Certbot-auto certonly resulting unauthorized

My domain is: demo.kalki.io
I ran this command: certbot-auto certonly

It produced this output:
Domain: demo.kalki.io
Type: unauthorized
Detail: Invalid response from
https://demo.kalki.io/.well-known/acme-challenge/cLs7sToGblWOw8173vBiC-ISZmo8Klo7xLh91kb8YbI
[3.212.217.80]: 404

My web server is (include version): docker-apache-tomee
requesting certificate for haproxy.
The operating system my web server runs on is (include version): ubuntu 16.04
My hosting provider, if applicable, is: amazon-aws
I can login to a root shell on my machine (yes or no, or I don’t know): yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot-auto --version -> certbot 0.33.1

/var/log/letsencrypt.log output :
identifier": {
“type”: “dns”,
“value”: “demo.kalki.io
},
“status”: “invalid”,
“expires”: “2019-04-21T10:57:15Z”,
“challenges”: [
{
“type”: “dns-01”,
“status”: “invalid”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/7r1ofk3lXmWnJ8X1rfr7Dm7CPZguAQ425QMAUB2CyPI/14759832783”,
“token”: “vtf-y93auoTzDyP3nJzyWaalTHMldBk4CCvofR9-LaE”
},
{
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:ietf:params:acme:error:unauthorized”,
“detail”: “Invalid response from https://demo.kalki.io/.well-known/acme-challenge/cLs7sToGblWOw8173vBiC-ISZmo8Klo7xLh91kb8YbI [3.212.217.80]: 404”,
“status”: 403
},
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/7r1ofk3lXmWnJ8X1rfr7Dm7CPZguAQ425QMAUB2CyPI/14759832784”,
“token”: “cLs7sToGblWOw8173vBiC-ISZmo8Klo7xLh91kb8YbI”,
“validationRecord”: [
{
“url”: “http://demo.kalki.io/.well-known/acme-challenge/cLs7sToGblWOw8173vBiC-ISZmo8Klo7xLh91kb8YbI”,
“hostname”: “demo.kalki.io”,
“port”: “80”,
“addressesResolved”: [
“3.212.217.80”,
addressUsed": “3.212.217.80”
}
]
},
{
“type”: “tls-alpn-01”,
“status”: “invalid”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/7r1ofk3lXmWnJ8X1rfr7Dm7CPZguAQ425QMAUB2CyPI/14759832785”,
“token”: “FhH0kME2Lcl_ek6HaslDxmDyQFnO3-dN-yEsJ3gI5Qg”
}
]
}
DEBUG:acme.client:Storing nonce: acR7kNKM2NQ7SkfXQPb5HGTCfDawiCM7ir0cK9vCcw4
WARNING:certbot.auth_handler:Challenge failed for domain demo.kalki.io
INFO:certbot.auth_handler:http-01 challenge for demo.kalki.io
DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: demo.kalki.io
Type: unauthorized
Detail: Invalid response from https://demo.kalki.io/.well-known/acme-challenge/cLs7sToGblWOw8173vBiC-ISZmo8Klo7xLh91kb8YbI [3.212.217.80]: 404

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 90, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 154, in _poll_authorizations
raise errors.AuthorizationError(‘Some challenges have failed.’)
AuthorizationError: Some challenges have failed.

Hi @sumitfreelancer07

if you use such a command, certbot asks a lot of things. We need your answers.

PS: Your domain has redirects http -> https ( https://check-your-website.server-daten.de/?q=demo.kalki.io ):

Domainname Http-Status redirect Sec. G
http://demo.kalki.io/
3.212.217.80 301 https://demo.kalki.io/ 0.216 A
https://demo.kalki.io/
3.212.217.80 302 Kalki.io 1.060 N
Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
Kalki.io 200 1.010 N
Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
http://demo.kalki.io/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
3.212.217.80 301 https://demo.kalki.io/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.213 A
Visible Content:
https://demo.kalki.io/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 404 0.877 N
Not Found
Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors

So your https version answers.

Your main server answers with

Server: Kalki WebEngine

but /.well-known/acme-challenge doesn't send a Server - Name.

Which instance answers? Is there a DocumentRoot / root defined? If yes, then use it.

certbot-auto -a webroot certonly -w yourDocumentRootWebRoot -d demo.kalki.io

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.