We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
Do I need the DNS server?
Hi,
This is really getting frustrating. I've spent the whole day so far trying to get LetsEncrypt to work :( I currently have the nameservers pointing to ns1.linode.com and ns2.linode.com, as that is where my server is.
I can't seem to get LetsEncrypt to connect though:
Code:
root@com:~# sudo letsencrypt certonly -a webroot --webroot-path=/home/rachel/web/cdn.businessofbrands.co.uk/public_html -d businessofbrands.co.uk -d www.businessofbrands.co.uk
Failed authorization procedure. businessofbrands.co.uk (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to businessofbrands.co.uk, www.businessofbrands.co.uk (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to businessofbrands.co.uk
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: businessofbrands.co.uk
Type: connection
Detail: Could not connect to businessofbrands.co.uk
Domain: www.businessofbrands.co.uk
Type: connection
Detail: Could not connect to businessofbrands.co.uk
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
root@com:~# ^C
Curl connects fine though from the same server:
Code:
root@com:~# curl http://businessofbrands.co.uk
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
Pinging of the domain also works as expected:
Code:
root@com:~# ping businessofbrands.co.uk
PING businessofbrands.co.uk (213.219.38.44) 56(84) bytes of data.
64 bytes from com.steampunkjunkies.com (213.219.38.44): icmp_seq=1 ttl=64 time=0.062 ms
64 bytes from com.steampunkjunkies.com (213.219.38.44): icmp_seq=2 ttl=64 time=0.204 ms
Am I doing something wrong?
Also, is it true the DNS stuff is needed for the emails to work? Won't it just work with the 3rd party nameservers, where I have the MX records set? I'm still a bit new to this, so please bear with me :)
FWIW, I've had to point the site back to its old server, as the customer is complaining :( This is literally the only thing holding me up on this domain (I've got everything else going apart from the LetsEncrypt SSL certs, and it's so frustrating!)
TIA
Andy
Re: Do I need the DNS server?
If you're pointing your nameservers to Linode then you can use Linode to handle your DNS records. Doing a quick lookup on your domain the records appear to be Ok. You have correct A and AAAA records pointing to your webserver and MX records pointing to Google (G Suite for mail?)
http://viewdns.info/dnsrecord/?domain=b ... ands.co.uk
If this is pointing to a different webserver then just update the A and AAAA (IPv6) records to your new webserver IPs in your Linode DNS manager. Once these are propagated, LetsEncrypt should work fine.
Which part are you getting stuck with?
Re: Do I need the DNS server?
Thanks for the reply :) I would prefer to use Linode's DNS servers, as it's one less point of failure for the server.
> If this is pointing to a different webserver then just update the A and AAAA (IPv6) records to your new webserver IPs in your Linode DNS manager. Once these are propagated, LetsEncrypt should work fine.
The issue I'm having is with the propagation time. I changed over the DNS IPs (for v4 and v6) this morning, and 4 hours later I was still getting the error:
> Detail: Could not connect to businessofbrands.co.uk
It's like it can't see it for some reason. Could the issue be that I told it to install the DNS server when setting up the server originally? These are the settings I used when doing it (obviously not with my real email / password :))
Code:
bash vst-install.sh --nginx yes --phpfpm yes --apache no --named yes --remi yes --vsftpd yes --proftpd no --iptables yes --fail2ban yes --quota no --exim yes --dovecot yes --spamassassin yes --clamav yes --mysql yes --postgresql no --hostname com.steampunkjunkies.com --email [email protected] --password 12345
..ie could it be the server is taking over the request, and coming back as a dead connection, due to the fact I've not got any of the DNS stuff set up locally? (i.e. on the bind service on the server)
I hate to say it... but maybe I need to re-install the server, and this time choose --named no ?
I'm just in the process of setting up a test domain on the server (an old one I have, that I've not used for anything). I think this will be less stressful to get the process correct, instead of working on a live (albeit low traffic) site.
Thanks!
Andy
Re: Do I need the DNS server?
Ok, so I've got that new domain set up
http://www.steampj.com - works
https://www.steampj.com - what do you get here? I get: "Secure Connection Failed"
I checked the Vesta config for the domain, and it looks good:
Sure enough, the pem/crt/key files all exist in the folder, and they're referenced in snginx.conf, so I'm a bit confused as to why it's telling me it's not valid?
Getting closer though!
Thanks
Andy
Re: Do I need the DNS server?
Mmm there must be something not quite right. I have this in snginx.conf for the domain in question:
Code:
ssl on;
ssl_certificate /home/admin/conf/web/ssl.steampj.com.pem;
ssl_certificate_key /home/admin/conf/web/ssl.steampj.com.key;
Those all have contents in. I've tried doing a full reboot of nginx (just in case) .. yet SSL shopper tells me:
> https://www.sslshopper.com/ssl-checker. ... teampj.com
> No SSL certificates were found on http://www.steampj.com. Make sure that the name resolves to the correct server and that the SSL port (default is 443) is open on your server's firewall.
Mmmm
Re: Do I need the DNS server?
Eugh, this is so frustrating! This is my test domain:
http://steampj.com/.well-known/foo.html
That proves the files can be read in that location.
Manually running LetsEncrypt from the command line, I get:
Code:
root@com:/home/admin/web/steampj.com/logs# sudo letsencrypt certonly -a webroot --webroot-path=/home/admin/web/steampj.com/public_html -d steampj.com -d www.steampj.com
Failed authorization procedure. www.steampj.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [Ydn7JjEAJ_UvwqxNdJ2HJsP6NMjh1F9BDhs8nQ6ICOU.2QADcovxABZdJgE_hANFdkm8ssX7-eFF3jzB22l9Uns] != [Ydn7JjEAJ_UvwqxNdJ2HJsP6NMjh1F9BDhs8nQ6ICOU.1JaOklOWlrl3Z7hSh46OQ16dBWIsXjNwr73DbKI0DOo], steampj.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [GnGOTyqMjBhzBZEbsUW_SLzsJMNlATQevhAEpVG4Gwc.2QADcovxABZdJgE_hANFdkm8ssX7-eFF3jzB22l9Uns] != [GnGOTyqMjBhzBZEbsUW_SLzsJMNlATQevhAEpVG4Gwc.1JaOklOWlrl3Z7hSh46OQ16dBWIsXjNwr73DbKI0DOo]
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.steampj.com
Type: unauthorized
Detail: The key authorization file from the server did not match
this challenge [Ydn7JjEAJ_UvwqxNdJ2HJsP6NMjh1F9BDhs8nQ6ICOU.2QADcov
xABZdJgE_hANFdkm8ssX7-eFF3jzB22l9Uns] != [Ydn7JjEAJ_UvwqxNdJ2HJsP6N
Mjh1F9BDhs8nQ6ICOU.1JaOklOWlrl3Z7hSh46OQ16dBWIsXjNwr73DbKI0DOo]
Domain: steampj.com
Type: unauthorized
Detail: The key authorization file from the server did not match
this challenge [GnGOTyqMjBhzBZEbsUW_SLzsJMNlATQevhAEpVG4Gwc.2QADcov
xABZdJgE_hANFdkm8ssX7-eFF3jzB22l9Uns] != [GnGOTyqMjBhzBZEbsUW_SLzsJ
MNlATQevhAEpVG4Gwc.1JaOklOWlrl3Z7hSh46OQ16dBWIsXjNwr73DbKI0DOo]
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
I really don't get it. The online tool actually works... kinda. It creates the certs, and shows stuff like:
Code:
SUBJECT: steampj.com
ALIASES: steampj.com,www.steampj.com
NOT_BEFORE: Apr 7 14:22:00 2017 GMT
NOT_AFTER: Jul 6 14:22:00 2017 GMT
SIGNATURE: sha256WithRSAEncryption
PUB_KEY: 4096 bit
ISSUER C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Anyway, I'm gonna call it a day and come back to this tomorrow. Any suggestions are much appreciated. I'm clasping at straws here :(
Thanks
Andy
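The two failure reports quoted in this thread (the "connection" errors in the first post and the "unauthorized" key-authorization mismatch in the post just above) point at different stages of the http-01 check. The script below is an added example, not Vesta's or certbot's own code: it parses the one-line "Failed authorization procedure" report the client prints and says what the CA actually observed, which is what decides the fix. The sample reports are copied from the posts above, and nothing in it touches the network.

```python
"""Classify a letsencrypt/certbot http-01 failure report.

Added example for this thread; it is not Vesta's or certbot's own code. It
parses the one-line "Failed authorization procedure" report the client prints
(the format quoted in the posts above) and states what the ACME server
actually observed, which is what decides the fix. The sample reports at the
bottom are copied from the posts; nothing here touches the network.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

PREFIX = "Failed authorization procedure. "

# The client joins one failure per domain with ", "; split only where the
# next domain's "<name> (<challenge>): urn:acme:error:" header begins.
_SPLIT_RE = re.compile(r", (?=[\w.-]+ \([\w-]+\): urn:acme:error:)")
_FAILURE_RE = re.compile(
    r"(?P<domain>[\w.-]+) \((?P<challenge>[\w-]+)\): "
    r"urn:acme:error:(?P<error>\w+) :: (?P<summary>.*?) :: (?P<detail>.*)"
)
# A key authorization is "<token>.<thumbprint of the ACME account key>"
# (RFC 8555 section 8.1); the CA compares the challenge file body against the
# value it expects for the account that requested the certificate.
_KEYAUTH_RE = re.compile(
    r"\[(?P<l_token>[\w-]+)\.(?P<l_thumb>[\w-]+)\] != "
    r"\[(?P<r_token>[\w-]+)\.(?P<r_thumb>[\w-]+)\]"
)


@dataclass
class Failure:
    domain: str
    challenge: str  # e.g. "http-01"
    error: str      # e.g. "connection", "unauthorized"
    detail: str


def parse_failures(report: str) -> List[Failure]:
    """Split the client's one-line report into one Failure per domain."""
    report = report.strip()
    if report.startswith(PREFIX):
        report = report[len(PREFIX):]
    failures = []
    for chunk in _SPLIT_RE.split(report):
        m = _FAILURE_RE.match(chunk)
        if m:
            failures.append(Failure(m["domain"], m["challenge"],
                                    m["error"], m["detail"]))
    return failures


def keyauth_mismatch_kind(detail: str) -> Optional[str]:
    """Say which half of a mismatched key authorization differs.

    "token": a file for some other challenge was served.
    "thumbprint": right token, but made for a different ACME account key.
    None: the detail is not a key-authorization mismatch.
    """
    m = _KEYAUTH_RE.search(detail)
    if not m:
        return None
    if m["l_token"] != m["r_token"]:
        return "token"
    if m["l_thumb"] != m["r_thumb"]:
        return "thumbprint"
    return None


def diagnose(f: Failure) -> str:
    """Turn one failure into the next check an operator should run."""
    if f.error == "connection":
        return (f"{f.domain}: the CA could not reach port 80 at the address the "
                "domain's A/AAAA records currently resolve to. Confirm the records "
                "point at this server, wait out the old record's TTL, and check "
                "that the firewall allows inbound port 80 from any source.")
    if f.error == "unauthorized":
        kind = keyauth_mismatch_kind(f.detail)
        if kind == "thumbprint":
            return (f"{f.domain}: the challenge file was served with the right token "
                    "but a different account-key thumbprint, so whatever answered on "
                    "port 80 holds key authorizations for another ACME account (a "
                    "second client on the host). Use one client per domain.")
        if kind == "token":
            return (f"{f.domain}: a file for a different token was served; the "
                    "webroot given to the client is not the one the web server "
                    "uses for this host, or a stale file is being served.")
        return f"{f.domain}: unauthorized: {f.detail}"
    return f"{f.domain}: {f.error}: {f.detail}"


def diagnose_report(report: str) -> List[str]:
    """Diagnoses for every domain in one report line."""
    return [diagnose(f) for f in parse_failures(report)]


# Sample reports copied from the posts in this thread.
CONNECTION_REPORT = (
    "Failed authorization procedure. businessofbrands.co.uk (http-01): "
    "urn:acme:error:connection :: The server could not connect to the client "
    "to verify the domain :: Could not connect to businessofbrands.co.uk, "
    "www.businessofbrands.co.uk (http-01): urn:acme:error:connection :: The "
    "server could not connect to the client to verify the domain :: Could not "
    "connect to businessofbrands.co.uk"
)
UNAUTHORIZED_REPORT = (
    "Failed authorization procedure. www.steampj.com (http-01): "
    "urn:acme:error:unauthorized :: The client lacks sufficient authorization "
    ":: The key authorization file from the server did not match this challenge "
    "[Ydn7JjEAJ_UvwqxNdJ2HJsP6NMjh1F9BDhs8nQ6ICOU.2QADcovxABZdJgE_hANFdkm8ssX7-eFF3jzB22l9Uns] "
    "!= [Ydn7JjEAJ_UvwqxNdJ2HJsP6NMjh1F9BDhs8nQ6ICOU.1JaOklOWlrl3Z7hSh46OQ16dBWIsXjNwr73DbKI0DOo], "
    "steampj.com (http-01): urn:acme:error:unauthorized :: The client lacks "
    "sufficient authorization :: The key authorization file from the server did "
    "not match this challenge "
    "[GnGOTyqMjBhzBZEbsUW_SLzsJMNlATQevhAEpVG4Gwc.2QADcovxABZdJgE_hANFdkm8ssX7-eFF3jzB22l9Uns] "
    "!= [GnGOTyqMjBhzBZEbsUW_SLzsJMNlATQevhAEpVG4Gwc.1JaOklOWlrl3Z7hSh46OQ16dBWIsXjNwr73DbKI0DOo]"
)

if __name__ == "__main__":
    for line in diagnose_report(CONNECTION_REPORT) + diagnose_report(UNAUTHORIZED_REPORT):
        print(line)
```

The reason the thumbprint check matters here: in the report above both domains show the same token on either side of the `!=` but two different suffixes (2QADcov... and 1JaOklO...), so port 80 did serve a challenge file, just one computed for a different ACME account key than the one the command-line client uses. That is consistent with two clients answering challenges for the same host (the panel's built-in Let's Encrypt support and the manual `letsencrypt` run), which is an inference from the report rather than something the thread confirms; the fix in either case is to let exactly one client own the domain's challenge path.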
Re: Do I need the DNS server?
I am facing the same issue.
I have multiple users; only one user is not able to get connected to letsencrypt.
I have tried v-rebuild-web-domains [USER]
but still no success
Re: Do I need the DNS server?
Hi,
Is this a domain you are moving? Have you ever had LetsEncrypt for that domain?
What TTL do/did you have for the A records?
These are all the bits that caught me out. I needed a 5 minute TTL so that when I put the site live, it only took 5 minutes to be able to set up the SSL
Another thing that got me, was the fact I needed to disable SSL on the account (with the self-signed), and then re-enable it after (with LetsEncrypt this time). For some reason, if you try and enable Lets Encrypt while the self-signed certs are enabled, you get a weird error about the ./tmp file.
Anyway, hopefully that helps :)
Cheers
Andy
Re: Do I need the DNS server?
I have been using
letsencrypt-vesta [user] [domain1] [domain2]
from ssh
but now it's not working. Another bug is that my nginx configs are ok but still one of the websites is pointing to a server not mentioned in the config. I am using default configs at the moment. This happened to me earlier as well; I had to reinstall everything.
Can you guide me about this situation?
Re: Do I need the DNS server?
Hi,
I would do it from the admin CP GUI (didn't have any luck with the command line one)
Also, try it with certbot-auto, to see if that works:
Code:
/usr/local/letsencrypt/certbot-auto certonly --staging --webroot -w /home/admin/web/yoursite.com/public_html -d yoursite.com -d www.yoursite.com
(the staging means you can play around with the configs, without hitting rate limits for SSL requests)
> Another bug is that my nginx config are ok but still one of the websites is pointing to a server not mentioned in the config
Mmm sorry, I've not seen that one before. Are you saying the config is pointing to an IP not on the server? Or that when you go to the site, it directs you somewhere else?
This is all still new to me, so I'm sure there are more experienced people out there who could give better advice :)
Cheers
Andy