I've problems creating letsencrypt certs with the certbot.
Because I don't know where the problem is, I will just write everything down which can be the root cause:
I do have a domain and one subdomain. There is a Nginx which redirects the subdomain to the domain on a specific port.
Now I run the certbot for my domain without the subdomain at first.
sudo certbot --nginx -d domain.de -d www.domain.de
This leads to the following error:
Domain: domain.de Type: unauthorized Detail: Invalid
response from
http://domain.de/.well-known/acme-challenge/Y_Ka6V9JlHjBqjqanHLthoVL9F2yju_2TczRPwkBD0s:
"\n\n300 Multiple Choices\n\nMultiple C"
Domain: www.domain.de Type: unauthorized Detail: Invalid
response from
http://www.domain.de/.well-known/acme-challenge/Vf234FTDH7zH5TUBbBwVGfPVLK3m5rllc1s3Cu9KK3I:
"\n\n300 Multiple Choices\n\nMultiple C"
I couldn't find much except this thread. Letsencrypt Community
So I guess it is realted to my DNS Settings. I rent the domain via 1&1 and created a subdomain as well. Because I was playing around with Nginx redirects and the DNS settings, I configured the subdomain to have the same IPv4 & IPv6 as the domain. Could this be the problem or do I have to look somewhere else?
Best regards from Berlin!
I checked the IPv6 address with nslookup and this pointed to somewhere else. I do not understand how this can happen because I never touched the IPv6 (AAAA) record. I guess Certbot is checking A and AAAA and because they did not match the authentication failed.
I deleted the AAAA records for the domain and was able to get a cert without a problem.
Related
I have a website for my podcast built with Python / Django that is hosted on Heroku: https://dinpodcast.herokuapp.com/
I have a custom domain parked on GoDaddy, dinpodcast.com, that has a www CNAME directing to my heroku application. This works just fine: https://www.dinpoddcast.com
I wanted dinpodcast.com to redirect to the www website, so I have the following domain forwarding set up on Godaddy:
This also works great, for the most part. Now, when I enter http://dinpodcast.com, or just dinpodcast.com, both will redirect to https://www.dinpodcast.com.
Here's the problem. When I enter the naked domain WITH HTTPS, so when I enter https://dinpodcast.com into a browser's address bar, I get the following response:
Here's what I THINK is happening. My SSL certificate is provided by Heroku under their Automated Certificate Management program. So, I assume that since I don't have an SSL certificate with GoDaddy, it's timing out trying to find one before it can redirect to my www subdomain. Would this be correct? If so, is there any way around this WITHOUT buying an SSL certificate with GoDaddy? If that's not what's happening, then what is and how do I fix it?
When you create an ssl certificate in your domain do you include your root domain? Tried using this tool in your root domain and it seems that there is no ssl certificate. However the subdomain https://dinpodcast.herokuapp.com/ has one. I suggest putting an ssl certificate in all subdomain and root domain that you are using.
I also checked the root domain’s IP address using this tool and checked port 443 using another tool and apparently the port is closed. Double check your firewall and make sure 443 is open.
I am using the bitnami django on Google Cloud platform stack.
Goal: I want SSL configured on my bitnami stack hosted on Google Cloud. But their toolsudo ./bncert-tool complains "The domain resolves to a different IP address than the one detected for this machine. Please fix its DNS entries or remove it.
I have purchased a domain using google domains.
I have set up google dns to point to the IP address as I see in the bitnami stack. I have enabled mydomain.com and www.mydomain.com to forward to the cloud server ipaddress/home in Google domain name settings
I then tried to run the tool /opt/bitnami/bncert-tool:
sudo /opt/bitnami/bncert-tool
Welcome to the Bitnami HTTPS Configuration tool.
Domains
Please provide a valid space-separated list of domains for which you wish to
configure your web server.
Domain list []: mydomain.com
The following domains were not included: www.mydomain.com. Do you want to add them? [Y/n]: n
Warning: No www domains (e.g. www.example.com) or non-www domains (e.g.
www.example.com) have been provided, so the following redirections will be
disabled: non-www to www, www to non-www.
Press [Enter] to continue:
Warning: The domain 'mydomain.com' resolves to a different IP address than the
one detected for this machine, which is 'aa.bb.ccc.dddd'. Please fix its DNS
entries or remove it. For more info see:
https://docs.bitnami.com/general/faq/configuration/configure-custom-domain/
Press [Enter] to continue:
MY QUESTION:
How do I resolve this? I even tried adding both domains
mydomain.com www.mydomain.com
I want SSL enabled for mydomain.com and www.mydomain.com and not sure where I am going wrong?
Secondy, after the link forwards, how to associate my domain name so that the static IP doesn't keep displaying instead it shows the mapped domain mydomain.com/home
thanks
Suds
$nslookup mydomain
Server: 192.168.0.1
Address: 192.168.0.1#53
Non-authoritative answer:
Name: mydomain.com
Address: 216.239.32.21
Name: mydomain.com
Address: 216.239.34.21
Name: mydomain.com
Address: 216.239.36.21
Name: mydomain.com
Address: 216.239.38.21
$ nslookup www.mydomain.com
Server: 192.168.0.1
Address: 192.168.0.1#53
Non-authoritative answer:
www.mydomain.com canonical name = ghs.googlehosted.com.
Name: ghs.googlehosted.com
Address: 172.217.26.179
$ dig +short NS mydomain.com ns-cloud-b1.googledomains.com.
ns-cloud-b2.googledomains.com. ns-cloud-b3.googledomains.com.
ns-cloud-b4.googledomains.com.
