Certbot fails with 404 on server behind Azure app gateway

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: gis-tst.greencollar.com.au

I ran this command: certbot -v certonly --standalone -d gis-tst.greencollar.com.au -d gct-gis-tst.australiaeast.cloudapp.azure.com
It produced this output: 2606:4700:3108::ac42:2b29: Invalid response from https://gis-tst.greencollar.com.au/.well-known/acme-challenge/6nRIYeTEVHsVmFTSNt6YA83jQCbhrbxbHO8iEOr-jdk: 404

My web server is (include version): standalone

The operating system my web server runs on is (include version): standalone

My hosting provider, if applicable, is: Azure

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.7.4

That --standalone method command requires seeing the HTTP request on port 80.

Your domain is currently proxied at Cloudflare. The Cloudflare CDN edge is redirecting http to https. So, unless you are forcing all connections to your origin over HTTP, that --standalone will never see it. And, it is not recommended to force HTTP like that anyway.

Have you considered using the Cloudflare Origin CA cert for your origin server to support HTTPS between the CF edge and your origin?

5 Likes

Hi Mike,

Thanks for your reply.
I have now un-proxied my domain at CloudFlare, but that doesn't seem to have made a difference. I don't understand the option you're talking about here, but I don't know if I can use it as I have to provide certificates for the domains to Esri consultants to configure into the ArcGIS Enterprise application we're deploying. How can I get this to work?
Thanks,
GAM

1 Like

Considering your mixed use of cloudflare and consultants, I suggest you use the DNS-01 authentication instead of HTTP-01.

3 Likes

It would have made SOME difference. What was the actual error message you see now?

Update: And, would expect a non-response to HTTP requests if you only use --standalone. But, there is some sort of gateway in front of it. Are you sure it is passing the Let's Encrypt challenge to Certbot?

curl -i http://gis-tst.greencollar.com.au/.well-known/acme-challenge/Test404
HTTP/1.1 301 Moved Permanently
Server: Microsoft-Azure-Application-Gateway/v2
Location: https://gis-tst.greencollar.com.au/.well-known/acme-challenge/Test404
4 Likes
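The curl check above can be turned into a small pre-flight test. The following is an added example, not code from the thread or from Certbot: it fetches the challenge path over plain HTTP without following redirects and explains what the ACME validator would see (a gateway or CDN redirect to HTTPS, a 404 answered by the gateway itself, or the token served by the challenge responder). The sample response is constructed to mirror the curl output quoted above.

```python
"""Pre-flight check for an HTTP-01 challenge path (added example, not from the thread)."""
import http.client
import re

CHALLENGE_DIR = "/.well-known/acme-challenge/"

def parse_raw_response(raw):
    """Split a 'curl -i' style response into (status_code, headers, body)."""
    head, *rest = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    lines = head.splitlines()
    status = int(lines[0].split()[1])          # "HTTP/1.1 301 Moved Permanently" -> 301
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, rest[0] if rest else ""

def classify(status, headers, body, token):
    """Explain what an ACME validator would see when fetching the token over port 80."""
    location = headers.get("location", "")
    server = headers.get("server", "unknown server")
    if 300 <= status < 400 and location.lower().startswith("https://"):
        # The validator follows the redirect, but the HTTPS side is whatever terminates
        # TLS (gateway/CDN), not a standalone responder listening on port 80.
        return (f"intercepted: {server} redirects the challenge to HTTPS ({location}); "
                "a standalone listener on port 80 never sees the request")
    if status == 404:
        return f"not_reached: {server} answered 404 itself; nothing was forwarded to the challenge responder"
    if status == 200 and body.strip().startswith(token):
        return "ok: key authorization served by the challenge responder"
    return f"unexpected: HTTP {status} from {server}"

def probe(host, token, timeout=10):
    """Live check: GET the challenge path over HTTP, without following redirects."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", CHALLENGE_DIR + token, headers={"Host": host})
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    body = resp.read().decode(errors="replace")
    conn.close()
    return classify(resp.status, headers, body, token)

# Constructed sample mirroring the Azure Application Gateway reply quoted in the thread.
SAMPLE_GATEWAY = ("HTTP/1.1 301 Moved Permanently\r\n"
                  "Server: Microsoft-Azure-Application-Gateway/v2\r\n"
                  "Location: https://gis-tst.greencollar.com.au/.well-known/acme-challenge/Test404\r\n"
                  "\r\n")

if __name__ == "__main__":
    print(classify(*parse_raw_response(SAMPLE_GATEWAY), "Test404"))
```

Run `probe("your.domain.example", "Test404")` against a hostname you control while no challenge responder is running; anything other than a 404 from your own web server means something in front of the origin is answering instead.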

And, you got a cert 2 days ago for that domain name. What was wrong with the way you got that?

3 Likes

Because the cert has to include an Azure domain as a SAN and couldn't use DNS challenge for that.

Not that it has any bearing on your problem...
But I'm curious as to why you would need to also use that name anywhere at all?

4 Likes

Can't you use Azure's own certificate service for app gateway?

Is your [ArcGIS portal] service hosted on Windows or Linux?

You could try Certify The Web (which I develop), on Windows:

  • It has a deployment task option for Azure KeyVault and then you can assign that cert from keyvault to app gateway (I think, haven't tried it directly).
  • You can also use the Deploy to Generic Server task to just export the certificates as files you can give consultants etc, although this process doesn't sound ideal as you need something that can be automated for renewals. The task can copy cert files over SSH/SFTP to a target server and can also run scripts (such as a service restart).
  • If you need multiple domains on different DNS zones in your cert it also has an option under Authorization to have a DNS authorization config per domain/domain match.

However, I can't see you being able to issue a cert for an azure.com subdomain as you don't control that DNS; you could do it using HTTP validation though, if this is a Windows server and you can free up port 80 for http challenges.

There's probably a lot of moving parts here as you have your actual ArcGIS web server but you also have app gateway in front of that (which is where your TLS will terminate and where you primarily need your certificate). It seems like something your consultants should be formulating a solution for, unless they only help with the GIS config.

2 Likes

I don’t know. It’s just a requirement I’m trying to fulfill.

Please explain in more detail:

3 Likes

Actually - it turns out it wasn't and the problematic (internal) domain could be left off the cert.

But now - I have an internal Azure domain that I have to obtain a cert for. It's in the form:
..px.internal.cloudapp.net

What do I need to open/allow so that certbot will work in standalone mode?

The HTTP challenge requests from the Internet must be able to reach the IP resolved from that name.

1 Like

From Microsoft's documentation, https://learn.microsoft.com/en-us/azure/cloud-services/cloud-services-configure-ssl-certificate-portal:

You cannot obtain a TLS/SSL certificate from a certificate authority (CA) for the cloudapp.net domain. You must acquire a custom domain name to use when accessing your service.

So it's not going to happen unless you can get Azure to set up a cert for you.

3 Likes

Thanks for that webprofusion.

Regards,
GAM

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.