Certificate for server that offers only HTTPS


#1

I’m trying to create a certificate for my school’s web server. It only supports HTTPS, HTTP connections are routed to a different machine.
So when I send this command:
./letsencrypt-auto certonly --webroot -w /var/www/ -d myserver.de
I get this response:

Failed authorization procedure.
myserver.de (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://myserver.de/.well-known/acme-challenge/YG3iSmO_SvuymJ_QUdGFX8SpEZxNnHI4FgH5btx0EcU [212.71.198.9]: 404

As far as I understand, the script creates a file /var/www/.well-known/acme-challenge/<some random string> and tries to access this file from another server using HTTP. This would work fine if my server used HTTP, but it only responds to HTTPS.

So my question is: How do I make the “let’s encrypt”-script use HTTPS?


#2

You can’t, the protocol defines this challenge to HTTP. Maybe the tls-sni-01 challenge works for you?


#3

Thank you, your hint helped me a lot. It works now.


#4

You can just add a redirect rule to your other server, redirecting /.well-known/acme-challenge to HTTPS.


#5

Did you actually try your suggestion? I’ve seen reports that it doesn’t work.


#6

Ah, great! This solved my problem.

My webserver only serves HTTPS, so I was wondering why I was always getting a failure trying to create a certificate. This aspect should be added clearly into the doc.


#7

Yes, redirects do work.


#8

[quote=“kelunik, post:4, topic:5764, full:true”]
You can just add a redirect rule to your other server, redirecting /.well-known/acme-challenge to HTTPS.
[/quote]

This won’t work if port 80 is blocked and the site is purely 443, though.
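The redirect approach from posts #4 and #7, written out as an added nginx example that is not part of this thread: it assumes nginx on both machines, the host name myserver.de and the webroot /var/www from post #1, and placeholder certificate paths on the HTTPS host.

```nginx
# Machine that answers port 80 for myserver.de (the "other machine" from post #1).
# Only the ACME challenge path is redirected; all other HTTP handling is untouched.
server {
    listen 80;
    server_name myserver.de;

    # Let's Encrypt's http-01 validator follows redirects, but only to http: or
    # https: URLs on ports 80 or 443, and it does not verify the certificate
    # it meets after the redirect, so the target must be the plain https://host form.
    location /.well-known/acme-challenge/ {
        return 301 https://myserver.de$request_uri;
    }

    # ... existing HTTP configuration for this host stays here
}

# myserver.de itself, which listens on 443 only.
server {
    listen 443 ssl;
    server_name myserver.de;
    # Placeholder paths: whatever certificate the host already serves is fine
    # for the first issuance, since the validator skips verification on redirect.
    ssl_certificate     /etc/ssl/myserver.de.crt;
    ssl_certificate_key /etc/ssl/myserver.de.key;

    # Serve the token files that `certonly --webroot -w /var/www/` writes to
    # /var/www/.well-known/acme-challenge/ as plain text: no auth, no rewrite,
    # and a clean 404 (rather than the site's error page) for unknown tokens.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www;
        default_type text/plain;
        try_files $uri =404;
    }

    location / {
        # ... existing site configuration
    }
}
```

As post #8 notes, this only helps when something reachable on port 80 can issue the redirect; if port 80 is blocked entirely, http-01 cannot succeed and a different challenge type is needed.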