$ dig +short NS www.mydomain.com ghs.googlehosted.com.
You may need to change certain settings such as the domain name settings. If using Google Domains, the forwards actually don't integrate the A + Cname to one static IP. I had to physically create A and CName records.
This solved the first issue: What is interesting is one of my domains: mydomain.com is pointing multiple IP address whereas the other is point to different IP depending upon the DNS Server. This was also the one contributing to the error I used to get
when I ran sudo ./bncert-tool "The domain 'mydomain.com' resolves to a different IP address than the one detected for this machine, which is 'aa.bb.ccc.ddd'. Please fix its DNS entries or remove it.
I think physically forced the HTTPS redirection in web server settings. using this rule
/opt/bitnami/apache2/conf/bitnami/bitnami.conf,
Changed RewriteRule ^/(.*) https://example.com/$1 [R,L]
Then I still had some problems where the first hit the URLs will load, the next hit I would 404 errors.
I realized this was an issue with project level settings
opt/bitnami/apps/django/django_projects/Project/conf
sudo vi httpd-app.conf
WSGIScriptAlias /PROJECT '/opt/bitnami/apps/django/django_projects/PROJECT/PROJECT/wsgi.py'
to
WSGIScriptAlias / '/opt/bitnami/apps/django/django_projects/myproject/myproject/wsgi.py'
Then was the issue with ALLOWED HOSTS in settings.py:
Ensure the right ALLOWED HOSTS is updated, the project root or your application root, depending upon where you serve from.
/opt/bitnami/apps/django/django_projects/Project/Project
updated the settings in py here...
ALLOWED_HOSTS in settings.py
I am running nginx and cloudflare. For nginx ssl I use letsencrypt via certbot, which handles the connection from my server to cloudflare. cloudflare itself has an additional certificate, which handles the connections between cloudflare and the website users. The problem is now that I have to pause cloudlfare everytime when I renew letsencrypt:
sudo certbot renew
Else I get an error:
Incorrect validation certificate for tls-sni-01 challenge requested.
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Is there another way to auto renew it without pausing cloudflare?
I ran into this before and thought some Cloudflare page rules would help
Rule 1 http://.domain.com/.well-known/acme-challenge/ => cache level = standard
Rule 2 http://*.domain.com/ => Always use HTTPS
This seemed to work fine for all my domains until just today, one of them failed to renew certbot correctly, so I am also interested in anybody else's input.
Log into CloudFlare and go to DNS
You will see an A/AAAA record and if it says Proxied, you need to set it to DNS Only. Then you can go and do certbot renew and it will succeed.
If you go back to Cloudflare you can set it back to Proxied
I've been struggling with the configuration of my DNS app on Heroku. Things I want to accomplish:
www.example.com and example.com , both with SSL config (HTTPS)
Things I tried so far ...
GoDaddy Settings:
CNAME | www | example.com.herokudns.com
FOWARDING to
https://www.example.com
However, this setup is working great with HTTP only, but I'm getting a "Your connection is not private" error when I type the https.
I checked several tutorials and none address this issue.
PS: I'm using the SSL automatically managed from heroku.
SOLVED IT
Getting the naked domain set up with Godaddy easily: Set forwarding to your domain: https://www.my-domain.com. This will redirect non www to the correct place.
With that, I don't actually need to add a second domain in heroku (example.com).
Just keep the www.example.com, turn the SSL on, go to go daddy and redirect. This is working for me so far....
I have a Debian server which is running a number of client sites. Most of these are not running SSL so accessing by HTTP is fine.
I have one customer with an SSL certificate and accessing their site via HTTPS is fine too.
The problem comes if you try to access one of the other sites with HTTPS you get directed to the other site that has the SSL certificate.
For instance, lets say we have the following sites on the server:
alpha.net
bravo.net
charlie.net (SSL)
delta.net
So as you can see, charlie is the only one with SSL, and irrespective of if you go to http charlie.net or https charlie.net, it works fine.
http to all the other sites is fine, but if you were to go to https alpha.net, it will initially come up with an Invalid Certificate error and let you continue but whilst it has alpha.net in the address bar, its actually showing the charlie.net site in the browser.
I have researched SNI and how if any other sites have SSL I'll need to put them all on specific IP addresses (something else I need to try to work out how to do as I have no idea) but I am not sure why this is happening or how I resolve it.
Has anyone else encountered this before and how did you get around it?
Many thanks,
Rob
This does not have anything to do with SNI, as you currently only have one HTTPS server. What happens, as you've stated in your comment, is that the alpha.net domain resolves to your server's IP. Your Apache server is set up to listen for requests on port 443 on this IP, and to serve the contents of charlie.net to these requests. (And the certificate error means that the browser noticed the discrepancy between the certificate's alleged domain name and the domain name used for the request.)
Redirecting from HTTPS to HTTP is probably more trouble that it's worth, since you would need valid certificates for each domain, lest you present your users with another security warning. This would entail creating virtual hosts for alpha.net:443 and so on, on an SNI capable server (i.e., later versions of Apache 2.2+ with openssl), and adding a redirection like so:
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}
Probably the easiest course for your problem is to use a different IP for charlie.net. With this setup, there would be no way for alpha.net (and so on) to display the contents of another site.
If you have multiple IPs on your server, use a unique one for the SSL site, all non-SSL sites share another IP.
Since SSL doesn't care what is the domain you are visiting, it only cares if the current domain is approved from the list of domains(Common Name) it gets from the Ip address.