For DNS purposes I believe www and non www resolve differently, and Let’s Encrypt would treat those as unique domains. Typically you would set up your A records to resolve the domain with the www and then use a CNAME to forward www to non-www. Unless you really love www then you might want to swap that.
Just to be clear your “my_domain.org” is not the actual domain you are using correct?
I would like to know why my set up should be different from his. I’m just not familiar with so much of the terminology. Could you clarify a little bit about why Ryan’s set up would be different than mine, given my particular issue?
ps) yes, I was just using placeholders in the previous post
my_domain.org is a domain. That’s what you register with an isp.
www.my_domain.org is a subdomain and you can (probably) create whatever of those you want if your isp allows it.
For anyone to find that domain and subdomains, they need a dns record. Those come in many flavours. Two flavours are A records and CNAME records.
A records map a domain or subdomain to an ip address.
CNAME records act like aliases. If a subdomain needs to point at the same ip address as another subdomain, you might create one A record and then use CNAME records for the others. That way, you o ly have to change one record if the address changes.
You could use multiple A records mapping to the same address and it will work fine. It’s just more effort if the address changes.
Many domains set an A record at the domain level pointing to a Web server and create a www subdomain with a CNAME record. That way, users typing either in their browser end up at the same website.
SSL certificates are choosy about what domains and subdomains they are valid for and they treat the two as separate beings.
It’s possible that a certificate will handle both levels but you ha e to explicitly define that when you create the certificate. By default, they often only handle one.
So, your certificate needs to match precisely the subdomains you type into your browser. Even if you correctly use A and CNAME records to map multiple domains and subdomains to the correct address, your certificate might only be valid for one of those.
I’ve been following the instructions on letsencrypt.
They recommend using the Certbot ACME client.
I followed the Certbot instructions on their site. When Certbot tries to issue me a certificate with:
sudo certbot certonly --standalone
I get the following error:
(env) me@azure_vm:~$ sudo certbot certonly --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): my_domain.org
Requesting a certificate for my_domain.org
Performing the following challenges:
http-01 challenge for my_domain.org
Waiting for verification...
Challenge failed for domain my_domain.org
http-01 challenge for my_domain.org
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: my_domain.org
Type: connection
Detail: Fetching
http://my_domain.org/.well-known/acme-challenge/...:
Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
I just purchased the domain name yesterday afternoon so perhaps I just need time. I am certainly trying to figure this out but if anything else comes to mind please let me know if you have a second.
If there is no app (or website or really anything that loads and returns HTTP 200) currently available at that domain then Let’s Encrypt won’t issue the certificate.
If you want to “hack” the certificate you could spin up a quick Apache server and use the standard html file it generates to get the certificate. But then you would need to remove Apache and ensure it isn’t stuck on port 80 or 443.
Have you been able to launch the app without SSL? Just to see if the domain is actually working
Here is a yml file of an app that is working currently.
Note: I added the second origin just because it seemed like I should. I have no idea if this is doing anything and it’s there because I thought it would help Let’s Encrypt issue another certificate for the sub domain, which it didn’t seem to. I tried using two A records like in Ryans tutorial, but then SSL wasn’t working on www.
My DNS records are:
A record for root (@) to the server IP
CNAME from www to root
This isn’t the only way to do this, but it worked for me.
So this is probably a stupid question but when I go to the domain (type it in the address bar) that I purchased, I just get a timeout since there’s nothing there. Based on your comment, that is not what I should expect right?
Do you have the Anvil app running without SSL currently on the IP that the domain is pointing to?
I do believe that a website or something needs to load for Let’s Encrypt to issue a certificate. I’m guessing the way this works for Anvil’s integration is that the app server is launched, then the Let’s Encrypt bot checks the challenges. After everything passes the certificate is updated and the setup tool updates the built-in web server config.
I’m making educated guesses mostly based on my experience with web servers and also with setting up an Anvil app.
Have you been able to get the app server to work on that domain even without SSL?
I don’t think I’ve tried to get it working without SSL as far as I understand.
I will have to resarch how to do that.
I did however try starting a new VM. Last time I chose Ubuntu 18 accidently. This time I chose Ubuntu 20 (just as Ryan did). I followed the same steps (but added a CNAME as suggested) and now when I run:
The command line comes back to my control and no web server starts up (I think that is the right terminology).
I think this might be progress but I’m not sure
EDIT: I can also see that despite my network security rule, the machine is not listening on port 443 when I check with sudo lsof -i -P -n | grep LISTEN .
The mention in the tutorial about the ports is certainly confusing for those not steeped in the wizardry of sysadmin. By default non-root processes are not allowed to bind to certain ports. However if the port isn’t available to bind to the Anvil app server should give an error to that effect.
For me the command in the tutorial didn’t work (but I think it was a root issue on my machine). This is what I used:
This sets the start point for unprivileged ports on the machine to 0. This basically makes all low numbered ports as unprivileged, hence able to have a non-root service bound to them. Technically this is more permissive than it should be, but realistically this isn’t a big risk unless someone/something can get an account on the machine.
Side note: Here is my horror story, when trying to get my app launched and properly configured it took me about 12 hours from start to finish. I probably tried hundreds of permutations. It’s still a new open source package and there are definitely some rough edges for sure.
I really appreciate this. I’m still trying and learning a lot along the way. I’ve deleted and remade the VM and followed the tutorial a few times now. I feel closer despite it not working quite yet.
I’m looking forward to trying the command you just shared!
After running the certbot commands, I got the following reassuring print out:
Congratulations! Your certificate and chain have been saved at:
…
Your key file has been saved at:
…
Your certificate will expire on … To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew all of your
certificates, run “certbot renew”
I believe that those were the two factors that were interacting to thwart my efforts.
