Unable to create a certificate using certbot and configure HAproxy to accept encrypted traffic for your subdomain www

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ejmpa.tech

I ran this command: sudo certbot certonly --standalone

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): ejmpa.tech
Requesting a certificate for ejmpa.tech

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: ejmpa.tech
Type: unauthorized
Detail: 100.25.133.51: Invalid response from http://ejmpa.tech/.well-known/acme-challenge/ASR1JNiH7qr-snGPaByDSn6ofrgwjSIxJ_5JleZjOPA: 404

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx latest version (1.18.0-0ubuntu1.4).

The operating system my web server runs on is (include version): ubuntu 20.04 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hi @EJmpa, and welcome to the LE community forum

If you have nginx [as stated],

Why are you using?:

@EJmpa In your setup, the recommended command would usually be something like

sudo certbot --nginx

and not

sudo certbot certonly --standalone

The sudo certbot certonly --standalone command is intended for a very different environment than yours. I imagine @rg305 is concerned that you may be following some kind of tutorial or documentation that doesn't apply to your situation.

In addition to my fellow volunteers above about nginx: how does HAProxy come into play with all that?

The task below led to certificate creation:

Create a certificate using certbot and configure HAproxy to accept encrypted traffic for your subdomain www..

Requirements:

• HAproxy must be listening on port TCP 443
• HAproxy must be accepting SSL traffic
• HAproxy must serve encrypted traffic that will return the / of your web server
• When querying the root of your domain name, the page returned must contain Holberton School
• Share your HAproxy config as an answer file (/etc/haproxy/haproxy.cfg)

Thanks a lot for your contribution. For sake of clarity on my own part, the task below led to certificate creation.

Create a certificate using certbot and configure HAproxy to accept encrypted traffic for your subdomain www..

Requirements:

• HAproxy must be listening on port TCP 443
• HAproxy must be accepting SSL traffic
• HAproxy must serve encrypted traffic that will return the / of your web server
• When querying the root of your domain name, the page returned must contain Holberton School
• Share your HAproxy config as an answer file (/etc/haproxy/haproxy.cfg)

How do you mean, "task"? Like, homework?

Part of a project.

It's possible that in this setup certbot --standalone could be useful, but in that case you should not be running nginx listening on port 80.

I'm not sure if the teacher (?) who proposed this task has a preferred strategy or path to dealing with this or if you can use any option or arrangement. Also if you just need a "demo" solution that would work temporarily but fail to renew the certificate when it expires, or if you need a "sustainable" solution that would in principle continue to work in the future.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.