Please help setting up certificates

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: http://humanideas.org

I ran this command: sudo certbot certonly -d humanideas.org --nginx

It produced this output: Requesting a certificate for humanideas.org

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:

Domain: humanideas.org

Type: unauthorized

Detail: 3.33.152.147: Invalid response from http://humanideas.org/.well-known/acme-challenge/XFYV7xqRw40uFFx46poYkUkzG_tcAJI4L-KOurtDwRM: 403

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

[ec2-user@ip-172-31-43-127 ~]$ sudo certbot -v -d humanideas.org --nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator nginx, Installer nginx

Requesting a certificate for humanideas.org

Performing the following challenges:

http-01 challenge for humanideas.org

Waiting for verification...

Challenge failed for domain humanideas.org

http-01 challenge for humanideas.org

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:

Domain: humanideas.org

Type: unauthorized

Detail: 3.33.152.147: Invalid response from http://humanideas.org/.well-known/acme-challenge/nvAJwvwkWVcU2fVjbAo6c8_DR8hq6SWKhkbJQ2LbtZs: 403

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges

Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): awselb/2.0

The operating system my web server runs on is (include version): Amazon Linux 2023

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.10.0

With AWS ELB why not just use the certs from AWS ACM?

Getting a cert for a domain with multiple IP addresses is difficult with the HTTP Challenge. Each of the IP addresses must respond to the challenge with the correct token. But, in your Certbot example Certbot only places the token on one of your servers (the one it runs on).

Even if you could resolve the reason for the 403 error, you would still have the problem of multiple IPs to solve. Or switch to the DNS Challenge. I would first look at ACM unless you can describe more why you need a separate cert from that.

Here is a test challenge just for further info. Note the WAFRule:4 is probably the cause of the 403.

curl -i http://humanideas.org/.well-known/acme-challenge/Test404
HTTP/1.1 403 Forbidden
Server: awselb/2.0
WAFRule: 4
3 Likes
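To check the point made above before re-running Certbot, here is an added pre-flight script (not from the poster or the Certbot project) that resolves every A record of the domain and probes the ACME challenge path on each address with the real Host header, classifying a 403 that carries a WAFRule header separately. It assumes dig and curl are installed; the token it requests is a constructed dummy, so a 404 from the origin is the healthy answer.

```shell
#!/usr/bin/env bash
# HTTP-01 pre-flight for a domain fronted by several IPs (ELB, anycast, ...):
# the CA may pick any of them, so each must reach the origin's challenge path
# without being blocked. Run with ACME_PREFLIGHT_RUN=1 to perform the probes.
set -u

DOMAIN="${ACME_PREFLIGHT_DOMAIN:-humanideas.org}"
TOKEN="preflight-dummy-token"   # constructed; a 404 here means the path is reachable

# All IPv4 addresses the domain currently resolves to (what clients and the CA see).
resolve_a_records() {
  dig +short A "$1" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
}

# Classify a raw HTTP response (status line plus headers) for the challenge path.
# ok        : 404 (unknown token) or 200, the request reached the origin
# blocked-waf: 403 with a WAFRule header, as seen in the thread (awselb/2.0)
# blocked   : 403 without a WAF marker (e.g. nginx deny rule or missing location)
# redirect  : 3xx, fine for the CA only if the target also serves the token
classify_response() {
  local raw="$1" status
  status=$(printf '%s\n' "$raw" | head -n1 | awk '{print $2}')
  case "$status" in
    404|200) echo "ok" ;;
    403)
      if printf '%s\n' "$raw" | grep -qi '^WAFRule:'; then
        echo "blocked-waf"
      else
        echo "blocked"
      fi ;;
    301|302|307|308) echo "redirect" ;;
    *) echo "other:${status:-none}" ;;
  esac
}

# Probe one IP without following redirects, pinning the name to that address
# so the result is exactly what the CA gets when it happens to choose it.
probe_ip() {
  local ip="$1" raw
  raw=$(curl -s -i --max-time 10 --resolve "${DOMAIN}:80:${ip}" \
        "http://${DOMAIN}/.well-known/acme-challenge/${TOKEN}" 2>/dev/null)
  printf '%s %s\n' "$ip" "$(classify_response "$raw")"
}

main() {
  local ip
  for ip in $(resolve_a_records "$DOMAIN"); do
    probe_ip "$ip"
  done
}

if [ "${ACME_PREFLIGHT_RUN:-0}" = "1" ]; then main; fi
```

Any address that reports blocked-waf or blocked will fail validation even when the Certbot host itself is fine, which is the multi-IP problem described above.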

Thank you very much for your help! It is the first time I'm launching a website so I didn't know about ELB or ACM.
About the multiple IPs, I think I only have an IPv4 address that is public (I can't access the web page using IPv6).
I wanted to use certbot because it seems to be the most popular option... but I will see how it goes with AWS ELB/ACM.
Thanks again

1 Like

Your domain's DNS points to the IP for the ELB. These are what clients (like user browsers) connect to:

humanideas.org.	0	IN	A	3.33.152.147
humanideas.org.	0	IN	A	15.197.142.173

The ELB controls your EC2 instances. This is a fairly advanced configuration especially for your first website. There are many AWS docs and videos for configuring this. Here is one provided by Amazon Web Services you may find helpful

2 Likes

Thank you!

3 Likes
