Trying to generate a cert for a website on another server, Failed authorization

Hi. I’m trying to create an SSL certificate on a server (which is not the server the HTTP website is currently running on).

I’ve added A records pointing to the new server (where I will host the HTTPS version).

My domain is:

I ran this command:

sudo certbot --apache -d queirozf.com -d www.queirozf.com

(I ran this on another machine, the one I want to create the certificate on.)

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for queirozf.com
http-01 challenge for www.queirozf.com
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.queirozf.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.queirozf.com/.well-known/acme-challenge/8q7GE1QopyIvJPgL_beT0LMLTb20K85WxnKwmlUWBI0 [23.21.129.78]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", queirozf.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://queirozf.com/.well-known/acme-challenge/x-FOjuFBEdDQ-IHQXsV0JlCrm6Hg70fBJmiWJcu5kuk [23.21.129.78]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.queirozf.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.queirozf.com/.well-known/acme-challenge/8q7GE1QopyIvJPgL_beT0LMLTb20K85WxnKwmlUWBI0
   [23.21.129.78]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   Domain: queirozf.com
   Type:   unauthorized
   Detail: Invalid response from
   http://queirozf.com/.well-known/acme-challenge/x-FOjuFBEdDQ-IHQXsV0JlCrm6Hg70fBJmiWJcu5kuk
   [23.21.129.78]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):

Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version):

Ubuntu 18.04.4 LTS

My hosting provider, if applicable, is:

Godaddy

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

0.31.0

Questions:

  • I don’t understand these .well-known/acme-challenge/ files. Should I create them manually in the current (non-SSL) website? What should be in them?

  • My website ROOT (in the old server) is not /var/www/html, but a different folder. Does that change anything?

The only way to do that would be with DNS authentication.

If what you are trying to do was possible, anyone could get a cert for any domain.


But I’ve made the A DNS records point to the new server’s IP address. Only the owner could have done that.

Hi @queirozfcom

is this (via https://check-your-website.server-daten.de/?q=queirozf.com )

Host: queirozf.com
Type: A
IP-Address: 23.21.129.78 (Ashburn/Virginia/United States (US) - Amazon.com, Inc.; Hostname: ec2-23-21-129-78.compute-1.amazonaws.com)
is auth.: yes
∑ Queries: 2
∑ Timeout: 0

Type: AAAA (no record)
is auth.: yes

your new IP address? The one where you run certbot?

If yes, the main things are OK. Port 80 is open and answers with the expected result, HTTP status 404 - Not Found.

So Certbot doesn’t understand your config.

What does this say:

apachectl -S
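A pre-flight version of the check the reply above is walking through (resolve each name, confirm it points at the host running certbot, then fetch a token from the webroot over plain HTTP the way the ACME server would), as an added example written for this thread; it is not part of certbot or of anything the posters ran. The new-host address 203.0.113.10, the fake DNS table and the run_example helper are constructed for illustration; the only real values are the two hostnames and the old EC2 address 23.21.129.78 from the error output.

```python
import os
import secrets
import shutil
import socket
import tempfile
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def resolve_addresses(name):
    """All A/AAAA addresses the system resolver returns for name."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def fetch_http(url, timeout=10):
    """GET url over plain HTTP (redirects are followed, as the ACME server does)
    and return (status, first 200 bytes of the body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(200).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(200).decode("utf-8", "replace")


def check_http01(names, my_ips, webroot, resolve=resolve_addresses, fetch=fetch_http):
    """Diagnose why an http-01 challenge for each name would fail on this host.

    my_ips:  public addresses of the host running certbot
    webroot: the DocumentRoot Apache serves for these names
    resolve/fetch are injectable so the logic can be exercised with fakes.
    """
    token = secrets.token_urlsafe(32)          # stand-in for the ACME token
    expected = "preflight-" + token
    chal_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(chal_dir, exist_ok=True)
    token_path = os.path.join(chal_dir, token)
    with open(token_path, "w") as fh:
        fh.write(expected)
    report = {}
    try:
        for name in names:
            addrs = resolve(name)
            if not addrs:
                report[name] = "no A/AAAA record"
                continue
            elsewhere = addrs - set(my_ips)
            if elsewhere:
                # The thread's actual cause: a record still points at the old host,
                # so Let's Encrypt talks to a server that has no token file (404).
                report[name] = "DNS points elsewhere: " + ", ".join(sorted(elsewhere))
                continue
            status, body = fetch("http://" + name + ACME_PATH + token)
            if status != 200 or body.strip() != expected:
                # DNS is right but Apache does not serve this webroot for that
                # name (wrong VirtualHost / DocumentRoot; compare with apachectl -S).
                report[name] = "HTTP %s at %s: token not served from %s" % (status, name, webroot)
                continue
            report[name] = "OK"
    finally:
        os.remove(token_path)
    return report


def run_example():
    """Replay the thread with constructed data: www already points at the new
    host, but the apex (@) record still points at the old EC2 address
    23.21.129.78. 203.0.113.10 is a documentation-range placeholder for the new
    host, not the poster's real address."""
    new_ip, old_ip = "203.0.113.10", "23.21.129.78"
    fake_dns = {"queirozf.com": {old_ip}, "www.queirozf.com": {new_ip}}
    webroot = tempfile.mkdtemp()

    def fake_fetch(url):
        # Serve the token out of the local webroot, as Apache on the new host would.
        path = os.path.join(webroot, url.split("/", 3)[3])
        try:
            with open(path) as fh:
                return 200, fh.read()
        except FileNotFoundError:
            return 404, "<h1>Not Found</h1>"

    try:
        return check_http01(list(fake_dns), {new_ip}, webroot,
                            resolve=lambda n: fake_dns.get(n, set()), fetch=fake_fetch)
    finally:
        shutil.rmtree(webroot)


if __name__ == "__main__":
    for host, verdict in run_example().items():
        print(host, "->", verdict)
```

To use it for real, run it on the new host as a user that can write under the DocumentRoot that apachectl -S reports for these names, pass that directory as webroot and the host's public address(es) as my_ips, and call check_http01 with the default resolver and fetcher. A "DNS points elsewhere" verdict for the apex is exactly what the @ record pointing at the old server would have produced here.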

I think I fixed it… the @ A record was pointing to the old server. I’m now running both versions (HTTP and HTTPS) side by side and I’ll compare them for a while.

Thanks for helping =)
