Get certificate for AWS Elastic Beanstalk without Beanstalk Load Balancer on NodeJS


For my nodejs application in Elastic BeanStalk, without Beanstalk Load Balancer I want to set up a Letsencrypt certificate and keep the classic domain provided by AWS :

Using Webroot mode :

$ sudo ./certbot-auto --authenticator standalone --non-interactive --email --domains --installer nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>

 - The following errors were reported by the server:

   Type:   unauthorized
   Detail: Invalid response from
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I think that the directory generated by certbot for the verification isn’t accessible…

I spent more than 3 days on this problem '-_- I am really stuck

Need your help guys !! thanks

Since you are using a complex setup, you should know where you can put static files that are accessible via /.well-known/acme-challenge/. Nobody here has an insight into your nodejs application.
If you are using nginx as webserver, you just have to define a separate root for the location and use this path as webroot-path for certbot.

I’ll add that --authenticator standalone means that Certbot tries to put up its own listener to respond to incoming web requests. This is not compatible with the presence of some other software listening to HTTP requests on port 80. If you have other software listening this way, you need to stop it first.

If there is an existing web server that you can get to serve files at a chosen path, the correct authenticator plugin to use is webroot rather than standalone.

@schoen @bytecamp thanks for reply. I finally found the solution : :star_struck:

I took inspiration from this script and created one using WEBROOT MODE.

I created a git to share this solution :

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.