Creating new cert for another machine - do I want manual mode?


#1

Reading through the how-to, etc., but I am starting from square 1 and getting an error. I have a bunch of Apache servers, but have been moving to loading the certs onto the load balancers (local and AWS ELB) for ease and speed.

I assume Let’s Encrypt will allow the same if I do the generation in manual mode, right? If so, I am trying to do a test API server I have. Note I plan to do the cert generation and such on a single machine in AWS outside of everything, then just copy stuff over. So on an Ubuntu 14.04 LTS, git clone works fine, then I issue:
./letsencrypt-auto certonly --manual
I get a popup asking for my domain, I add that, then I’m prompted with an auth error. The letsencrypt.log shows:

FailedChallenges: Failed authorization procedure. api.weatherflow.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://api.weatherflow.com/.well-known/acme-challenge/i7PfKSQ1LH8pgfyPJtg2KvLcJ44DO0hTGG7nldkiknc [38.101.125.181]: 404

Now, most of that makes sense, as that info is not on there; it’s in a load-balanced environment. So, to come back around full circle to the question: I want to use a standalone machine to hopefully create the CSR request, push it out to Let’s Encrypt, which gives back the CRT file.

I will manually install on the servers (or better, the load balancers), but I’m trying to see if I am starting down the right path.

Thanks.


#2

You’re on the right track. You’ll just need to make sure you can get the contents of the “.well-known” directory on the servers somehow so that it can be validated. Since you’re in manual mode, any method to get the validation files up (FTP, direct editing on the server) will work.

If you can’t do the web-based validation, you’ll probably need to wait until the DNS-based validation rolls out if you want to use Let’s Encrypt.
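Added example (not from either poster): a small Python preflight check for exactly the situation in #1. Before asking the CA to validate, it fetches the challenge file directly from every backend behind the load balancer, with the Host header set to the public domain, so a missing file on any one backend shows up as a local 404 instead of the failed-authorization in the log above. The backend addresses, token and key-authorization string are placeholders; the real token and file contents are what manual mode tells you to publish.

```python
import http.client
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Path the CA fetches for an http-01 challenge (seen in the failing URL above).
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


@dataclass
class CheckResult:
    backend: str
    status: Optional[int]   # None when the TCP connection itself failed
    ok: bool
    detail: str


def evaluate_response(status: int, body: str, expected_key_auth: str) -> Tuple[bool, str]:
    """Decision logic, kept pure so it can be tested offline: the challenge is
    served correctly only if the backend answers 200 with the exact key
    authorization (trailing whitespace tolerated, as the CA tolerates it)."""
    if status != 200:
        return False, f"HTTP {status}: file missing on this backend (the CA would see this as the 404 above)"
    if body.strip() != expected_key_auth:
        return False, "HTTP 200 but body does not match the key authorization"
    return True, "challenge file served correctly"


def check_backend(backend_host: str, port: int, domain: str, token: str,
                  expected_key_auth: str, timeout: float = 5.0) -> CheckResult:
    """Fetch the challenge file from one backend directly, bypassing the load
    balancer, while presenting the public domain in the Host header so
    name-based virtual hosts route the request the same way the CA's will."""
    conn = http.client.HTTPConnection(backend_host, port, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": domain})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        ok, detail = evaluate_response(resp.status, body, expected_key_auth)
        return CheckResult(backend_host, resp.status, ok, detail)
    except OSError as exc:
        return CheckResult(backend_host, None, False, f"connection failed: {exc}")
    finally:
        conn.close()


def all_backends_ready(results: List[CheckResult]) -> bool:
    """Only request validation when every backend passes; the load balancer
    may send the CA's single request to any of them."""
    return bool(results) and all(r.ok for r in results)


if __name__ == "__main__":
    # Placeholder backends, token and key authorization (not real values).
    backends = ["10.0.1.10", "10.0.1.11"]
    for host in backends:
        r = check_backend(host, 80, "api.example.com", "TOKEN_PLACEHOLDER", "TOKEN_PLACEHOLDER.THUMBPRINT_PLACEHOLDER")
        print(f"{r.backend}: {'OK' if r.ok else 'FAIL'} ({r.detail})")
```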