Certbot-auto fails to connect

Some other info:

My registrar is Namecheap, and I’m using their dynamic DNS, so this domain has an A+ @ record and an A+ www record, both pointing to my WAN IP.

I’m on Verizon FiOS. My router is configured to pass HTTP/HTTPS requests to my server. That’s all working fine. Website is accessible by name, locally and remotely. If it matters, the local hostname of my server is teapot.hynoom.net, IP 192.168.1.9.

I followed the linuxize tutorial on setting up virtual hosts, and another on securing with Let’s Encrypt.

Q: It looks like /.well-known, etc., is not accessible.
Q: Does the local host name make a difference?

I’ve contacted Namecheap twice, and they say everything is fine on their end, and told me to come here.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

hynoom.com

I ran this command:

sudo /usr/local/bin/certbot-auto certonly --agree-tos --email codevark@aim.com --webroot -w /var/lib/letsencrypt/ -d hynoom.com -d www.hynoom.com

It produced this output:

(a bunch of stuff installed without errors)

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for hynoom.com
http-01 challenge for www.hynoom.com
Using the webroot path /var/lib/letsencrypt for all unmatched domains.
Waiting for verification…
Challenge failed for domain hynoom.com
Challenge failed for domain www.hynoom.com
http-01 challenge for hynoom.com
http-01 challenge for www.hynoom.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version):

Apache 2.4.37-16.module_el8.1.0+256

The operating system my web server runs on is (include version):

CentOS Linux 8 (Core)
Kernel: Linux 4.18.0-193.6.3.el8_2

My hosting provider, if applicable, is:

me!

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Certbot 1.5.0

Based on some requests I’ve tried against your server, I would guess that the acme-challenge directory, specifically, is not readable by the webserver. Or has some kind of access control against it.

My suggestion would be to try out the nginx authenticator, which might be able to resolve this automatically for you.

sudo /usr/local/bin/certbot-auto certonly -a nginx \
-d hynoom.com -d www.hynoom.com

apparently I don’t have nginx. why do I need two webservers?
I can install it, of course…

Sorry, I have no idea at all why I suggested -a nginx to you. My head must have been in the clouds.

I meant to write: -a apache.

dayem! that worked! thanks! I guess I still have to do some virtual host config because https://hynoom.com still warns me about evil dwarves…

The meaning of certonly in your command is “give me the certificate only, I’ll set it up by myself”.

If you’d like Certbot to autoconfigure it for you, you can:

certbot --apache -d hynoom.com -d www.hynoom.com

Certbot will ask you whether you want to renew the certificate or just install it - choose install.


I got it working. Thanks, again. Now, one more question that I might already know the answer to: I actually have 7 domains pointing at this server. I could go through this whole process for each one. Could I have specified all my domains in that one certbot call and gotten a cert that would be applicable to all of them? They’re the .org and .net variations of hynoom.com, plus four others with totally different domain names. Each has a separate /var/www/domain.tld/public_html/ dir.

How you organize it is up to you.

In my opinion, the most logical thing is to follow how your virtual hosts are set up.

If you had these two virtual hosts:

  1. ServerName example.com, ServerAlias www.example.com, ServerAlias example.net, ServerAlias www.example.net
  2. ServerName myorg.com, ServerAlias www.myorg.com

Then I’d suggest making two separate certificates, each covering all of the names in its respective virtual host.

Nothing stopping you making one mega-certificate which covers everything, though.
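The per-virtual-host grouping suggested in the answer above, as an added example (not code from this thread or from Certbot): it reads `ServerName`/`ServerAlias` directives from a constructed sample config and builds one `certbot --apache` command per site. The function names and the sample config are assumptions; wildcard aliases are set aside because the HTTP-based validation used in this thread cannot cover them.

```python
import re
import shlex

# Constructed sample mirroring the two virtual hosts in the answer above.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com example.net
    ServerAlias www.example.net
</VirtualHost>
<VirtualHost *:443>
    # Same site on another port: must not produce a second certificate.
    ServerName example.com
    ServerAlias www.example.com
</VirtualHost>
<VirtualHost *:80>
    ServerName myorg.com
    ServerAlias www.myorg.com *.myorg.com
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.I | re.S)
NAME_RE = re.compile(r"^\s*(ServerName|ServerAlias)\s+(.+?)\s*$", re.I | re.M)
HOST_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def group_names(conf_text):
    """Return ({ServerName: [all names of that site]}, [names set aside])."""
    groups, skipped = {}, []
    for block in VHOST_RE.findall(conf_text):
        primary, names = None, []
        for directive, value in NAME_RE.findall(block):
            for raw in value.lower().split():
                name = re.sub(r"^[a-z]+://|:\d+$", "", raw)  # drop scheme and port
                if not HOST_RE.match(name):
                    skipped.append(raw)  # wildcard or malformed: needs manual review
                elif directive.lower() == "servername" and primary is None:
                    primary = name
                else:
                    names.append(name)
        if primary is None:
            continue  # a vhost without ServerName gives no certificate group
        merged = groups.setdefault(primary, [primary])
        for name in names:
            if name not in merged:  # the :80 and :443 blocks share one group
                merged.append(name)
    return groups, skipped

def certbot_commands(groups):
    """One command per site, using only the flags shown in this thread."""
    return [" ".join(["certbot", "--apache"] + [f"-d {shlex.quote(n)}" for n in names])
            for names in groups.values()]

if __name__ == "__main__":
    print("\n".join(certbot_commands(group_names(SAMPLE_CONF)[0])))
```

Review the printed commands before running them; names reported as set aside are not included in any command.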

Thanks! Let’s Encrypt is cool! ha