Installing ssl certificate on AWS Elastic Beanstalk Nginx Node.js webserver

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.ccss.cf

I ran this command:
./certbot-auto --config /etc/letsencrypt/configs/www.ccss.cf.conf certonly
./certbot-auto certonly --debug --standalone -d www.ccss.cf --authenticator = webroot --webroot-path = /var/www/letsencrypt/
./certbot-auto certonly --debug --standalone -d www.ccss.cf

It produced this output:

• The following errors were reported by the server:

  Domain: www.ccss.cf
  Type: unauthorized
  Detail: Invalid response from
  http://www.ccss.cf/.well-known/acme-challenge/S0cI6qHuXxEXMYZzMwnXgrkyu01QzzZxHXfma0xDi6k
  [35.177.35.18]: “\n<html lang=“en”>\n\n<meta
  charset=“utf-8”>\nError\n\n\n

  Cannot
  
  GET /.well-known/”
  To fix these errors, please make sure that your domain name was
  
  entered correctly and the DNS A/AAAA record(s) for that domain
  
  contain(s) the right IP address.
  

My web server is (include version): Nginx/1.14.1

The operating system my web server runs on is (include version): AWS Linux t2.micro instance created by Elastic Beanstalk

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

Perhaps:

./certbot-auto --nginx -d www.ccss.cf -d ccss.cf

Are you using Elastic Beanstalk with ELB? If so, it would be preferable to just use Amazon Certificate Manager to do SSL for you.

Unfortunately I still get the same error. I tried creating a file in the well-known location but can’t access it from my browser despite setting all the permissions. Does anyone else have any ideas where I am going wrong?

I don’t have a load balancer so can’t use Amazaon Certificate Manager. It would also be cost effective for me to use Let’s Encrypt as I think ACM only gives you the first 30 days free.

Hi @tonks84

your domain is not visible ( https://check-your-website.server-daten.de/?q=ccss.cf ):

http-01 - validation requires a running webserver and an open port 80.

I had momentarily taken it down but it should be up now.

Rechecked:

Port 80 is open, /.well-known/acme-challenge has the correct http status 404.

But why does your command use that directory?

Is there a special definition? If not, find your real webroot. There create the two subdirectories

yourWebroot/.well-known/acme-challenge

there a file (file name 1234) And try to load that file via

http://ccss.cf/.well-known/acme-challenge/1234
http://www.ccss.cf/.well-known/acme-challenge/1234

If that works, you have found your correct webroot.

I used –webroot-path = /var/www/letsencrypt/ because I was following an online tutorial which was trying to configure the webroot to be that location. It didn’t seem to work.

I found the webroot by nginx -V and looking at the --prefix option. When I try to follow your steps I still can’t see the files I created. Does something need to be restarted? I’m running node.js and the well-known location is setup in the routing logic of node.js. Would that have something to do with this not working?

What does this mean?

Certbot must be able to create a file somewhere, with -w webroot you can define a path, then the file is created under webroot/.well-known/acme-challenge and checked via port 80 - yourdomain/.well-known/acme-challenge.

So if that doesn't work with a test file, it will not work with Letsencrypt.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.