Well known acme challenge when installing on new machine


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: dwccloud.uk, www.dwccloud.uk, cloudi.dwccloud.uk

I ran this command: sudo certbot --apache

It produced this output: IMPORTANT NOTES:

My web server is (include version): apache 2.4.18

The operating system my web server runs on is (include version): ubuntu 16.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I installed a certificate for these domains on another machine when I was learning how to set up a nextcloud server, but I took that one offline a few months back, partly because I couldn’t renew, because I hadn’t used certbot, but also because I bought a less limited machine.

I’ve looked through other people’s posts about this error message, but none seems quite the same. Should I be using a different command to transfer the certificate to this new machine?

I’ve just realised I might have used a different email address last time. Would that cause it? If so, how can I fix this?
Thanks in advance.


#2

I guess this is a home server? Have you forwarded port 80 from your router to the new machine? You need port 80 to pass the (most common) validation challenge, in addition to whatever port you actually want to serve HTTPS on (usually 443).

Using a different email address shouldn’t make any difference.


#3

Thank you. I’ll look at it now.


#4

jmorahan, those ports are open on my router. Sorry for being so basic, but is this what I need to do?


#5

When you say the ports are “open” on your router what do you mean exactly? Most routers have some sort of web interface that allows you to forward incoming traffic on a given port or port range to a particular internal IP address. If yours only provides a Linux shell interface, then the article you linked … looks more or less right to me, but my iptables is very rusty so I’m not sure, sorry.

Another thing to check: are your DNS records pointed at the correct IP address? (particularly if your IP address might have changed since you set them up originally)
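
The two checks in the reply above (port 80 reaching the right machine, DNS pointing at the right address) are exactly what the HTTP-01 challenge depends on. The following is an added example, not code from the thread or from certbot, that reproduces the validation exchange locally: the CA side fetches http://<domain>/.well-known/acme-challenge/<token> and compares the body with the key authorization, which is the token plus the RFC 7638 thumbprint of the account key. A local http.server stands in for Apache and a small client stands in for Let's Encrypt, so it runs offline on 127.0.0.1. The account JWK, token and port are constructed values, not real ones.

```python
"""Added example (not from the forum thread or certbot): a local stand-in for
the ACME HTTP-01 validation that Let's Encrypt performs against port 80."""
import base64
import hashlib
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    members only (sorted keys, no whitespace). Extra members like 'kid' are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """What the challenge file must contain: <token>.<thumbprint>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def make_handler(responses: dict):
    """HTTP handler that serves only the challenge files it was given."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path.startswith(CHALLENGE_PREFIX):
                body = responses.get(self.path[len(CHALLENGE_PREFIX):])
                if body is not None:
                    data = body.encode("ascii")
                    self.send_response(200)
                    self.send_header("Content-Type", "application/octet-stream")
                    self.send_header("Content-Length", str(len(data)))
                    self.end_headers()
                    self.wfile.write(data)
                    return
            self.send_response(404)
            self.end_headers()

        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler


def start_responder(responses: dict, port: int = 0) -> HTTPServer:
    """Start the 'web server' side on 127.0.0.1; port 0 picks a free port.
    A real deployment listens on port 80, which is why that port must be
    forwarded to the machine running certbot."""
    server = HTTPServer(("127.0.0.1", port), make_handler(responses))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def validate_http01(base_url: str, token: str, jwk: dict) -> bool:
    """The CA side: fetch the challenge file and compare it with the expected
    key authorization. A refused connection or timeout (what a missing port
    forward or a stale A record looks like from the outside) is a failure."""
    url = f"{base_url}{CHALLENGE_PREFIX}{token}"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxies
    try:
        with opener.open(url, timeout=5) as resp:
            body = resp.read().decode("ascii", errors="replace").strip()
    except OSError:  # URLError/HTTPError/ConnectionRefusedError all derive from OSError
        return False
    return body == key_authorization(token, jwk)


if __name__ == "__main__":
    # Constructed account key and token; a real JWK carries the RSA modulus.
    jwk = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus", "kid": "ignored"}
    token = "constructed-token-value"
    srv = start_responder({token: key_authorization(token, jwk)})
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    print("valid:", validate_http01(base, token, jwk))
    print("wrong token:", validate_http01(base, "other-token", jwk))
    srv.shutdown()
    srv.server_close()
```

The same three failure modes seen in this thread show up here: a wrong internal IP behind the port forward or a stale A record gives a refused or timed-out connection, and a challenge file written on the old machine gives a mismatch, because the key authorization is bound to the account key on the host that requested the certificate.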


#6

When you say the ports are “open” on your router what do you mean exactly?

Just that they are opened on the router’s firewall.

My router has a web interface (it’s an Arris router), but it doesn’t have anything named ‘port forwarding’. It has ‘port triggers’ and I’ve got 80 and 443 linked to my server name through that, but it doesn’t give the option of specifying an internal IP address.

As for my DNS records, my domain name is on a commercial registrar. The DNS records are pointed at my static IP address and I have an A record for the subdomain.

Please don’t apologise for anything. I appreciate the help and, as you can see, I’m very much an amateur, blundering about. It’s just frustrating, as I’ve done this once, successfully, and am now in a muddle. It feels as though I am back where I was six months ago.


#7

I’m not familiar with those routers but based on a screenshot I found via Google, the setting might be called “Virtual servers / port forwarding” and the name might be truncated so it might not be obvious.


#8

@danceswithcats, maybe you should take a look at this page https://portforward.com/arris/ where you will find step by step instructions to set up port forwarding on several Arris routers.


#9

Yes! That appears to have done it. I had 80 and 443 set to point to my old machine, which was on a different internal ip address. I’ve changed the IP address, made it a fixed one, so that dynamic naming won’t mess about with it, and run certbot again, and I seem to have a certificate.

Once again, thank you.

I got an output I didn’t recognise. Is the following okay?

We were unable to find a vhost with a ServerName or Address of dwccloud.uk.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)


1: 000-default.conf | | | Enabled
2: 000-default-le-ssl.conf | www.dwccloud.uk | HTTPS | Enabled


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf

We were unable to find a vhost with a ServerName or Address of cloudi.dwccloud.uk.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)


1: 000-default.conf | | | Enabled
2: 000-default-le-ssl.conf | Multiple Names | HTTPS | Enabled


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf


Congratulations! You have successfully enabled https://www.dwccloud.uk,
https://dwccloud.uk, and https://cloudi.dwccloud.uk

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.dwccloud.uk
https://www.ssllabs.com/ssltest/analyze.html?d=dwccloud.uk
https://www.ssllabs.com/ssltest/analyze.html?d=cloudi.dwccloud.uk


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/www.dwccloud.uk/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/www.dwccloud.uk/privkey.pem
    Your cert will expire on 2019-01-29. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le


#10

Thanks, Sahsanu. I will apply myself to that, in case of future problems.


#11

It’s okay, but it means that so far you’ve only configured www.dwccloud.uk in Apache and not the other two names. It should continue to work after you do so, but it might be worth trying a certbot renew --dry-run at that point just to double-check.


#12

I ran the dry run renewal and it just renewed the www.dwccloud certificate. The test reports for the other two default to www.dwccloud.uk and show green across the board. If that’s the case, I don’t need to worry, do I? I mean, the connection will be protected anyway, won’t it?


#13

You have a single certificate covering all three names. My only concern was that if you want them to serve different content at some point in the future, you might need to update your Apache configuration to achieve that, and if so, you should re-test to confirm that the renewal will still work after you do that.
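
An added configuration example, not from the thread or from certbot, of what "update your Apache configuration" would look like when cloudi.dwccloud.uk is split off to serve different content while the three names keep sharing the one certificate. The certificate and key paths are the ones certbot printed above; the DocumentRoot values, the file name and the choice to keep www.dwccloud.uk and dwccloud.uk together are assumptions for illustration.

```apache
# Added example: /etc/apache2/sites-available/dwccloud.conf (assumed file name).
# Every name needs a port-80 vhost that carries it as ServerName or ServerAlias,
# otherwise certbot cannot find a vhost for the HTTP-01 challenge (the
# "unable to find a vhost with a ServerName or Address of ..." prompt above).
<VirtualHost *:80>
    ServerName www.dwccloud.uk
    ServerAlias dwccloud.uk cloudi.dwccloud.uk
    # Keep /.well-known/acme-challenge/ reachable over plain HTTP; redirect the rest.
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.dwccloud.uk
    ServerAlias dwccloud.uk
    DocumentRoot /var/www/html            # assumed
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/www.dwccloud.uk/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.dwccloud.uk/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

<VirtualHost *:443>
    ServerName cloudi.dwccloud.uk
    DocumentRoot /var/www/nextcloud       # assumed
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/www.dwccloud.uk/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.dwccloud.uk/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
```

After a change like this, run `apachectl configtest` and then `certbot renew --dry-run`, as suggested above: the dry run exercises the same port-80 challenge for all three names, so it catches a name that no longer maps to a vhost before the real renewal in January fails.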


#14

Ah, yes. I do want to set up a FreeNAS box, when I can afford the memory and storage. I was going to add another subdomain then, but I’ll let that be a problem for the future. The way my bank account’s looking, it won’t be for a long while anyway.
It’s time to walk the dog and cook supper. Thanks so much for all your help.


#15

When you get to that, you might want to take a look at this to obtain the cert on your FreeNAS box directly and automate installation:


#16

That looks straightforward enough. Brilliant.

Thanks, danb35.