Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
My web server is (include version): www.me-n-you.com (Node.js 8.11.1 on AWS)
The operating system my web server runs on is (include version):
Ubuntu 16.04 on AWS
My hosting provider, if applicable, is:
AWS
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): AWS
More Info:
I am using AWS. The DNS is AWS Route 53.
My web application is on www.me-n-you.com. My mail server is on mail.me-n-you.com. They are on different hosts.
It looks like you're running Certbot on your web server rather than on your mail server. But to obtain a certificate for your mail server, you should run Certbot directly on the mail server.
If you plan to always have Apache running on that system (as it currently is), you might want to try certbot --apache instead of certbot --standalone (the letsencrypt program was renamed to certbot two years ago). If you do want to use --standalone, you'll need to stop Apache whenever you obtain or renew the certificate (which can be automated with --pre-hook and --post-hook options), because a running Apache would conflict with --standalone.
A certificate obtained using --apache can still be used by Postfix.
So, your existing letsencrypt command will already support these options, and you might not need to upgrade it (although it may have some bugs or missing functionality compared to later versions). You could try using letsencrypt instead of certbot; I didn’t specifically mean to suggest that you had to upgrade to a new version of the client application.
If you do want to get a current version of Certbot on 16.04, we recommend using the PPA, as described in
Thank you very much.
I have removed letsencrypt since it doesn't have the certbot command,
and I have successfully installed certbot using the PPA.
However, when I tried to get certificates, it still failed.
certbot run --apache -d me-n-you.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for me-n-you.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. me-n-you.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://me-n-you.com/.well-known/acme-challenge/phgbCV47O9CZHLto_5EWuH_JkC0_5NVtEa-RmjSMvXo: "<meta name="viewport" content="width=device-width, initial-scale=1, s"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Same when removing the -d me-n-you.com option: it asked me to enter my domain and failed too.
Sorry, I don’t mean the OS version, I mean what’s the server name? The error you saw is characteristic of running Certbot on a server that doesn’t actually serve the site for which you’re requesting the certificate.
But you’re most recently trying to get a certificate for me-n-you.com, not mail.me-n-you.com. The name me-n-you.com points to a different server, 54.245.151.14, which is presumably a different AWS instance.
In order to get a certificate for me-n-you.com, you should run Certbot on the 54.245.151.14 instance. In order to get a certificate for mail.me-n-you.com, you should run Certbot on the 34.209.16.38 instance. In each case, you would specify the name that the certificate should apply to with the -d option.
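The two points above (earlier: use --pre-hook/--post-hook with --standalone and let Postfix use the result; here: run Certbot only on the instance the name actually resolves to) put together as an added example, not code from this thread or from Certbot's own documentation. It is a POSIX shell script that assumes an EC2 instance (public IPv4 read from the instance metadata service at 169.254.169.254, since the interface itself only carries the private address), dig from dnsutils, and systemd units named apache2 and postfix; served_here, resolve_name, ec2_public_ip and issue_cert are names chosen for this example. The offline demonstration at the bottom uses the two addresses quoted in the thread as constructed input and does not call Certbot.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: EC2 instance (public IPv4 from
# the instance metadata service), dig from dnsutils, systemd units apache2/postfix.

# served_here DNS_IPS LOCAL_IPS
# Return 0 if any address in the space-separated DNS_IPS list also appears in the
# space-separated LOCAL_IPS list, i.e. this host is where the name points.
served_here() {
    dns_ips=$1
    local_ips=$2
    for d in $dns_ips; do
        for l in $local_ips; do
            [ "$d" = "$l" ] && return 0
        done
    done
    return 1
}

# Live lookups (network needed; not used by the offline demonstration below).
# dig +short prints the A records one per line; tr folds them onto one line.
resolve_name() { dig +short A "$1" | tr '\n' ' '; }
# On EC2 the interface carries a private address, so compare DNS against the
# instance's public IPv4 from the metadata service rather than against `ip addr`.
ec2_public_ip() { curl -s http://169.254.169.254/latest/meta-data/public-ipv4; }

# issue_cert FQDN
# Refuse to run Certbot unless FQDN resolves to this instance, then obtain the
# certificate with --standalone. --standalone binds port 80 itself, so Apache is
# stopped before the challenge and started again afterwards; --deploy-hook runs
# only when a new certificate was actually written, so Postfix reloads then.
issue_cert() {
    name=$1
    dns_ips=$(resolve_name "$name")
    my_ip=$(ec2_public_ip)
    if ! served_here "$dns_ips" "$my_ip"; then
        echo "$name resolves to [$dns_ips] but this instance is $my_ip;" \
             "run Certbot on that host instead" >&2
        return 1
    fi
    certbot certonly --standalone -d "$name" \
        --pre-hook "systemctl stop apache2" \
        --post-hook "systemctl start apache2" \
        --deploy-hook "systemctl reload postfix"
}
# Postfix then reads the issued files through /etc/postfix/main.cf:
#   smtpd_tls_cert_file = /etc/letsencrypt/live/mail.me-n-you.com/fullchain.pem
#   smtpd_tls_key_file  = /etc/letsencrypt/live/mail.me-n-you.com/privkey.pem

# Offline demonstration (constructed input): the two addresses quoted in the
# thread, as seen from the mail server 34.209.16.38.
if served_here "54.245.151.14" "34.209.16.38"; then
    echo "me-n-you.com points at this host: run issue_cert me-n-you.com here"
else
    echo "me-n-you.com points elsewhere: run Certbot on that instance"
fi
```

On the mail server you would call `issue_cert mail.me-n-you.com`; on the 54.245.151.14 instance, `issue_cert me-n-you.com`. If you prefer `certbot --apache` because Apache stays up, drop the --pre-hook and --post-hook lines (the Apache plugin answers the challenge through the running server) but keep --deploy-hook so Postfix picks up renewed keys.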
Yes, you are right.
I told you this in my previous post: I have 2 AWS instances.
So the -d option is not for the domain, it is for the server name. Please correct me if I am wrong.
So the correct command I should run is:
certbot run -apache -d mail.me-n-you.com
Sorry, we often use the term “domain name” informally to mean the complete DNS name that will be listed in the certificate. I realize that this isn’t necessarily the most precise use of terminology. (In PKI terminology it might better be described as a “subject name” and in DNS terminology as a “fully-qualified domain name”.)
But indeed, you should run on the mail server itself and provide -d mail.me-n-you.com.
The --apache option is a long option and so following the GNU getopt command line syntax it requires two dashes, --apache rather than -apache.