Elastic Beanstalk node challenge failing

My domain is:
admin-api-dev.naguras.com

I ran this command:
sudo /opt/certbot/certbot-auto certonly --debug --non-interactive --email {EMAIL} --agree-tos --authenticator webroot --webroot-path /var/www/acme-challenge --domains {CERTDOMAIN} --keep-until-expiring --staging --installer nginx

It produced this output:
Domain: admin-api-dev.naguras.com
Type: connection
Detail: Fetching
https://admin-api-dev.naguras.com/.well-known/acme-challenge/Vop2JNeShIRTmUoCwO9embL6sjnwcba9-_tl5G1A2AQ:
Connection refused

My web server is (include version):
nginx (don’t know version)

The operating system my web server runs on is (include version):
64bit Amazon Linux/4.9.2

My hosting provider, if applicable, is:
AWS Elastic Beanstalk

I can login to a root shell on my machine (yes or no, or I don’t know):
no

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Don’t know. I guess the latest, because I downloaded it today.

Below is my .ebextensions config file.
The strange thing is that it’s doing the challenge via https, but the certificate is not yet installed.
No idea where the https is coming from and why it’s not using http.

I’ve been trying to solve this for two days and I really don’t know what else to try.

CERTDOMAIN = admin-api-dev.naguras.com
EMAIL = my email address

# (!) Based on : https://gist.github.com/tony-gutierrez/198988c34e020af0192bab543d35a62a
# Dont forget to set the env variable "CERTDOMAIN" and "EMAIL"
# Also note that this config is using the LetsEncrypt staging server, remove the flag when ready!

Resources:
  sslSecurityGroupIngress: 
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

files:

  # The Nginx config forces https, and is meant as an example only. 
  /etc/nginx/conf.d/000_http_redirect_custom.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      server {
        listen 8080;
        return 301 https://$host$request_uri;
      }
  # Allow verification to perform the challenge
  /etc/nginx/conf.d/allow_LetsEncrypt_verification.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      server {
        listen 8080;
        location ~ /.well-known/  {
            root /var/www/acme-challenge/;
        }
      }    
  # The Nginx config forces https, and is meant as an example only. 
  /etc/nginx/conf.d/https_custom.pre:
    mode: "000644"
    owner: root
    group: root
    content: |
      # HTTPS server
      server {
        listen       443 default ssl;
        server_name  localhost;
        error_page  497 https://$host$request_uri;
        
        ssl_certificate      /etc/letsencrypt/live/ebcert/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/ebcert/privkey.pem;
        ssl_session_timeout  5m;
        ssl_protocols  TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_prefer_server_ciphers   on;
        if ($ssl_protocol = "") {
          rewrite ^ https://$host$request_uri? permanent;
        }
        location ~ ^/(lib/|img/) {
          root /var/app/current/public;
          access_log off;
        }
        location / {
            proxy_pass  http://nodejs;
            proxy_set_header   Connection "";
            proxy_http_version 1.1;
            proxy_set_header        Host            $host;
            proxy_set_header        X-Real-IP       $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        Upgrade         $http_upgrade;
            proxy_set_header        Connection      "upgrade";
        }
      }
packages: 
  yum:
    epel-release: [] 

container_commands:
  10_installcertbot:
    command: "mkdir -p /opt/certbot && wget https://dl.eff.org/certbot-auto -O /opt/certbot/certbot-auto"
  20_Setpermissions:
    command: "sudo chown root /opt/certbot/certbot-auto;sudo chmod 0755 /opt/certbot/certbot-auto"
  30_createwebrootpath:
    command: "sudo mkdir -p /var/www/acme-challenge/"  
  40_getcertwebrootmode:
    command: "sudo /opt/certbot/certbot-auto certonly --debug --non-interactive --email ${EMAIL} --agree-tos --authenticator webroot --webroot-path /var/www/acme-challenge --domains ${CERTDOMAIN} --keep-until-expiring --staging --installer nginx"
  50_link:
    command: "sudo ln -sf /etc/letsencrypt/live/${CERTDOMAIN} /etc/letsencrypt/live/ebcert"
  60_config:
    command: "sudo mv /etc/nginx/conf.d/https_custom.pre /etc/nginx/conf.d/https_custom.conf"

Hi @eric-naguras

I don't see a connection refused, instead, there is a timeout ( https://check-your-website.server-daten.de/?q=admin-api-dev.naguras.com ):

Domainname (IP) | Http-Status | redirect | Sec. | G
• http://admin-api-dev.naguras.com/ (3.220.31.130) | 301 | https://admin-api-dev.naguras.com/ | 0.230 | A
• https://admin-api-dev.naguras.com/ (3.220.31.130) | -14 Timeout - The operation has timed out | | 10.027 | T
• http://admin-api-dev.naguras.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (3.220.31.130) | 301 | https://admin-api-dev.naguras.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.224 | A
  Visible Content: 301 Moved Permanently nginx/1.14.1
• https://admin-api-dev.naguras.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | -14 Timeout - The operation has timed out | | 10.026 | T

But you have no older certificates, so there is no correct https configuration.

So you have two options:

  • remove the redirect http -> https, then the normal http-01 validation without redirect should work (or)
  • create a self signed certificate and use that one time to create the first Letsencrypt certificate

But a temporary deactivation of that rule should be enough.

Wow,
Thanks for the swift reply.
I’m trying to disable the redirect now.

It’s still doing the challenge via https.
But now I get a timeout in the log.

- The following errors were reported by the server:
  
  Domain: admin-api-dev.naguras.com
  Type:   connection
  Detail: Fetching
  https://admin-api-dev.naguras.com/.well-known/acme-challenge/mrPwY-YTmQwZROrb0EY_nOxZQH-pdvWxyDb-97n6HUo:
  Timeout during connect (likely firewall problem)

My config file is now:

# (!) Based on : https://gist.github.com/tony-gutierrez/198988c34e020af0192bab543d35a62a
# Dont forget to set the env variable "CERTDOMAIN" and "EMAIL"
# Also note that this config is using the LetsEncrypt staging server, remove the flag when ready!

files:

  # Allow verification to perform the challenge
  /etc/nginx/conf.d/allow_LetsEncrypt_verification.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      server {
        listen 8080;
        location ~ /.well-known/  {
            root /var/www/acme-challenge/;
        }
      }    

packages: 
  yum:
    epel-release: [] 

container_commands:
  10_installcertbot:
    command: "mkdir -p /opt/certbot && wget https://dl.eff.org/certbot-auto -O /opt/certbot/certbot-auto"
  20_Setpermissions:
    command: "sudo chown root /opt/certbot/certbot-auto;sudo chmod 0755 /opt/certbot/certbot-auto"
  30_createwebrootpath:
    command: "sudo mkdir -p /var/www/acme-challenge/"  
  40_getcertwebrootmode:
    command: "sudo /opt/certbot/certbot-auto certonly --debug --non-interactive --email ${EMAIL} --agree-tos --authenticator webroot --webroot-path /var/www/acme-challenge --domains ${CERTDOMAIN} --keep-until-expiring --staging --installer nginx"
  50_link:
    command: "sudo ln -sf /etc/letsencrypt/live/${CERTDOMAIN} /etc/letsencrypt/live/ebcert"
  60_config:
    command: "sudo mv /etc/nginx/conf.d/https_custom.pre /etc/nginx/conf.d/https_custom.conf"

There is a redirect http -> https. And https doesn't answer.

Remove the redirect, then recheck your domain to see if the redirect is gone: https://check-your-website.server-daten.de/?q=admin-api-dev.naguras.com

Thanks.
I’ll try to remove the redirect tomorrow.


After another whole day of struggle and 50+ deploys I’m not getting anywhere.

I created a separate EB app and environment for this because my git repository is getting too polluted.

I created a domain ssl-test.naguras.com that points to ssltest-env.mmxzzbys7m.us-east-1.elasticbeanstalk.com

This works and both domains return “Hello World” when queried in the browser.

The content of the config file in .ebextensions is:

# (!) Based on : https://gist.github.com/tony-gutierrez/198988c34e020af0192bab543d35a62a
# Dont forget to set the env variable "CERTDOMAIN" and "EMAIL"
# Also note that this config is using the LetsEncrypt staging server, remove the flag when ready!

Resources:
  sslSecurityGroupIngress: 
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

files:

  # Allow verification to perform the challenge
  /etc/nginx/conf.d/allow_LetsEncrypt_verification.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      server {
        listen 8080;
        location ~ /.well-known/acme-challenge/ {
          root /var/www/acme-challenge/;
        }
      }  
  
packages: 
  yum:
    epel-release: [] 

container_commands:
  10_installcertbot:
    command: "sudo mkdir -p /opt/certbot && wget https://dl.eff.org/certbot-auto -O /opt/certbot/certbot-auto"
  20_Setpermissions:
    command: "sudo chown root /opt/certbot/certbot-auto;sudo chmod 0755 /opt/certbot/certbot-auto"
  30_createwebrootpath:
    command: "sudo mkdir -p /var/www/acme-challenge"  
  40_getcertwebrootmode:
    command: "sudo /opt/certbot/certbot-auto certonly --debug --non-interactive --email ${EMAIL} --agree-tos --authenticator webroot --webroot-path /var/www/acme-challenge --domains ${CERTDOMAIN} --keep-until-expiring --staging --installer nginx"
  50_config:
    command: "sudo mv /etc/nginx/conf.d/https_custom.pre /etc/nginx/conf.d/https_custom.conf"
  60_link:
    command: "sudo ln -sf /etc/letsencrypt/live/${CERTDOMAIN} /etc/letsencrypt/live/ebcert"

and the log file says this:

[2019-06-23T11:54:25.752Z] INFO  [2971]  - [Application update app-v1_0_11-190623_185330@11/AppDeployStage0/AppDeployPreHook/60config_generate.sh] : Starting activity...
[2019-06-23T11:54:27.365Z] INFO  [2971]  - [Application update app-v1_0_11-190623_185330@11/AppDeployStage0/AppDeployPreHook/60config_generate.sh] : Completed activity. Result:
  + /opt/elasticbeanstalk/containerfiles/ebnode.py --action generate-config
  Generating modifications to /etc/nginx/nginx.conf
  Generating reverse proxy settings
[2019-06-23T11:54:27.365Z] INFO  [2971]  - [Application update app-v1_0_11-190623_185330@11/AppDeployStage0/AppDeployPreHook] : Completed activity. Result:
  Successfully execute hooks in directory /opt/elasticbeanstalk/hooks/appdeploy/pre.
[2019-06-23T11:54:27.365Z] INFO  [2971]  - [Application update app-v1_0_11-190623_185330@11/AppDeployStage0/EbExtensionPostBuild] : Starting activity...
[2019-06-23T11:54:27.748Z] INFO  [2971]  - [Application update app-v1_0_11-190623_185330@11/AppDeployStage0/EbExtensionPostBuild/Infra-EmbeddedPostBuild] : Starting activity...
[2019-06-23T11:54:27.752Z] INFO  [2971]  - [Application update app-v1_0_11-190623_185330@11/AppDeployStage0/EbExtensionPostBuild/Infra-EmbeddedPostBuild/postbuild_0_ssl_test] : Starting activity...
[2019-06-23T11:54:28.584Z] INFO  [2971]  - [Application update app-v1_0_11-190623_185330@11/AppDeployStage0/EbExtensionPostBuild/Infra-EmbeddedPostBuild/postbuild_0_ssl_test/Command 10_installcertbot] : Starting activity...
[2019-06-23T11:54:28.702Z] INFO  [2971]  - [Application update app-v1_0_11-190623_185330@11/AppDeployStage0/EbExtensionPostBuild/Infra-EmbeddedPostBuild/postbuild_0_ssl_test/Command 10_installcertbot] : Completed activity. Result:
  --2019-06-23 11:54:28--  https://dl.eff.org/certbot-auto
  Resolving dl.eff.org (dl.eff.org)... 151.101.248.201, 2a04:4e42:3b::201
  Connecting to dl.eff.org (dl.eff.org)|151.101.248.201|:443... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 68023 (66K) [application/octet-stream]
  Saving to: '/opt/certbot/certbot-auto'

  0K .......... .......... .......... .......... .......... 75% 59.2M 0s
  50K .......... ......                                     100%  252M=0.001s

  2019-06-23 11:54:28 (73.0 MB/s) - '/opt/certbot/certbot-auto' saved [68023/68023]


[2019-06-23T11:54:29.530Z] INFO  [2971]  - [Application update app-v1_0_11-190623_185330@11/AppDeployStage0/EbExtensionPostBuild/Infra-EmbeddedPostBuild/postbuild_0_ssl_test/Command 20_Setpermissions] : Starting activity...
[2019-06-23T11:54:29.541Z] INFO  [2971]  - [Application update app-v1_0_11-190623_185330@11/AppDeployStage0/EbExtensionPostBuild/Infra-EmbeddedPostBuild/postbuild_0_ssl_test/Command 20_Setpermissions] : Completed activity.
[2019-06-23T11:54:30.374Z] INFO  [2971]  - [Application update app-v1_0_11-190623_185330@11/AppDeployStage0/EbExtensionPostBuild/Infra-EmbeddedPostBuild/postbuild_0_ssl_test/Command 30_createwebrootpath] : Starting activity...
[2019-06-23T11:54:30.380Z] INFO  [2971]  - [Application update app-v1_0_11-190623_185330@11/AppDeployStage0/EbExtensionPostBuild/Infra-EmbeddedPostBuild/postbuild_0_ssl_test/Command 30_createwebrootpath] : Completed activity.
[2019-06-23T11:54:31.210Z] INFO  [2971]  - [Application update app-v1_0_11-190623_185330@11/AppDeployStage0/EbExtensionPostBuild/Infra-EmbeddedPostBuild/postbuild_0_ssl_test/Command 40_getcertwebrootmode] : Starting activity...
[2019-06-23T11:54:34.136Z] INFO  [2971]  - [Application update app-v1_0_11-190623_185330@11/AppDeployStage0/EbExtensionPostBuild/Infra-EmbeddedPostBuild/postbuild_0_ssl_test/Command 40_getcertwebrootmode] : Activity execution failed, because: Saving debug log to /var/log/letsencrypt/letsencrypt.log
  Plugins selected: Authenticator webroot, Installer nginx
  Obtaining a new certificate
  Performing the following challenges:
  http-01 challenge for ssl-test.naguras.com
  Using the webroot path /var/www/acme-challenge for all unmatched domains.
  Waiting for verification...
  Challenge failed for domain ssl-test.naguras.com
  http-01 challenge for ssl-test.naguras.com
  Cleaning up challenges
  Exiting abnormally:
  Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
  sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1379, in main
  return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1262, in certonly
  lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 120, in _get_and_save_cert
  lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 406, in obtain_and_enroll_certificate
  cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 349, in obtain_certificate
  orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 385, in _get_order_and_authorizations
  authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 90, in handle_authorizations
  self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 154, in _poll_authorizations
  raise errors.AuthorizationError('Some challenges have failed.')
  AuthorizationError: Some challenges have failed.
  Please see the logfiles in /var/log/letsencrypt for more details.
  IMPORTANT NOTES:
  - The following errors were reported by the server:

  Domain: ssl-test.naguras.com
  Type:   unauthorized
  Detail: Invalid response from
  http://ssl-test.naguras.com/.well-known/acme-challenge/d1y452Gx9qyL_xh-qFNkCeeZL5Kg5oR55EWkbLKGRAM
  [3.93.250.159]: "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta
  charset=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Cannot
  GET /.well-known/"

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address.
   (ElasticBeanstalk::ExternalInvocationError)


[2019-06-23T11:54:34.136Z] INFO  [2971]  - [Application update app-v1_0_11-190623_185330@11/AppDeployStage0/EbExtensionPostBuild/Infra-EmbeddedPostBuild/postbuild_0_ssl_test/Command 40_getcertwebrootmode] : Activity failed.
[2019-06-23T11:54:34.136Z] INFO  [2971]  - [Application update app-v1_0_11-190623_185330@11/AppDeployStage0/EbExtensionPostBuild/Infra-EmbeddedPostBuild/postbuild_0_ssl_test] : Activity failed.
[2019-06-23T11:54:34.136Z] INFO  [2971]  - [Application update app-v1_0_11-190623_185330@11/AppDeployStage0/EbExtensionPostBuild/Infra-EmbeddedPostBuild] : Activity failed.
[2019-06-23T11:54:34.158Z] INFO  [2971]  - [Application update app-v1_0_11-190623_185330@11/AppDeployStage0/EbExtensionPostBuild] : Activity failed.
[2019-06-23T11:54:34.158Z] INFO  [2971]  - [Application update app-v1_0_11-190623_185330@11/AppDeployStage0] : Activity failed.
[2019-06-23T11:54:34.158Z] INFO  [2971]  - [Application update app-v1_0_11-190623_185330@11] : Completed activity. Result:
  Application update - Command CMD-AppDeploy failed

Below is a list of the files in /etc/nginx/conf.d, so the config files made it to the server.

[ec2-user@ip-172-31-92-198 ~]$ sudo ls -al /etc/nginx/conf.d
total 36
drwxr-xr-x 2 root root 4096 Jun 23 10:59 .
drwxr-xr-x 4 root root 4096 Jun 23 10:42 ..
-rw-r--r-- 1 root root 1351 Jun 23 09:56 00_elastic_beanstalk_proxy.conf
-rw-r--r-- 1 root root  111 Jun 23 10:59 allow_LetsEncrypt_verification.conf
-rw-r--r-- 1 root root  136 Jun 23 10:27 allow_LetsEncrypt_verification.conf.bak
-rw-r--r-- 1 root root 1204 Jun 23 10:50 https_custom.conf
-rw-r--r-- 1 root root 1022 Jun 23 10:59 https_custom.pre
-rw-r--r-- 1 root root 1022 Jun 23 10:27 https_custom.pre.bak
-rw-r--r-- 1 root root  283 Dec 13  2018 virtual.conf

If a webroot command doesn't work, your configuration is buggy.

Remove all things not required.

Why is there a port 8080? Letsencrypt checks port 80.

Use the normal webroot of your port 80.

Create the two subdirectories

yourWebroot/.well-known/acme-challenge

and put a file there (file name 1234), then try to load that file via the browser.

http://ssl-test.naguras.com/.well-known/acme-challenge/1234
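The check described above, automated as an added preflight script (not from the thread or from certbot): it writes a throwaway token into the webroot and fetches it over plain HTTP on port 80 without following redirects, so both failure modes seen in this thread (a 301 to https that never answers, and an app "Cannot GET" page served instead of the file) are reported as such. Assumes curl is installed and that the webroot path and domain are passed as arguments.

```shell
#!/bin/sh
# Added preflight check for http-01 webroot validation (not from the thread).
# Drops a throwaway token under <webroot>/.well-known/acme-challenge, then
# fetches it over plain HTTP on port 80 the way the CA does: redirects are
# not followed, 10 s timeout. Assumes curl is installed.

# Classify one fetch. Args: HTTP status, redirect target (may be empty),
# body received, body expected. Prints a one-line diagnosis and returns 0
# only when the CA's validation request would have succeeded.
classify_acme_response() {
  code="$1"; location="$2"; body="$3"; expected="$4"
  case "$code" in
    200)
      if [ "$body" = "$expected" ]; then
        echo "OK: token served from the webroot"; return 0
      fi
      echo "FAIL: 200 with wrong body (request reached the app, not the webroot)"
      return 1 ;;
    301|302|307|308)
      case "$location" in
        https://*) echo "FAIL: redirected to $location; https must answer first, or exempt /.well-known/acme-challenge/ from the redirect" ;;
        *)         echo "FAIL: redirected to $location" ;;
      esac
      return 1 ;;
    404)
      echo "FAIL: 404, path routed to the application (check the location block and that the server listens on port 80)"
      return 1 ;;
    000)
      echo "FAIL: no HTTP answer on port 80 (refused or timeout: DNS, security group or listener)"
      return 1 ;;
    *)
      echo "FAIL: unexpected HTTP status $code"; return 1 ;;
  esac
}

# Live check. Args: webroot directory, domain name.
check_acme_webroot() {
  webroot="$1"; domain="$2"
  dir="$webroot/.well-known/acme-challenge"
  token="preflight-$(date +%s)-$$"
  mkdir -p "$dir" || return 1
  printf '%s' "$token" > "$dir/$token" || return 1
  tmp=$(mktemp)
  # Body goes to $tmp; -w appends status and redirect target on stdout.
  meta=$(curl -sS -m 10 -o "$tmp" -w '%{http_code} %{redirect_url}' \
           "http://$domain/.well-known/acme-challenge/$token")
  set -- $meta
  code="${1:-000}"; location="${2:-}"
  body=$(cat "$tmp")
  rm -f "$tmp" "$dir/$token"
  classify_acme_response "$code" "$location" "$body" "$token"
}

# Example run from a shell on the instance:
# check_acme_webroot /var/www/acme-challenge ssl-test.naguras.com
```

The token file content here is only a reachability probe; the real challenge file certbot writes carries the token plus the account key thumbprint, so this confirms routing and port, not the ACME key authorization itself.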
