I have a new domain in the .dev TLD, which forces HSTS as far as I understood, so I can't access it through HTTP, only HTTPS.
I'm trying to set up the SSL certificate like I did 100 times before using certbot on Ubuntu/Apache2.
Now my problem is that when certbot tries to authenticate, it doesn't work because the acme-challenge tries to access the file in .well-known through HTTP, which doesn't work with HSTS domains.
How do you usually deal with that? I couldn't find anything useful so far.
Error message from certbot:
Failed authorization procedure. example.dev (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://example.dev/.well-known/acme-challenge/t6qvuntJAoDTAwoMnjQnA5R4vZ-IdWptb_yakexutp4 [2001:8d8:100f:f000::259]: 204
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: example.dev
Type: unauthorized
Detail: Invalid response from
http://example.dev/.well-known/acme-challenge/t6qvuntJAoDTAwoMnjQnA5R4vZ-IdWptb_yakexutp4
[2001:8d8:100f:f000::259]: 204
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Related
I tried to activate SSL for a website on a VPS. I have many domain names and all are successfully active except one domain name, freecodeing.com. I mention the error in the IMPORTANT NOTES below:
The following errors were reported by the server:
Domain: freecodeing.com
Type: unauthorized
Detail: 82.180.162.33: Invalid response from
http://freecodeing.com/.well-known/acme-challenge/nX18j8YXwmGgeXnPuI-tugws3wfaRHPcFPq1CuCfq0M:
404
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Please solve the problem.
I am running Nginx and Cloudflare. For Nginx SSL I use Let's Encrypt via certbot, which handles the connection from my server to Cloudflare. Cloudflare itself has an additional certificate, which handles the connections between Cloudflare and the website users. The problem is now that I have to pause Cloudflare every time I renew Let's Encrypt:
sudo certbot renew
Else I get an error:
Incorrect validation certificate for tls-sni-01 challenge requested.
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Is there another way to auto renew it without pausing cloudflare?
I ran into this before and thought some Cloudflare page rules would help:
Rule 1: http://*.domain.com/.well-known/acme-challenge/* => cache level = standard
Rule 2: http://*.domain.com/ => Always use HTTPS
This seemed to work fine for all my domains until just today, one of them failed to renew certbot correctly, so I am also interested in anybody else's input.
Log into Cloudflare and go to DNS.
You will see an A/AAAA record, and if it says Proxied, you need to set it to DNS Only. Then you can go and do certbot renew and it will succeed.
If you go back to Cloudflare you can set it back to Proxied.
I am facing a weird issue. I do not know if it is Nginx related or DNS related, but here is the problem:
I have a domain that is fine, let's say foobar.com; SSL does not face any issue. Both www. and the root domain work with HTTPS.
I have a second domain, let's say foobaz.net, and I need to redirect it to foobar.com in every situation (both www. and root domains).
It does actually redirect, but when I try to access https://foobaz.net/ I get an HTTPS error/warning before being redirected to https://foobar.com/ after adding it to the SSL exceptions of Chrome (the https://foobar.com/ SSL certificate is OK once I get past the https://foobaz.net/ SSL warning).
I do not know if it is Nginx related or DNS related, any clue what is happening here?
Thanks in advance.
Any HTTPS connection checks the SSL certificate before proceeding to do what it needs to do on the server (in your case, a redirection). You may have a certificate for foobar.com, which is perfectly fine, but you don't have a valid foobaz.com certificate. That's why the error shows up: foobaz is not "secure".
An HTTPS connection is secure if all the points between you and the endpoint are secure, not only the endpoint. If foobaz is not certified, that is a non-secure middle point on your connection, and that's why the warning happens.
Get an SSL certificate for foobaz too, and the whole connection will be secure.
I have problems creating Let's Encrypt certs with certbot.
Because I don't know where the problem is, I will just write down everything that could be the root cause:
I do have a domain and one subdomain. There is an Nginx which redirects the subdomain to the domain on a specific port.
Now I run certbot for my domain, without the subdomain at first.
sudo certbot --nginx -d domain.de -d www.domain.de
This leads to the following error:
Domain: domain.de
Type: unauthorized
Detail: Invalid response from
http://domain.de/.well-known/acme-challenge/Y_Ka6V9JlHjBqjqanHLthoVL9F2yju_2TczRPwkBD0s:
"\n\n300 Multiple Choices\n\nMultiple C"
Domain: www.domain.de
Type: unauthorized
Detail: Invalid response from
http://www.domain.de/.well-known/acme-challenge/Vf234FTDH7zH5TUBbBwVGfPVLK3m5rllc1s3Cu9KK3I:
"\n\n300 Multiple Choices\n\nMultiple C"
I couldn't find much except this thread on the Let's Encrypt Community.
So I guess it is related to my DNS settings. I rent the domain via 1&1 and created a subdomain as well. Because I was playing around with Nginx redirects and the DNS settings, I configured the subdomain to have the same IPv4 & IPv6 as the domain. Could this be the problem, or do I have to look somewhere else?
Best regards from Berlin!
I checked the IPv6 address with nslookup and it pointed to somewhere else. I do not understand how this can happen because I never touched the IPv6 (AAAA) record. I guess certbot is checking A and AAAA, and because they did not match, the authentication failed.
I deleted the AAAA records for the domain and was able to get a cert without a problem.
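The 204 answered by the IPv6 address in the .dev question at the top of this page and the AAAA record that "pointed to somewhere else" in this post are the same failure, and HSTS has nothing to do with it: HSTS is a browser-side policy that the CA's validator does not consult. The validator picks an address from the name's A/AAAA records (Let's Encrypt tries an AAAA address first when one exists), fetches the challenge URL over plain HTTP on port 80, and follows a redirect to HTTPS if the server sends one. So what fails is whichever host sits behind the address the CA chose. The script below is an added example for both of those posts; it is not code from the posts or from certbot. It parses the "Detail:" line certbot prints to recover the address the CA used, then fetches a test file you place yourself under /.well-known/acme-challenge/ over plain HTTP on every address the name resolves to, so an address that answers differently from the others stands out. The hosts, addresses and tokens in its comments and checks are constructed or copied from the quoted error messages.

```python
"""Diagnose a failed ACME http-01 validation.

Added example for this thread; not code from any of the posts or from certbot.
Host names, addresses and tokens used in comments and checks are constructed.
"""
import http.client
import re
import socket
import sys
from dataclasses import dataclass
from typing import Optional

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Both certbot "Detail:" layouts quoted in the thread:
#   "Invalid response from http://h/.well-known/acme-challenge/TOKEN [2001:db8::1]: 204"
#   "192.0.2.1: Invalid response from http://h/.well-known/acme-challenge/TOKEN: 404"
DETAIL_RE = re.compile(
    r"(?:(?P<addr_before>[0-9a-fA-F][0-9a-fA-F:.]*): )?"
    r"Invalid\s+response\s+from\s+"
    r"(?P<url>http://(?P<host>[^/\s]+)/\.well-known/acme-challenge/[A-Za-z0-9_-]+)"
    r"\s*(?:\[(?P<addr_after>[0-9a-fA-F:.]+)\])?"
    r":\s*(?P<rest>.{0,60})",
    re.S,
)
# The status may sit behind a quoted body such as "\n\n300 Multiple Choices"
STATUS_RE = re.compile(r'"?(?:\\n|\s)*(\d{3})')


def parse_certbot_detail(text: str):
    """Return (host, address the CA used or None, HTTP status or None), or None if no match."""
    m = DETAIL_RE.search(text)
    if not m:
        return None
    s = STATUS_RE.match(m.group("rest"))
    status = int(s.group(1)) if s else None
    return m.group("host"), m.group("addr_before") or m.group("addr_after"), status


@dataclass
class ProbeResult:
    address: str
    status: Optional[int]            # None: no TCP connection to port 80
    location: Optional[str] = None   # Location header when the answer is a redirect
    body: str = ""


def resolve_all(host: str):
    """Every A and AAAA address; Let's Encrypt tries an AAAA address first when one exists."""
    infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def probe_address(host: str, address: str, token: str, timeout: float = 5.0) -> ProbeResult:
    """Plain-HTTP GET of the challenge path on one address with Host set to the name.
    Redirects are not followed, so the result is what the validator's first request sees."""
    conn = http.client.HTTPConnection(address, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read(256).decode("utf-8", "replace")
        return ProbeResult(address, resp.status, resp.getheader("Location"), body)
    except OSError:
        return ProbeResult(address, None)
    finally:
        conn.close()


def diagnose(results, expected_body: str):
    """Classify each address; 'consistent' is False when the addresses answer differently,
    the A-vs-AAAA mismatch behind the 204 and 300 responses quoted in the thread."""
    verdicts = {}
    for r in results:
        if r.status is None:
            verdicts[r.address] = "no-listener"
        elif r.status in (301, 302, 307, 308):
            # The CA follows redirects, HTTPS ones included; the target must serve the token.
            verdicts[r.address] = "redirect"
        elif r.status == 200 and r.body.strip() == expected_body:
            verdicts[r.address] = "ok"
        elif r.status == 200:
            verdicts[r.address] = "wrong-body"          # another vhost or docroot answered
        else:
            verdicts[r.address] = f"http-{r.status}"    # e.g. http-204, http-404: not this web server
    return {"verdicts": verdicts, "consistent": len(set(verdicts.values())) <= 1}


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: acme_probe.py HOST TOKEN  (first create WEBROOT/.well-known/acme-challenge/TOKEN containing TOKEN)")
    host, token = sys.argv[1:]
    report = diagnose([probe_address(host, a, token) for a in resolve_all(host)], token)
    for addr, verdict in report["verdicts"].items():
        print(f"{addr:40} {verdict}")
    if not report["consistent"]:
        print("addresses disagree: make every A/AAAA record point at the same web server")
```

Run it on the web server's own name with a throwaway token after creating the matching file in the webroot; an address that reports "http-204", "http-404" or "no-listener" while the others report "ok" is the record to fix, and "redirect" is only fine if the redirect target serves the same token.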
Following https://devcenter.heroku.com/articles/ssl-endpoint
I've added a certificate for my domain www.example.com and then https://www.example.com is working as expected.
But the domain of my certificate is example.com and it's not valid for my-app.herokuapp.com, so the browser shows an invalid-domain error for the certificate.
I've seen https://support.dnsimple.com/articles/heroku-error-ssl/ but it's not valid in the EU region. In fact I don't understand how it works, because the custom SSL endpoint they provide to us still has another domain, herokussl.com, so my certificate will not be valid for this domain.
Any ideas?
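The foobaz.net redirect question and this Heroku question come down to one rule: the browser compares the host name it connected to against the certificate's subjectAltName before it reads a single byte of the response, so a redirect served by foobaz.net under foobar.com's certificate is only seen after the warning, and a certificate for example.com says nothing about my-app.herokuapp.com. The script below is an added example for both posts; it is not code from the posts, from Heroku or from Chrome. It writes out the matching rule in the strict form browsers apply (a wildcard only as the whole leftmost label, covering exactly one label) rather than relying on ssl.match_hostname, which recent Python versions no longer provide, and it can read the SAN list off a live server to list which of the names visitors may type are not covered. The names in its checks are constructed or taken from the posts.

```python
"""Which host names does a certificate's subjectAltName cover?

Added example for the foobaz.net redirect question and the Heroku question; not code from
those posts, from Heroku or from Chrome. Names in comments and checks are constructed or
taken from the posts.
"""
import socket
import ssl


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Does one SAN dNSName entry (possibly a wildcard) cover hostname?"""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    p, h = pattern.split("."), hostname.split(".")
    if "*" in pattern:
        # Wildcard only as the entire leftmost label, and never as broad as "*.com"
        if p[0] != "*" or any("*" in label for label in p[1:]) or len(p) < 3:
            return False
    if len(p) != len(h):
        # A wildcard stands for exactly one label: "*.foobar.com" covers www.foobar.com
        # but neither foobar.com nor a.b.foobar.com
        return False
    return all(pl == "*" or pl == hl for pl, hl in zip(p, h))


def cert_covers(hostname: str, san_dns_names) -> bool:
    """True if any SAN entry covers the name the visitor connected to."""
    return any(dns_name_matches(name, hostname) for name in san_dns_names)


def missing_names(wanted_hosts, san_dns_names):
    """Host names a visitor may type for which this certificate triggers a warning."""
    return [host for host in wanted_hosts if not cert_covers(host, san_dns_names)]


def fetch_san_dns_names(host: str, port: int = 443, timeout: float = 5.0):
    """SAN DNS names the server presents for `host` (sent as SNI). Hostname checking is
    turned off on purpose so a mismatched certificate can still be read; the chain is
    still verified against the system trust store."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        sys.exit("usage: san_check.py HOST [OTHER_NAME ...]")
    host, extra = sys.argv[1], sys.argv[2:]
    names = fetch_san_dns_names(host)
    print(f"{host} presents: {', '.join(names)}")
    for bad in missing_names([host, *extra], names):
        print(f"  {bad}: NOT covered, browsers warn before any redirect is processed")
```

Listing every name a visitor can type (root and www of each domain, and the platform host name in the Heroku case) as extra arguments shows at once which ones need their own certificate or their own SAN entry; the redirect on the server never gets a chance to help with the ones reported as not covered.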