Can't Create Cert on Ubuntu EC2 Server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: dns.faithworks.tech

I ran this command: certbot certonly --manual

It produced this output:

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: dns.faithworks.tech
Type: unauthorized
Detail: 44.204.76.3: Invalid response from http://dns.faithworks.tech/.well-known/acme-challenge/ROF2Gj8JJBZh1oJ1ygYUVdlXdL8GQK37mKyL4s_AR9k: 404

Hint: The Certificate Authority failed to verify the manually created challenge files. Ensure that you created these in the correct location.

My web server is (include version): lighttpd 1.4.74

The operating system my web server runs on is (include version): Ubuntu 24.04 LTS

My hosting provider, if applicable, is: AWS-EC2 Instance

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0

Did you follow the instructions of the manual authenticator? And if so, how exactly?

I will be quite honest with you; I am new to certbot. I am following the instructions in an article to add an SSL cert to PiHole, Add LetsEncrypt SSL certificate to Pi-hole • NetWeaver

The article was written for commands on CentOS but I've adapted them for Ubuntu. I got about a quarter down the page and ran the certbot certonly --manual command and followed the prompts there. For the domain name, I used dns.faithworks.tech.

Is /var/www/html/, which is used in that guide, also the path where the files for your site hosted by lighttpd reside? (Currently just the welcome page it seems.)

There is another folder in that path, admin, which contains all the files. Would I need to repeat the setup under the admin folder?

That doesn't seem to be necessary, as I can also see that /admin/ page if I go to it.

What's the output of:

ls -l /var/www/html/.well-known/acme-challenge/

?

Nothing. "total 0"

Where did the file go which you should have made according to the guide?

I have no idea. It appears that it isn't getting created. As I said, I am new to Let's Encrypt and not all that seasoned in Ubuntu.

I did look at the log, /var/log/letsencrypt/letsencrypt.log. I've attached it.

Did you follow these instructions when certbot asked you to?

2024-09-30 14:11:45,573:DEBUG:certbot._internal.display.obj:Notifying user: Create a file containing just this data:

7-PPXAzmvYfoeO6ZSY_KRIc6SV1DZCEZZnLdabFNRdA.7ZSLt2UBdWazhGBZ-losSCHNgqjRRcizsxLwbazRd0U

And make it available on your web server at this URL:

http://dns.faithworks.tech/.well-known/acme-challenge/7-PPXAzmvYfoeO6ZSY_KRIc6SV1DZCEZZnLdabFNRdA

i.e. it was your responsibility to create that file (named 7-PPXAzmvYfoeO6ZSY_KRIc6SV1DZCEZZnLdabFNRdA) with that long string as its content.

Having said that, using LE services this way (--manual) is strongly discouraged. Look into using --webroot instead.


But if you followed the guide, YOU made the file, right? As in, the guide asked you to do just that, starting with the instructions:

Use nano to make the file of the name provided by certbot:

Right?

Also, I'm quite puzzled why that guide makes you do all those manual steps and why it doesn't simply use the webroot authenticator...

Can you please try:

sudo certbot certonly --webroot -w /var/www/html/ -d dns.faithworks.tech

(There really are some terrible, terrible guides out there, written by people who just don't understand what they're doing and/or dealing with..)

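The file the manual authenticator asked for (the token as the file name, the long token.thumbprint string as its content) and the file that `--webroot -w /var/www/html/` writes for you are the same thing. The following is an added example, not certbot's code and not from the guide: it creates that file under a webroot and then fetches it the way the CA does, so a 404 like the one in the first post is caught before validation is attempted. The token and key authorization are constructed placeholders, and a localhost server on a temporary directory stands in for the real web server.

```python
"""Pre-flight check for an ACME HTTP-01 challenge file (added example, not certbot's code).

It writes the file where the CA will look, <webroot>/.well-known/acme-challenge/<token>
(what `certbot --webroot -w <webroot>` does for you), then fetches that URL the way the
CA does, so the 404 seen in this thread is caught before validation is attempted."""
import functools
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"

def write_challenge(webroot, token, key_authz):
    """Create <webroot>/.well-known/acme-challenge/<token> containing key_authz."""
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authz)  # no newline; RFC 8555 lets the CA ignore trailing whitespace anyway
    return path

def check_challenge(base_url, token, key_authz):
    """Fetch what the CA fetches; returns 'ok', 'mismatch', 'http <code>' or 'error <reason>'."""
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:  # plain HTTP, no TLS, like the CA
            body = resp.read().decode("ascii", "replace").rstrip()
    except urllib.error.HTTPError as err:
        return f"http {err.code}"  # the thread's failure mode: 404, the file was never created
    except (urllib.error.URLError, OSError) as err:
        return f"error {err}"
    return "ok" if body == key_authz else "mismatch"

def demo():
    """Serve a temporary webroot on localhost (a constructed stand-in for the real host)."""
    webroot = tempfile.mkdtemp()
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    token, key_authz = "EXAMPLE_TOKEN", "EXAMPLE_TOKEN.EXAMPLE_THUMBPRINT"  # constructed values
    results = {"missing": check_challenge(base, token, key_authz)}  # file absent -> "http 404"
    write_challenge(webroot, token, key_authz)
    results["present"] = check_challenge(base, token, key_authz)  # -> "ok"
    results["wrong_content"] = check_challenge(base, token, "other.value")  # -> "mismatch"
    srv.shutdown()
    srv.server_close()
    return results
```

Against a real host, call `check_challenge("http://dns.faithworks.tech", token, key_authz)` from outside the server with the values certbot prints; anything other than "ok" is what the CA will also see.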

Ah, there was the problem. I was COMPLETELY misreading the fact that it was telling me to create the file in both the article and the commands.

I am all for blaming my own incompetence here 🙂

I ran the command you just specified and it worked!!


Yeah, the webroot method is a better solution than the manual method if you already have a running webserver on the same host. Not sure why that guide would choose such an elaborate method.

Another advantage of the webroot method is that you can simply run sudo certbot renew to renew the certificate, which usually already runs in the background!

Unfortunately I'm not familiar with lighttpd, because if the certificate gets renewed, the webserver usually needs a reload or even a restart to pick up the renewed certificate. This "reload command" can be added to Certbot's --deploy-hook. You can add a deploy hook using the reconfigure subcommand. See reconfigure subcommand for info about the reconfigure subcommand and deploy hook for the --deploy-hook subcommand.
