Failed Authorization Procedure

I currently get a Failed Authorization Procedure Message…

My main questions are:

  1. Does CertBot need to do inbound requests to the server?
  2. Since this is a server on the intranet, all inbound requests are currently blocked. Are there any IP addresses or DNS names I can whitelist to allow inbound calls to the server?
  3. Does that same IP/DNS need to have write access to the ./well-known/acme-challenge folder?
  4. Is Certbot the right tool for this, since it’s an application that’s only running on the intranet, although it must be https?

My domain is:
I can’t say (the certificate hasn’t been issued) and it’s on an intranet

I ran this command: certbot certonly --test-cert -d [domain]

It produced this output:

Failed authorization procedure … (http-01) DNS problem NXDOMAIN looking up A for…

My web server is (include version): Linux

The operating system my web server runs on is (include version): Ubuntu

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Thanks for any help :slight_smile:

A1. LE needs to - when using HTTP authentication.
A2. IPs are not static.
A3. Never; it only needs to read from it.
A4. Yes, it can be. But you may need to use DNS authentication instead of HTTP.

Hi @thisisrii

you can only create a certificate if the domain name is public and worldwide unique. It must be a registered domain.

You can’t create a certificate if the domain name exists only on your intranet server.

So you should share your domain name to check if it’s possible to create a certificate.

@JuergenAuer
The subdomain would exist on the intranet but the domain name is public. Is there any way I can private message you the domain name?

@rg305
Thanks for this!
Why would it be better to use DNS authentication over HTTP?
Do I need to create the file in the ./well-known/acme-challenge folder?

DNS authentication would not require any access to your intranet system.
HTTP authentication would.

Not for DNS auth.
For that you (or an automated client) would need to make a DNS entry in the public DNS zone.
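The two answers above (the CA only needs to read the challenge file, and DNS auth instead needs a record in the public zone) come down to how an ACME client derives the challenge responses from the token and its account key, as specified in RFC 8555 and RFC 7638. The following is an added example written for this thread, not Certbot's or Let's Encrypt's code: it computes the http-01 key authorization and the dns-01 TXT value, then simulates the CA side checking what it can read. The account JWK, the token and the "webroot" dictionary are constructed placeholders, not real key material.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JWK use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the
    required public members only (sorted keys, no whitespace)."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def http01_key_authorization(token: str, account_jwk: dict) -> str:
    """Body the client writes to /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Value of the TXT record at _acme-challenge.<name> for dns-01."""
    keyauth = http01_key_authorization(token, account_jwk)
    return b64url(hashlib.sha256(keyauth.encode("utf-8")).digest())


# --- simulated CA side: it only READS; it never writes to the server ---

def ca_validates_http01(webroot: dict, token: str, account_jwk: dict) -> bool:
    """The CA fetches http://<name>/.well-known/acme-challenge/<token> over
    plain HTTP from its own (non-fixed) addresses and compares the body."""
    body = webroot.get(f"/.well-known/acme-challenge/{token}")
    return body is not None and body.strip() == http01_key_authorization(token, account_jwk)


def ca_validates_dns01(txt_records: list, token: str, account_jwk: dict) -> bool:
    """The CA queries public DNS for _acme-challenge.<name> TXT; any record
    matching the expected digest satisfies the challenge."""
    return dns01_txt_value(token, account_jwk) in txt_records


# Constructed account key (NOT a real RSA modulus) and a constructed token.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB",
               "n": b64url(b"constructed-placeholder-modulus-bytes" * 3)}
OTHER_JWK = {"kty": "RSA", "e": "AQAB",
             "n": b64url(b"a-different-account-key-modulus" * 3)}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def demo() -> dict:
    """Client publishes the responses; CA reads and verifies them."""
    # http-01: the client (with write access) drops the file in the webroot.
    webroot = {f"/.well-known/acme-challenge/{TOKEN}":
               http01_key_authorization(TOKEN, ACCOUNT_JWK)}
    # dns-01: the client (or a DNS API hook) publishes a TXT record in the
    # PUBLIC zone; nothing on the intranet host is contacted.
    public_zone_txt = [dns01_txt_value(TOKEN, ACCOUNT_JWK)]
    return {
        "http01_ok": ca_validates_http01(webroot, TOKEN, ACCOUNT_JWK),
        "http01_wrong_account": ca_validates_http01(webroot, TOKEN, OTHER_JWK),
        "dns01_ok": ca_validates_dns01(public_zone_txt, TOKEN, ACCOUNT_JWK),
        "dns01_wrong_account": ca_validates_dns01(public_zone_txt, TOKEN, OTHER_JWK),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The responses are bound to the account key, so the CA needs nothing but read access to the challenge location; the client is the only party that writes. For the intranet case in this thread, the dns-01 path is what matters: the TXT record lives in the public zone for `_acme-challenge.<subdomain>`, and the CA never has to reach the host itself.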

The domain name must end in a public suffix. You can use online tools ( https://letsdebug.net/ from @_az - https://check-your-website.server-daten.de/ - own tool) to check that.

If you have an active website with that domain name, that’s enough.

If the subdomain doesn’t have an A-record, you must use dns validation.

Thanks, this has been very helpful. Would I run the certbot -d command with the subdomain or the public domain?

Okay great! Would this be the public DNS of my domain or the general public DNS?