Cannot Create SSL Certificate for AWS Address

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

fitchek.com (points to EC2 instance on AWS)

I ran this command:

sudo certbot certonly --webroot -w /opt/marketplace/public/wellness -d wellness.fitchek.com

It produced this output:

Failed authorization procedure. wellness.fitchek.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://wellness.fitchek.com/.well-known/acme-challenge/Q4FuWssEdhinSDCaSKxYpG62FfZMHgQ3wqcksb-mWcs [2606:4700:30::681f:429d]: "\n\n<!--[if IE 7]> <html class="no-js "

IMPORTANT NOTES:

My web server is (include version):

nginx version: nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version):

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.5 LTS
Release: 16.04
Codename: xenial

My hosting provider, if applicable, is:

Cloudflare (CNAME record), AWS hosts the code

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.31.0

Hi @Nate14

There is already a check of the wellness subdomain ( https://check-your-website.server-daten.de/?q=wellness.fitchek.com ).

There you see the problem:

Your IP addresses look like Cloudflare:

Host                      T     IP-Address                 is auth.  ∑ Queries  ∑ Timeout
wellness.fitchek.com      A     104.31.66.157              yes       1          0
                          A     104.31.67.157              yes       1          0
                          AAAA  2606:4700:30::681f:429d    yes
                          AAAA  2606:4700:30::681f:439d    yes
www.wellness.fitchek.com  Name Error                       yes       1          0

And one output checking /.well-known/acme-challenge/unknown-filename:

Visible Content: Error 526 Ray ID: 4c45dec61e9f2d5f • 2019-04-08 17:13:09 UTC Invalid SSL certificate You Browser Working Berlin Cloudflare Working wellness.fitchek.com Host Error What happened? The origin web server does not have a valid SSL certificate. What can I do? If you're a visitor of this website: Please try again in a few minutes. If you're the owner of this website: The SSL certificate presented by the server did not pass validation. This could indicate an expired SSL certificate or a certificate that does not include the requested domain name. Please contact your hosting provider to ensure that an up-to-date and valid SSL certificate issued by a Certificate Authority is configured for this domain name on the origin server. Additional troubleshooting information here. Cloudflare Ray ID: 4c45dec61e9f2d5f • Your IP : 2a01:238:301b::1229 • Performance & security by Cloudflare

You use Cloudflare. But then a working certificate is required. But Cloudflare produces a lot of 526 errors:

Origin SSL Certificate Error

So the current certificate of your server is invalid.

Result:

  • use the integrated solution of Cloudflare (or)
  • deactivate Cloudflare, so your A record points to your own ip address, then create a certificate, then activate Cloudflare again

But you can't renew a non-working certificate via Cloudflare + http-01 validation.

Or use dns-01 validation (manual) to create one certificate.


You should be okay if you just exclude /.well-known/acme-challenge/ from the redirect to HTTPS in your Nginx configuration.

E.g. (inside the port-80 server block; the root is the -w webroot from your certbot command):

server {
    listen 80;
    server_name wellness.fitchek.com;
    location / {
        return 301 https://$host$request_uri;
    }
    location /.well-known/acme-challenge/ {
        # other stuff, or nothing at all; here the certbot -w webroot
        root /opt/marketplace/public/wellness;
    }
}
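
The two answers above describe the same failure from two angles: the CA's request is redirected onto HTTPS, where Cloudflare's proxy answers 526 because the origin certificate is invalid, so http-01 can never reach the token; excluding /.well-known/acme-challenge/ from the HTTP-to-HTTPS redirect (or going DNS-only / dns-01) sidesteps that. The script below is an added example, not code from this thread, from certbot or from Cloudflare. It does a dry run of what the CA does: it drops a token under the webroot exactly where certbot --webroot would, fetches it over plain HTTP on port 80 without following redirects, and classifies the first-hop answer into the failure modes discussed here. The thumbprint suffix, the ADVICE texts and the scratch webroot are constructed for illustration; a real key authorization is token + "." + the account key's JWK thumbprint.

```python
"""Pre-flight check for http-01 validation through a proxy such as Cloudflare.

Added example (not from the thread, certbot or Cloudflare). Run on the origin
host:  python3 acme_preflight.py wellness.fitchek.com /opt/marketplace/public/wellness
"""
import http.client
import secrets
import sys
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

ACME_PATH = "/.well-known/acme-challenge/"
REDIRECTS = {301, 302, 303, 307, 308}

# Constructed advice strings keyed by the codes classify() returns.
ADVICE = {
    "ok": "token served over plain HTTP; http-01 should succeed as-is",
    "cloudflare-526": "Cloudflare proxy is on and the origin presents an invalid certificate: "
                      "fix/replace the origin certificate, go DNS-only while issuing, or use dns-01",
    "redirect-to-https": "the CA follows redirects, so validation continues over HTTPS through the "
                         "proxy (where the 526 appears); exclude /.well-known/acme-challenge/ from the redirect",
    "redirect-elsewhere": "redirected to a host/path that will not serve the token",
    "not-found": "token not served: the -w webroot and the nginx root for that location differ",
    "wrong-content": "something other than the key authorization came back (cached or rewritten page)",
    "unexpected-status": "see the raw response",
}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: str = ""


def scratch_webroot() -> Path:
    """Throw-away webroot for dry runs and tests (constructed, not a real docroot)."""
    return Path(tempfile.mkdtemp(prefix="acme-preflight-"))


def place_token(webroot: Path, token: str, key_authz: str) -> Path:
    """Mirror certbot --webroot: <webroot>/.well-known/acme-challenge/<token>."""
    challenge_dir = webroot / ".well-known" / "acme-challenge"
    challenge_dir.mkdir(parents=True, exist_ok=True)
    path = challenge_dir / token
    path.write_text(key_authz)
    return path


def http_fetch(host: str, path: str, timeout: float = 10.0) -> Response:
    """Plain-HTTP GET on port 80; redirects are NOT followed so we see the first hop."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "acme-preflight"})
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", "replace")
        return Response(resp.status, {k.lower(): v for k, v in resp.getheaders()}, body)
    finally:
        conn.close()


def classify(resp: Response, expected: str) -> str:
    """Map a first-hop response to one of the ADVICE keys."""
    if resp.status == 526:                      # Cloudflare: origin certificate invalid
        return "cloudflare-526"
    if resp.status in REDIRECTS:
        location = resp.headers.get("location", "")
        return "redirect-to-https" if location.lower().startswith("https://") else "redirect-elsewhere"
    if resp.status == 404:
        return "not-found"
    if resp.status == 200:
        return "ok" if resp.body.strip() == expected else "wrong-content"
    return "unexpected-status"


def preflight(host: str, webroot: Path, fetch=http_fetch) -> str:
    """Place a throw-away token, fetch it the way the CA would, clean up, return a code."""
    token = secrets.token_urlsafe(32)
    key_authz = token + ".CONSTRUCTED-THUMBPRINT"   # real: token + "." + JWK thumbprint
    path = place_token(webroot, token, key_authz)
    try:
        return classify(fetch(host, ACME_PATH + token), key_authz)
    finally:
        path.unlink(missing_ok=True)              # never leave stray files in the webroot


if __name__ == "__main__":
    code = preflight(sys.argv[1], Path(sys.argv[2]))
    print(f"{code}: {ADVICE[code]}")
```

Because only the first hop is inspected, a 301 to https:// is reported even though the CA would follow it; that is deliberate, since in this thread the HTTPS side is exactly where the 526 is produced, and the fix in the second answer is to keep the challenge path on HTTP.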
