Acme-challenge returns a 404


My domain is: mx2.koalatyworks.com

I ran this command: sudo certbot certonly --standalone --debug-challenges -v --dry-run

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): mx2.koalatyworks.com
Simulating a certificate request for mx2.koalatyworks.com
Performing the following challenges:
http-01 challenge for mx2.koalatyworks.com


Challenges loaded. Press continue to submit to CA.

The following URLs should be accessible from the internet and return the value
mentioned:

URL:
http://mx2.koalatyworks.com/.well-known/acme-challenge/4rwWX3HDjz48qjb4Zpj__GkuYQVx5jS8Ki46aVMnIHo
Expected value:
4rwWX3HDjz48qjb4Zpj__GkuYQVx5jS8Ki46aVMnIHo.apQzQRyWk2B312CEAj0aG_Gzz7v86ulDmH79_QnjLog

My web server is (include version): standalone

The operating system my web server runs on is (include version): Ubuntu 23.10

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 2.7.4

You have an nginx server that responds to HTTP requests. Did you stop it before trying to use --standalone? Because standalone requires exclusive use of port 80.

Also, since you have nginx you could just use the --nginx plug-in or --webroot to satisfy the challenge.

Can you explain more what you are trying to do and why you chose --standalone? We can give better advice then.


I'm trying to set up a backup MX server. Nginx is running on my main server, not mx2. Should I stop nginx on the main before running certbot on the backup? Or maybe use the nginx plugin, even though nginx isn't on the backup server?

Your DNS for mx2 has an A record pointing to the same IP as your main nginx server. The Let's Encrypt server uses that IP to make an HTTP request and your nginx responds.

Yes, you can just set up a simple server block in nginx to handle that ACME challenge for mx2. Then copy the cert to your mail server.

You could use the --deploy-hook to copy it. See Certbot docs

Or stop nginx before using standalone but usually people want to avoid that.
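The deploy-hook approach mentioned in the reply above, written out as an added example (this is not code from the thread or from Certbot itself). Certbot exports `RENEWED_LINEAGE` (the `/etc/letsencrypt/live/<name>` directory) and `RENEWED_DOMAINS` when it runs a `--deploy-hook`; those variable names are real Certbot behaviour. The destination directory, the reload command and the idea of copying to a local path (rather than over the network to a separate mx2 host) are assumptions for this example:

```shell
#!/bin/sh
# Added example, not from the thread: a certbot --deploy-hook that copies the
# renewed certificate files into a directory the mail server reads from.
# RENEWED_LINEAGE and RENEWED_DOMAINS are the real variables Certbot sets for
# deploy hooks; the destination path below is an assumption for this example.
set -eu

# deploy_cert LINEAGE_DIR DEST_DIR
# Copies fullchain.pem (world-readable) and privkey.pem (owner-only) into
# DEST_DIR. Refuses to copy anything if either source file is missing, so a
# half-renewed lineage never overwrites a working pair on the mail side.
deploy_cert() {
    lineage="$1"
    dest="$2"
    for f in fullchain.pem privkey.pem; do
        if [ ! -f "$lineage/$f" ]; then
            echo "deploy_cert: missing $lineage/$f" >&2
            return 1
        fi
    done
    mkdir -p "$dest"
    chmod 0750 "$dest"
    # install(1) copies and sets the mode in one step; the private key must
    # never be group- or world-readable, even if the source umask was loose.
    install -m 0644 "$lineage/fullchain.pem" "$dest/fullchain.pem"
    install -m 0600 "$lineage/privkey.pem" "$dest/privkey.pem"
}

# verify_deploy DEST_DIR
# Returns 0 only if both files are present and the key is exactly mode 0600.
verify_deploy() {
    dest="$1"
    [ -f "$dest/fullchain.pem" ] || return 1
    [ -f "$dest/privkey.pem" ] || return 1
    [ -n "$(find "$dest/privkey.pem" -perm 0600 -print)" ] || return 1
    return 0
}

# When Certbot invokes this script as a deploy hook, RENEWED_LINEAGE is set.
# Copy, verify, then reload the mail server (the reload command is an
# assumption; for a remote mx2 host the copy would be an scp/rsync instead).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    echo "deploying certificate for ${RENEWED_DOMAINS:-unknown}"
    deploy_cert "$RENEWED_LINEAGE" /etc/postfix/tls/mx2   # destination assumed
    verify_deploy /etc/postfix/tls/mx2
    # systemctl reload postfix   # uncomment for a Postfix backup MX
fi
```

Install the script somewhere root-owned and pass it as `--deploy-hook /path/to/script.sh` when first obtaining the cert; Certbot records the hook in the renewal configuration so later automatic renewals run it too. If the main server keeps nginx on port 80, the matching nginx side is a `location /.well-known/acme-challenge/` block with a `root` that the `--webroot -w` path points at, which is exactly what the reply above means by a simple server block for mx2.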


So I can run certbot on the main server then just copy the certificates to mx2? Just making sure I understand.

Sure, a cert is just a couple of files. Just keep them secure as you would on the main server.

Or, do you need the DNS A record for mx2 to point to your main server? Because if not you could just point that to where mx2 is and run Certbot standalone there. Still though it needs exclusive access to port 80.


Thanks!


I think the IP in DNS will come into play [at some point].

Even if you use the cert on MX2 only for SMTP, anyone trying to reach it would need to know its IP.

