Certbot Challenge Fails

Hi all, my first post around here.

I've been struggling with certbot for a couple of days and decided to ask for some advice.
I'm using an Elastic Beanstalk as a REST API alongside an S3 to provide functionalities.
Searched everywhere for tips, trying a lot of those with no success.
I must be missing something simple but since I'm new to this it must be avoiding my eyes.
Any help would be great since I reached certbot rate limits atm.
Btw, I have already opened HTTPS port 443 on AWS security.

My domains are:
S3 -> yamana.comunica.vc
EB -> yamana.api.comunica.vc

I ran this command:
sudo certbot -n -d yamana.api.comunica.vc -d yamana.comunica.vc --nginx --agree-tos --email xxx@xxx.com

It produced this output:
Error on HTTP-01 challenge to yamana.comunica.vc
Error unauthorized, 404
When I try to open the url on my browser there's no such key

sudo certbot -n -d yamana.api.comunica.vc -d yamana.comunica.vc --nginx --agree-tos --email ultra.seed.2021@gmail.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Account registered.
Requesting a certificate for yamana.api.comunica.vc and yamana.comunica.vc
Performing the following challenges:
http-01 challenge for yamana.api.comunica.vc
http-01 challenge for yamana.comunica.vc
Waiting for verification...
Challenge failed for domain yamana.comunica.vc
http-01 challenge for yamana.comunica.vc
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: yamana.comunica.vc
    Type: unauthorized
    Detail: Invalid response from
    http://yamana.comunica.vc/.well-known/acme-challenge/5HRPHylKGB3xcr2z2th2calqIDBXCszf-qydbwJYRzw
    [52.95.163.103]: "\n404 Not
    Found\n\n

    404 Not
    Found

    \n
      \n
    • Code: NoSuchKey
    • \n
    • Message: The sp"

      To fix these errors, please make sure that your domain name was
      entered correctly and the DNS A/AAAA record(s) for that domain
      contain(s) the right IP address.

My web server is (include version):
nginx 1.20
tried a couple of nginx.conf changes including allow all, server_name, root, etc.

The operating system my web server runs on is (include version):
Node.js 14 running on 64bit Amazon Linux 2/5.4.4

My hosting provider, if applicable, is:
AWS

I can login to a root shell on my machine (yes or no, or I don't know):
I can, but I use ec2-user and switch to root with sudo -s

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
AWS

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.11.0

Thanks again!

Please use the staging environment for testing.

Also, it seems your yamana.comunica.vc hostname returns different IP addresses every time I resolve the hostname. On which host are you running certbot?

Thanks for your comments Osiris.

Will use staging environment from now on. Thanks.

I was looking exactly at that right now. That subdomain is mapped to an aws route 53 pointing to an S3 bucket.
I'm running certbot over my EC2 instance.

You're using the --nginx plugin, so the nginx webserver on your EC2 instance is being used to validate both the hostnames. But when Let's Encrypt tries to retrieve the token from yamana.comunica.vc, it will connect to a different webserver! So any token provided by the nginx plugin on your EC2 instance for yamana.comunica.vc will be useless.

You could somehow (don't ask me exactly how, as I have no clue about EC2/Route53/AWS/S3 whatsoever) redirect any request for http://yamana.comunica.vc/.well-known/acme-challenge/ to http://yamana.api.comunica.vc/.well-known/acme-challenge/ so the request ends up at the correct webserver.

Also, if you're using Route53 you might be able to use the certbot-dns-route53 DNS plugin. This is probably the easiest way compared to the above redirecting stuff.

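A pre-flight check for the situation Osiris describes, added here as an example; it is not certbot's code and not written by anyone in this thread. It resolves each -d hostname several times (to catch answers that change between lookups, as the S3 hostname did) and compares the result with the addresses that actually reach the nginx host running certbot. The served_ips input is an assumption the operator supplies, and the sample DNS answers are constructed.

```python
import socket
from typing import Callable, Dict, List, Set

Resolver = Callable[[str], List[str]]

def resolve_ipv4(hostname: str) -> List[str]:
    """IPv4 addresses the hostname resolves to: what the ACME server connects to for HTTP-01."""
    infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def preflight_http01(domains: List[str], served_ips: Set[str],
                     resolver: Resolver = resolve_ipv4, lookups: int = 3) -> Dict[str, str]:
    """Decide, per -d domain, whether nginx on *this* host can answer its HTTP-01 challenge.
    served_ips: public addresses at which this nginx is reachable (e.g. the instance's
    Elastic IP). Each name is resolved several times because round-robin endpoints such
    as an S3 website bucket answer with a different address on each lookup."""
    verdicts: Dict[str, str] = {}
    for domain in domains:
        seen: Set[str] = set()
        for _ in range(lookups):
            seen.update(resolver(domain))
        if not seen:
            verdicts[domain] = "no A record: nothing for the ACME server to connect to"
        elif seen <= served_ips:
            verdicts[domain] = "ok: resolves only to this nginx host"
        else:
            foreign = sorted(seen - served_ips)
            verdicts[domain] = (f"not served here: resolves to {foreign}, so a token placed by "
                                "the --nginx plugin is never seen; redirect /.well-known/acme-challenge/ "
                                "to the nginx host or use the certbot-dns-route53 plugin")
    return verdicts

# Constructed sample DNS answers, not real lookups. 52.95.163.103 is the address in the
# thread's error output; 203.0.113.10 and 198.51.100.7 are documentation-range placeholders.
_CONSTRUCTED_ANSWERS = {
    "yamana.api.comunica.vc": [["203.0.113.10"]],
    "yamana.comunica.vc": [["52.95.163.103"], ["198.51.100.7"]],  # alternates like S3 does
}

def constructed_resolver(hostname: str) -> List[str]:
    """Offline stand-in for resolve_ipv4 that rotates through the sample answers."""
    answers = _CONSTRUCTED_ANSWERS.get(hostname, [[]])
    answers.append(answers.pop(0))  # rotate so repeated lookups see every address
    return list(answers[0])

if __name__ == "__main__":
    report = preflight_http01(["yamana.api.comunica.vc", "yamana.comunica.vc"],
                              served_ips={"203.0.113.10"}, resolver=constructed_resolver)
    for name, verdict in report.items():
        print(f"{name}: {verdict}")
```

Run it on the real host with the default resolver and served_ips set to the EC2 instance's public address; a "not served here" verdict before requesting a certificate avoids burning through the rate limit the original post ran into.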

Thanks a lot Osiris. It makes sense. Will try to use it. :+1:

