Hello Let's Encrypt community
I am running certbot certonly --manual. The certificate/key files are generated correctly. The issue is that I have no information regarding the validation step.
I am expecting certbot to provide me the file name and the challenge value I must put in a .well-known folder and serve on port 80, but the command just exits after certificate generation.
It produced this output:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/wowgathering.fr/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/wowgathering.fr/privkey.pem
Your certificate will expire on 2021-08-28. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew all of your
certificates, run "certbot renew"
My web server is (include version):
Nodejs Express (node version is 14.17.0)
The operating system my web server runs on is (include version):
Centos 8
My hosting provider, if applicable, is:
OVH
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot version: 1.15.0 (installed using snap)
You should consider installing/using one already issued...
If I understand your issue, you were expecting to be asked to provide a "string" into a file for a http or dns challenge...
Please have a look at the documentation for the --manual switch you invoked which should shed some light on the situation for you:
The http challenge will ask you to place a file with a specific name and specific content in the /.well-known/acme-challenge/ directory directly in the top-level directory (“web root”) containing the files served by your webserver. In essence it’s the same as the webroot plugin, but not automated.
When using the dns challenge, certbot will ask you to place a TXT DNS record with specific contents under the domain name consisting of the hostname for which you want a certificate issued, prepended by _acme-challenge .
In addition, from where I sit your port 443 is not open to the internet. That will need to be accessible for your cert(s) to work.
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp closed https
Firewall? Maybe. Something is blocking 443.
Hope this helps.
Thank you for your reply @Rip !
Indeed you understand my issue: I am expecting certbot to provide me data in order to be able to do an http challenge.
I looked at this manual documentation, but I am not "asked for the http challenge" (using no option, or the --preferred-challenges http option).
Indeed port 443 is not open. Do you think it could be related to the fact that certbot does not ask for a challenge?
I will try to open it and let you know
My guess is that because you've successfully completed a challenge for your domain name in the past 30 days, you're not being asked to do another one.
Once you have a certificate, you should just be using it rather than trying to get another one. If you're trying to test your manual process, then add --dry-run in order to run tests against the staging environment, and certbot makes sure to use new authorizations there.
@petercooperjr @Osiris from what you are saying I understand that I already validated a challenge successfully. That surprises me because I have never received an acme challenge token to expose.
Ok so I have just re-checked my domain and you are right, the certificate seems to have been validated, I can access the domain through the browser and the lock icon appears. Last time I checked I had the "Not secure" warning but I was on another port, I forgot that I had to use port 443.
Just out of curiosity now that it works, my .well-known folder has never exposed a correct token, how did the validation work?
You might have used the apache, nginx, or standalone authenticator on your first attempt, which takes care of the http-01 challenge process for you, instead of the manual authenticator.