Hello,
(I have filled in the form below, and even included parts of /var/log/letsencrypt/letsencrypt.log at the end, but I don't think much of it is interesting).
I am trying to get a certificate for imo2022.org, but the challenge seems to be sent to the sub domain www.imo2022.org, which I do not want a certificate for. I run Varnish and I synthesize a 301 redirect to www.imo2022.org for all requests to the host name imo2022.org whose path do not start with /.well-known. The www subdomain is maintained by an external company, and they manage their own certificate independently of me. Running varnishlog on the server for imo2022.org clearly shows that letsencrypt does not send a request to imo2022.org. I control DNS, but I prefer to use a HTTP for validation, as it works great with Varnish.
Do I have to change to DNS to be able to get a certificate for imo2022.org?
I can't see this documented anywhere. If I am blind, a link to the relevant docs will be fine.
My domain is: imo2022.org
I ran this command: certbot certonly --test-cert --standalone --preferred-challenges http --http-01-port 888 -d imo2022.org --renew-hook="/usr/local/bin/hitch-renew-hook" --post-hook="service hitch reload"
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Requesting a certificate for imo2022.org
Performing the following challenges:
http-01 challenge for imo2022.org
Waiting for verification...
Challenge failed for domain imo2022.org
http-01 challenge for imo2022.org
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: imo2022.org
Type: unauthorized
Detail: Invalid response from https://www.imo2022.org/.well-known/acme-challenge/Q4TFOBC8SXZ3wivB6YNtwxAEPuoRv67dTQ7zilLFyAk [52.213.47.89]: "\r\n<html lang="en-US">\r\n\r\n <meta charset="UTF-8" />\r\n <meta name="viewport" content="width=device-widt"
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 888. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
Cleaning up challenges
Running post-hook command: service hitch reload
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version): varnish-plus-6.0.9r3 with a VCL which routes .well-known to port 888.
The operating system my web server runs on is (include version): Ubuntu 18.04.6 LTS
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version
or certbot-auto --version
if you're using Certbot): certbot 1.22.0
From /var/log/letsencrypt/letsencrypt.log
2022-01-22 13:33:39,040:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 22 Jan 2022 13:33:38 GMT
Content-Type: application/json
Content-Length: 1979
Connection: keep-alive
Boulder-Requester: 41417418
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0001mNgheHp_ePq9UNt_NDHGs6KKKycoqil1bR0v16u2HAQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "imo2022.org"
},
"status": "invalid",
"expires": "2022-01-29T13:33:34Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from https://www.imo2022.org/.well-known/acme-challenge/-VVYGtEixrQO9YYWp8Kw3dHysCrHAYueOFCNYtYJFA4 [52.213.47.89]: "\u003c!DOCTYPE html\u003e\r\n\u003chtml lang=\"en-US\"\u003e\r\n\u003chead\u003e\r\n \u003cmeta charset=\"UTF-8\
" /\u003e\r\n \u003cmeta name=\"viewport\" content=\"width=device-widt"",
"status": 403
},
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/1496701498/KOIkZQ",
"token": "-VVYGtEixrQO9YYWp8Kw3dHysCrHAYueOFCNYtYJFA4",
"validationRecord": [
{
"url": "http://imo2022.org/.well-known/acme-challenge/-VVYGtEixrQO9YYWp8Kw3dHysCrHAYueOFCNYtYJFA4",
"hostname": "imo2022.org",
"port": "80",
"addressesResolved": [
"165.227.172.28",
"2001:700:100:118::130"
],
"addressUsed": "2001:700:100:118::130"
},
{
"url": "https://imo2022.org/.well-known/acme-challenge/-VVYGtEixrQO9YYWp8Kw3dHysCrHAYueOFCNYtYJFA4",
"hostname": "imo2022.org",
"port": "443",
"addressesResolved": [
"165.227.172.28",
"2001:700:100:118::130"
],
"addressUsed": "2001:700:100:118::130"
},
{
"url": "https://www.imo2022.org/.well-known/acme-challenge/-VVYGtEixrQO9YYWp8Kw3dHysCrHAYueOFCNYtYJFA4",
"hostname": "www.imo2022.org",
"port": "443",
"addressesResolved": [
"52.213.47.89",
"3.248.123.157"
],
"addressUsed": "52.213.47.89"
}
],
"validated": "2022-01-22T13:33:34Z"
}
]
}