The challenges run without first telling me what they'll be

My domain is: rev79.app

I ran this command:
sudo certbot certonly --expand -d rev79.app,api.rev79.app,sandbox-api.rev79.app,sandbox.rev79.app

I selected to authenticate with this method:
Place files in webroot directory (webroot)

I used / for each web root

It produced this output:
Waiting for verification... Cleaning up challenges Failed authorization procedure. api.rev79.app (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://api.rev79.app/.well-known/acme-challenge/POrPHKURd6RUx2J1ie5NiB67r0oDvKY5cgmEka9QEJY [34.96.111.93]: 404, sandbox.rev79.app (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://sandbox.rev79.app/.well-known/acme-challenge/8_Sqnz-U7Q6abK6jfsWz_LY25ShV1ykXZAAQ8Bv3a-E [34.96.111.93]: 404, sandbox-api.rev79.app (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://sandbox-api.rev79.app/.well-known/acme-challenge/DOWNAFSELbAbgzjOJ4OxxHs0krFnAAh7Sq3v-iKKun4 [34.96.111.93]: 404

My web server is Google cloud running Kubernetes
I know that there’s a path through because I set up a test method at the backend and when I browse to
http://rev79.app/ping
I get back
hello world

I can login to a root shell on my machine

The version of my client is certbot 0.23.0

The issue is that certbot didn’t tell me what it was going to look for before trying to look for it on my server, so I didn’t have a chance to set it up.

I also tried with --duplicate instead of --expand and the same thing happened

Hi @toby-1-kenobi

use

sudo certbot certonly --expand -d rev79.app,api.rev79.app,sandbox-api.rev79.app,sandbox.rev79.app -a webroot -w pathToYourWebroot

to have a complete command.

Before, create the two subdirectories

pathToYourWebroot/.well-known/acme-challenge

and put a test file there (file name 1234), then try to load that file via

http://api.rev79.app/.well-known/acme-challenge/1234

Your main configuration looks ok ( https://check-your-website.server-daten.de/?q=api.rev79.app ):

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://api.rev79.app/ (34.96.111.93) | 200 | | 0.410 | H |
| https://api.rev79.app/ (34.96.111.93) | 200 | | 0.870 | N |
| Certificate error: RemoteCertificateNameMismatch | | | | |
| http://api.rev79.app/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (34.96.111.93) | 404 | | 0.397 | A |
| Not Found | | | | |

Port 80 is open, and checking a non-existent file in /.well-known/acme-challenge gives the expected answer, http status 404 - Not Found.

So --webroot should work.

PS: Your Certbot is very old.


Oh ... I've just realised that it's probably expecting me to run certbot from the actual web server - so it can create the challenge files itself!

If that's the case that really should be made a lot clearer - I've spent a lot of time on this and I didn't get that info from anywhere, let alone from the tool itself.

I didn't know I had an old one. I installed from the Ubuntu repositories last week.
I'm running Ubuntu 18.04.2

If I can't run certbot from my server, how can I expand my certificate?

You can create a redirect from port 80 + yourserver/.well-known/acme-challenge/all-files -> anotherServer and run certbot on that other server.

The redirect must use port 80 or 443.

If this isn't possible, you can't use http-01 validation.

Check

to see if you can use dns-01 - or tls-alpn-01 - validation.

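The two replies above describe a pre-flight test for http-01 (put a file under `webroot/.well-known/acme-challenge/` and fetch it over port 80) and the rule that any redirect must land on port 80 or 443. The script below is an added example that is not code from the thread or from certbot: it places a random token the way certbot's webroot plugin does, fetches it the way the ACME validator does, and also reproduces the 404 seen in the original post when the file lands in a directory the web server does not serve. The local server, the temporary webroot directories and the `redirect_target_is_valid` helper are assumptions for this demo; against a real host you would call `check_challenge_url("http://api.rev79.app", token, body)`.

```python
"""Pre-flight check for Let's Encrypt http-01 webroot validation.

Added example, not from the thread or from certbot. It mimics what the ACME
validator does: GET http://<domain>/.well-known/acme-challenge/<token> and
compare the body with what was written to the webroot.
"""
import functools
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.parse
import urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def place_token(webroot: str) -> tuple:
    """Write webroot/.well-known/acme-challenge/<token> with a random body,
    the same layout certbot's webroot plugin creates during validation."""
    token = secrets.token_urlsafe(32)
    body = secrets.token_urlsafe(32)
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, token), "w", encoding="utf-8") as fh:
        fh.write(body)
    return token, body


def check_challenge_url(base_url: str, token: str, expected: str) -> dict:
    """Fetch the token URL like the validator would. Returns the HTTP status,
    whether the body matched, and the URL the request finally landed on
    (urllib follows redirects, so final_url shows where a redirect went)."""
    url = base_url.rstrip("/") + "/.well-known/acme-challenge/" + token
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
            return {"url": url, "status": resp.status, "ok": body == expected,
                    "final_url": resp.geturl()}
    except urllib.error.HTTPError as exc:
        # 404 here is exactly the "Invalid response ... 404" certbot reported.
        return {"url": url, "status": exc.code, "ok": False, "final_url": url}


def redirect_target_is_valid(location: str) -> bool:
    """Assumed helper: a Location header is acceptable for http-01 only if it
    points at http/https on port 80 or 443, as the reply above states."""
    parsed = urllib.parse.urlsplit(location)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    port = parsed.port or (80 if parsed.scheme == "http" else 443)
    return port in (80, 443)


def serve_webroot(webroot: str):
    """Demo helper: throwaway HTTP server on an ephemeral localhost port that
    serves `webroot`. A real check targets the public hostname on port 80."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler,
                                directory=webroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def demo() -> dict:
    """Run the check twice: token placed in the served webroot (what the
    reply recommends) and token placed in a directory the server never
    serves (the situation in the thread, where '/' on the wrong machine
    was used as webroot)."""
    with tempfile.TemporaryDirectory() as served, \
            tempfile.TemporaryDirectory() as elsewhere:
        srv, base = serve_webroot(served)
        try:
            token, body = place_token(served)
            right = check_challenge_url(base, token, body)
            token2, body2 = place_token(elsewhere)
            wrong = check_challenge_url(base, token2, body2)
        finally:
            srv.shutdown()
            srv.server_close()
    return {"right": right, "wrong": wrong}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

If `check_challenge_url` reports 404, the directory you pass to `-w` is not the one the server answering port 80 actually serves, which is the failure in the original post; if `final_url` differs from `url`, a redirect is in play and `redirect_target_is_valid` tells you whether its port is one http-01 accepts.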

If you want it to behave as you seem to be expecting, use the --manual option. But ordinarily, yes, certbot expects to run on whatever server you're seeking a cert for.
