Installing ssl certificate on AWS Elastic Beanstalk Nginx Node.js webserver

#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.ccss.cf

I ran this command:
./certbot-auto --config /etc/letsencrypt/configs/www.ccss.cf.conf certonly
./certbot-auto certonly --debug --standalone -d www.ccss.cf --authenticator = webroot --webroot-path = /var/www/letsencrypt/
./certbot-auto certonly --debug --standalone -d www.ccss.cf

It produced this output:

  • The following errors were reported by the server:

    Domain: www.ccss.cf
    Type: unauthorized
    Detail: Invalid response from
    http://www.ccss.cf/.well-known/acme-challenge/S0cI6qHuXxEXMYZzMwnXgrkyu01QzzZxHXfma0xDi6k
    [35.177.35.18]: “\n<html lang=“en”>\n\n<meta
    charset=“utf-8”>\nError\n\n\n

    Cannot
    GET /.well-known/”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): Nginx/1.14.1

The operating system my web server runs on is (include version): AWS Linux t2.micro instance created by Elastic Beanstalk

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

#2

Perhaps:

./certbot-auto --nginx -d www.ccss.cf -d ccss.cf

Are you using Elastic Beanstalk with ELB? If so, it would be preferable to just use Amazon Certificate Manager to do SSL for you.

#3

Unfortunately I still get the same error. I tried creating a file in the well-known location but can’t access it from my browser despite setting all the permissions. Does anyone else have any ideas where I am going wrong?

I don’t have a load balancer so can’t use Amazon Certificate Manager. It would also be cost effective for me to use Let’s Encrypt as I think ACM only gives you the first 30 days free.

#4

Hi @tonks84

your domain is not visible ( https://check-your-website.server-daten.de/?q=ccss.cf ):

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://ccss.cf/ 35.177.35.18 | -14 | | 10.030 | T |
| Timeout - The operation has timed out | | | | |
| http://www.ccss.cf/ 35.177.35.18 | -14 | | 10.030 | T |
| Timeout - The operation has timed out | | | | |
| https://ccss.cf/ 35.177.35.18 | -14 | | 10.027 | T |
| Timeout - The operation has timed out | | | | |
| https://www.ccss.cf/ 35.177.35.18 | -14 | | 10.030 | T |
| Timeout - The operation has timed out | | | | |
| http://ccss.cf/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 35.177.35.18 | -14 | | 10.030 | T |
| Timeout - The operation has timed out | | | | |
| http://www.ccss.cf/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 35.177.35.18 | -14 | | 10.030 | T |
| Timeout - The operation has timed out | | | | |

http-01 - validation requires a running webserver and an open port 80.

#5

I had momentarily taken it down but it should be up now.

#6

Rechecked:

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://ccss.cf/ 35.178.228.23 | 200 | | 0.094 | H |
| http://www.ccss.cf/ 35.178.228.23 | 200 | | 0.070 | H |
| https://ccss.cf/ 35.178.228.23 | -14 | | 10.026 | T |
| Timeout - The operation has timed out | | | | |
| https://www.ccss.cf/ 35.178.228.23 | -14 | | 10.026 | T |
| Timeout - The operation has timed out | | | | |
| http://ccss.cf/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 35.178.228.23 | 404 | | 0.053 | A |
| Not Found | | | | |
| http://www.ccss.cf/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 35.178.228.23 | 404 | | 0.054 | A |
| Not Found | | | | |

Port 80 is open, /.well-known/acme-challenge has the correct http status 404.

But why does your command use that directory?

Is there a special definition? If not, find your real webroot. Create the two subdirectories there:

yourWebroot/.well-known/acme-challenge

Put a file there (file name 1234) and try to load that file via

http://ccss.cf/.well-known/acme-challenge/1234
http://www.ccss.cf/.well-known/acme-challenge/1234

If that works, you have found your correct webroot.

#7

I used --webroot-path = /var/www/letsencrypt/ because I was following an online tutorial which was trying to configure the webroot to be that location. It didn’t seem to work.

I found the webroot by nginx -V and looking at the --prefix option. When I try to follow your steps I still can’t see the files I created. Does something need to be restarted? I’m running node.js and the well-known location is set up in the routing logic of node.js. Would that have something to do with this not working?

#8

What does this mean?

Certbot must be able to create a file somewhere, with -w webroot you can define a path, then the file is created under webroot/.well-known/acme-challenge and checked via port 80 - yourdomain/.well-known/acme-challenge.

So if that doesn’t work with a test file, it will not work with Letsencrypt.
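An added example, not code from any poster in this thread: when requests for /.well-known/acme-challenge/ are answered by the Node.js process rather than read from disk by nginx, the app itself has to return the file certbot writes under the webroot. The sketch below maps a challenge URL to that file and accepts only base64url token names so the route cannot be used to read other paths. The function names, the temporary webroot and the file content are assumptions made for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const http = require('node:http');
const PREFIX = '/.well-known/acme-challenge/';
// ACME tokens are base64url: letters, digits, '-' and '_' only.
const TOKEN_RE = /^[A-Za-z0-9_-]+$/;

// Map a request path to <webroot>/.well-known/acme-challenge/<token>, or null.
function challengeFile(webroot, urlPath) {
  if (!urlPath.startsWith(PREFIX)) return null;
  const token = urlPath.slice(PREFIX.length);
  if (!TOKEN_RE.test(token)) return null; // rejects '', slashes, dots, '%' escapes
  return path.join(webroot, '.well-known', 'acme-challenge', token);
}

// Answer one request: 200 with the file content, otherwise 404.
function serveChallenge(webroot, urlPath) {
  const file = challengeFile(webroot, urlPath);
  if (file === null) return { status: 404, body: 'Not Found' };
  try {
    return { status: 200, body: fs.readFileSync(file, 'utf8') };
  } catch {
    return { status: 404, body: 'Not Found' };
  }
}

// Minimal server: answers challenge requests only; a real app would
// fall through to its own routes for every other path.
function createServer(webroot) {
  return http.createServer((req, res) => {
    const pathname = new URL(req.url, 'http://localhost').pathname;
    const { status, body } = serveChallenge(webroot, pathname);
    res.writeHead(status, { 'Content-Type': 'text/plain' });
    res.end(body);
  });
}

// Constructed self-check mirroring the test-file step: create "1234", then request it.
function selfCheck() {
  const webroot = fs.mkdtempSync(path.join(os.tmpdir(), 'webroot-'));
  const dir = path.join(webroot, '.well-known', 'acme-challenge');
  fs.mkdirSync(dir, { recursive: true });
  fs.writeFileSync(path.join(dir, '1234'), 'test-content');
  return {
    found: serveChallenge(webroot, PREFIX + '1234'),
    missing: serveChallenge(webroot, PREFIX + 'nope'),
    traversal: serveChallenge(webroot, PREFIX + '../../etc/passwd'),
  };
}
```

The directory passed as `webroot` must be the same one given to certbot with `-w`; if the test file 1234 is not returned with status 200 over port 80, the http-01 validation will fail the same way.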
