AWS cert-auto installation - 404 and insult to injury

My domain is:

I ran this command: sudo /usr/local/bin/certbot-auto certonly -d --webroot -w /var/www/html

It produced this output: Cleaning up challenges
Some challenges have failed.


My web server is (include version): Apache/2.4.41 (Amazon)

The operating system my web server runs on is (include version): Amazon Linux AMI 2018.03

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.1.0

It appears that the script doesn’t create a .well-known or acme-challenge directory, nor does it create the random file it checks, and thus generates a 404.

As to the insult to injury, now apparently because of the script failures I have hit Let’s Encrypt’s rate limit (which seems a bit wonky, since I’m not actually successfully creating a certificate,) and thus I cannot continue testing.

Not to sound like an old curmudgeon, but can’t a fella get a download of the certificate vs. jumping through certbot land, at least as a temporary fix?

How very frustrating.

1 Like

Are you sure that is your webroot for domain:

Testing is to be done on the TESTING environment (--staging)
No wonder you hit a rate limit !

1 Like

Yep, that’s the webroot.

Yeah, the --staging flag would have definitely been useful. Wish I’d known about it!

1 Like

Thanks for the --staging tip, but I’m still in the same boat. Even using sudo, certbot-auto doesn’t seem to create the folders or the document needed.

1 Like

Apache can be somewhat… “difficult” to troubleshoot.
Especially when things appear to be running as expected.

Let’s review the basics.
Please show:
apachectl -S
and the vhost config for domain:

1 Like

apachectl -S:

VirtualHost configuration:

*:443 ip-172-31-82-254.ec2.internal (/etc/httpd/conf.d/ssl.conf:56)

ServerRoot: “/etc/httpd”

Main DocumentRoot: “/var/www/html/”

Main ErrorLog: “/etc/httpd/logs/error_log”

Mutex proxy: using_defaults

Mutex authn-socache: using_defaults

Mutex ssl-cache: using_defaults

Mutex default: dir="/var/run/httpd/" mechanism=default

Mutex mpm-accept: using_defaults

Mutex cache-socache: using_defaults

Mutex authdigest-opaque: using_defaults

Mutex watchdog-callback: using_defaults

Mutex proxy-balancer-shm: using_defaults

Mutex rewrite-map: using_defaults

Mutex ssl-stapling-refresh: using_defaults

Mutex authdigest-client: using_defaults

Mutex ssl-stapling: using_defaults

PidFile: “/var/run/httpd/”



User: name=“webapp” id=498 not_used

Group: name=“webapp” id=496 not_used

vhost config (comments removed because of formatting issues :slight_smile: )

Listen 443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300

SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on

SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3

SSLHonorCipherOrder on

SSLCertificateFile /etc/pki/tls/certs/localhost.crt

SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

<FilesMatch “.(cgi|shtml|phtml|php)$”>
SSLOptions +StdEnvVars

<Directory “/var/www/cgi-bin”>
SSLOptions +StdEnvVars

BrowserMatch “MSIE [2-5]”
nokeepalive ssl-unclean-shutdown
downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log
“%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x “%r” %b”

1 Like

An additional complication is that this is a Laravel app, which is rewriting requests from /var/www/html to /var/www/html/public - not sure if that’s causing issues or not.

1 Like

Hi @techguy12

then you have to use that directory in your command.

Create the two subdirectories


there a file (file name 1234), then check, if you can load that file via

That must work if the webroot is correct.

1 Like

Apachectl only shows port 443
Where is the port 80?

1 Like

Short answer: switched from AWS to a more “standard” ISP, ran certbot on a fresh install, and it ran like a top. I appreciate the help, everyone!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.