Invalid response error when creating the certificate

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: alpsinterviewbot.com

I ran this command: sudo certbot certonly --standalone

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): alpsinterviewbot.com
Requesting a certificate for alpsinterviewbot.com

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: alpsinterviewbot.com
Type: unauthorized
Detail: 76.76.21.22: Invalid response from http://alpsinterviewbot.com/.well-known/acme-challenge/gsAmqzU1VXalcgqgaJWgZQE-tBssmatRl0-Bfvs4Kwc: 404

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): I am not sure..I got the domain through Namecheap, I have develop a web app by using FastAPI, running the uvicorn server on AWS and deployed on Vercel.

The operating system my web server runs on is (include version): AWS Linux

My hosting provider, if applicable, is: Namecheap

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Not sure
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot 2.8.0

Thank you in advance!

1 Like
2

The 404 means the Let's Encrypt server got a "not found" when trying to connect to your domain using HTTP. The LE Server should get a valid token from your --standalone request.

I don't see the IP address in the error in your public DNS right now. In fact, there are 2 IP addresses.

Also, your domain currently has a server responding to HTTP and HTTPS requests. The Certbot --standalone option must reply to HTTP requests for it to be able to get a cert.

Could you explain more what you are trying to do? And, what role your "vercel" server has?

dig +noall +answer A alpsinterviewbot.com
alpsinterviewbot.com.   274     IN      A       76.76.21.241
alpsinterviewbot.com.   274     IN      A       76.76.21.93

And, https currently works using a wildcard cert from Let's Encrypt

curl -i https://www.alpsinterviewbot.com
HTTP/2 200
age: 329366
server: Vercel
3 Likes
3

It's interesting that the domain is redirected from HTTP to HTTPS.

curl -Ii alpsinterviewbot.com
HTTP/1.1 308 Permanent Redirect
Content-Type: text/plain
Location: https://alpsinterviewbot.com/     <<<<<<<<<<<<<<<<<<<<<<<<<
Refresh: 0;url=https://alpsinterviewbot.com/
server: Vercel

curl -Ii alpsinterviewbot.com/test
HTTP/1.1 308 Permanent Redirect
Content-Type: text/plain
Location: https://alpsinterviewbot.com/test     <<<<<<<<<<<<<<<<<<<<<<<<<
Refresh: 0;url=https://alpsinterviewbot.com/test
server: Vercel

But the ACME challenge requests are NOT redirected:

curl -Ii alpsinterviewbot.com/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 404 Not Found
Access-Control-Allow-Headers: Authorization, Accept, Content-Type
Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 52
Content-Type: application/json; charset=utf-8
Date: Sun, 28 Jan 2024 18:37:13 GMT
Server: Vercel
X-Vercel-Id: iad1::zqdnk-1706467033174-931b58b1310c
3 Likes
4

Vercel looks like an app service. I read their site and they talk about acquiring certs for apps you setup there. They have integrated with Let's Encrypt since at least 2019 and the ACME Challenge is probably intercepted for this purpose.

I'm guessing they are trying to get a cert for a backend app using the same domain as their Vercel front-end. If so, Vercel is the best place to get advice I think.

Lots of guessing on my part but I think they are good ones :slight_smile:

4 Likes
5

Thank you for both of your support!

I created a FastAPI app and a front-end for that application. The app is a conversational AI bot where users can have interviews for their desired roles. I don't have any prior experience in web development, front-end design etc.

Vercel is the service that I use to host the front end. The back end of the app works on an EC2 instance. Here are the steps I followed:

  • Deployed front-end on Vercel and got a production link
  • Connected that production link to the domain that I own
  • Meanwhile running the back-end on the EC2 instance, the front-end talks to the IP address of that virtual machine.

After these steps, I got a Mixed Content Error on the browser because the deployed link on Vercel expects requests as HTTPS however, my server on EC2 is responding to HTTP.

With no prior knowledge of that, I figured the solution was to get an SSL certificate to adjust my server to respond HTTPS. So I created the self-signed cert but soon after I realized that is causing an ERR_CERT_AUTHORITY_INVALID error.

That is why now I am trying to get a cert from a CA.

When linking the web domain to the Vercel link, I put Vercel's custom DNS as the nameserver. I thought the DNS should be then 76.76.21.21 according to Vercel but I am not sure why there 2 different IP addresses

2 Likes
6

That's pretty much what I guessed. I think you should ask Vercel how to do this.

One way might be to create a new domain name and point its DNS to your backend server. As long as you use HTTPS links in your frontend you will avoid the mixed-content warning.

Or, Vercel may have some way to allow you to obtain a cert for the domain they handle. Right now they intercept the ACME Challenges to provide the cert for the frontend app. Maybe a DNS Challenge could be used but they need to assist with that.

3 Likes
7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.