Hi, I am trying to provision certificates on a server which normally does not run a standard web server. I am trying to use the ‘standalone’ plugin to do so, and I am getting “Error getting validation data” when trying to do the challenge
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
My web server is (include version):
None (using the standalone plugin)
The operating system my web server runs on is (include version):
Ubuntu 16.04.6 LTS (Xenial Xerus)
My hosting provider, if applicable, is:
Running in AWS
My domain is mapped using a CNAME record to the DNS of a network load balancer with a listener to forward TCP on port 80 to my instances.
I can log in to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
I’m rather unclear on what anything on that page really means. If I’m running a standalone server, wouldn’t I expect bad HTTP responses when I’m not running the certbot because the standalone server only runs when I run certbot? Is that not the case?
I expect port 443 to result in an unsigned certificate error because I have port 443 on my load balancer being forwarded to a different port on my instance, which serves an HTTPS only application with a self-signed cert (my eventual goal is to replace these with Let’s Encrypt certs).
My idea here is that incoming connections to port 443 are forwarded to my application on another port, and incoming connections to port 80 are forwarded to port 80 on my server, which I expect to work only when I am running the standalone server for certificate renewal purposes.
Do you have any suggestions on how I might troubleshoot the problem on port 80, rather than going through port 443? I just can’t figure out what the problem could be or how I would even figure that out.
For further information, here’s the final response I get back when running the challenge with verbosity turned on:
I definitely don’t have anything on port 80. I did when I first tried this and got a bind error, but then I shut down the service listening on port 80 and started getting the current error.
I tried an experiment and got some more information. Specifically, I changed the Route 53 DNS record from a CNAME record pointing to my Network Load Balancer to an A record pointing directly to the public IP address for my server, and I can provision certificates with that setup.
So it seems to be a problem going through the network load balancer, but I definitely have port forwarding set up. My forwarding on port 80 looks exactly the same as my forwarding on port 443, and I know port 443 is forwarded because network load balancers run on layer 4 (TCP protocol), meaning that’s the only way I’d get an untrusted certificate error since the load balancer doesn’t have a certificate of its own.
All the issues I can think of that might possibly cause this fall into two categories:
1. The chain of communication between Let’s Encrypt servers, my network load balancer, and my instance breaks down at some point.
2. The challenge, for some reason, doesn’t like the fact that the IP that the DNS name resolves to (the network load balancer) doesn’t match the IP that the server uses directly (the instance IP, either public or private). Note in my last response that the fields “addressesResolved” and “addressUsed” correspond to my network load balancer and not my instance.
Any suggestions on how I might tell which of these is the issue, and assuming it’s the first one, how I might go about troubleshooting where exactly the issue is?
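One way to tell the two categories apart, as an added example that is not part of the original thread: a throwaway Python listener that answers only the ACME HTTP-01 challenge path (the same path certbot's standalone plugin serves), paired with a check that resolves the hostname, fetches the token through it and reports what the remote client actually saw. The token, body and any hostname passed in are constructed placeholders.

```python
import http.server
import socket
import threading
import urllib.error
import urllib.request

# Constructed placeholder token and body; in a real run certbot supplies these.
CHALLENGE_PATH = "/.well-known/acme-challenge/"
CHALLENGES = {"test-token": "test-token.constructed-key-authorization"}
# Bypass any proxy so the request takes the same direct path the ACME server would.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    # Answers only the challenge path, like certbot's standalone listener does.
    def do_GET(self):
        token = self.path[len(CHALLENGE_PATH):] if self.path.startswith(CHALLENGE_PATH) else ""
        body = CHALLENGES.get(token)
        if body is None:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, fmt, *args):
        pass  # keep the listener quiet


def start_listener(bind_addr="0.0.0.0", port=80):
    # Run the throwaway listener in a background thread; returns the server object.
    srv = http.server.HTTPServer((bind_addr, port), ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def check_path(hostname, port, token, expected):
    """Fetch the token via `hostname` and report what an outside client sees."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    result = {"resolved": sorted({ai[4][0] for ai in infos}), "reachable": False,
              "status": None, "match": False, "error": None}
    try:
        with OPENER.open(f"http://{hostname}:{port}{CHALLENGE_PATH}{token}", timeout=10) as resp:
            result.update(reachable=True, status=resp.status, match=resp.read().decode() == expected)
    except urllib.error.HTTPError as exc:  # TCP path works but something else answered
        result.update(reachable=True, status=exc.code)
    except OSError as exc:  # DNS failure, connection refused or timeout: the path is broken
        result["error"] = str(exc)
    return result
```

Run `start_listener()` on the instance with nothing else bound to port 80, then call `check_path` against the public DNS name from a host outside the VPC. `reachable` False with `resolved` showing the load balancer addresses points at the forwarding chain (category 1), while `reachable` True and `match` True means the load balancer path delivers the challenge body and the resolved-versus-used address difference is not what blocks it.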