Localhost certificate failure

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: milan.com

I ran this command: certbot certonly --standalone -d milan.com

It produced this output: Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: milan.com
Type: unauthorized
Detail: 15.197.148.33: Invalid response from http://milan.com/.well-known/acme-challenge/J-OdyRpQWKHMqIZwhFSyz1xIsYmgS2kbWwQL9TffpkI: 404

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache2.4

The operating system my web server runs on is (include version): Windows 11

My hosting provider, if applicable, is: My PC

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): None

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hey all! I'm trying to install a certificate for my localhost (my own machine). The reason I'm doing this is because I want to test an email server software on my PC for no reason particularly, just playing. I installed Apache 2.4 successfully, input server_name in the config as milan.com and in my hosts file wrote 127.0.0.1 localhost milan.com. Now when I run the command that I wrote at the top of the post it gives me the mentioned error. What seems to be the problem?

Hello @mikitheking3, welcome to the Let's Encrypt community. :slightly_smiling_face:

The IPv4 address 127.0.0.1 is the localhost only; nobody else can access it.

I suspect that

is not trying to run the standalone authenticator on the IPv4 address 127.0.0.1.

Others will have better answers.

3 Likes

Let's Encrypt must validate that you control milan.com in order to issue a certificate. There are three authorizations that can accomplish that: HTTP-01, TLS-ALPN-01, DNS-01.

Both HTTP-01 and TLS-ALPN-01 require your server to be connected to the public internet and correctly process requests from the public internet for milan.com.

The DNS records for milan.com show 3.33.130.190 and 15.197.148.33, which seem to point to GoDaddy parking. Both IPs must be expected to correctly answer the validation requests.

You have three options to get a Certificate:

  1. Point the public DNS to only your actual computer's IP address, and ensure local routing from your network to your machine.
  2. Point the public DNS to a public web server, obtain the certificate on that, and copy it to your machine.
  3. Use the DNS-01 challenge to perform the authorizations.

I typically use option 3 for development work on subdomains as it lets me rely on normal DNS (i.e. I can have a public DNS record for a domain point to 127.0.0.1), and recommend delegating the acme-challenge DNS record to an acme-dns instance (GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely). When it comes to base/registered domains, I typically use the HTTP-01 challenge on the public webserver to secure that server, copy the certificate to my local system, and update local routing to route that domain on 127.0.0.1.

6 Likes
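As an added illustration (not part of the thread and not any poster's code): a small Python check that reads the CA's error detail and a hosts file and shows that the validation request went to the public DNS address, not to the hosts-file override. The function names and finding labels are hypothetical; the sample inputs are constructed from the values quoted in the thread.

```python
import ipaddress
import re

# Constructed sample inputs, modelled on the hosts entry and CA error quoted in the thread.
HOSTS_FILE = "127.0.0.1 localhost milan.com\n"
CA_DETAIL = ("15.197.148.33: Invalid response from http://milan.com/.well-known/"
             "acme-challenge/J-OdyRpQWKHMqIZwhFSyz1xIsYmgS2kbWwQL9TffpkI: 404")


def hosts_overrides(hosts_text, domain):
    """Return the addresses a hosts file maps `domain` to (comments ignored)."""
    found = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or domain.lower() not in (n.lower() for n in fields[1:]):
            continue
        try:
            found.append(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed address column, skip the line
    return found


def ca_contacted(detail):
    """Extract (address, host, HTTP status) from an HTTP-01 'Invalid response' detail."""
    m = re.match(r"(?P<ip>[0-9A-Fa-f:.]+): Invalid response from https?://(?P<host>[^/]+)"
                 r"/\.well-known/acme-challenge/\S+: (?P<status>\d{3})", detail)
    if not m:
        raise ValueError("not an HTTP-01 'Invalid response' detail")
    return ipaddress.ip_address(m["ip"]), m["host"], int(m["status"])


def diagnose(hosts_text, detail):
    """Compare the local hosts-file view of the domain with the host the CA reached."""
    ca_ip, domain, status = ca_contacted(detail)
    local = hosts_overrides(hosts_text, domain)
    findings = []
    if any(not ip.is_global for ip in local):
        # A loopback/private override only changes resolution on this machine.
        findings.append("hosts-override-not-public")
    if local and ca_ip not in local:
        # The CA resolved the name through public DNS and reached another server.
        findings.append("ca-reached-different-host")
    return {"domain": domain, "ca_ip": str(ca_ip), "status": status,
            "local": [str(ip) for ip in local], "findings": findings}


if __name__ == "__main__":
    print(diagnose(HOSTS_FILE, CA_DETAIL))
```

Both findings together mean the standalone server never saw the CA's request, so HTTP-01 cannot succeed until public DNS points at a reachable machine you control, or DNS-01 is used instead.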

@mikitheking3 Do you actually own the domain milan.com?

4 Likes

Hey Osiris, that's a good question. I in fact do not own milan.com; I just made it up thinking it would work because I just want to give my PC a certificate. Clearly I wasn't thinking at all, since I can see what the problem would be now... @jvanasco Thank you for the detailed post. I'm really tired and was thinking something along the lines of what you posted, but since this is my first time working on this I had no idea how to accomplish it. Since I am very tired I shall try doing the third suggestion you made tomorrow! Thank you all so very much for your quick responses, lovely community!

Please note that that option also requires you to actually own the domain (or at least have control over it).

6 Likes
