Thanks
I get a zero-byte file.
-rw-r--r-- 1 root root 0 Sep 28 22:06 Test-File-1234
root@monitor.plslogistics.com /var/www/html $ http://monitor.plslogistics.com/.well-known/acme-challenge/Test-File-1234
-bash: http://monitor.plslogistics.com/.well-known/acme-challenge/Test-File-1234: No such file or directory
root@monitor.plslogistics.com /var/www/html $
More specifically –
mkdir: cannot create directory ‘/var/www/html/.well-known’: File exists
root@monitor.plslogistics.com /var/www/html $ mkdir /var/www/html/.well-known/acme-challenge
mkdir: cannot create directory ‘/var/www/html/.well-known/acme-challenge’: File exists
root@monitor.plslogistics.com /var/www/html $ echo "test challenge file" > /var/www/html/.well-known/Test-File-1234
root@monitor.plslogistics.com /var/www/html $ cat /var/www/html/.well-known/Test-File-1234
test challenge file
root@monitor.plslogistics.com /var/www/html $ http://monitor.plslogistics.com/.well-known/acme-challenge/Test-File-1234
-bash: http://monitor.plslogistics.com/.well-known/acme-challenge/Test-File-1234: No such file or directory
root@monitor.plslogistics.com /var/www/html $
root@monitor.plslogistics.com /var/www/html/.well-known/acme-challenge $ cat /var/www/html/.well-known/acme-challenge/Test-File-1234
test challenge file
root@monitor.plslogistics.com /var/www/html/.well-known/acme-challenge $ http://monitor.plslogistics.com/.well-known/acme-challenge/Test-File-1234
-bash: http://monitor.plslogistics.com/.well-known/Test-File-1234: No such file or directory
root@monitor.plslogistics.com /var/www/html/.well-known/acme-challenge $
Please "execute" that in a browser - and from a computer on the Internet (not from your internal server nor network).
http://monitor.plslogistics.com/.well-known/Test-File-1234
I think this is the problem in the logs –
certbot.errors.AuthorizationError: Some challenges have failed.
root@monitor.plslogistics.com /tmp $ cat /var/log/letsencrypt/letsencrypt.log | grep failed
2021-09-28 19:56:33,235:INFO:certbot._internal.auth_handler:Challenge failed for domain monitor.plslogistics.com
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2021-09-28 19:56:33,237:ERROR:certbot._internal.log:Some challenges have failed.
Stop testing (trying to get a cert) until you can reach the test file in a browser.
I know LE fails.
The tests on the test file fail.
curl -Iki http://monitor.plslogistics.com/.well-known/Test-File-1234
HTTP/1.1 301 Moved Permanently
Location: https://monitor.plslogistics.com/.well-known/Test-File-1234
curl -Iki https://monitor.plslogistics.com/.well-known/Test-File-1234
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
Yes it does work once I added the host to DNS
Are you asking me to run those curl commands?
I can reach the test file with a browser.
It appears to drop some key on the server to test its validity.
The download of that key may be blocked is my concern.
No.
It was to show how it fails from where I am.
I still can't
No, it's only internal monitoring. It's not supposed to be public.
Hi @ccheltenham
In order for you to get a certificate from Let's Encrypt, the Let's Encrypt CA will need to confirm that you really control the server for which you request a certificate. (A publicly-trusted certificate can only be issued when your control of that server has been independently verified by a certificate authority.)
Most often, this is done by having Let's Encrypt make incoming connections to your server over the Internet.
If it's deliberately not possible for others to connect to your web server from the Internet at all, then none of the methods you're using with Certbot would be expected to work, because they all rely on this.
Your other option would be the DNS challenge type, which is usually more difficult because it requires integration with your DNS servers.
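The verification step described in the answer above (the CA fetching a file under /.well-known/acme-challenge/ over the Internet, or reading a DNS TXT record for the DNS-01 alternative), as an added worked example that is not part of this thread and is not certbot's own code. It computes the HTTP-01 key authorization and the DNS-01 TXT value from a JWK and a token following RFC 8555 and RFC 7638, and simulates the CA's fetch against a webroot so the mistake earlier in this thread (the test file placed in .well-known/ rather than .well-known/acme-challenge/) shows up as a failed challenge. The JWK, the token, the webroot contents and the `webroot_lookup` stand-in for the CA's real HTTP fetch are all constructed for the example.

```python
"""ACME HTTP-01 / DNS-01 challenge responses (RFC 8555, RFC 7638).

Added example; not code from the original thread and not certbot's code.
The JWK, token and webroot below are constructed dummies.
"""
import base64
import hashlib
import json

ACME_CHALLENGE_DIR = ".well-known/acme-challenge"

# Constructed dummy account key in JWK form (not a real RSA modulus).
DUMMY_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-dummy-modulus-not-a-real-key"}
# Constructed token, named after the thread's test file. Real ACME tokens are
# random base64url strings chosen by the CA.
TOKEN = "Test-File-1234"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required members, in
    lexicographic order, serialised with no whitespace. Extra members such
    as 'alg' or 'kid' do not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Exact body the CA expects at http://<domain>/.well-known/acme-challenge/<token>.
    Certbot's webroot plugin writes this string into that file for you."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """Value of the _acme-challenge.<domain> TXT record for DNS-01: base64url of
    the SHA-256 of the key authorization (the key itself never appears in DNS)."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def webroot_lookup(webroot: dict, token: str):
    """Stand-in for the CA's HTTP fetch: the webroot is modelled as a dict of
    {path relative to the document root: bytes}. Returns None on a 404."""
    return webroot.get(f"{ACME_CHALLENGE_DIR}/{token}")


def http01_passes(served_body, token: str, jwk: dict) -> bool:
    """The challenge passes only if the body fetched from the Internet equals
    the key authorization; RFC 8555 lets the CA ignore trailing whitespace."""
    if served_body is None:
        return False
    body = served_body.decode("ascii", errors="replace").rstrip()
    return body == key_authorization(token, jwk)


def demo() -> dict:
    """Run both challenge computations plus a right-place / wrong-place fetch."""
    keyauth = key_authorization(TOKEN, DUMMY_JWK).encode("ascii")
    right_place = {f"{ACME_CHALLENGE_DIR}/{TOKEN}": keyauth}
    # The thread's mistake: file written one directory too high.
    wrong_place = {f".well-known/{TOKEN}": keyauth}
    return {
        "key_authorization": keyauth.decode("ascii"),
        "dns01_txt": dns01_txt_value(TOKEN, DUMMY_JWK),
        "right_place_passes": http01_passes(webroot_lookup(right_place, TOKEN), TOKEN, DUMMY_JWK),
        "wrong_place_passes": http01_passes(webroot_lookup(wrong_place, TOKEN), TOKEN, DUMMY_JWK),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things the thread's manual test could not show: the body the CA checks is the token plus the account-key thumbprint, so a hand-written "test challenge file" would fail even at the right path, and the fetch has to succeed from the public Internet, which no local `cat` or internal `curl` can prove.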
Yes, thanks, I realize that now. I am trying from an internal IP address 10.x.x.x which is not routable to the outside.
Thanks again, I think I get it now.