Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ofornecedor.com.br
Waiting for verification…
Challenge failed for domain ofornecedor.com.br
http-01 challenge for ofornecedor.com.br
Cleaning up challenges
Some challenges have failed.
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version): Apache 2
The operating system my web server runs on is (include version): Ubuntu 16.04
My hosting provider, if applicable, is: Amazon
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): EC2
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0
ubuntu@ip-*:/opt/letsencrypt$ sudo certbot certonly --webroot --webroot-path /var/www/html --renew-by-default -d ofornecedor.com.br
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ofornecedor.com.br
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. ofornecedor.com.br (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://ofornecedor.com.br/.well-known/acme-challenge/7WtKknHY_RpIX9R1PilXvvAt15rEvVAmz5RAzH1Oj84 [54.232.236.70]: 404
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: ofornecedor.com.br
Type: unauthorized
Detail: Invalid response from
http://ofornecedor.com.br/.well-known/acme-challenge/7WtKknHY_RpIX9R1PilXvvAt15rEvVAmz5RAzH1Oj84
[54.232.236.70]: 404
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My Virtualhost file was the issue. I was able to create the certifications.
ubuntu@ip-*:/etc/apache2/sites-available$ sudo certbot certonly --webroot --webroot-path /var/www/html --renew-by-default -d ofornecedor.com.br
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ofornecedor.com.br
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/ofornecedor.com.br/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/ofornecedor.com.br/privkey.pem
Your cert will expire on 2019-08-08. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
But one problem you may not solve: This Amazon proxy system
Chain - too much certificates, don't send root certificates
1 CN=ofornecedor.com.br
2 CN=Amazon, OU=Server CA 1B, O=Amazon, C=US
3 CN=Amazon Root CA 1, O=Amazon, C=US
4 CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, C=US, ST=Arizona
sends the root certificate (4), that’s too much. Servers should only send the own and the required intermediate certificates. Selecting the root is a client thing.