Obtaining a new certificate
Performing the following challenges:
http-01 challenge for help.mydomain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. help.mydomain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://help.mydomain.com/.well-known/acme-challenge/oP34Chb4MTpNYQw3NXzB4YcpOOLur2p1BY8HhCt5NDk: "<!doctype html>
<html lang="en" data-direction="ltr">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: help.mydomain.com
Type: unauthorized
Detail: Invalid response from
http://help.mydomain.com/.well-known/acme-challenge/oP34Chb4MTpNYQw3NXzB4YcpOOLur2p1BY8HhCt5NDk:
"<!doctype html>
<html lang="en" data-direction="ltr">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version):
The operating system my web server runs on is (include version): CentOS
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No
It’s looking for .well-known/acme-challenge/oP34Chb4MTpNYQw3NXzB4YcpOOLur2p1BY8HhCt5NDk, which I don’t know if Certbot is supposed to add itself, or whether I need to add it manually? If the latter, how do I know what to put in the content? It tells me part of the HTML but then cuts off.
I’m doing the HTTP verification and would ideally like to use just that.
The nginx plugin to Certbot attempts to parse the nginx configuration, identify the virtual host, temporarily modify the configuration as necessary, and create the validation file and serve the request from the web root.
You can try to hold Certbot's hand a bit if that is failing by using the webroot authenticator and passing the webroot manually:
./certbot-auto -a webroot -i nginx -w /var/www/html -d help.voodoosms.com
Your domain (help.voodoosms.com) appears to point to custom.intercom.help via CNAME. Based on my short research, this is a hosted platform/SaaS, which means it would not resolve to your nginx server.
Do you actually control the server where this domain currently points?
(Off-topic: Wow. That is a massive hack. -1 to Intercom for even suggesting it. I’d suggest following the Cloudfront or Cloudflare route instead).
There are a few things that need to change in order to achieve what you want:
Point the domain at your TLS proxy
First thing, the domain (help.voodoosms.com) needs to point at your nginx server before you do anything. Otherwise you will not be able to issue a certificate. Don’t continue until you’ve done that.
Fix your TLS proxy configuration
Next, your nginx configuration needs to match exactly what appears in the Intercom docs. The following line isn’t going to work because it’s going to be self-referential. So change it:
proxy_pass https://help.voodoosms.com;
needs to be reverted back to:
proxy_pass https://custom.intercom.help;
I think you also need to add
listen 80;
Exclude the Let’s Encrypt validation path and issue the certificate
Add this to the nginx configuration on the TLS proxy:
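The poster's own snippet for this step does not appear on the page; the following is an added example, not the poster's configuration. It shows a port-80 vhost for the TLS proxy that answers /.well-known/acme-challenge/ from the local webroot and relays everything else to custom.intercom.help. It assumes the webroot /var/www/html (the -w path from the earlier reply) and the CentOS CA bundle path for verifying the upstream.

```nginx
# Added example (not the poster's configuration): nginx TLS-proxy vhost on
# port 80. Assumptions: webroot /var/www/html (the -w path from the earlier
# reply) and the CentOS CA bundle path used to verify the upstream.
server {
    listen 80;
    server_name help.voodoosms.com;

    # http-01 exclusion: challenge files are answered from the local webroot.
    # "^~" takes precedence over regex locations, so nothing under this path
    # is ever proxied to the hosted platform (which is what returned the HTML).
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;        # certbot -w /var/www/html writes files here
        default_type text/plain;
        try_files $uri =404;       # a missing token is a 404, not a proxied page
    }

    # Everything else is relayed to the hosted platform, not to this host
    # (the self-referential proxy_pass line quoted above loops back to nginx).
    location / {
        proxy_pass https://custom.intercom.help;   # Host defaults to $proxy_host
        proxy_ssl_server_name on;  # send SNI to the upstream; off by default
        # Verify the upstream certificate instead of relaying blindly.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt;  # assumed CentOS path
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With the domain's A/AAAA record pointing at this server, the webroot command from the earlier reply can validate against this vhost, and the -i nginx installer then adds the port-443 server block with the issued certificate.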