Certificate for server that offers only HTTPS

I'm trying to create a certificate for my school's web server. It only supports HTTPS, HTTP connections are routed to a different machine.
So when I send this command:
./letsencrypt-auto certonly --webroot -w /var/www/ -d myserver.de
I get this response:

Failed authorization procedure.
myserver.de (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://myserver.de/.well-known/acme-challenge/YG3iSmO_SvuymJ_QUdGFX8SpEZxNnHI4FgH5btx0EcU [212.71.198.9]: 404

As far as I understand, the script creates a file /var/www/.well-known/acme-challenge/<some random string> and tries to access this file from another server using HTTP. This would work fine if my server used HTTP, but it only responds to HTTPS.

So my question is: How do I make the "let's encrypt" script use HTTPS?

You can’t; the protocol defines this challenge over HTTP. Maybe the tls-sni-01 challenge works for you?

2 Likes

Thank you, your hint helped me a lot. It works now.

You can just add a redirect rule to your other server, redirecting /.well-known/acme-challenge to HTTPS.

Did you actually try your suggestion? I’ve seen reports that it doesn’t work.

Ah, great! This solved my problem.

My webserver only serves HTTPS, so I was wondering why I was always getting a failure trying to create a certificate. This aspect should be added clearly into the doc.

Yes, redirects do work.

1 Like
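The redirect approach confirmed above, written out as an added example (not configuration from any poster in this thread). It assumes both machines run nginx, that the HTTP-only machine answers port 80 for myserver.de, and that the HTTPS machine serves the webroot /var/www/ used in the certonly command; the CA follows the 301 and must end up getting a 200 with the token file from the HTTPS side.

```nginx
# On the machine that receives HTTP (port 80) for myserver.de.
# Only the ACME challenge path is redirected; everything else keeps
# whatever behaviour that server already has.
server {
    listen 80;
    server_name myserver.de;

    location /.well-known/acme-challenge/ {
        # Preserve the full request path (including the token file name)
        # so the CA lands on the exact file letsencrypt-auto wrote.
        return 301 https://myserver.de$request_uri;
    }
}

# On the HTTPS-only machine where letsencrypt-auto --webroot -w /var/www/ runs.
server {
    listen 443 ssl;
    server_name myserver.de;

    # Certificate paths are placeholders; use the site's current certificate
    # (or a self-signed one on first issuance).
    ssl_certificate     /path/to/current/fullchain.pem;
    ssl_certificate_key /path/to/current/privkey.pem;

    location /.well-known/acme-challenge/ {
        # Serve the token file as plain text straight from the webroot.
        root /var/www/;
        default_type text/plain;
        try_files $uri =404;
    }
}
```

Before re-running certonly, confirm the chain by hand: a request to http://myserver.de/.well-known/acme-challenge/test should return 301 to the https URL, and the https URL should return 404 only until the token file exists. This does not help in the situation raised below, where port 80 is blocked entirely rather than served by another machine.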

[quote=“kelunik, post:4, topic:5764, full:true”]
You can just add a redirect rule to your other server, redirecting /.well-known/acme-challenge to HTTPS.
[/quote]

This won’t work if port 80 is blocked and the site is purely 443, though.