Sync challenges validation to another server

Can I sync the challenge validation files to another server (using scp or rsync) instead of the validation only being on the server the domain points to?
Server B, which generates the cert, is different from server A, which the domain points to.
server A: xxx.example.com
server B: yyy.example.com

For example: I want to sync the cert from B to A after creating it and before testing.

Maybe that logic is in this file, letsencrypt/certbot/plugins/webroot.py, line 203.

I added this code (logger.info("webroot: %s", validation_path)), and I ran "./letsencrypt-auto certonly --webroot -w /tmp/a/ -m xxx@xxx.com -d xxx.example.com --agree-tos -vvvv".
It does not work.

What should I do? Thanks!

Please help!!

I ran this command: ./letsencrypt-auto certonly --webroot -w /tmp/a/ -m xxx@xxx.com -d xxx.example.com --agree-tos

It produced this output:
"

404 Not Found

404 Not Found


"

My web server is (include version): nginx version: openresty/1.9.7.3

The operating system my web server runs on is (include version): CentOS release 6.5 (Final)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I can think of a couple of options.

You can use a --manual-auth-hook (documented here) to perform the rsync/scp.

You can also redirect requests for challenge resources to an entirely different server and Let’s Encrypt will follow it:

For example,

GET http://xxx.example.com/.well-known/acme-challenge/xx

HTTP/1.1 302 Found
Location: http://yyy.example.com/.well-known/acme-challenge/xx

Whichever is easier/more suitable for you.

Thanks.
Actually, xxx.example.com is bound to a CDN, and the CDN gets source files from OSS on aliyun.com. I can only put the file from that server into OSS. So the second way, setting a 302, is unworkable.

But I tried

./letsencrypt-auto certonly --manual --manual-auth-hook ./authenticator.sh --manual-cleanup-hook ./cleanup.sh -m xxx@xxx.com -d xxx.example.com --agree-tos
[root@haha005 letsencrypt]# cat authenticator.sh cleanup.sh
#!/bin/bash
# authenticator.sh: write the key authorization certbot passes in, then copy it to the host the domain points to
mkdir -p /tmp/a/.well-known/acme-challenge
echo "$CERTBOT_VALIDATION" > "/tmp/a/.well-known/acme-challenge/$CERTBOT_TOKEN"
scp -P10022 "/tmp/a/.well-known/acme-challenge/$CERTBOT_TOKEN" root@xxx.example.com:/opt/nginx/html/acme-challenge/.well-known/acme-challenge/
#!/bin/bash
# cleanup.sh: remove the local copy of the challenge file once validation is done
rm -f "/tmp/a/.well-known/acme-challenge/$CERTBOT_TOKEN"

It works.
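A fuller version of the auth hook above, as an added example that is not part of the thread: it rejects malformed tokens before using them as a file name, pushes the file to the host the domain resolves to, and fetches it over HTTP the way the CA will, so a 404 like the one at the start of the thread is caught before certbot asks Let's Encrypt to validate. CERTBOT_TOKEN, CERTBOT_VALIDATION and CERTBOT_DOMAIN are set by certbot; the WEBROOT, REMOTE and SYNC_CMD defaults are this example's assumptions.

```bash
#!/bin/bash
# Added example (not from the thread): a certbot --manual-auth-hook that writes
# the HTTP-01 challenge file locally, copies it to the server the domain points
# to, and confirms it is served before handing control back to certbot.
# WEBROOT, REMOTE and SYNC_CMD are assumptions of this example; override them
# in the environment that runs certbot.
set -eu

WEBROOT="${WEBROOT:-/tmp/a}"
REMOTE="${REMOTE:-root@xxx.example.com:/opt/nginx/html/acme-challenge}"
SYNC_CMD="${SYNC_CMD:-scp -P10022}"

# Accept only the base64url alphabet ACME uses for tokens, so a malformed
# value can never become a path component such as "../".
valid_token() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Write the key authorization to <webroot>/.well-known/acme-challenge/<token>
# and print the resulting path.
write_challenge() {
  local webroot="$1" token="$2" validation="$3" dir
  valid_token "$token" || { echo "refusing malformed token: $token" >&2; return 1; }
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir"
  printf '%s' "$validation" > "$dir/$token"
  echo "$dir/$token"
}

# Copy the file into the directory nginx serves for /.well-known/acme-challenge/
# on the host the domain actually points to.
push_challenge() {
  $SYNC_CMD "$1" "$REMOTE/.well-known/acme-challenge/"
}

# Fetch the challenge the way the CA will and compare it to what we wrote;
# a 404 or mismatch here means the file is not where the domain is served from.
verify_challenge() {
  local domain="$1" token="$2" validation="$3" served
  served=$(curl -fsS "http://$domain/.well-known/acme-challenge/$token") || return 1
  [ "$served" = "$validation" ]
}

if [ -n "${CERTBOT_TOKEN:-}" ]; then
  file=$(write_challenge "$WEBROOT" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION")
  push_challenge "$file"
  verify_challenge "$CERTBOT_DOMAIN" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION"
fi
```

The cleanup hook can stay as in the post; with the verify step, a failed push or an unreachable file fails the hook, so certbot reports the problem instead of a validation error from the CA.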

Another good tool for this might be the getssl client, which I believe has a remote webroot feature (which does something basically like this). I’m glad you’ve also found a way to get it to work with Certbot.
