Obtain cert through ELB


#1

I could not obtain a cert for my EC2 instance (Ubuntu) through ELB. Please help.

I have an EC2 instance running behind an ELB. The CNAME for the ELB is already registered on my DNS server.

> nslookup my.domain.name
Server:         172.31.0.2
Address:        172.31.0.2#53

Non-authoritative answer:
my.domain.name        canonical name = mydomainname-elb-xxx.us-west-2.elb.amazonaws.com
Name:   mydomainname-elb-xxx.us-west-2.elb.amazonaws.com
Address: xx.xx.xx.xx
Name:   mydomainname-elb

I opened 80 and 443 port for the ELB to 0.0.0.0. My EC2 instance opens 80 and 443 port to the ELB.

But when I tried to obtain a cert I got this message.

sudo ./letsencrypt-auto certonly -a standalone -d my.domain.name
Failed authorization procedure. my.domain.name (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested d5d463cd89a21d513279407cada3c1fc.733bc45648ce9a4ee7904ace56a6296c.acme.invalid from xx.xx.xx.xx:443. Received certificate containing 'my.domain.name'

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: my.domain.name
   Type:   unauthorized
   Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
   Requested
   d5d463cd89a21d513279407cada3c1fc.733bc45648ce9a4ee7904ace56a6296c.acme.invalid
   from xx.xx.xx.xx:443. Received certificate containing
   'my.domain.name'

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

#2

TLS-SNI-01 validation, which is what standalone defaults to, only works if you run it on the host that terminates TLS for your domain. If a load balancer like ELB (or a reverse proxy like CloudFlare, etc.) is involved, that’s not the case.

You can use HTTP-01 by appending --standalone-supported-challenges http-01 to your command (or use --webroot if you have an existing web server listening on port 80).
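To make the difference between the two challenge types concrete, here is an added example (not code from the original thread or from the Let's Encrypt client) that walks through the HTTP-01 flow the reply recommends. It computes the key authorization the CA expects (token plus the RFC 7638 thumbprint of the account key), drops it into a webroot the way `--webroot` would, and then fetches it over plain HTTP the way the validator does. Because HTTP-01 is an ordinary port 80 request, an ELB that forwards port 80 to the instance passes it straight through; TLS-SNI-01 instead needed the validator to see a certificate served by the ACME client on port 443, which the ELB's own certificate hides. The JWK, token and local server are constructed stand-ins: the local HTTP server on 127.0.0.1 plays the role of the instance behind the ELB, and the JWK values are not a real key. The token is validated against the base64url alphabet before being used as a file name, since a token that reaches the filesystem untrusted would otherwise be a path traversal vector.

```python
import base64
import functools
import hashlib
import json
import os
import re
import tempfile
import threading
import urllib.request
from http.server import HTTPServer, SimpleHTTPRequestHandler

# ACME tokens are base64url: letters, digits, '-' and '_' only (no dots or slashes).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JWS use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required members, sorted keys."""
    required = ("e", "kty", "n") if jwk["kty"] == "RSA" else ("crv", "kty", "x", "y")
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The exact body the CA expects at /.well-known/acme-challenge/<token>."""
    if not TOKEN_RE.fullmatch(token):
        # Refuse anything that could escape the challenge directory when used as a file name.
        raise ValueError("token is not base64url; refusing to use it as a file name")
    return f"{token}.{jwk_thumbprint(jwk)}"


def write_challenge(webroot: str, token: str, keyauth: str) -> str:
    """Webroot-style provisioning: write the key authorization where the CA will fetch it."""
    chal_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(chal_dir, exist_ok=True)
    path = os.path.join(chal_dir, token)
    with open(path, "w", encoding="ascii") as f:
        f.write(keyauth)
    return path


def validate_http01(base_url: str, token: str, expected: str) -> bool:
    """What the validator does: a plain HTTP GET through whatever fronts the domain."""
    url = f"{base_url}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            body = resp.read().decode("ascii", errors="replace").strip()
    except OSError:  # connection refused, 404, timeout: all count as failed validation
        return False
    return body == expected


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass


def demo() -> dict:
    """Stand-in for 'instance behind an ELB': a local HTTP server serving a temporary webroot."""
    # Constructed JWK, not a real key; only its thumbprint matters here.
    jwk = {"kty": "EC", "crv": "P-256", "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
    token = "constructed_token_AbC123-xyz"  # constructed sample token, base64url alphabet only
    keyauth = key_authorization(token, jwk)
    with tempfile.TemporaryDirectory() as webroot:
        write_challenge(webroot, token, keyauth)
        handler = functools.partial(_QuietHandler, directory=webroot)
        srv = HTTPServer(("127.0.0.1", 0), handler)  # ephemeral port
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{srv.server_address[1]}"
        try:
            valid = validate_http01(base, token, keyauth)            # correct file -> True
            tampered = validate_http01(base, token, keyauth + "x")   # body mismatch -> False
            missing = validate_http01(base, "unknown_token", keyauth)  # 404 -> False
        finally:
            srv.shutdown()
            srv.server_close()
    return {"valid": valid, "tampered": tampered, "missing": missing}


if __name__ == "__main__":
    print(demo())
```

In the real deployment the `base_url` is the public name that resolves to the ELB, and the request must reach the instance on port 80 unredirected to HTTPS (or redirected to an HTTPS endpoint that also serves the path), otherwise the validator gets the same kind of failure the original post shows, just for a different reason.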
