenetics.com.crt
cert.csr extra httpd.conf.back.202401082051 mime.types original server.key vhosts wiki.dev.precisiongenetics.com.key

httpd.conf?

Sorry, here:

bitnami@ip-10-0-103-105:/opt/bitnami/apache/conf/bitnami$ cat bitnami-ssl.conf

# Default SSL Virtual Host configuration.

<IfModule !ssl_module>
  LoadModule ssl_module modules/mod_ssl.so
</IfModule>

Listen 443
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !EDH !RC4"
SSLPassPhraseDialog  builtin
SSLSessionCache "shmcb:/opt/bitnami/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300

<VirtualHost _default_:443>
  DocumentRoot "/opt/bitnami/apache/htdocs"
  SSLEngine on
  SSLCertificateFile "/opt/bitnami/apache/conf/bitnami/certs/server.crt"
  SSLCertificateKeyFile "/opt/bitnami/apache/conf/bitnami/certs/server.key"

  # BEGIN: Configuration for letsencrypt
  Include "/opt/bitnami/apps/letsencrypt/conf/httpd-prefix.conf"
  # END: Configuration for letsencrypt
  # BEGIN: Support domain renewal when using mod_proxy without Location
  <IfModule mod_proxy.c>
    ProxyPass /.well-known !
  </IfModule>
  # END: Support domain renewal when using mod_proxy without Location
  <Directory "/opt/bitnami/apache/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
  </Directory>

  # Error Documents
  ErrorDocument 503 /503.html
  # BEGIN: Support domain renewal when using mod_proxy within Location
  <Location /.well-known>
    <IfModule mod_proxy.c>
      ProxyPass !
    </IfModule>
  </Location>
  # END: Support domain renewal when using mod_proxy within Location
</VirtualHost>

Thanks again!

1 Like

That is the problem file. The bncert tool should have set that up properly.

I thought we were going to see a different problem we could easily fix. But, something very unusual has gone wrong with bncert. I think you should work with experts at a bitnami / bncert forum instead.

5 Likes