I ran this command: sudo certbot certonly --expand -d rev79.app,api.rev79.app,sandbox-api.rev79.app,sandbox.rev79.app
I selected to authenticate with this method:
Place files in webroot directory (webroot)
I used / for each web root
It produced this output:
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. api.rev79.app (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://api.rev79.app/.well-known/acme-challenge/POrPHKURd6RUx2J1ie5NiB67r0oDvKY5cgmEka9QEJY [34.96.111.93]: 404, sandbox.rev79.app (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://sandbox.rev79.app/.well-known/acme-challenge/8_Sqnz-U7Q6abK6jfsWz_LY25ShV1ykXZAAQ8Bv3a-E [34.96.111.93]: 404, sandbox-api.rev79.app (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://sandbox-api.rev79.app/.well-known/acme-challenge/DOWNAFSELbAbgzjOJ4OxxHs0krFnAAh7Sq3v-iKKun4 [34.96.111.93]: 404
My web server is Google cloud running Kubernetes
I know that there’s a path through because I set up a test method at the backend and when I browse to http://rev79.app/ping
I get back hello world
I can log in to a root shell on my machine
The version of my client is certbot 0.23.0
The issue is that certbot didn’t tell me what it was going to look for before trying to look for it on my server, so I didn’t have a chance to set it up.
Oh ... I've just realised that it's probably expecting me to run certbot from the actual web server - so it can create the challenge files itself!
If that's the case that really should be made a lot clearer - I've spent a lot of time on this and I didn't get that info from anywhere, let alone from the tool itself.
I didn't know I had an old one. I installed from the Ubuntu repositories last week.
I'm running Ubuntu 18.04.2
If I can't run certbot from my server, how can I expand my certificate?
If you want it to behave as you seem to be expecting, use the --manual option. But ordinarily, yes, certbot expects to run on whatever server you're seeking a cert for.
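The 404s in this thread come from the webroot method writing each challenge file to `<webroot>/.well-known/acme-challenge/<token>` on the machine where certbot runs, while the CA fetches that path over HTTP from the host the domain resolves to. The following is an added example, not part of the thread and not certbot's code: a pre-flight probe that writes a random file at that location and fetches it back, run here against a local stand-in server. The function names (`serve`, `probe_webroot`, `demo`) and the temporary directories are assumptions made for illustration.

```python
import functools, http.server, pathlib, secrets, tempfile, threading
import urllib.error, urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"  # path the http-01 validator requests

def serve(docroot):
    """Start a local static server over docroot (stand-in for the real site)."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler,
                                directory=str(docroot))
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def probe_webroot(webroot, base_url):
    """Write a probe file where the webroot plugin would put a challenge,
    fetch it over HTTP, and return the status (-1 if the body differs)."""
    token = "probe-" + secrets.token_urlsafe(16)
    challenge_dir = pathlib.Path(webroot) / CHALLENGE_DIR
    challenge_dir.mkdir(parents=True, exist_ok=True)
    probe = challenge_dir / token
    probe.write_text(token)
    try:
        url = f"{base_url}/{CHALLENGE_DIR}/{token}"
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status if resp.read().decode() == token else -1
    except urllib.error.HTTPError as err:
        return err.code  # 404 here is what the CA would also see
    finally:
        probe.unlink()  # leave no probe file behind

def demo():
    """Probe once with the served docroot, once with an unrelated directory."""
    with tempfile.TemporaryDirectory() as docroot, \
         tempfile.TemporaryDirectory() as elsewhere:
        srv = serve(docroot)
        base = f"http://127.0.0.1:{srv.server_address[1]}"
        try:
            return probe_webroot(docroot, base), probe_webroot(elsewhere, base)
        finally:
            srv.shutdown()
            srv.server_close()

if __name__ == "__main__":
    matching, mismatched = demo()
    print("webroot is the served docroot:", matching)
    print("webroot is some other directory:", mismatched)
```

Against a real deployment, call `probe_webroot` with the actual webroot path and `http://<your-domain>`; anything other than 200 means the directory given to certbot is not what the web server serves for that name.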