Error getting validation data when Installing Certbot on Debian8.7-Jessie Linux

linux debian ssl ssl-certificate

I just set up my Server and I cant get my configuration to work with Certbot. It is always the same. I tried some different configurations but none of them worked. This here is my last attempt. It always says: "Error getting validation data" Does anyone have an idea why this does not work?

Full install:

sudo apt-get update && sudo apt-get upgrade

Ign http://ftp.debian.org jessie InRelease
[...]
Processing triggers for initramfs-tools (0.120+deb8u3) ...
Processing triggers for ca-certificates (20141019+deb8u3) ...
Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.

sudo apt-get install nano

Reading package lists... Done
[...]
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
[...]
update-alternatives: using /bin/nano to provide /usr/bin/pico (pico) in auto mode

sudo apt install curl

Reading package lists... Done
[...]
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
[...]

sudo mkdir -p /var/www/mydomain.ru/public_html

sudo chown -R root:root /var/www/mydomain.ru/public_html

sudo chmod -R 755 /var/www

nano /var/www/mydomain.ru/public_html/index.html

cd /etc/apache2/sites-available/

/etc/apache2/sites-available# ls

000-default.conf  default-ssl.conf

/etc/apache2/sites-available# cd

sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/mydomain.ru.conf

sudo nano /etc/apache2/sites-available/mydomain.ru.conf

sudo nano /etc/apache2/sites-available/mydomain.ru.conf

sudo a2ensite mydomain.ru.conf
Enabling site mydomain.ru.
To activate the new configuration, you need to run:
  service apache2 reload

sudo a2dissite 000-default.conf
Site 000-default disabled.
To activate the new configuration, you need to run:
  service apache2 reload

sudo a2dissite default-ssl.conf
Site default-ssl already disabled

sudo /etc/init.d/apache2 restart
[ ok ] Restarting apache2 (via systemctl): apache2.service.

sudo nano /etc/apache2/sites-available/mydomain.ru.conf

sudo /etc/init.d/apache2 restart
[ ok ] Restarting apache2 (via systemctl): apache2.service.

sudo nano /etc/apache2/sites-available/mydomain.ru.conf

sudo nano /etc/apt/sources.list

apt-get update
Ign http://ftp.debian.org jessie InRelease
[...]
Reading package lists... Done

sudo apt-get install python-certbot-apache -t jessie-backports
Reading package lists... Done
[...]
0 upgraded, 34 newly installed, 0 to remove and 32 not upgraded.
[...]
Do you want to continue? [Y/n] y
Get:1 http://ftp.debian.org/debian/ jessie-backports/main augeas-lenses all 1.8.0-1~bpo8+1 [422 kB]
[...]
Processing triggers for libc-bin (2.19-18+deb8u10) ...

sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: mydomain.ru
2: www.mydomain.ru
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):[email protected]
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for mydomain.ru
tls-sni-01 challenge for www.mydomain.ru
Enabled Apache socache_shmcb module
Enabled Apache ssl module
/usr/lib/python2.7/dist-packages/OpenSSL/rand.py:58: UserWarning: implicit cast from 'char *' to a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct)
  result_code = _lib.RAND_bytes(result_buffer, num_bytes)
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.mydomain.ru (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data, mydomain.ru (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data

IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to [email protected].
 - The following errors were reported by the server:

   Domain: www.mydomain.ru
   Type:   connection
   Detail: Error getting validation data

   Domain: mydomain.ru
   Type:   connection
   Detail: Error getting validation data

   To fix these errors, please make sure that your domain name was
[...]
   making regular backups of this folder is ideal.

The changes in my /etc/apache2/sites-available/mydomain.ru.conf

<IfModule mod_ssl.c>
        <VirtualHost mydomain.ru:443>

            ServerAdmin [email protected]
            ServerName mydomain.ru:443
            ServerAlias www.mydomain.ru
            DocumentRoot /var/www/mydomain.ru/public_html

                # Available loglevels: trace8, ..., trace1, debug, info, notice$
                # error, crit, alert, emerg.
                # It is also possible to configure the loglevel for particular
                # modules, e.g.
                #LogLevel info ssl:warn


                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                # For most configuration files from conf-available/, which are
                # enabled or disabled at a global level, it is possible to

Is your apache server available externally (to the greater internet) at the domain of the vhost? When you request a cert, certbot modifies your apache configuration to send a validation token to a special URL on your site (usually /.well-known/acme-challenge/<sometoken>. Then, Let's Encrypt is going to attempt to hit that path using the domain name for which you're requesting a cert. This is how they confirm that you own the domain publicly for which you are requesting a certificate.

If that webserver isn't public or there isn't a public DNS entry matching your vhost pointing to it, Let's Encrypt will not be able to request it's authorization token.


I needed to configure iptables with the following line:

sudo iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT

Related

how to enable http/2 on apache2 using ubuntu 20.04?
Can DNS TXT record broke website? [closed]
subdomain vs subfolder in site address
What IPv4 endpoint should I mention?
sudden "Could not evaluate: Field 'key' is required" errors when generating exported SSH keys
What would happen to our data if our GCP Datacenter goes down?
Required server capabilities for a video platform? [duplicate]
UnicodeDecodeError in Python when reading a file, how to ignore the error and jump to the next line?
Find all the occurrences of a character in a string
ASP.NET 5 project hosting on IIS
How can I detect a SQL table's existence in Java?
Why does a diamond with a questionmark in it � appear in my HTML?