Impossible to get SSL with Let's Encrypt on a fresh new installation...

#1 Mon, 09/18/2017 - 16:15
guillaume.mda


Hello,

I have a problem getting a Let's Encrypt SSL cert for my virtual server / domain.

To explain everything: at first I had Webmin installed standalone on a Debian 9 OS server. I set up two virtual domains, and thereafter I decided to install Virtualmin. I had read that it's not such a good idea, but I did it anyway. The installation finally went fine, and once I tried to add SSL to my domains, it was working fine (I didn't try before, when only Webmin was installed). But thereafter I modified too many things, and things were no longer working so well on my server, so I decided to reinstall a fresh new Debian 9 OS with LAMP and to install Virtualmin just after. Once that was finished, I set up a virtual domain, but when I tried to add SSL with Let's Encrypt, it was not working... After many tries and modifications, as I found on the internet, to try to resolve the problem, I decided to reinstall - again - my OS, but this time to go with Ubuntu 16.04. But after the fresh new installation of the OS (alone, without LAMP or anything else) and Virtualmin, again, impossible to add SSL with Let's Encrypt...

When I try to get an SSL cert from Let's Encrypt, I get this result: Web-based validation failed : Failed to request certificate :

Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying domain.ltd...
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 235, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 231, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 184, in get_crt
    domain, challenge_status))
ValueError: domain.ltd challenge did not pass: {u'status': u'invalid', u'validationRecord': [{u'addressesResolved': [u'192.xxx.xxx.xxx', u'2a01:c206:2012:8372::1'], u'url': u'http://domain.ltd/.well-known/acme-challenge/RehRKM1t-Q9OsIwVs_bY8TLGEGD6EnPgVyFXtmeB8BA', u'hostname': u'domain.ltd', u'addressesTried': [], u'addressUsed': u'2a01:c206:2012:8372::1', u'port': u'80'}], u'keyAuthorization': u'RehRKM1t-Q9OsIwVs_bY8TLGEGD6EnPgVyFXtmeB8BA.VrFsd3bc5ajzHJ0zDGHhfz-1m2GHbdos5aemqdI-9L4', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/0e2NMC1VdlzI-F_R64iB7Wuu9f1Q-Q6Kx2Xln6cG4UQ/2014175868', u'token': u'RehRKM1t-Q9OsIwVs_bY8TLGEGD6EnPgVyFXtmeB8BA', u'error': {u'status': 403, u'type': u'urn:acme:error:unauthorized', u'detail': u'Invalid response from http://domain.ltd/.well-known/acme-challenge/RehRKM1t-Q9OsIwVs_bY8TLGEGD6EnPgVyFXtmeB8BA: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"'}, u'type': u'http-01'}


And: DNS-based validation failed : Failed to request certificate :

Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying domain.ltd...
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 235, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 231, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 184, in get_crt
    domain, challenge_status))
ValueError: domain.ltd challenge did not pass: {u'status': u'invalid', u'keyAuthorization': u'eVMSDcBtiuG16ByC2NL8Kpn8KpyrhdbVq1ccHD9M-C0.VrFsd3bc5ajzHJ0zDGHhfz-1m2GHbdos5aemqdI-9L4', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/NUYeNR73wl7gx00HA5ig6uf3C9_KgD4eLbgPEARDPdA/2014176131', u'token': u'eVMSDcBtiuG16ByC2NL8Kpn8KpyrhdbVq1ccHD9M-C0', u'error': {u'status': 400, u'type': u'urn:acme:error:connection', u'detail': u'DNS problem: NXDOMAIN looking up TXT for _acme-challenge.domain.ltd'}, u'type': u'dns-01'}

So, I've tried a lot of "solutions" that I found on this site or elsewhere on the net, but nothing was working... Maybe someone is able to help me and tell me what is wrong?...

Cheers

Mon, 09/18/2017 - 16:18
Joe

That looks like DNS simply isn't resolving to your server.

Are your glue records at your registrar correct?

--

Check out the forum guidelines!

Tue, 09/19/2017 - 09:36
guillaume.mda

Hello.

Joe: thanks for the answer. I wanted to argue and answer many things, but I preferred to read your article first: http://inthebox.webmin.com/dns-for-web-hosting-glue-records (which is very good). So, if I understand the article right: I can't use BIND as a DNS server if I have only one IP address... And unfortunately I have only one IP address (IPv4).

So, I've stopped BIND, and used the DNS hosting of my registrar instead.

But Let's Encrypt returns an error message again. But maybe, I guess, it's because of the time needed to propagate the new DNS across the net, as maybe the DNS is not yet resolving correctly?... (I checked for an SSL cert from Let's Encrypt just one hour after switching off BIND and setting up the DNS hosting of my registrar)

If I make a whois domain.ltd it returns: Temporary failure in name resolution

I will try again tomorrow, and tell you if it's working (I hope!).

Tue, 09/19/2017 - 16:19 (Reply to #3)
noisemarine

If you have the capability to install and administer something like Virtualmin, you have the capability to set up a secondary DNS server. Jump on to a site like LowEndBox or LowEndTalk and pick up a basic 1 or 2Gb OpenVZ VPS for like $10-$20/yr. You can integrate the Webmin component on both so that your Virtualmin updates the secondary whenever you make DNS changes.

Tue, 09/19/2017 - 20:31 (Reply to #4)
Joe

I've been working on a series of videos about installing Virtualmin on super cheap VMs. Scaleway is the current low-cost ruler with a $3 VM that has 2GB of RAM and 50GB of SSD storage, but several major providers have ~$5 options that would work great for DNS. So far, reliability and performance have been acceptable across all of the ones I've tried (none are stellar, and if system/net/disk performance were a major concern you might still want to colocate or use something higher end, but all of them, so far, are pretty darn good for such a low price).

I agree there's no reason to avoid having a secondary DNS server these days. The options for cheap VMs are just too plentiful and quick to set up.

To host a slave DNS server, you just need to install the bind module and Webmin. We have some docs for that around here somewhere, and I'm thinking about making an install script just for that little bundle of things, maybe pre-configured to act as a slave to a Virtualmin master...would folks find that valuable/useful?


Tue, 09/19/2017 - 20:36 (Reply to #5)
Joe

In my experience, registrars have gotten pretty quick about updates...usually within two to three hours, you should see changes reflected in their DNS (NameCheap refreshes zones every 30 minutes, so the delay is never more than that, and they're a pretty good registrar all around). If it's taking longer than a couple of hours, something is wrong, most likely.

Double check everything at the registrar, and figure out what their name servers are and ask them directly for info about your zone, using the dig command (both dig and host allow you to specify which name server to query, so you can say, "Get this information from X name server.", which rules out propagation time as the culprit...you can test your DNS well before propagation has happened).


Tue, 09/19/2017 - 11:08
Jfro

Better to set TTL times much lower before switching DNS ;) You don't have to wait that long then, and making and drinking a cup of coffee, if DNS caches are also quick, could be enough.

Tue, 09/19/2017 - 11:40
guillaume.mda

Yes, you're right! :)

My DNS TTLs are actually set to 86400... :(

Wed, 09/20/2017 - 06:04
guillaume.mda

So, even after DNS propagation, nothing was working. And it didn't resolve other problems (not able to send email, etc.).

So, I decided to reinstall everything once again: OS (this time with Debian 9) and Virtualmin.

On the Post-installation Wizard, for the questions about the Primary nameserver, I didn't check "Skip check for resolvability" and added ns1.nameofmyserver.ltd for the Primary Nameserver, and ns2.nameofmyserver.ltd, ns3.nameofmyserver.ltd for the Secondary nameservers. I set this, as nowhere is it clear what we should put there... When the Post-installation Wizard ended, for the Checking Configuration, Virtualmin found that I should add 127.0.0.1 to the DNS or switch off BIND (I chose the latter). Once I had switched off BIND, the Checking Configuration was ok. I created a new Virtual Server and tried again for a Let's Encrypt SSL: and (of course) it was not working! ...

Here is the result:

Parsing account key...
Parsing CSR...
Registering account...
Registered!
Verifying domain.ltd...
Wrote file to /home/USER/public_html/.well-known/acme-challenge/VGf3gqYNOrhA6UhWHxQD-hE9-6Loy267dUgI3Z9kPIY, but couldn't download http://domain.ltd/.well-known/acme-challenge/VGf3gqYNOrhA6UhWHxQD-hE9-6Loy267dUgI3Z9kPIY
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 235, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 231, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 184, in get_crt
    domain, challenge_status))
ValueError: domain.ltd challenge did not pass: {u'status': u'invalid', u'validationRecord': [{u'addressesResolved': [u'192.xxx.xxx.xxx', u'2a02:c207:2013:8373::1'], u'url': u'http://domain.ltd/.well-known/acme-challenge/VGf3gqYNOrhA6UhWHxQD-hE9-6Loy267dUgI3Z9kPIY', u'hostname': u'domain.ltd', u'addressesTried': [], u'addressUsed': u'2a01:c206:2012:8372::1', u'port': u'80'}], u'keyAuthorization': u'VGf3gqYNOrhA6UhWHxQD-hE9-6Loy267dUgI3Z9kPIY.S_hsmokK9tTwOh9ReONgW-NW5zzAEn6hszSrbpuQAuQ', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/V_0B1znaW7Ft11WPD8Xqx9iGRdzZeFqnKwe52_sdFWY/2025863177', u'token': u'VGf3gqYNOrhA6UhWHxQD-hE9-6Loy267dUgI3Z9kPIY', u'error': {u'status': 403, u'type': u'urn:acme:error:unauthorized', u'detail': u'Invalid response from http://domain.ltd/.well-known/acme-challenge/VGf3gqYNOrhA6UhWHxQD-hE9-6Loy267dUgI3Z9kPIY: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"'}, u'type': u'http-01'}


My DNS is hosted not exactly by my registrar, but by my server provider (the company from which I rent my VPS). When I check on the internet with some DNS resolution service (like https://mxtoolbox.com), everything seems ok...

So, I still don't know what to do... :(

Wed, 09/20/2017 - 16:03 (Reply to #9)
Joe

That looks like either DNS is not resolving, or the web server is serving the wrong site.

Can you browse to the address shown in the error above? I mean this bit here: http://domain.ltd/.well-known/acme-challenge/VGf3gqYNOrhA6UhWHxQD-hE9-6Loy267dUgI3Z9kPIY (except with your real domain name)

Can you browse to a test HTML file in the document root of the virtual server in question? If you browse to http://domain.tld/ (and you have an index.html in the public_html directory) you should see that html file. If you don't, it means you're either hitting the wrong IP (so DNS is wrong) or you're hitting the wrong virtual server.

There's a FAQ about the latter problem in the docs labeled The Wrong Site Shows Up

Now this latter problem shouldn't be common with newly installed systems, though...I thought I had addressed most of the common misconfigurations of the system and web server that would lead to this problem. So, if you're still seeing *:80 addresses in your Apache configuration, let me know, as we have some sort of bug somewhere. It really shouldn't happen by accident anymore.

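The check Joe describes (fetch the challenge URL yourself and see whether you land on the right IP and the right virtual server), as an added example that is not code from the thread or from Virtualmin: it parses the acme_tiny error shown above to report which address the CA actually used (in the posted errors that is the IPv6 one, with a 404 behind it), then fetches the challenge file from every address the name resolves to, sending the Host header as the CA does. Hostname, addresses and token in the sample are constructed placeholders, and check_every_address uses the local resolver, not a specific name server as dig @ns would.

```python
import ast
import socket
import urllib.error
import urllib.request

# Constructed sample in the shape of the acme_tiny ValueError from the thread
# (hostname, addresses and token are placeholders, not the poster's values).
SAMPLE_ERROR = (
    "ValueError: example.test challenge did not pass: {u'status': u'invalid', "
    "u'validationRecord': [{u'addressesResolved': [u'203.0.113.10', u'2001:db8::1'], "
    "u'url': u'http://example.test/.well-known/acme-challenge/TOKEN123', "
    "u'hostname': u'example.test', u'addressesTried': [], u'addressUsed': u'2001:db8::1', "
    "u'port': u'80'}], u'token': u'TOKEN123', u'error': {u'status': 403, "
    "u'type': u'urn:acme:error:unauthorized', u'detail': u'Invalid response'}, "
    "u'type': u'http-01'}"
)

def parse_challenge_error(text):
    """Extract the Python-literal status dict that acme_tiny embeds in its error."""
    return ast.literal_eval(text[text.index("{"):])

def diagnose(status):
    """Say which address the CA actually fetched from and what it got back."""
    rec = status["validationRecord"][0]
    used = rec["addressUsed"]
    return {
        "challenge": status["type"],
        "token": status["token"],
        "hostname": rec["hostname"],
        "address_used": used,
        "family": "IPv6 (AAAA)" if ":" in used else "IPv4 (A)",
        "other_addresses": [a for a in rec["addressesResolved"] if a != used],
        "http_status": status["error"]["status"],
    }

def fetch_challenge(hostname, address, token, timeout=5):
    """Fetch the challenge file from one specific address with the CA's Host header."""
    host = f"[{address}]" if ":" in address else address
    req = urllib.request.Request(
        f"http://{host}/.well-known/acme-challenge/{token}", headers={"Host": hostname})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace").strip()
    except urllib.error.HTTPError as e:
        return e.code, ""

def check_every_address(hostname, token):
    """Try each A/AAAA address the local resolver returns; the CA may pick any of them."""
    addrs = {ai[4][0] for ai in socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)}
    return {a: fetch_challenge(hostname, a, token) for a in sorted(addrs)}
```

If one address returns 200 with the token and another returns 404 or a different site's page, the record for the failing address (here the AAAA record) points at a host or virtual server that does not serve that document root.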

Wed, 09/20/2017 - 06:20
Jfro

"Virtualmin found that I should to add 127.0.0.1 to the DNS or switched off BIND (I choosed the last choice)" - Here it worked with the first choice and CentOS 7: third-party DNS, but BIND installed but not active, BIND DNS for the domains feature options set at the virtual servers themselves. ;)

OH YEAH, very important: if third-party DNS, do not add ns1.nameofmyserver.ltd, but do add the ns...nameserver.tld of your third-party DNS services!
