I'm running a grafana server (port 3000) in a private instance. I wish to install the https feature via certbot but I get the following failure message. Do you have some advice to resolve this message please?
I ran this command: sudo certbot certonly --standalone
It produced this output:
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): flumeinternet.com
Requesting a certificate for flumeinternet.com
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: flumeinternet.com
Type: unauthorized
Detail: The key authorization file from the server did not match this challenge "wKx4mJdWIhgnquOxnajs9maJPYf_oBVQ3OctwrMfbVA.uRGGHW-zabCjIlpPXEuVC4257KNh0ThNjbwG4XRUeeQ" != ""
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version):
The operating system my web server runs on is (include version): Debian 10 in an EC2 aws instance
My hosting provider, if applicable, is: AWS
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.26.0
There's an OpenResty webserver answering on port 80. It answers with an HTTP 200 OK status on any request for random files within the /.well-known/acme-challenge/ path. It looks like this is not compatible with your --standalone attempt using Certbot.
Could you perhaps explain more about the infrastructure of your setup? I also saw Varnish somewhere in the headers.
This server is located in an EC2 instance. It's used for grafana. Currently the security group allows internal traffic (on our private subnet) to access grafana port 3000. On the public side, only outside flow is granted. There are no firewall rules on the server.
Only grafana and prometheus have been installed.
Fact: Let's Encrypt requires being able to connect from the internet to port 80 on your host. It needs to download the token present at the /.well-known/acme-challenge/ path. Currently this is not possible.
I also see different DNS for your apex and this grafana domain name. That's OK but it often isn't what people intend so I thought I'd mention it.
Your grafana DNS points to an EC2 instance which does not have port 80 open. Check the EC2 security group. It will also need port 443 open to respond to https requests.
Your apex DNS points to an AWS Global Accelerator. This has ports 80 and 443 open.
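The two conditions the replies above point at (the domain must resolve to this host, and a request for a random token under /.well-known/acme-challenge/ on port 80 must reach certbot's temporary listener rather than some other front-end) can be checked before re-running certbot. The script below is an added example written for this thread; it is not part of the thread, of certbot or of Let's Encrypt. It assumes the domain and the host's public IP are passed on the command line (on EC2 the Elastic IP is not bound to a local interface, so it cannot be read from the interfaces), and the decision logic lives in diagnose() so it can be exercised with constructed observations.

```python
"""Pre-flight check for certbot --standalone (HTTP-01).

Added example, not from the thread or from certbot.  A 200 for a random
token on the ACME path is exactly the situation that yields the
'"<token>.<thumbprint>" != ""' mismatch quoted in the original post: the
CA reached a web server, just not certbot's.
"""
import secrets
import socket
import sys
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def resolve(domain):
    """IPv4 addresses the domain resolves to right now ([] if none)."""
    try:
        return sorted({i[4][0] for i in socket.getaddrinfo(domain, 80, socket.AF_INET)})
    except socket.gaierror:
        return []


def probe_challenge_path(domain, timeout=5.0):
    """GET a random (constructed) token under the ACME path over plain HTTP.

    Returns (status, reason): status is the HTTP code, or None with reason in
    {"refused", "timeout", "error: ..."} when no HTTP answer came back.
    """
    url = f"http://{domain}{ACME_PATH}{secrets.token_urlsafe(32)}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, ""
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, ConnectionRefusedError):
            return None, "refused"
        if isinstance(exc.reason, (socket.timeout, TimeoutError)):
            return None, "timeout"
        return None, f"error: {exc.reason}"
    except (socket.timeout, TimeoutError):
        return None, "timeout"


def diagnose(domain_ips, expected_ips, probe):
    """Turn observations into findings; an empty list means it looks fine.

    domain_ips   : what DNS returned for the domain
    expected_ips : public address(es) of this machine (supplied by the operator)
    probe        : (status, reason) as returned by probe_challenge_path
    """
    status, reason = probe
    findings = []
    if not domain_ips:
        findings.append("dns: domain does not resolve at all")
    elif not set(domain_ips) & set(expected_ips):
        findings.append(f"dns: domain resolves to {domain_ips}, none of which is "
                        f"this host {expected_ips}; the CA will reach another machine")
    if status == 200:
        findings.append("port80: a web server already answers 200 for a random ACME "
                        "token, so the CA never sees certbot's standalone listener "
                        "(use that server's webroot/plugin or stop it for the run)")
    elif status == 404 or reason == "refused":
        pass  # nothing else owns the path; port 80 is free for the standalone run
    elif status is None and reason == "timeout":
        findings.append("port80: no answer on port 80; check the EC2 security group "
                        "(inbound TCP 80 from the internet, and 443 for HTTPS later)")
    elif status is None:
        findings.append(f"port80: probe failed ({reason})")
    else:
        findings.append(f"port80: unexpected status {status} on the ACME path")
    return findings


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} <domain> <public-ip-of-this-host>", file=sys.stderr)
        return 2
    domain, public_ip = argv[1], argv[2]
    findings = diagnose(resolve(domain), [public_ip], probe_challenge_path(domain))
    for line in findings or ["ok: DNS and port 80 look consistent with an HTTP-01 run"]:
        print(line)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a machine outside the VPC where possible (python3 acme_preflight.py flumeinternet.com 203.0.113.10 with your own values); from inside the instance a refused connection only proves the port is free locally, while a timeout seen from the outside is what the security-group finding is about.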