New to LetsEncrypt

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
monitor.plslogistics.com

I ran this command:
certbot certonly --standalone

It produced this output:
root@monitor.plslogistics.com ~/certs $ certbot certonly --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): monitor.plslogistics.com
Requesting a certificate for monitor.plslogistics.com

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: monitor.plslogistics.com
Type: unauthorized
Detail: The key authorization file from the server did not match this challenge "mkEtqdXoq_V4I1ODXHJ0BlsbX0jXlJFQoXOCQ4UZ0Ew.zhOaLIVTyTdV7MlTa5pAI2i1DOMkLGfhoHinbJYQWkk" != ""

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
root@monitor.plslogistics.com ~/certs $

My web server is (include version):
NagiosXI

The operating system my web server runs on is (include version):
Centos 7.9

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
root@monitor.plslogistics.com ~/certs $ certbot -version
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: argument -v/--verbose: ignored explicit argument 'ersion'
root@monitor.plslogistics.com ~/certs $

@ccheltenham Welcome to the community.

I see a couple of things. First, --standalone is for when you do not have a server listening on port 80. But you have one - openresty. I know very little about that server except what I saw on their website, which is that it is an nginx derivative.

For nginx, the --nginx authenticator is commonly used. But, since your server may be different and it is already listening on port 80 and 443, you might be better off using --webroot instead - something like:

certbot certonly --webroot -w /var/rootdir -d monitor.plslogistics.com --dry-run

Use your server's root folder in place of the sample -w /var/rootdir value.
https://certbot.eff.org/docs/using.html?highlight=webroot%20path

You will also need to be sure your server will respond with the correct value for requests to /.well-known/acme-challenge/Sample-File-123

That is, make sure you have a suitable location set up for it, in case other location blocks, if statements, or the like would interfere. You can test your server config by making a sample file in that folder and making your own request like this:
http://monitor.plslogistics.com/.well-known/acme-challenge/Sample-File-123

Remove --dry-run once you complete your tests to create a production cert. Update your server definitions to use the file locations for your new certs, reload nginx, and you should be good.

Hope this helps.

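To make the CA's error message concrete: the value it quotes, "mkEtqd...0Ew.zhOa...Wkk", is the key authorization, i.e. the token followed by a dot and the thumbprint of your ACME account key. The CA fetched http://monitor.plslogistics.com/.well-known/acme-challenge/<token> and got an empty body, hence != "". The following is an added example (not Certbot's code and not from anyone in this thread) that computes that string from a token and an account JWK and replays the comparison the CA performs. The account key here is a constructed placeholder, not a real RSA key, so its thumbprint will not equal the one in the post; the token is the one from the error above.

```python
"""What the CA compares in an HTTP-01 challenge (RFC 8555 section 8.3, RFC 7638).

Added example; not Certbot's code. SAMPLE_ACCOUNT_JWK is a constructed
placeholder (not a real RSA key), so the thumbprint it yields is illustrative.
The token is the one from the error message in the thread.
"""
import base64
import hashlib
import json

TOKEN = "mkEtqdXoq_V4I1ODXHJ0BlsbX0jXlJFQoXOCQ4UZ0Ew"

# Constructed stand-in for the ACME account key's public JWK (placeholder values).
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "placeholder-modulus-not-a-real-key_0123456789abcdefghijklmnopqrstuvwxyz",
}

B64URL_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 of the canonical JSON of the key's required members only,
    so optional members such as alg or kid do not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the CA expects at http://<domain>/.well-known/acme-challenge/<token>:
    the token, a dot, and the account key's thumbprint. Certbot writes exactly this."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(webroot: str, token: str) -> str:
    """Where certbot --webroot -w <webroot> places the challenge file."""
    return f"{webroot.rstrip('/')}/.well-known/acme-challenge/{token}"


def validate(expected: str, served_body: bytes, status: int = 200) -> str:
    """Replay the CA's comparison. Trailing whitespace is tolerated (Let's Encrypt's
    validator trims it too), so a newline added by echo is harmless; anything else,
    including an empty body or an HTML error page, is a mismatch."""
    if status != 200:
        return f"unauthorized: HTTP {status} when fetching the challenge file"
    got = served_body.decode("utf-8", "replace").rstrip()
    if got != expected:
        return f'unauthorized: key authorization file did not match this challenge "{expected}" != "{got}"'
    return "ok"


if __name__ == "__main__":
    expected = key_authorization(TOKEN, SAMPLE_ACCOUNT_JWK)
    print("expected body:", expected)
    print("file path    :", challenge_path("/var/www/html", TOKEN))
    # The thread's failure: the server answered, but with an empty body.
    print(validate(expected, b""))
    print(validate(expected, (expected + "\n").encode()))
```

The practical takeaway is that nothing on your side has to generate or understand that string; certbot writes it to the path challenge_path() returns, and your job is only to make sure the web server hands that file back unmodified over plain HTTP on port 80.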

Oh gosh, I wish I would have looked here first.
https://crt.sh/?q=plslogistics.com

You have numerous certs from Let's Encrypt for various domain names over several years. Why can't you just use the same method for this domain as you used for those?

I must have gotten confused by your title: 'New to LetsEncrypt'


That should be:
certbot --version


Thanks Mike,

I tried your first command without success.

Trial #1)

root@monitor.plslogistics.com ~ $ certbot certonly -w /var/www/html -d monitor.plslogistics.com --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)

Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Simulating a certificate request for monitor.plslogistics.com
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

Trial #2)

root@monitor.plslogistics.com /etc/httpd/conf $ certbot certonly -w /var/www/html -d monitor.plslogistics.com --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)

Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 2
Simulating a certificate request for monitor.plslogistics.com

Could not bind TCP port 80 because it is already in use by another process on
this system (such as a web server). Please stop the program in question and then
try again.


You omitted --webroot from my example

Try adding it on the command or choose option 3 for webroot when it prompts

Just wondering - why did you try Apache authenticator? You seem to be running an nginx derivative based on this:

curl -I monitor.plslogistics.com
HTTP/1.1 301 Moved Permanently
Server: openresty
Date: Tue, 28 Sep 2021 20:20:06 GMT
Content-Type: text/html
Content-Length: 166
Connection: keep-alive
Location: https://monitor.plslogistics.com/

This is the same response as when I try your company's www.plslogistics.com domain.

Do you actually have an Apache server? If so, that is a much different situation than seems configured so far.


No, it's Nagios.

I tried all three because this process makes no sense to me.

So I'm trying to understand what's going on.

I appreciate your help also, I really do.

I couldn't make heads or tails of this process.

So it's just a nagios server internally.

Once I figure that out , I'll expand it elsewhere.

Thanks


I use -w instead of webroot

root@monitor.plslogistics.com ~ $ cd /var/www/html
root@monitor.plslogistics.com /var/www/html $ ll
total 4
-rwxr-xr-x. 1 root root 3008 Nov 13 2018 index.php
root@monitor.plslogistics.com /var/www/html $ certbot certonly --webroot /var/www/html -d monitor.plslogistics.com --dry-run
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: /var/www/html
root@monitor.plslogistics.com /var/www/html $

You keep omitting part of what's required.
You need both:
--webroot
-w

Try:
certbot certonly --webroot -w /var/www/html -d monitor.plslogistics.com --dry-run


This part makes no sense either

${webroot-path}/.well-known/acme-challenge

What is well-known challenge?

What is / . ?

I don’t know what this is

It doesn't have to make sense - like a microwave oven, just push the button and get your hot food in a minute.

Where did you read that?
What does it have to do with whatever instructions you are following?

I tried that; it doesn't work.

root@monitor.plslogistics.com /var/www/html $ certbot certonly --webroot /var/www/html -d monitor.plslogistics.com --dry-run
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: /var/www/html
root@monitor.plslogistics.com /var/www/html $

The second command:

root@monitor.plslogistics.com /var/www/html $ certbot certonly --webroot -w /var/www/html -d monitor.plslogistics.com --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating a certificate request for monitor.plslogistics.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: monitor.plslogistics.com
Type: unauthorized
Detail: The key authorization file from the server did not match this challenge "zwUE2tWTt14P5OupIStBy0Ub1p8OAFM2nePIfr6EqHw.P4UFgXfjBr0N4eoPjwEd_YbkxlzVxxQeBmhCuj3GRXc" != ""

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
root@monitor.plslogistics.com /var/www/html $

Am I supposed to create a key pair?

No; like the microwave example, certbot should do it all and get the cert for you.
But it does need some of your help.
Where did you get /var/www/html from?

On reread, it seems this problem may be better handled within the Nagios support forum:
https://support.nagios.com/forum/

This link might help: NRPE - v3 Enhanced Security (nagios.com)

[I can't be sure as I don't use anything Nagios]


It's the document root; index.php lives there.

OK, if I used industry-standard services like nginx, straight-up Apache, or standard Tomcat, there are built-in hooks for common products.

Yes, and if the nagios would actually serve content from that --webroot, that should also work (but it hasn't).

To prove/disprove this...
You can create the expected challenge path and file as follows and then try to retrieve the file from the Internet.


# create both directory levels, then put the test file inside acme-challenge (not one level up)
mkdir -p /var/www/html/.well-known/acme-challenge
echo "test challenge file" > /var/www/html/.well-known/acme-challenge/Test-File-1234


then try:
http://monitor.plslogistics.com/.well-known/acme-challenge/Test-File-1234

[don't alter anything (don't change it to .htm(l) or .txt) - everything is the way it is for a reason]
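The same prove/disprove step, as an added example that is not part of anyone's post in this thread: it creates .well-known/acme-challenge/<file> under a throwaway webroot, serves that webroot with Python's built-in http.server on a loopback port (so it runs offline; against the real host you would fetch http://monitor.plslogistics.com/... instead, over port 80 from outside your network, since that is where the CA fetches from), and then fetches both the correct URL and the wrong one with acme-challenge/ left out of the path, which is what the CA sees when the file lands one directory too high. The file name and contents are the sample ones from the post above.

```python
"""Does this webroot really serve /.well-known/acme-challenge/<file>?

Added example, not from the thread and not Certbot code. It serves a temporary
webroot on 127.0.0.1 with the standard-library http.server so the check runs
offline; swap the base URL for http://<your domain> to test a real server.
"""
import functools
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request

TOKEN = "Test-File-1234"           # sample file name used in the thread
CONTENT = "test challenge file\n"   # what echo writes, trailing newline included


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static file handler that does not log every request to stderr."""

    def log_message(self, *args):
        pass


def place_challenge(webroot: str, token: str, content: str) -> str:
    """Create <webroot>/.well-known/acme-challenge/<token> and return its path."""
    directory = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)
    return path


def serve(webroot: str):
    """Start serving webroot on an ephemeral loopback port; return (server, base_url)."""
    handler = functools.partial(QuietHandler, directory=webroot)
    httpd = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, f"http://127.0.0.1:{httpd.server_address[1]}"


def fetch(url: str):
    """GET url and return (status, body); HTTP errors such as 404 are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe(webroot: str, token: str, content: str) -> dict:
    """Place the file, serve the webroot, fetch the right URL and the common wrong one."""
    place_challenge(webroot, token, content)
    httpd, base = serve(webroot)
    try:
        status, body = fetch(f"{base}/.well-known/acme-challenge/{token}")
        # Leaving acme-challenge/ out of the path: the CA would get a 404 here.
        wrong_status, _ = fetch(f"{base}/.well-known/{token}")
    finally:
        httpd.shutdown()
        httpd.server_close()
    return {
        "status": status,
        "matches": body.decode("utf-8", "replace").rstrip() == content.rstrip(),
        "wrong_dir_status": wrong_status,
    }


def run_demo() -> dict:
    """Run probe() against a throwaway webroot and return its findings."""
    with tempfile.TemporaryDirectory() as root:
        return probe(root, TOKEN, CONTENT)


if __name__ == "__main__":
    print(run_demo())
```

If the loopback run passes but the same fetch against your public hostname does not, the file layout is fine and the problem is in front of it: the openresty/nginx config (a location block or the 301 to HTTPS swallowing the request), a firewall, or DNS not pointing at this box.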