Error generating AWS Network Load Balancer certificate

Guys, I'm having a problem when I try to generate a certificate on servers that are behind the AWS Network Load Balancer. If the IP address is directly on the EC2 instance, the certificate is generated without any problem, but when I put it behind the LB I get an error back.

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for site1.domain.com.br
Waiting for verification …
Challenge failed for domain site1.domain.com.br
http-01 challenge for site1.domain.com.br
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: site1.domain.com.br
    Type: unauthorized
    Detail: Invalid response from
    https://site1.domain.com.br:443/.well-known/acme-challenge/UzA-shXG8GTmcXyhWHTDzxW222wEmk8zpT7aL0LlJI4
    [54.207.184.139]: "<!DOCTYPE html>\n\n\n<meta http-equiv=\"refresh\" content=\"0; url=http://site"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

Log:

Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 00013A9E4SOBKVg9Vz-SIKwwrOBXUnS2oRqiADt2pr9vy_4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "site1.domain.com.br"
  },
  "status": "invalid",
  "expires": "2020-07-22T23:12:22Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from https://site1.domain.com.br:443/.well-known/acme-challenge/yl0_JIC9oCnRUjZtcZ4T29DDp3uz9IHCPzB_ZfyU5pw [54.207.184.139]: \"\u003c!DOCTYPE html\u003e\n\u003chtml\u003e\n\u003chead\u003e\n\u003cmeta charset=\\\"UTF-8\\\" /\u003e\n\u003cmeta http-equiv=\\\"refresh\\\" content=\\\"0; url=http://site\"",
        "status": 403
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/77923151/C05xsg",
      "token": "yl0_JIC9oCnRUjZtcZ4T29DDp3uz9IHCPzB_ZfyU5pw",
      "validationRecord": [
        {
          "url": "http://site1.domain.com.br/.well-known/acme-challenge/yl0_JIC9oCnRUjZtcZ4T29DDp3uz9IHCPzB_ZfyU5pw",
          "hostname": "site1.domain.com.br",
          "port": "80",
          "addressesResolved": [
            "54.207.184.139"
          ],
          "addressUsed": "54.207.184.139"
        },
        {
          "url": "https://site1.domain.com.br:443/.well-known/acme-challenge/yl0_JIC9oCnRUjZtcZ4T29DDp3uz9IHCPzB_ZfyU5pw",
          "hostname": "site1.domain.com.br",
          "port": "443",
          "addressesResolved": [
            "54.207.184.139"
          ],
          "addressUsed": "54.207.184.139"
        }
      ]
    }
  ]
}
2020-07-15 20:12:28,790:DEBUG:acme.client:Storing nonce: 00013A9E4SOBKVg9Vz-SIKwwrOBXUnS2oRqiADt2pr9vy_4
2020-07-15 20:12:28,790:WARNING:certbot.auth_handler:Challenge failed for domain site1.domain.com.br
2020-07-15 20:12:28,791:INFO:certbot.auth_handler:http-01 challenge for site1.domain.com.br
2020-07-15 20:12:28,791:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: site1.domain.com.br
Type: unauthorized
Detail: Invalid response from https://site1.domain.com.br:443/.well-known/acme-challenge/yl0_JIC9oCnRUjZtcZ4T29DDp3uz9IHCPzB_ZfyU5pw [54.207.184.139]: "<!DOCTYPE html>\n\n\n<meta charset=\"UTF-8\" />\n<meta http-equiv=\"refresh\" content=\"0; url=http://site"


Your NLB ports are mismatched.

Port 80 on the NLB should connect to port 80 on your backend.

In your setup, port 80 on the NLB is connecting to port 443 on your backend. That’s where the problem is coming from.

Fix that, and the Certbot authenticator should start working.

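A self-check for the situation described in the answer above, added here as an example and not code from the original thread or from Certbot. It does two things: flags NLB listeners whose target-group port differs from the listener port (the 80 -> 443 mapping that broke validation), and fetches the challenge URL the way the CA does, over plain HTTP on the port the listener exposes, following HTTP redirects but not `<meta refresh>`, and compares the body with the key authorization. Two local HTTP servers stand in for the NLB backends: one serves the token correctly, the other answers with a constructed copy of the refresh page that appears in the log. The token is the one from the log; the account-key thumbprint, hostnames and ports are assumptions for the demo.

```python
"""Check an http-01 setup behind an AWS NLB (added example, not Certbot code)."""
import http.server
import threading
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def listener_port_mismatches(listeners):
    """listeners: list of {"listener_port": int, "target_port": int}, as read
    from `aws elbv2 describe-listeners` / `describe-target-groups`.
    Returns the (listener, target) pairs that do not forward to the same port.
    For http-01 the 80 -> 80 mapping is the one that matters; 443 -> 443 is
    what the site itself needs once the certificate is installed."""
    return [(l["listener_port"], l["target_port"])
            for l in listeners if l["listener_port"] != l["target_port"]]


def fetch_challenge(host, port, token, expected_keyauthz, timeout=5):
    """Request the challenge file like the CA does: plain HTTP, 3xx redirects
    followed (urllib does that), meta-refresh pages not followed.
    Returns (ok, detail). The body must equal the key authorization,
    i.e. '<token>.<account key thumbprint>' (RFC 8555 section 8.1)."""
    url = f"http://{host}:{port}{ACME_PATH}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:          # 4xx/5xx from the backend
        return False, f"HTTP {e.code} from {url}"
    except (urllib.error.URLError, OSError) as e:  # refused, timeout, DNS
        return False, f"connection failed: {e}"
    if body.strip() == expected_keyauthz:
        return True, "key authorization served correctly"
    return False, f"unexpected body: {body[:60]!r}"


class _Backend(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the EC2 backend behind the NLB."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        if self.path.startswith(ACME_PATH) and self.server.mode == "port80":
            body, ctype = self.server.keyauthz.encode(), "text/plain"
        else:
            # The page the CA saw: the vhost on the wrong port answering a
            # plain-HTTP request with a refresh page instead of the token.
            body = (b'<!DOCTYPE html>\n<html>\n<head>\n<meta charset="UTF-8" />\n'
                    b'<meta http-equiv="refresh" content="0; url=http://site">'
                    b'</head></html>')
            ctype = "text/html"
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_backend(mode, keyauthz):
    """Start a demo backend on an ephemeral loopback port (assumed layout)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _Backend)
    srv.mode, srv.keyauthz = mode, keyauthz
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    token = "yl0_JIC9oCnRUjZtcZ4T29DDp3uz9IHCPzB_ZfyU5pw"   # token from the log
    keyauthz = token + ".EXAMPLE_ACCOUNT_THUMBPRINT"         # constructed
    results = {"mismatch": listener_port_mismatches([
        {"listener_port": 80, "target_port": 443},            # the broken mapping
        {"listener_port": 443, "target_port": 443},
    ])}
    good = start_backend("port80", keyauthz)    # what 80 -> 80 reaches
    bad = start_backend("port443", keyauthz)    # what 80 -> 443 reached
    try:
        results["good"] = fetch_challenge("127.0.0.1", good.server_port, token, keyauthz)
        results["bad"] = fetch_challenge("127.0.0.1", bad.server_port, token, keyauthz)
    finally:
        good.shutdown()
        bad.shutdown()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Against a real deployment you would feed `listener_port_mismatches` the listener and target-group ports from `aws elbv2 describe-listeners` and `aws elbv2 describe-target-groups`, and call `fetch_challenge` against the public hostname on port 80 with a test file placed under `/.well-known/acme-challenge/` on the backend. The "unexpected body" result is the same failure the CA reports as `unauthorized`: a 200 with an HTML page where the key authorization should be.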

Perfect observation. I did it quickly and didn't pay attention to it. Thank you very much!

