Do I need the DNS server?

Posted: Fri Apr 07, 2017 12:42 pm
by youradds
Hi,

This is really getting frustrating. I've spent the whole day so far trying to get LetsEncrypt to work :( I currently have the nameservers pointing to ns1.linode.com and ns2.linode.com, as that is where my server is.

I can't seem to get LetsEncrypt to connect though:

root@com:~#  sudo letsencrypt certonly -a webroot --webroot-path=/home/rachel/web/cdn.businessofbrands.co.uk/public_html -d businessofbrands.co.uk -d www.businessofbrands.co.uk
Failed authorization procedure. businessofbrands.co.uk (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to businessofbrands.co.uk, www.businessofbrands.co.uk (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to businessofbrands.co.uk

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: businessofbrands.co.uk
   Type:   connection
   Detail: Could not connect to businessofbrands.co.uk

   Domain: www.businessofbrands.co.uk
   Type:   connection
   Detail: Could not connect to businessofbrands.co.uk

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
root@com:~# ^C

Curl connects fine though from the same server:

root@com:~# curl http://businessofbrands.co.uk
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>

Pinging of the domain also works as expected:

root@com:~# ping businessofbrands.co.uk
PING businessofbrands.co.uk (213.219.38.44) 56(84) bytes of data.
64 bytes from com.steampunkjunkies.com (213.219.38.44): icmp_seq=1 ttl=64 time=0.062 ms
64 bytes from com.steampunkjunkies.com (213.219.38.44): icmp_seq=2 ttl=64 time=0.204 ms

Am I doing something wrong?

Also, is it true the DNS stuff is needed for the emails to work? Won't it just work with the 3rd party nameservers, where I have the MX records set? I'm still a bit new to this, so please bear with me :)

FWIW, I've had to point the site back to its old server, as the customer is complaining :( This is literally the only thing holding me up on this domain (I've got everything else going apart from the LetsEncrypt SSL certs, and it's so frustrating!)

TIA

Andy

Re: Do I need the DNS server?

Posted: Fri Apr 07, 2017 1:56 pm
by LouisUK
If you're pointing your nameservers to Linode then you can use Linode to handle your DNS records. Doing a quick lookup on your domain the records appear to be Ok. You have correct A and AAAA records pointing to your webserver and MX records pointing to Google (G Suite for mail?)

http://viewdns.info/dnsrecord/?domain=b ... ands.co.uk

If this is pointing to a different webserver then just update the A and AAAA (IPv6) records to your new webserver IPs in your Linode DNS manager. Once these are propagated, LetsEncrypt should work fine.

Which part are you getting stuck with?

Re: Do I need the DNS server?

Posted: Fri Apr 07, 2017 2:11 pm
by youradds
Thanks for the reply :) I would prefer to use Linode's DNS servers, as it's one less point of failure for the server.
If this is pointing to a different webserver then just update the A and AAAA (IPv6) records to your new webserver IPs in your Linode DNS manager. Once these are propagated, LetsEncrypt should work fine.
The issue I'm having is with the propagation time. I changed over the DNS IPs (for v4 and v6) this morning, and 4 hours later I was still getting the error:
Detail: Could not connect to businessofbrands.co.uk
It's like it can't see it for some reason. Could the issue be that I told it to install the DNS server when setting up the server originally? These are the settings I used when doing it (obviously not with my real email / password :))

bash vst-install.sh --nginx yes --phpfpm yes --apache no --named yes --remi yes --vsftpd yes --proftpd no --iptables yes --fail2ban yes --quota no --exim yes --dovecot yes --spamassassin yes --clamav yes --mysql yes --postgresql no --hostname com.steampunkjunkies.com --email [email protected] --password 12345

...i.e. could it be the server is taking over the request, and coming back as a dead connection, due to the fact I've not got any of the DNS stuff set up locally? (i.e. on the bind service on the server)

I hate to say it... but maybe I need to re-install the server, and this time choose --named no ?

I'm just in the process of setting up a test domain on the server (an old one I have, that I've not used for anything). I think this will be less stressful to get the process correct, instead of working on a live (albeit low traffic) site.

Thanks!

Andy

Re: Do I need the DNS server?

Posted: Fri Apr 07, 2017 2:30 pm
by youradds
Ok, so I've got that new domain setup

http://www.steampj.com - works
https://www.steampj.com - what do you get here? I get: "Secure Connection Failed"

I checked the Vesta config for the domain, and it looks good:

Sure enough, the pem/crt/key files all exist in the folder, and they're referenced in snginx.conf, so I'm a bit confused as to why it's telling me it's not valid?

Getting closer though!

Thanks

Andy

Re: Do I need the DNS server?

Posted: Fri Apr 07, 2017 3:24 pm
by youradds
Mmm there must be something not quite right. I have this in snginx.conf for the domain in question:

    ssl         on;
    ssl_certificate      /home/admin/conf/web/ssl.steampj.com.pem;
    ssl_certificate_key  /home/admin/conf/web/ssl.steampj.com.key;

Those all have contents in. I've tried doing a full reboot of nginx (just in case) .. yet SSL Shopper tells me:
No SSL certificates were found on http://www.steampj.com. Make sure that the name resolves to the correct server and that the SSL port (default is 443) is open on your server's firewall.
https://www.sslshopper.com/ssl-checker. ... teampj.com

Mmmm

Re: Do I need the DNS server?

Posted: Fri Apr 07, 2017 4:09 pm
by youradds
Eugh, this is so frustrating! This is my test domain:

http://steampj.com/.well-known/foo.html

That proves the files can be read in that location.

Manually running LetsEncrypt from command line, I get:
root@com:/home/admin/web/steampj.com/logs# sudo letsencrypt certonly -a webroot --webroot-path=/home/admin/web/steampj.com/public_html -d steampj.com -d http://www.steampj.com
Failed authorization procedure. http://www.steampj.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [Ydn7JjEAJ_UvwqxNdJ2HJsP6NMjh1F9BDhs8nQ6ICOU.2QADcovxABZdJgE_hANFdkm8ssX7-eFF3jzB22l9Uns] != [Ydn7JjEAJ_UvwqxNdJ2HJsP6NMjh1F9BDhs8nQ6ICOU.1JaOklOWlrl3Z7hSh46OQ16dBWIsXjNwr73DbKI0DOo], steampj.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [GnGOTyqMjBhzBZEbsUW_SLzsJMNlATQevhAEpVG4Gwc.2QADcovxABZdJgE_hANFdkm8ssX7-eFF3jzB22l9Uns] != [GnGOTyqMjBhzBZEbsUW_SLzsJMNlATQevhAEpVG4Gwc.1JaOklOWlrl3Z7hSh46OQ16dBWIsXjNwr73DbKI0DOo]

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: http://www.steampj.com
Type: unauthorized
Detail: The key authorization file from the server did not match
this challenge [Ydn7JjEAJ_UvwqxNdJ2HJsP6NMjh1F9BDhs8nQ6ICOU.2QADcov
xABZdJgE_hANFdkm8ssX7-eFF3jzB22l9Uns] != [Ydn7JjEAJ_UvwqxNdJ2HJsP6N
Mjh1F9BDhs8nQ6ICOU.1JaOklOWlrl3Z7hSh46OQ16dBWIsXjNwr73DbKI0DOo]

Domain: steampj.com
Type: unauthorized
Detail: The key authorization file from the server did not match
this challenge [GnGOTyqMjBhzBZEbsUW_SLzsJMNlATQevhAEpVG4Gwc.2QADcov
xABZdJgE_hANFdkm8ssX7-eFF3jzB22l9Uns] != [GnGOTyqMjBhzBZEbsUW_SLzsJ
MNlATQevhAEpVG4Gwc.1JaOklOWlrl3Z7hSh46OQ16dBWIsXjNwr73DbKI0DOo]

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.

I really don't get it. The online tool actually works... kinda. It creates the certs, and shows stuff like:

SUBJECT:	steampj.com
ALIASES:	steampj.com,www.steampj.com
NOT_BEFORE:	Apr 7 14:22:00 2017 GMT
NOT_AFTER:	Jul 6 14:22:00 2017 GMT
SIGNATURE:	sha256WithRSAEncryption
PUB_KEY:	4096 bit
ISSUER	C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3

Anyway, I'm gonna call it a day and come back to this tomorrow. Any suggestions are much appreciated. I'm clutching at straws here :(

Thanks

Andy
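
The "key authorization file ... did not match" error in the post above carries more information than the client's summary suggests. The following is an added example, not code from the thread or from VestaCP: it computes the http-01 key authorization the way ACME defines it (token, a dot, then the RFC 7638 thumbprint of the account key) and compares the two bracketed values from the client output piece by piece. Applied to the values in the post, the tokens agree and only the thumbprints differ, which means the challenge path answered with a key authorization built from a different ACME account key than the one the command-line client was using. The regex assumes the message format shown in the post; no assumption is made about which of the two bracketed values is the expected one, since the verdict is the same either way. The JWK in the test and the values in the `__main__` block are constructed.

```python
"""Added example (not from the thread or from VestaCP): reading an http-01
"key authorization file ... did not match" error.

ACME (RFC 8555 section 8.1; the 2017 draft used the same construction)
defines the http-01 key authorization as "<token>.<thumbprint>", where the
thumbprint is the RFC 7638 JWK thumbprint of the ACME account key. The
client prints the two key authorizations it compared inside [...] brackets.
Comparing them piecewise separates two different failures:
  token differs      -> the wrong file (or a default page) was served
  thumbprint differs -> a response for another ACME account key was served
"""
import base64
import hashlib
import json
import re


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    public members only (sorted keys, no whitespace); 'kid' etc. are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Exact body the CA expects at http://<name>/.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


# Matches the client's "[a] != [b]" pair; the summary block wraps long values
# across lines, so whitespace inside the brackets is tolerated and removed.
MISMATCH = re.compile(r"did not match\s+this challenge\s+\[([^\]]+)\]\s+!=\s+\[([^\]]+)\]")


def diagnose(error_text: str) -> list:
    """Return one finding per mismatch found in the client output."""
    findings = []
    for first, second in MISMATCH.findall(error_text):
        first, second = re.sub(r"\s+", "", first), re.sub(r"\s+", "", second)
        tok_a, _, thumb_a = first.partition(".")
        tok_b, _, thumb_b = second.partition(".")
        if tok_a != tok_b:
            verdict = "token differs: the challenge path served the wrong file or a default page"
        elif thumb_a != thumb_b:
            verdict = ("same token, different thumbprint: the challenge was answered with "
                       "a different ACME account key (another client or a dynamic handler "
                       "for /.well-known/acme-challenge/ on the server)")
        else:
            verdict = "values identical; the mismatch is not in the key authorization itself"
        findings.append({"token_match": tok_a == tok_b,
                         "thumbprint_match": thumb_a == thumb_b,
                         "verdict": verdict})
    return findings


if __name__ == "__main__":
    # Constructed sample in the shape of the client output shown in the thread.
    sample = ("Failed authorization procedure. example.com (http-01): "
              "urn:acme:error:unauthorized :: The client lacks sufficient authorization :: "
              "The key authorization file from the server did not match this challenge "
              "[tokenAAA.thumbXXX] != [tokenAAA.thumbYYY]")
    for finding in diagnose(sample):
        print(finding["verdict"])
```

Paste the client's output into `diagnose()`; a "same token, different thumbprint" verdict points at whatever else on the server answers `/.well-known/acme-challenge/` (a second ACME client with its own account key, or a web-server rule that generates responses), rather than at DNS or file permissions.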

Re: Do I need the DNS server?

Posted: Wed Apr 26, 2017 6:48 am
by m.-ahmad
I am facing the same issue.
I have multiple users; only one user is not able to get connected to LetsEncrypt.
I have tried v-rebuild-web-domains [USER]
but still no success.

Re: Do I need the DNS server?

Posted: Wed Apr 26, 2017 7:00 am
by youradds
Hi,

Is this a domain you are moving? Have you ever had LetsEncrypt for that domain?

What TTL do/did you have for the A records?

These are all the bits that caught me out. I needed a 5 minute TTL so that when I put the site live, it only took 5 minutes to be able to set up the SSL

Another thing that got me, was the fact I needed to disable SSL on the account (with the self-signed), and then re-enable it after (with LetsEncrypt this time). For some reason, if you try and enable Lets Encrypt while the self-signed certs are enabled, you get a weird error about the ./tmp file.

Anyway, hopefully that helps :)

Cheers

Andy
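
The two things that held up the original poster (A/AAAA records still pointing at the old server, and a TTL long enough that every change took hours to propagate) can both be checked before a certificate is requested. The following pre-flight script is an added example, not code from the thread or from VestaCP. It parses `dig +noall +answer` output for each name, asserts that every A (and, if present, AAAA) record points at the new server with a TTL of at most `max_ttl`, then writes a random probe file under `<webroot>/.well-known/acme-challenge/` and fetches it back over plain HTTP via the public name, which is the same path the http-01 validator takes. The resolver address, the `203.0.113.10` server address and the function names are assumptions; the `dig` and `fetch` callables are injectable so the checks can be exercised without network access.

```python
"""Added example (not from the thread or from VestaCP): pre-flight checks to
run on the new server before asking Let's Encrypt for a certificate after a
site has been moved.

The thread's failures were a "connection" error while the A/AAAA records
still pointed elsewhere, and a long TTL that made every fix slow to take
effect. This script checks, per name:
  1. the A (and, if present, AAAA) records as seen by a public resolver
     point only at the new server and carry a TTL of at most max_ttl;
  2. a random probe file under <webroot>/.well-known/acme-challenge/ is
     reachable over plain HTTP through the public name, which is the path
     the http-01 validator will fetch.
It shells out to `dig`; names and addresses in the demo are constructed.
"""
import os
import secrets
import subprocess
import urllib.request
from dataclasses import dataclass


@dataclass
class Record:
    name: str
    ttl: int
    rtype: str
    value: str


def parse_dig_answer(text: str) -> list:
    """Parse `dig +noall +answer` lines such as 'steampj.com. 300 IN A 203.0.113.10'."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN":
            records.append(Record(parts[0].rstrip("."), int(parts[1]), parts[3], parts[4]))
    return records


def run_dig(name: str, rtype: str, resolver: str = "8.8.8.8") -> str:
    """Query a public recursive resolver rather than the local cache (or the
    server's own BIND), so the answer resembles what the CA's validator sees."""
    proc = subprocess.run(["dig", f"@{resolver}", "+noall", "+answer", name, rtype],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def check_dns(name: str, expected_ips: set, rtype: str, dig_text: str, max_ttl: int = 300) -> list:
    """Problems with one record type. A missing AAAA is fine; a missing A is not."""
    problems = []
    records = [r for r in parse_dig_answer(dig_text) if r.rtype == rtype]
    if not records and rtype == "A":
        problems.append(f"{name}: no A record in the answer")
    for r in records:
        if r.value not in expected_ips:
            problems.append(f"{name}: {rtype} {r.value} is not the new server {sorted(expected_ips)}")
        if r.ttl > max_ttl:
            problems.append(f"{name}: TTL {r.ttl}s exceeds {max_ttl}s; lower it before cutting over")
    return problems


def check_http_probe(name: str, webroot: str, fetch=None) -> list:
    """Write a random probe where http-01 tokens go and read it back via the public name."""
    if fetch is None:
        fetch = lambda url: urllib.request.urlopen(url, timeout=10).read()
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    token = secrets.token_urlsafe(16)
    body = secrets.token_urlsafe(32).encode("ascii")
    path = os.path.join(challenge_dir, token)
    with open(path, "wb") as fh:
        fh.write(body)
    try:
        got = fetch(f"http://{name}/.well-known/acme-challenge/{token}")
    except Exception as exc:  # DNS failure, refused connection, timeout, HTTP error
        return [f"{name}: probe not reachable over HTTP ({exc}); check A record, port 80 and firewall"]
    finally:
        os.remove(path)  # never leave probe files in the challenge directory
    if got != body:
        return [f"{name}: probe returned different content; another host or vhost is answering for this name"]
    return []


def preflight(names, expected_ips, webroot, dig=run_dig, fetch=None) -> list:
    """Run every check for every name; an empty list means it is safe to request the certificate."""
    problems = []
    for name in names:
        for rtype in ("A", "AAAA"):
            problems += check_dns(name, set(expected_ips), rtype, dig(name, rtype))
        problems += check_http_probe(name, webroot, fetch)
    return problems


if __name__ == "__main__":
    # Real run: dig against a public resolver and a real HTTP fetch (constructed server address).
    for line in preflight(["steampj.com", "www.steampj.com"], {"203.0.113.10"},
                          "/home/admin/web/steampj.com/public_html"):
        print(line)
```

Run it from the new server with the names and webroot you will pass to `letsencrypt`; an empty result means the validator will resolve the names to this machine and can read files from the challenge directory, so any remaining failure is in the ACME client or the web-server configuration rather than in DNS or reachability. Lowering the TTL well before the cut-over is what makes the TTL check pass.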

Re: Do I need the DNS server?

Posted: Wed Apr 26, 2017 8:25 am
by m.-ahmad
I have been using
letsencrypt-vesta [user] [domain1] [domain2]
from ssh

but now it's not working. Another bug is that my nginx configs are OK but still one of the websites is pointing to a server not mentioned in the config. I am using default configs at the moment. This happened to me earlier as well, and I had to reinstall everything.

Can you guide me about this situation?

Re: Do I need the DNS server?

Posted: Wed Apr 26, 2017 8:33 am
by youradds
Hi,

I would do it from the admin CP GUI (didn't have any luck with the command line one)

Also, try it with certbot-auto, to see if that works:

/usr/local/letsencrypt/certbot-auto certonly --staging --webroot -w /home/admin/web/yoursite.com/public_html -d yoursite.com -d www.yoursite.com

(the --staging flag means you can play around with the configs, without hitting rate limits for SSL requests)
Another bug is that my nginx config are ok but still one of the websites is pointing to a server not mentioned in the config
Mmm sorry, I've not seen that one before. Are you saying the config is pointing to an IP not on the server? Or that when you go to the site, it directs you somewhere else?

This is all still new to me, so I'm sure there are more experienced people out there who could give better advice :)

Cheers

Andy