My domain is: rev79.app
I ran this command:
sudo certbot certonly --expand -d rev79.app,api.rev79.app,sandbox-api.rev79.app,sandbox.rev79.app
I selected to authenticate with this method:
Place files in webroot directory (webroot)
/ for each web root
It produced this output:
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. api.rev79.app (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://api.rev79.app/.well-known/acme-challenge/POrPHKURd6RUx2J1ie5NiB67r0oDvKY5cgmEka9QEJY [184.108.40.206]: 404, sandbox.rev79.app (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://sandbox.rev79.app/.well-known/acme-challenge/8_Sqnz-U7Q6abK6jfsWz_LY25ShV1ykXZAAQ8Bv3a-E [220.127.116.11]: 404, sandbox-api.rev79.app (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://sandbox-api.rev79.app/.well-known/acme-challenge/DOWNAFSELbAbgzjOJ4OxxHs0krFnAAh7Sq3v-iKKun4 [18.104.22.168]: 404
My web server is Google cloud running Kubernetes
I know that there’s a path through because I set up a test method at the backend and when I browse to
I get back
I can login to a root shell on my machine
The version of my client is certbot 0.23.0
The issue is that certbot didn’t tell me what it was going to look for before trying to look for it on my server, so I didn’t have a chance to set it up.
I also tried with --duplicate instead of --expand and the same thing happened.
sudo certbot certonly --expand -d rev79.app,api.rev79.app,sandbox-api.rev79.app,sandbox.rev79.app -a webroot -w pathToYourWebroot
to have a complete command.
Before, create the two subdirectories
there a test file (file name 1234), then try to load that file via
Your main configuration looks ok ( https://check-your-website.server-daten.de/?q=api.rev79.app ):
Port 80 is open; checking a non-existent file in /.well-known/acme-challenge gives the expected answer, HTTP status 404 - Not Found.
So --webroot should work.
PS: Your Certbot is very old.
Oh … I’ve just realised that it’s probably expecting me to run certbot from the actual web server - so it can create the challenge files itself!
If that’s the case that really should be made a lot clearer - I’ve spent a lot of time on this and I didn’t get that info from anywhere, let alone from the tool itself.
I didn’t know I had an old one. I installed from the Ubuntu repositories last week.
I’m running Ubuntu 18.04.2
If I can’t run certbot from my server, how can I expand my certificate?
You can create a redirect from port 80 + yourserver/.well-known/acme-challenge/all-files -> anotherServer and run certbot on that other server.
The redirect must use port 80 or 443.
If this isn’t possible, you can’t use http-01 validation.
to see if you can use dns-01 - or tls-alpn-01 - validation.
If you want it to behave as you seem to be expecting, use the --manual option. But ordinarily, yes, certbot expects to run on whatever server you’re seeking a cert for.
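Added example, not part of the thread: the test-file check suggested earlier, run against a throwaway local HTTP server so it works offline. It shows why the validation returned 404 here: a file written into a webroot on a machine other than the one serving the domain is never seen by the web server. The names `serve`, `probe` and `demo` and the temporary directories are assumptions made for illustration.

```python
import functools, http.server, os, secrets, tempfile, threading
import urllib.error, urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")
# Ignore any proxy settings so the request really goes to the local test server.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def serve(webroot):
    """Start a stand-in web server for `webroot` on a free localhost port."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
    httpd = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd

def probe(webroot, base_url):
    """Write a random test file where the webroot method would put a challenge,
    fetch it over HTTP, and return the status (0 if the body does not match)."""
    name = "preflight-" + secrets.token_hex(8)
    os.makedirs(os.path.join(webroot, CHALLENGE_DIR), exist_ok=True)
    path = os.path.join(webroot, CHALLENGE_DIR, name)
    with open(path, "w") as f:
        f.write(name)
    try:
        url = f"{base_url}/.well-known/acme-challenge/{name}"
        with OPENER.open(url, timeout=5) as resp:
            return resp.status if resp.read().decode() == name else 0
    except urllib.error.HTTPError as err:
        return err.code
    finally:
        os.remove(path)  # leave no test files behind in the webroot

def demo():
    """Return (status when the file is written on the serving machine,
    status when it is written on some other machine's directory)."""
    with tempfile.TemporaryDirectory() as server_root, \
         tempfile.TemporaryDirectory() as workstation_root:
        httpd = serve(server_root)
        base = f"http://127.0.0.1:{httpd.server_address[1]}"
        try:
            return probe(server_root, base), probe(workstation_root, base)
        finally:
            httpd.shutdown()
            httpd.server_close()

if __name__ == "__main__":
    print(demo())
```

Against a real deployment, call `probe` with the directory passed to `-w` and the `http://` URL of each name on the certificate; any result other than 200 means the webroot method will fail for that name.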