Certbot fails when using local csr

I am using certbot on a box loaded with Ubuntu 18.04. I can issue the following command:

certbot certonly --standalone

and after starting the process I am prompted for my domain. Entering the domain as prompted, the process continues, then displays the domain with a directory path and file name which it appears to create. The path/filename is characterized by mydomainname/well-known/acme-challenge/<lengthy_hex_character_string>.

There is a second, even longer hex string which the instructions indicate the user should copy and paste into a file, with the <lengthy_hex_character_string> referenced above as the filename.

Dutifully following the instructions I create the path off of my domain on the hosts site and upload the named file created with long hex string in the folder specified.

Continuing, certbot seems to find the hex string file in the location, creates the signed certificate and stows it on my local machine. It posts the directories where I can find the key and signed certificate.

I am a happy camper except for I did not use the Certificate Signing Request (CSR) produced with 'OpenSSL' in house. So going back, the string '--csr' is added along with the location/filename of the CSR.

Running certbot with the added switch '--csr' and location info/filename, certbot takes off, then the familiar prompt asking for the domain name appears. Entering the domain name and resuming the signed certificate process gives the error message:

Failed authorization procedure. networksecurityassoc.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://networksecurityassoc.com/.well-known/acme-challenge/SAgofOcv7255VCMK8gvBrGtX0TQWZ5LEblB3oW6hmvE: q%!(EXTRA string=

404 Not Found

404 Not Found

Hi @Wilson

you have two certificates, created today.

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:networksecurityassoc.com&lu=cert_search

So two times the validation worked, the 3rd time you got an error.

Can you share your complete command?

Yes, I have the two successful cert creations. However management insists on using cert and keys created in house so that is why the later attempts used the ‘- -csr’ switch in an attempt to use the ‘csr’ generated with ‘openssl’. Reason - Paranoia

But if you use certbot locally (and not one of these online clients), then the private key is created and stored locally.

So this is not a security problem.

The command used the 3rd time was:

certbot certonly - - standalone - - csr /home/store/networksecurityassoc.csr

As Juergen says, certbot by default creates the keys in house (it creates a CSR for you; you can find it in /etc/letsencrypt/csr), and they're never sent to Let's Encrypt. But if you nonetheless want to use the CSR you created separately, certbot doesn't manage the cert/key files any more, and you'll need to reconfigure your web server to use the private key corresponding to that CSR, along with the certificate that was created.

Is this a typo, or did you forget the . before well-known in the path as well?


In the typed text in the message I failed to enter the ‘.’

The actual cut and paste returned shows the ‘.’ was entered. Looking through the history of the command line entries it also reflected the ‘.’ was entered.

Detail: Invalid response from
http://networksecurityassoc.com/.well-known/acme-challenge/SAgofOcv7255VCMK8gvBrGtX0TQWZ5LEblB3oW6hmvE:

Thanks for pointing out the possible glitch.

Is this a typo - - with a space? Correct is

certbot certonly --standalone --csr /home/store/networksecurityassoc.csr

no space between the hyphen and hyphen / first character.

--standalone creates its own webserver

https://certbot.eff.org/docs/using.html#certbot-command-line-options

Use standalone mode to obtain a certificate if you don’t want to use (or don’t currently have) existing server software. The standalone plugin does not rely on any other server software running on the machine where you obtain the certificate.

so the standard webroot should be ignored. So this

Detail: Invalid response from

isn't really a problem.

Perhaps you should use your existing webserver (+ certonly) with the --webroot option.
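An added example, not code from the thread or from certbot: it scripts the in-house flow the replies describe (a key and CSR generated with openssl, the corrected `--csr` invocation with no space in `--`) and adds the check a practitioner wants afterwards, that the key, the CSR and the certificate certbot returned all carry the same public key, since with `--csr` certbot no longer pairs the certificate with a key for you. The domain and file paths are placeholders.

```shell
#!/bin/sh
# Added example: in-house key + CSR for certbot --csr, plus a key/CSR/cert
# consistency check. Assumes openssl on PATH; certbot is only needed for
# issue_cert. Domain and paths below are placeholders, not the thread's.
set -eu

# pubkey_of FILE: print the PEM public key held in a private key, a CSR or
# a certificate (all three normalise to the same SubjectPublicKeyInfo PEM).
pubkey_of() {
    case "$(head -n1 "$1")" in
        *"CERTIFICATE REQUEST"*) openssl req  -in "$1" -noout -pubkey ;;
        *"CERTIFICATE"*)         openssl x509 -in "$1" -noout -pubkey ;;
        *)                       openssl pkey -in "$1" -pubout ;;
    esac
}

# same_key A B: exit 0 if both files carry the same public key, 1 otherwise.
same_key() {
    [ "$(pubkey_of "$1")" = "$(pubkey_of "$2")" ]
}

# make_csr KEY CSR DOMAIN: fresh 2048-bit RSA key (stays on this box) and a
# CSR for DOMAIN that is all Let's Encrypt ever sees.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -subj "/CN=$3" 2>/dev/null
}

# issue_cert CSR: the corrected command from the thread. With --csr, certbot
# does not manage the files; the cert and chain land in the working
# directory and the web server must be pointed at them and at the key.
issue_cert() {
    certbot certonly --standalone --csr "$1"
}

# Usage (placeholders): make_csr /home/store/example.key \
#     /home/store/example.csr example.invalid
#   issue_cert /home/store/example.csr
#   same_key /home/store/example.key ./0000_cert.pem && echo "cert matches key"
```

Run `same_key` against the key and the issued certificate before reconfiguring the web server; a mismatch means the certificate was issued for a different CSR than the key you are about to deploy.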

Thanks to all for your input.

Problem solved. Need Cert with Organizational Validation. Let's Encrypt provides Domain Validation only.

Regards

