I’ve got a CDN set up with DigitalOcean and I manage my domains with GoDaddy. I’ve set up the CDN and created a CNAME of stagingassets.tradiematepro.com.au to point to my DigitalOcean CDN. When I go to create a certificate for the subdomain it returns this error:
I created that certificate with an old server that I had to shut down. Because there’s no cron job that exists anymore it will eventually expire. Sorry I should have included that information.
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Do you run your client on that IP address, 205.185.216.42?
And there is no Server header. Apache? Nginx? So --apache or --nginx may not work. To use webroot, you must be able to skip that standard message. Or you have to configure the two directories
What’s the ACME client and command you have used?
sudo certbot --expand -d staging.tradiematepro.com.au -d stagingassets.tradiematepro.com.au
@JuergenAuer My main staging site runs on staging.tradiematepro.com.au. I’m testing this whole process with my testing site, then I’ll migrate to my main site.
I ran this command:
sudo certbot --expand -d staging.tradiematepro.com.au -d stagingassets.tradiematepro.com.au
It produced this output:
- The following errors were reported by the server:
Domain: stagingassets.tradiematepro.com.au
Type: unauthorized
Detail: Invalid response from
http://stagingassets.tradiematepro.com.au/.well-known/acme-challenge/6B4ePeB_wwsJ5FiVlOE4Uk2-BBdRDs3L6ZH-eIUtNC8
[205.185.216.10]: "<?xml version=\"1.0\"
encoding=\"UTF-8\"?><Error><Code>AccessDenied</Code><BucketName>stagingassets</BucketName><RequestId>tx0000000"
My web server is (include version):
Apache/2.4.29
The operating system my web server runs on is (include version):
Ubuntu 18.04
My hosting provider, if applicable, is:
GoDaddy
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.31.0
That subdomain is running on DigitalOcean Spaces, an object storage service, right?
The requests are being answered by the Spaces servers instead of the computer you’re running Certbot on.
I don’t understand why you’re trying to create a certificate for that subdomain – as I understand it, Spaces can automatically issue and renew (Let’s Encrypt) certificates on its own.
There should be various ways to issue your own certificates, manually or in an automated way, but I don’t understand what you would do with a certificate.
DigitalOcean Spaces creates a certificate for you if you use DigitalOcean to manage DNS, but I can’t because I’m using GoDaddy and sadly it needs to stay that way for now.
DigitalOcean has the option to bring your own certificate for my subdomain. Hence the reason I’m trying to create one myself.
Oh. I’m surprised DigitalOcean can’t do it if you’re using a different DNS provider (with HTTP or TLS-ALPN validation).
The simple, very manual thing you can do is use --manual instead of --webroot, and manually upload the validation file to Spaces (and then delete it afterwards).
The complicated, automated thing to do is to write a Certbot plugin or hooks to upload (and delete) the validation file using the Spaces API, and then upload the new certificate using DigitalOcean’s API for that.
Edit: I forgot, you weren’t using --webroot. You were using (implicitly) --apache or --nginx.
In any case, use sudo certbot certonly --manual.
I’d suggest using two different certificates, one for staging.tradiematepro.com.au using the apache or nginx plugin, and one for stagingassets.tradiematepro.com.au using certonly and the manual plugin.
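As an added example (not code from the thread, from Certbot or from DigitalOcean), here is the hook pair that the automated route in the post above describes, for certbot's --manual-auth-hook and --manual-cleanup-hook: it writes the HTTP-01 validation body into the Space under .well-known/acme-challenge/<token> so the Spaces servers answer the challenge instead of returning AccessDenied, then removes it afterwards. The Space name comes from the error output; the region, the use of the AWS CLI (Spaces is S3-compatible) and the S3_CMD override for dry runs are assumptions.

```shell
#!/bin/sh
# Certbot manual hooks for an HTTP-01 challenge served from a DigitalOcean Space.
# Assumed (not from the thread): Space "stagingassets", region SPACES_REGION, an
# AWS CLI configured with a Spaces access key, and S3_CMD overridable (e.g. "echo")
# for a dry run. Usage, adding hooks to the certonly --manual command suggested above:
#   certbot certonly --manual --preferred-challenges http \
#     --manual-auth-hook "/path/hooks.sh auth" \
#     --manual-cleanup-hook "/path/hooks.sh cleanup" \
#     -d stagingassets.tradiematepro.com.au
SPACE="${SPACE:-stagingassets}"
SPACES_REGION="${SPACES_REGION:-REGION-PLACEHOLDER}"
ENDPOINT="https://${SPACES_REGION}.digitaloceanspaces.com"
S3_CMD="${S3_CMD:-aws s3}"

# Object key Let's Encrypt fetches: /.well-known/acme-challenge/<token>.
challenge_key() {
    token="$1"
    # An ACME token is base64url (A-Z a-z 0-9 - _); refuse anything else so an
    # unexpected CERTBOT_TOKEN value can never become a stray object path.
    case "$token" in
        ''|*[!A-Za-z0-9_-]*) echo "invalid token: $token" >&2; return 1 ;;
    esac
    printf '.well-known/acme-challenge/%s\n' "$token"
}

# Certbot exports CERTBOT_DOMAIN, CERTBOT_TOKEN and CERTBOT_VALIDATION to the auth hook.
auth_hook() {
    key="$(challenge_key "$CERTBOT_TOKEN")" || return 1
    # The validation body must be served byte-for-byte, publicly readable, as text/plain.
    printf '%s' "$CERTBOT_VALIDATION" | $S3_CMD cp - "s3://${SPACE}/${key}" \
        --endpoint-url "$ENDPOINT" --acl public-read --content-type text/plain
}

# The cleanup hook gets the same variables; remove the object once validation is done.
cleanup_hook() {
    key="$(challenge_key "$CERTBOT_TOKEN")" || return 1
    $S3_CMD rm "s3://${SPACE}/${key}" --endpoint-url "$ENDPOINT"
}

case "${1:-}" in
    auth)    auth_hook ;;
    cleanup) cleanup_hook ;;
esac
```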