Wildcard domain manual renewal

My domain is:
bogend.ca

I ran this command:
certbot certonly --manual -v -d bogend.ca

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Requesting a certificate for bogend.ca
Performing the following challenges:
http-01 challenge for bogend.ca


Create a file containing just this data:

TbkgvtFPnR_jbSHMrWsJ6JHFxFe4MZrj8CM2xl3v_70.k2nysomSEbqy3Qm8DilJBQ5Omcf4NyKISgNSs0k4vg4

And make it available on your web server at this URL:

http://bogend.ca/.well-known/acme-challenge/TbkgvtFPnR_jbSHMrWsJ6JHFxFe4MZrj8CM2xl3v_70


Press Enter to Continue
Waiting for verification...
Challenge failed for domain bogend.ca
http-01 challenge for bogend.ca

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: bogend.ca
Type: connection
Detail: Fetching http://bogend.ca/.well-known/acme-challenge/TbkgvtFPnR_jbSHMrWsJ6JHFxFe4MZrj8CM2xl3v_70: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the manually created challenge files. Ensure that you created these in the correct location.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Apache v.2.4

The operating system my web server runs on is (include version):
CentOS v.7

My hosting provider, if applicable, is:
DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.20.0

The renewal for specific certificates (black-widow.bogend.ca and mail.bogend.ca) went well. When I try to do the wildcard domain, it fails. After searching for the errors, I was directed to do a manual update, using the command:

certbot certonly --manual -v -d bogend.ca

I create the requested file (it is different every time I run the command) and verify that I can reach it by loading it in my browser (current Chrome).

The certbot process attempts to proceed, and then dies with the error that it timed out waiting for the file.

What am I doing wrong?

1 Like

Hi @daBUZ, welcome to the LE community forum :)

You must have a functional HTTP web site before you can secure it (via HTTP authentication).

Q1: Is this the IP of your server?:

Name:    bogend.ca
Address: 139.197.163.41

Q2: Can your server be reached? [via: http://bogend.ca/]
I can't reach it either:

curl -Ii bogend.ca
curl: (56) Recv failure: Connection reset by peer

Q3: Why does the title to this topic include the words "wildcard" and "renewal"?

2 Likes
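As an added example (not code from the thread, from Certbot or from Let's Encrypt), a pre-flight check to run before pressing Enter in `certbot certonly --manual`: offline, it verifies that the file body has the shape `<token>.<account-key thumbprint>` (RFC 7638) and that the token matches the URL; live, it resolves the host and fetches the URL the way the CA does, flagging a mismatch against the address you expect. The challenge values and the DigitalOcean IP are the ones quoted in this thread; `jwk` is an optional account-key JWK (a constructed one is used in the test).

```python
import base64, hashlib, json, re, socket
import urllib.request
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Values copied from the certbot output quoted above and the DigitalOcean address the replies identify.
CHALLENGE_URL = "http://bogend.ca/.well-known/acme-challenge/TbkgvtFPnR_jbSHMrWsJ6JHFxFe4MZrj8CM2xl3v_70"
FILE_BODY = "TbkgvtFPnR_jbSHMrWsJ6JHFxFe4MZrj8CM2xl3v_70.k2nysomSEbqy3Qm8DilJBQ5Omcf4NyKISgNSs0k4vg4"
EXPECTED_IP = "138.197.163.41"

def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: SHA-256 over the required JWK members, lexically ordered, no whitespace."""
    members = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return base64.urlsafe_b64encode(hashlib.sha256(canonical.encode()).digest()).rstrip(b"=").decode()

def check_key_authorization(url: str, body: str, jwk: Optional[Dict[str, str]] = None) -> List[str]:
    """Offline checks on what certbot asked you to publish; returns problems (empty list = OK)."""
    problems = []
    path = urlparse(url).path
    token, sep, thumb = body.strip().partition(".")
    if sep != ".":
        return problems + ["file body must be <token>.<account-key-thumbprint>"]
    if token != path.rsplit("/", 1)[-1]:
        problems.append("token in the file does not match the token in the URL")
    if not re.fullmatch(r"[A-Za-z0-9_-]{43}", thumb):  # 32-byte SHA-256, base64url, no padding
        problems.append("thumbprint is not base64url(SHA-256): expected 43 URL-safe chars")
    if jwk is not None and jwk_thumbprint(jwk) != thumb:
        problems.append("thumbprint does not belong to the supplied account key")
    return problems

def live_check(url: str, body: str, expected_ip: str, timeout: float = 10.0) -> List[str]:
    """Roughly what the CA does: resolve the host, fetch over plain HTTP, compare the body."""
    host = urlparse(url).hostname
    try:
        addrs = socket.gethostbyname_ex(host)[2]
    except socket.gaierror as e:
        return [f"DNS lookup for {host} failed: {e}"]
    problems = [] if expected_ip in addrs else [f"{host} resolves to {addrs}, not {expected_ip}"]
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            served = resp.read().decode().strip()
    except Exception as e:  # a timeout here is the "connection" error certbot reported
        return problems + [f"fetch failed: {e}"]
    return problems + ([] if served == body else ["served content differs from the file body"])

if __name__ == "__main__":
    print(check_key_authorization(CHALLENGE_URL, FILE_BODY) or "offline shape OK")
    print(live_check(CHALLENGE_URL, FILE_BODY, EXPECTED_IP) or "live check OK")
```

The live check only tells you what the CA would see from your vantage point; a wildcard name still needs dns-01, so this check applies to the apex/hostname part of the order only.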

The httpd is going up and down as we try different things right now.
Answer to Q1: yes

Answer to Q2: yes, but httpd is shut down right now as we try to create a new certificate.

Answer to Q3: because we are trying to renew the wildcard *.bogend.ca as well as the domain bogend.ca

Thanks for your response.

1 Like

Do your ACME renewal processes include --standalone or --apache or --nginx?

2 Likes

Not that I am aware of, unless it is hidden in config files.

Then why would you need to shut down the HTTPD to get a wildcard certificate (a process that is done completely via DNS)?

2 Likes

Apache broke when I deleted the old certificate that would not renew, to install a new certificate.

That was unnecessary and can cause that to happen.
If you have put your vhost configs into separate files, and you enabled them using a2ensite, then try disabling that site until a cert can be obtained for it. See: a2dissite.
[be sure you aren't asking certbot to create the secure site for you - then you will have two!]

3 Likes

I find that black-widow.bogend.ca has no cert... at least it's not being served.

mail.bogend.ca couldn't be reached the first time I tried to connect, but on the 2nd try, it did connect - it shows the exact same content as black-widow.bogend.ca. This also does not have a cert that is being served. A minute later I tried to connect to mail subdomain again and that too timed out.

Looking up your name servers for bogend.ca I found:

NS records
Name servers
black-widow.bogend.com.
black-widow.bogend.ca.

On a whim I tried black-widow.bogend.com and that loaded the same content as the .ca version. The URL was still .com.

BUT! Here's something quite odd.

Checking out your apex domain here, the 2 name server replies for black-widow.bogend.ca and .com are from Digital Ocean in Toronto, Ontario, Canada, but the NS for your apex domain (bogend.ca) is in Shanghai, China.

Notice the slight difference in IP addresses (3rd digit):
138.197.163.42 is in Canada
139.197.163.42 is in China


Did you manually change your DNS records and make a typo entering the IP address? That could explain the 2nd IP address in China.

You should check this out before continuing.


Name Servers
Domain / Nameserver / NS-IP

www.bogend.ca
  • bogend.ca

bogend.ca
  • black-widow.bogend.ca
    138.197.163.41
    Toronto/Ontario/Canada (CA) - DigitalOcean, LLC
  • black-widow.bogend.com
    138.197.163.41
    Toronto/Ontario/Canada (CA) - DigitalOcean, LLC
  • bogend.ca
    139.197.163.41
    Pudong Xinqu/Shanghai/China (CN) - MIGUVideo


Checking out MIGU Video, I see they have an app for streaming Chinese drama, comedy, music, etc. (and Tik-Tok).

3 Likes

Thanks for that. That was definitely a typo that has been corrected.

2 Likes

After many iterations of playing with the configuration of Apache and Certbot, I have these certificates working. Thanks for the help.

2 Likes
