
Error when generating certificate "for some reason could not reach..." #57

Open
jorgecuevas92 opened this issue Jul 2, 2016 · 25 comments

Comments

@jorgecuevas92

I'm getting an issue when trying to get an SSL certificate; it says:

for some reason could not reach http:https://example.com/.well-known/acme-challenge/z3aLptRJhGLHBw-Nb_sizrTcCCcGItXRp16vEMVGwlM - please check it manually.

I'm not sure where the problem is; here is the configuration file:

# Uncomment and modify any variables you need
# The staging server is best for testing
#CA="https://acme-staging.api.letsencrypt.org"
# This server issues full certificates, however has rate limits
CA="https://acme-v01.api.letsencrypt.org"
#AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf"
# Set an email address associated with your account - generally set at account level rather than domain.
ACCOUNT_EMAIL="[email protected]"
ACCOUNT_KEY_LENGTH=4096
ACCOUNT_KEY="/root/.getssl/account.key"
PRIVATE_KEY_ALG="rsa"
# Additional domains - this could be multiple domains / subdomains in a comma separated list
SANS=www.example.com
# Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
# If these start with ssh: then the next variable is assumed to be the hostname and the rest the location.
# An ssh key will be needed to provide you with access to the remote server.
# If these start with ftp: then the next variables are ftpuserid:ftppassword:servername:ACL_location
ACL=('/var/www/example.com/web/.well-known/acme-challenge'
     'ssh:server5:/var/www/example.com/web/.well-known/acme-challenge'
     'ftp:ftpuserid:ftppassword:example.com:/web/.well-known/acme-challenge')
# Location for all your certs, these can either be on the server (so full path name) or using ssh as for the A$
DOMAIN_CERT_LOCATION="ssh:server5:/etc/ssl/domain.crt"
DOMAIN_KEY_LOCATION="ssh:server5:/etc/ssl/domain.key"
#CA_CERT_LOCATION="/etc/ssl/chain.crt"
#DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
#DOMAIN_PEM_LOCATION="" # this is the domain_key. domain cert and CA cert
# The command needed to reload apache / nginx or whatever you use
#RELOAD_CMD=""
# The time period within which you want to allow renewal of a certificate
# this prevents hitting some of the rate limits.
RENEW_ALLOW="30"
# Define the server type. This can either be a webserver, ldaps or a port number which
# will be checked for certificate expiry and also will be checked after
# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
#SERVER_TYPE="webserver"
#CHECK_REMOTE="true"
# Use the following 3 variables if you want to validate via DNS
#VALIDATE_VIA_DNS="true"
#DNS_ADD_COMMAND=
#DNS_DEL_COMMAND=
#AUTH_DNS_SERVER=""
#DNS_WAIT=10
#DNS_EXTRA_WAIT=60

Hopefully someone here can help with this issue.

@srvrco
Collaborator

srvrco commented Jul 2, 2016

I'm assuming you have modified the config file to correct it for your domain.

The process of obtaining a certificate works by placing a file in http:https://example.com/.well-known/acme-challenge/xxxx where example.com is your domain name and xxxx is a "random" string. getssl then checks (using curl) that it can reach the specified file - in your case it can't.

If you create the folder .well-known/acme-challenge and a file (say "test") with content "success" in it, can you then reach it in your browser at yourdomain.com/.well-known/acme-challenge/test ?

@jorgecuevas92
Author

I created the folders and the page is displayed correctly.

You are right, the config is modified for my domain, but only by changing example.com to my domain. What other changes are necessary so that the script works smoothly?

I didn't quite get the ssh and ftp sections of the config file.

@srvrco
Collaborator

srvrco commented Jul 2, 2016

The "ftp / ssh" section of the config file I assume you mean is where you define the ACL (the acme challenge location). This should be defined as

ACL=('/var/www/example.com/web/.well-known/acme-challenge'
     '/var/www/example.com/web/.well-known/acme-challenge' )

where '/var/www/example.com/web/.well-known/acme-challenge' is the location where you placed the test file. It's defined twice, once for the domain and the second time for the www.domain (assuming that those are the two FQDNs you want on the certificate). Not knowing your configuration I don't know if this is just '/var/www/.well-known/acme-challenge' or some other location .... it's whatever it is in your server config.

@sierracircle

It worked for me if I made the ACL in the root of my web-folder, like this:

ACL=('/var/www/mydomain.com/.well-known/acme-challenge'
          '/var/www/mydomain.com/.well-known/acme-challenge' )

@srvrco
Collaborator

srvrco commented Jul 2, 2016

Correct, it should be your web root, followed by .well-known/acme-challenge (I just don't know what the web root location is on a specific setup).

@sierracircle

I figured it out quickly, but maybe something like this will clue people in:

ACL=('/path/to/your/website/folder/.well-known/acme-challenge'...

of course, then you will have people complaining that they cannot find a folder called /path/to/your/website/folder

@srvrco
Collaborator

srvrco commented Jul 2, 2016

Good point, thanks :) I'll update the wiki, and change the default comments in the config file.

@jorgecuevas92
Author

That's much more clear thank you very much!

@eurobob

eurobob commented Nov 2, 2016

This still isn't exactly helpful. Where are you supposed to define the ACL key/value pair?

@srvrco
Collaborator

srvrco commented Nov 2, 2016

Does the wiki help - https://github.com/srvrco/getssl/wiki/Config-variables

The ACME Challenge Location for the domain and each SAN. These are included in quotes, so for a main domain and a single SAN it would look like:

ACL=('/var/www/example.com/web/.well-known/acme-challenge' 'ssh:server5:/var/www/example.com/web/.well-known/acme-challenge')

These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge" where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain.

You can use "ssh:servername:" at the start of any remote server location that you have ssh access to.

If a location for a file starts with ftp: or sftp: then the next variables are userid:password:servername:path

sftp requires sshpass and can be used for copying certificates and keys.

These are defined in the getssl.cfg file.

@eurobob

eurobob commented Nov 2, 2016

Sorry, no. I'm using Google App Engine, and don't have SSH access. I was trying to use lets encrypt manually and adding the appropriate challenge files in accordance with this thread: certbot/certbot#1480

I was having an issue because I'm trying to generate the certificate on my Macbook to upload to GAE, and once doing the manual challenge verification, it seemed to be having a problem verifying with letsencrypt. I found a thread where you were recommending getssl as a solution to that problem (https://community.letsencrypt.org/t/generate-certificate-on-local-machine/19945)

But I now realise that either SSH or FTP is required in order to add the challenge? Is there any way to do it manually?

@srvrco
Collaborator

srvrco commented Nov 2, 2016

The DNS challenge would be the best (if you have an API for your DNS, then you can automate it).

To complete it manually it would need the script modifying slightly - or there are a couple of alternate clients - https://letsencrypt.org/docs/client-options/ - that can be done via the browser which are completely manual.

@scpkyy

scpkyy commented Jan 6, 2017

I am having a similar problem. I have root access to the server and can ssh to the user accounts using their passwords. In the example configuration file below I have named my main server 'somedomain' and the virtual domain 'anotherdomain'. When I run ./getssl somedomain.net without the virtual domain the certificate is generated for the main domain, but when I add the virtual domain to the file I get 'getssl: for some reason could not reach http:https://anotherdomain.net/.well-known/acme-challenge/[code]'. I have tried sftp with the userid and password in the script with the same result.
If I manually copy the files from home/www/somedomain/.well-known/acme-challenge/ to /home/www/anotherdomain/.well-known/acme-challenge/ the code will show in the URL - so there are no restrictions there.

Here is an example of my script:

# Comment and modify any variables you need
# see https://github.com/srvrco/getssl/wiki/Config-variables for details
# The staging server is best for testing
#CA="https://acme-staging.api.letsencrypt.org"
# This server issues full certificates, however has rate limits
CA="https://acme-v01.api.letsencrypt.org"
#AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
#Set an email address associated with your account - generally set at account level rather than domain.
ACCOUNT_EMAIL="[email protected]"
ACCOUNT_KEY_LENGTH=4096
ACCOUNT_KEY="/root/.getssl/account.key"
PRIVATE_KEY_ALG="rsa"

SANS=www.somedomain.net,anotherdomain.com,www.anotherdomain.com

ACL=('/home/somedomain/www/.well-known/acme-challenge'
     '/home/anotherdomain/www/.well-known/acme-challenge'
     '/home/anotherdomain/www/.well-known/acme-challenge'
     'ssh:somedomain.net:/home/somedomain/www/.well-known/acme-challenge'
     'ssh:[email protected]:/home/anotherdomain/www/.well-known/acme-challenge')

#Enable use of a single ACL for all checks
USE_SINGLE_ACL="true"
#SKIP_HTTP_TOKEN_CHECK="true"

# Location for all your certs, these can either be on the server (full path name)
# or using ssh /sftp as for the ACL
DOMAIN_CERT_LOCATION="/usr/local/ssl/somedomain.crt"
DOMAIN_KEY_LOCATION="/usr/local/ssl/somedomain.key"
CA_CERT_LOCATION="/usr/local/ssl/somedomain_chain.crt"
#DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
#DOMAIN_KEY_CERT_LOCATION="" # this is the domain_key and domain cert
#DOMAIN_PEM_LOCATION="" # this is the domain_key. domain cert and CA cert

# The command needed to reload apache / nginx or whatever you use
RELOAD_CMD="systemctl restart apache2"

# The time period within which you want to allow renewal of a certificate
# this prevents hitting some of the rate limits.
RENEW_ALLOW="30"

# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
# will be checked for certificate expiry and also will be checked after
# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
SERVER_TYPE="https"
CHECK_REMOTE="true"

# Use the following 3 variables if you want to validate via DNS
#VALIDATE_VIA_DNS="true"
#DNS_ADD_COMMAND=
#DNS_DEL_COMMAND=
AUTH_DNS_SERVER="nameserver1.somedomain.net nameserver2.somedomain.net"
#DNS_WAIT=10
#DNS_EXTRA_WAIT=60

@jbeima

jbeima commented Jan 7, 2017 via email

@jbeima

jbeima commented Jan 7, 2017 via email

@scpkyy

scpkyy commented Jan 7, 2017

Thank you for your reply, John. In the end I used certbot with the 'certonly' parameter from the command line and that generated a certificate for all the sites on the server. But I would like to understand where I went wrong with the getssl script. I had used many variations that included both use_single_acl off and on as well as the ACL list including the domain plus additional domains. My (mis?)understanding was that there also had to be an ssh directive for each of the additional sites. So are you saying that the ssh directives are not required if the site directive is listed as e.g. '/home/somedomain/www/.well-known/acme-challenge'? In other words the ssh directive is an alternative? In retrospect that seems logical.

@jbeima

jbeima commented Jan 7, 2017 via email

@srvrco
Collaborator

srvrco commented Jan 7, 2017

So are you saying that the ssh directives are not required if the site directive is listed as e.g. '/home/somedomain/www/.well-known/acme-challenge'? In other words the ssh directive is an alternative? In retrospect that seems logical.

Correct. From the wiki - https://github.com/srvrco/getssl/wiki/Config-variables

The ACME Challenge Location for the domain and each SAN. These are included in quotes, so for a main domain and a single SAN it would look like:

ACL=('/var/www/example.com/web/.well-known/acme-challenge' 'ssh:server5:/var/www/example.com/web/.well-known/acme-challenge')

These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge" where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain.

You can use "ssh:servername:" or "ssh:user@servername:" at the start for any remote server location that you have ssh access to.

If a location for a file starts with ftp: or sftp: then the next variables are userid:password:servername:path

sftp requires sshpass and can be used for copying certificates and keys.

If the tokens need to be copied to more than one location, then separate each location with a semi-colon.

@PersephoneQueenOfFlowers

PersephoneQueenOfFlowers commented Feb 23, 2023

Hey all, sorry a bit late to the convo.

For some reason, I'm getting the same "for some reason could not reach..." error as above, and "Please check manually".

When I check the url manually, the file is there in the public url in the browser. So... not sure why if I can hit the url manually, getssl would not be able to from the script. Copying my ***.com/getssl.cfg file for reference. I verified that the path to the acme-challenge folder is correct on my web server by sshing in using that directory path.

# .getssl/example.com/.getssl.cfg
# vim: filetype=sh
# This file is read second (and per domain if running with the -a option)
# and overwrites any settings from the first file
# Uncomment and modify any variables you need
# see https://github.com/srvrco/getssl/wiki/Config-variables for details
# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs

# The staging server is best for testing
CA="https://acme-staging-v02.api.letsencrypt.org"
# This server issues full certificates, however has rate limits
#CA="https://acme-v02.api.letsencrypt.org"

# Private key types - can be rsa, prime256v1, secp384r1 or secp521r1
PRIVATE_KEY_ALG="rsa"

# Additional domains - this could be multiple domains / subdomains in a comma separated list
# Note: this is Additional domains - so should not include the primary domain.
SANS="www.example.com"

# Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
# If these start with ssh: then the next variable is assumed to be the hostname and the rest the location.
# An ssh key will be needed to provide you with access to the remote server.
# Optionally, you can specify a different userid for ssh/scp to use on the remote server before the @ sign.
# If left blank, the username on the local server will be used to authenticate against the remote server.
# If these start with ftp:/ftpes:/ftps: then the next variables are ftpuserid:ftppassword:servername:ACL_location
# These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge"
# where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain.
# ftp: uses regular ftp; ftpes: ftp over explicit TLS (port 21); ftps: ftp over implicit TLS (port 990).
# ftps/ftpes support FTPS_OPTIONS, e.g. to add "--insecure" to the curl command for hosts with self-signed certificates.
# You can also use WebDAV over HTTPS as transport mechanism. To do so, start with davs: followed by username,
# password, host, port (explicitly needed even if using default port 443) and path on the server.
# Multiple locations can be defined for a file by separating the locations with a semi-colon.
ACL=( 'www/example.com/.well-known/acme-challenge'
      'ssh:[email protected]:/www/example.com/.well-known/acme-challenge')
#     'ssh:[email protected]:/www/example.com/.well-known/acme-challenge')
#     'ftp:ftpuserid:ftppassword:example.com:/web/.well-known/acme-challenge'
#     'davs:davsuserid:davspassword:{DOMAIN}:443:/web/.well-known/acme-challenge'
#     'ftps:ftpuserid:ftppassword:example.com:/web/.well-known/acme-challenge'
#     'ftpes:ftpuserid:ftppassword:example.com:/web/.well-known/acme-challenge')

# Specify SSH options, e.g. non standard port in SSH_OPTS
# (Can also use SCP_OPTS and SFTP_OPTS)
# SSH_OPTS=-p 12345

# Set USE_SINGLE_ACL="true" to use a single ACL for all checks
USE_SINGLE_ACL="true"

# Preferred Chain - use a different certificate root from the default
# This uses wildcard matching so requesting "X1" returns the correct certificate - may need to escape characters
# Staging options are: "(STAGING) Doctored Durian Root CA X3" and "(STAGING) Pretend Pear X1"
# Production options are: "ISRG Root X1" and "ISRG Root X2"
#PREFERRED_CHAIN="(STAGING) Pretend Pear X1"

# Uncomment this if you need the full chain file to include the root certificate (Java keystores, Nutanix Prism)
#FULL_CHAIN_INCLUDE_ROOT="true"

# Location for all your certs, these can either be on the server (full path name)
# or using ssh /sftp as for the ACL
DOMAIN_CERT_LOCATION="/etc/ssl/example.com.crt" # this is domain cert
DOMAIN_KEY_LOCATION="/etc/ssl/example.com.key" # this is domain key
CA_CERT_LOCATION="/etc/ssl/chain.crt" # this is CA cert
#DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
#DOMAIN_PEM_LOCATION="" # this is the domain key, domain cert and CA cert

# The command needed to reload apache / nginx or whatever you use.
# Several (ssh) commands may be given using a bash array:
# RELOAD_CMD=('ssh:[email protected] reload httpd' 'logger getssl for server5 efficient.')
#RELOAD_CMD=""

# Uncomment the following line to prevent non-interactive renewals of certificates
#PREVENT_NON_INTERACTIVE_RENEWAL="true"

# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
# will be checked for certificate expiry and also will be checked after
# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
SERVER_TYPE="https"
CHECK_REMOTE="true"
CHECK_REMOTE_WAIT="2" # wait 2 seconds before checking the remote server

########### eof ###########

The error reads:

1) Registering account
2) Verify each domain
3) Verifying webappsbysephe.com
4) copying challenge token to /var/www/example.com/.well-known/acme-challenge/0nvBSZKKxInd2dEeOfzDn63OoTHVlvY4_dNzi9YKgUg
5) getssl: for some reason could not reach http:https://example.com/.well-known/acme-challenge/0nvBSZKKxInd2dEeOfzDn63OoTHVlvY4_dNzi9YKgUg - please check it manually

If I manually visit
http:https://example.com/.well-known/acme-challenge/0nvBSZKKxInd2dEeOfzDn63OoTHVlvY4_dNzi9YKgUg

I see the file contents there. Any ideas much appreciated!

Note: If I ssh from my machine, a password is required; but I don't see a place in an ssh chain to include a password; also, I can visit the file on www without a password.

@timkimber
Member

timkimber commented Feb 23, 2023

Hi @TheSethness

Can you execute this command on the host where you are running getssl and let me know what output you get?

curl --user-agent "getssl/v2.47" --insecure --location http:https://example.com/.well-known/acme-challenge/0nvBSZKKxInd2dEeOfzDn63OoTHVlvY4_dNzi9YKgUg

@timkimber timkimber reopened this Feb 23, 2023
@PersephoneQueenOfFlowers

PersephoneQueenOfFlowers commented Feb 23, 2023

Hi @TheSethness

Can you execute this command on the host where you are running getssl and let me know what output you get?

curl --user-agent "getssl/v2.47" --insecure --location http:https://example.com/.well-known/acme-challenge/0nvBSZKKxInd2dEeOfzDn63OoTHVlvY4_dNzi9YKgUg

Hi @timkimber, thanks for your reply. Sure. The response from the copied command (with my domain in place of "example.com") is the contents of that acme challenge file. The curl works as expected.

correct output of the file at that url and path within my file system

@githubRover

with my domain in place of "myWebsite.com"

myWebsite.com is a valid domain (although apparently not yours)

When posting example domains / URLs you shouldn't use someone else's domain. Using example.com is a good substitute if you won't post your own name.

@PersephoneQueenOfFlowers

Hey @githubRover much appreciated! I updated the original comment to reflect example.com. :)

@timkimber
Member

timkimber commented Feb 24, 2023

@TheSethness

The code looks like this:

if [[ ! "$(curl ${_NOMETER} --user-agent "$CURL_USERAGENT" --insecure --silent --location "$wellknown_url")" == "$keyauthorization" ]]; then
    error_exit "for some reason could not reach $wellknown_url - please check it manually"
fi

As the manual check works, I don't see anything that could not be working.

Here's what I think is happening.

  1. From reading your config file above, you are using a mix of URLs and IP addresses to set up the certificate (e.g. the ssh commands all use IP addresses).
  2. Doing a reverse lookup on the IP address returns something that looks like a shared hosting provider.
  3. When doing an http/https request, the web server at the shared hosting provider uses the URL to identify the website to return; if you are passing the IP address (or if one of the domains in the certificate doesn't have the correct DNS entry), it doesn't know which website to use, so it returns the hosting provider's website.
  4. Hence the getssl sanity check that the token has been copied fails.

There are two solutions:

  1. use the hostname everywhere you can/update the DNS entries for the hosts in the certificate, except the ssh calls (you can use ssh:login@sharedhostingprovider instead of the IP address, but it doesn't matter)
  2. set SKIP_TOKEN_CHECK_WAIT=true in getssl.cfg
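An added example (my own shell script, not getssl's code) that covers both srvrco's description of how the token check works and Tim's diagnosis here: it maps each certificate name to its ACL entry by position (honouring USE_SINGLE_ACL) and repeats getssl's exact-match fetch of the token, printing what the server actually returned when the two differ. The curl options are the ones quoted in this thread; the token value in the demo and the FETCH override (so the comparison can be exercised offline) are constructed for the example.

```shell
#!/bin/sh
# Added example, not getssl's own code. Reproduces the two things this thread
# stumbles on: which ACL entry each certificate name maps to, and the exact
# match token check behind "for some reason could not reach ...".
set -u

# Names the certificate will cover, one per line: the primary domain first,
# then each comma-separated SAN in order. ACL entries are matched by position.
cert_names() {
  printf '%s\n' "$1"
  [ -n "${2:-}" ] && printf '%s\n' "$2" | tr ',' '\n'
  return 0
}

# Echo the ACL entry used for name number IDX (0 = primary domain).
# With USE_SINGLE_ACL=true every name uses the first entry; otherwise a name
# with no entry of its own is an error (getssl has nowhere to put its token).
# Usage: acl_for_index IDX USE_SINGLE ENTRY...
acl_for_index() {
  idx=$1; use_single=$2; shift 2
  if [ "$use_single" = "true" ]; then
    printf '%s\n' "$1"
  elif [ "$idx" -lt "$#" ]; then
    shift "$idx"; printf '%s\n' "$1"
  else
    return 1
  fi
}

# The sanity check getssl runs after copying the token: the fetched body must
# equal the key authorization byte for byte. A shared host answering for the
# wrong virtual host returns its own page, so the comparison fails even though
# a browser "sees" a file. FETCH may be overridden (FETCH=cat for an offline
# test); the default is the curl invocation quoted in this thread.
token_reachable() {
  url=$1; keyauth=$2
  body=$(${FETCH:-curl --silent --location --insecure --user-agent getssl/v2.47} "$url") || return 2
  [ "$body" = "$keyauth" ] && return 0
  printf 'mismatch for %s\n  expected: %s\n  got (first 120 bytes): %.120s\n' \
    "$url" "$keyauth" "$body" >&2
  case "$body" in
    *'<html'*|*'<HTML'*|*'<!DOCTYPE'*)
      echo '  hint: the server returned HTML, i.e. a different site or an error page;' \
           'check DNS and the virtual host for this name, not just the file path' >&2 ;;
  esac
  return 1
}

# Demo with constructed values (run as: sh script.sh demo); no network needed.
if [ "${1:-}" = "demo" ]; then
  cert_names example.com www.example.com,mail.example.com
  acl_for_index 1 false /var/www/example.com/.well-known/acme-challenge \
                        /var/www/www/.well-known/acme-challenge
fi
```

Running the real check against your own host, with the token getssl just copied, shows immediately whether the hosting provider's default page rather than the token is what curl gets back.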

@PersephoneQueenOfFlowers

PersephoneQueenOfFlowers commented Feb 25, 2023

Thanks for this advice, Tim. It seems to have allowed for some progress. I'm getting a new error message now that I'm working on. :)
getssl: problem copying file to the server using scp.

Edit:
Now I have the console message when running the getssl application that the certificate is valid as follows:
example.com: certificate is valid for more than 30 days (until May 26 06:06:19 2023 GMT)

However when I attempt to visit the site, the browser still tells me it's not secure. I did make sure that the links from the site are all https. Safari shows a lock on it and that it's valid, but Chrome not secure. Oy.

This is the site.
https://www.webappsbysephe.com
