First Timer: Unable to create New Cert in Amazon Linux 2 ami

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bidabest.com or www.bidabest.com

I ran this command:
sudo yum install -y certbot python2-certbot-apache
sudo certbot

I follow this Reference from AWS:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html#letsencrypt

It produced this output:
Which names would you like to activate HTTPS for?


1: bidabest.com
2: www.bidabest.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for bidabest.com
http-01 challenge for www.bidabest.com
Waiting for verification…
Challenge failed for domain bidabest.com
Challenge failed for domain www.bidabest.com
http-01 challenge for bidabest.com
http-01 challenge for www.bidabest.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version): Apache 2.4.41

The operating system my web server runs on is (include version): Amazon Linux 2 AMI

My hosting provider, if applicable, is: Amazon Web Services

I can login to a root shell on my machine (yes or no, or I don’t know): I don’t know, normally I log in as ec2-user

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.39.0

Hi @ztfong

Your domain already has content. But /.well-known/acme-challenge/random-filename doesn’t work. There is a

Whitelabel Error Page

This application has no explicit mapping for /error, so you are seeing this as a fallback.

Mon Dec 02 22:33:44 MYT 2019

There was an unexpected error (type=Forbidden, status=403).

Access Denied

But that’s not the 503 error Letsencrypt has seen.

If you use --apache, a temporary location is added. It looks like that doesn’t work.

Do you use that DocumentRoot?

DocumentRoot "/var/www/html"

If yes, create two subdirectories

/var/www/html/.well-known/acme-challenge

put a file there (file name 1234), then try to load that file via

http://bidabest.com/.well-known/acme-challenge/1234

to see if that works.

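A small shell check for the step described above (create the acme-challenge directory and a probe file without an extension, then fetch it over plain HTTP the way the validator does). This is an added example, not code from the thread; the webroot /var/www/html and host bidabest.com are taken from the thread, and the RUN_PROBE, WEBROOT and HOST variables are this example's own.

```shell
#!/bin/sh
# Reachability check for the HTTP-01 challenge path (constructed example).
# Webroot and host are assumptions supplied by the caller.

# Create <webroot>/.well-known/acme-challenge/<token> with the token as
# its body (no file extension) and print the path.
make_probe() {
  dir="$1/.well-known/acme-challenge"
  mkdir -p "$dir" && printf '%s\n' "$2" > "$dir/$2" && chmod 644 "$dir/$2" || return 1
  echo "$dir/$2"
}

# A response only proves the path is served when the status is 200 and the
# body is exactly the token; a 403 "Whitelabel Error Page" or a 503 from
# some other backend fails here, as it did for the CA in this thread.
compare_response() {
  [ "$1" = "200" ] && [ "$2" = "$3" ]
}

# Fetch the probe over plain HTTP and report the status, so a wrong backend
# (e.g. a Tomcat answering on port 80 instead of Apache) becomes visible.
check_probe() {
  url="http://$1/.well-known/acme-challenge/$2"
  tmp=$(mktemp) || return 1
  code=$(curl -sS -o "$tmp" -w '%{http_code}' "$url") || { rm -f "$tmp"; return 1; }
  body=$(cat "$tmp"); rm -f "$tmp"
  if compare_response "$code" "$body" "$2"; then
    echo "OK: $url served with HTTP 200 and the expected body"
  else
    echo "FAIL: $url returned HTTP $code; body: $(printf '%s' "$body" | head -c 80)"
    return 1
  fi
}

# Set RUN_PROBE=1 to create the file and fetch it for real; WEBROOT and HOST
# are assumptions that default to the values from this thread.
if [ "${RUN_PROBE:-0}" = "1" ]; then
  token=$(head -c 12 /dev/urandom | od -An -tx1 | tr -d ' \n')
  path=$(make_probe "${WEBROOT:-/var/www/html}" "$token") || exit 1
  check_probe "${HOST:-bidabest.com}" "$token"; rc=$?
  rm -f "$path"   # remove the probe afterwards
  exit $rc
fi
```

Run it as `sudo RUN_PROBE=1 WEBROOT=/var/www/html HOST=bidabest.com sh probe.sh`; a FAIL line with the real status code tells you which server actually answered.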
Hi @JuergenAuer
Thanks for your fast response.

  1. I noticed that I had commented out DocumentRoot “/var/www/html”. Therefore, I tried to uncomment it, restarted Apache and tried sudo certbot again. However, the same issue still persisted.

  2. Regarding your suggestion to create two subdirectories and then add a file in them: may I know whether this should be a .txt file or a .html file? I have tried adding a 1234.html file and then running http://bidabest.com/.well-known/acme-challenge/1234 or http://bidabest.com/.well-known/acme-challenge/1234.html, but the same issue still persisted.

Please use the file name without an extension.

You must be able to see your file in your browser.

Then use webroot, not --apache.

Apache may not work.

Or your configuration is buggy, multiple vHosts.

apachectl -S

And what’s that?

A Tomcat answers there, not an Apache. So you don’t have the configuration of that tutorial, so --apache can’t work.

So use a Tomcat tutorial.

Dear Admin,

Thanks for the help. After doing some research, I am able to get through the challenge with the command below:

sudo certbot -i apache -a manual --preferred-challenges dns -d XXX.com -d www.XXX.com

My question now is: do I need to include “-d www.XXX.com” in the command above, or just “-d XXX.com”? In my case, both XXX.com and www.XXX.com are the same.

Thanks,
Fong Zhan Teng

You use both domain names, so it’s easiest if your (one) certificate has both domain names.

If not, one version would be insecure.

The content of these two different domain names isn’t relevant, it may be the same content.