Unauthorised When trying to use Standalone certbot

My domain is:

I ran this command:
sudo certbot certonly --standalone -d greenjames.co.uk -d www.greenjames.co.uk

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for greenjames.co.uk
http-01 challenge for www.greenjames.co.uk
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.greenjames.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.greenjames.co.uk/.well-known/acme-challenge/aZ_CoEN8JGRJixgHFV_1mpka3WMHRzu6pPvfCT9eCYI [184.168.131.241]: "\n\n\n\n greenjames", greenjames.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://greenjames.co.uk/.well-known/acme-challenge/9UxiNBPCrYolnCn1KsRpI3lY-gMq6f1meYcQHQGhav0 [184.168.131.241]: "\n\n\n\n greenjames"

IMPORTANT NOTES:

My web server is (include version):
N/A, using certbot --standalone so it spins up its own server

The operating system my web server runs on is (include version):
(Raspberry pi)
Linux version 5.4.79-v7+ (dom@buildbot) (gcc version 8.4.0 (Ubuntu/Linaro 8.4.0-3ubuntu1)) #1373 SMP Mon Nov 23 13:22:33 GMT 2020

My hosting provider, if applicable, is:
Server running on premise (not a big datacentre just my house with a big do NOT UNPLUG sign)

(I bought my domain name from godaddy)

I can login to a root shell on my machine (yes or no, or I don't know):
Yes I can
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

How the DNS is setup

Godaddy:
Forwarding with masking set up, pointing to the URL greenjames.ddns.net

noIP:
greenjames.ddns.net points to $MyhomeIP:80

Home Router: set up to forward port 80 to the pi

To test the domain name setup I hosted an apache server on the pi on port 80, then went to greenjames.co.uk and confirmed I can access the site.

2 Likes

Domain masking isn't compatible with this method of obtaining a certificate.

This is because the domain still points at GoDaddy's servers and uses some browser tricks (frames) to make your site appear. Let's Encrypt doesn't understand these browser-level tricks. For the same reason, you wouldn't be able to use an SSL certificate either, since it'd have to be installed on GoDaddy's servers rather than on your Pi.

You need to remove the domain masking and instead point the domain directly at your internet connection, using a DNS (A, CNAME) record.

You might run into some trouble if you want to continue using the ddns.net domain though, since it is not possible to put a CNAME directly on the bare domain (greenjames.co.uk). Instead, I recommend doing away with the ddns.net domain entirely, and instead setting DDNS up on greenjames.co.uk directly, using the GoDaddy API. Something like this should do the job, but there seem to be a lot of solutions around if you just search for "godaddy ddns".

Finally, --standalone is for when you have no webserver. If you have a webserver running when Certbot runs, you should use --apache or --webroot or whatever is suitable for you.

3 Likes
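A small pre-flight script, added here as an example (not certbot's own code nor anything from the thread), that parses the "Failed authorization procedure" line from the original post and flags the symptom described in this reply: the challenge URL is answered by a third-party IP with an HTML frame page instead of the bare key authorization. The home IP 203.0.113.10 is a placeholder; the tokens and the responding IP come from the post.

```python
"""Pre-flight for http-01 failures caused by domain forwarding/masking (added example)."""
import re
import socket
import urllib.request

# Constructed from the failure line in the original post (tokens and IP as printed there).
SAMPLE_LINE = (
    'Failed authorization procedure. www.greenjames.co.uk (http-01): '
    'urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: '
    'Invalid response from http://www.greenjames.co.uk/.well-known/acme-challenge/'
    'aZ_CoEN8JGRJixgHFV_1mpka3WMHRzu6pPvfCT9eCYI [184.168.131.241]: "\\n\\n\\n\\n greenjames", '
    'greenjames.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: '
    'The client lacks sufficient authorization :: Invalid response from '
    'http://greenjames.co.uk/.well-known/acme-challenge/'
    '9UxiNBPCrYolnCn1KsRpI3lY-gMq6f1meYcQHQGhav0 [184.168.131.241]: "\\n\\n\\n\\n greenjames"'
)

# One match per failed name: domain, error type, challenge URL, responding IP, body excerpt.
_ENTRY = re.compile(
    r'(?P<domain>[\w.-]+) \(http-01\): (?P<error>\S+) :: [^:]+ :: '
    r'Invalid response from (?P<url>\S+) \[(?P<ip>[\d.]+)\]: "(?P<body>[^"]*)"'
)

def parse_failed_auth(line):
    """Return one dict per failed name found in a certbot failure line."""
    return [m.groupdict() for m in _ENTRY.finditer(line)]

def token_from_url(url):
    """The challenge token is the last path component of the challenge URL."""
    return url.rsplit("/", 1)[-1]

def classify_body(body, token):
    """'ok' if the body is the key authorization (token.thumbprint), 'masking' if it looks
    like an HTML page (leading whitespace or tags, as a frame page returns), else 'unexpected'."""
    raw = body.replace("\\n", "\n")          # certbot prints newlines escaped in its log line
    if raw.startswith(token + "."):
        return "ok"
    if raw[:1].isspace() or "<" in raw:
        return "masking"
    return "unexpected"

def diagnose(line, expected_ip=None):
    """Classify each failed name and compare the responding IP with your own public IP."""
    return [{
        "domain": e["domain"],
        "responder_ip": e["ip"],
        "ip_matches": None if expected_ip is None else e["ip"] == expected_ip,
        "verdict": classify_body(e["body"], token_from_url(e["url"])),
    } for e in parse_failed_auth(line)]

def live_check(domain, token, timeout=10):
    """Network variant: resolve the name and fetch the challenge path over plain HTTP."""
    ip = socket.gethostbyname(domain)
    with urllib.request.urlopen(f"http://{domain}/.well-known/acme-challenge/{token}",
                                timeout=timeout) as resp:
        body = resp.read(200).decode("utf-8", "replace")
    return {"domain": domain, "resolved_ip": ip, "verdict": classify_body(body, token)}

if __name__ == "__main__":
    for row in diagnose(SAMPLE_LINE, expected_ip="203.0.113.10"):   # placeholder home IP
        print(row)
```

A "masking" verdict together with ip_matches == False is exactly the forwarding case: the name is resolving to the registrar's frame server, not to the Pi.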

Hey thanks for your answer.

The only issue with pointing the GoDaddy domain directly at my home internet connection is I don’t have a static IP address.

The noIP service offers me a free .ddns domain with a client on my pi that updates it when my IP changes.

I did look into writing a custom python script to update the GoDaddy DNS records when my IP address changes, but when I realised the propagation time was 600 seconds I thought that was a bit too long to wait.

What’s the solution to do this with an outward-facing dynamic IP?

2 Likes

If every device in your network uses the same single external IP (from your ISP), then you can use any of those devices to synchronize the DDNS IP.
Which means that opens up the number of clients and DDNS services that you can use.
So just look for one that has a much lower time (if that is critical for you) and use it with whatever client works for you.
At your DNS zone you simply need to CNAME your real name to that DDNS name.

NOTE: You may not be able to CNAME the apex - so hopefully the name you need to use is longer than that.

1 Like

If GoDaddy's minimum TTL of 600 poses a problem for you, you could, for example, delegate your domain to Cloudflare's free DNS hosting. The minimum TTL there is 120s. That "dness" project I linked also supports updating Dynamic DNS for Cloudflare.

In fact, if you did use Cloudflare's DNS hosting, you could take advantage of their "CNAME flattening" feature to set up your DNS records like this:

greenjames.co.uk.        CNAME    greenjames.ddns.net.
www.greenjames.co.uk.    CNAME    greenjames.co.uk.

and it should just work from there, without having to alter your DDNS setup.

Either way, solving this properly probably involves not using GoDaddy's DNS hosting anymore. You don't need to transfer your domain to do this, just point your nameservers elsewhere. If it doesn't work out you can always revert to what you have now, no damage done.

1 Like