Chris Bolton

Reputation: 2314

certbot create certificate on two different ec2 instances

The Problem

I have two EC2 instances running. One EC2 instance is currently hosting my website https://thechrisbolton.com which you can see has a valid letsencrypt certificate. I want to create a certificate on my second EC2 instance where I will deploy my application. Once my application is deployed on the second EC2 instance, I am going to destroy the first one. However, I cannot get a certificate created on the second EC2 instance.

The Error

- The following errors were reported by the server:

   Domain: thechrisbolton.com
   Type:   unauthorized
   Detail: Invalid response from
   https://thechrisbolton.com/.well-known/acme-challenge/kITr3I__o6eb_WH2cguR200gWnt998DN1s8xamtPIbM
   [3.234.11.212]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx/1.18.0</ce"

   Domain: www.thechrisbolton.com
   Type:   unauthorized
   Detail: Invalid response from
   https://www.thechrisbolton.com/.well-known/acme-challenge/DhzxfraTsUeN3a7bXQhfzS36CTHRzlBUWVAHceDETB8
   [3.234.11.212]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx/1.18.0</ce"

What I've tried

$ certbot certonly --standalone -d thechrisbolton.com -d www.thechrisbolton.com

I have read through the certbot documentation to try and find a way to pull or create an existing certificate. The only thing that looks like it might work is the --duplicate flag. But that states, "Most users will not need to issue this command in normal circumstances," so I feel like I am doing something wrong if I use that.

Upvotes: 0

Views: 902

Answers (1)

Yogeshwar Singh

Reputation: 1425

The reason you cannot get a certificate created on the second EC2 instance is that the domain https://thechrisbolton.com/ is not pointing to the second EC2 instance.

How it works

(I have simplified the process just for the sake of explanation.)

The way certbot works is, it sends a request to "Let's Encrypt" for issuing the certificate for the given domain (which in this case is https://thechrisbolton.com/). In response to that request, "Let's Encrypt" (aka LE) gives certbot a file (aka the challenge) which it needs to put at a location that is accessible via the internet from this URL: http://<requested-domain>/.well-known/acme-challenge/. Certbot does exactly that and puts the file at the location that you give it at the time of running the certbot certonly command (you have used the option --standalone; in that case certbot spins up its own server on port 80 and makes the file available at the location /.well-known/acme-challenge/), then it calls "Let's Encrypt" again saying that the file is ready, give me the certificate. LE then hits this URL to verify whether the file is available at the given location. Only if it finds the file does it issue the certificate. All of this is done to make sure that the person who is asking for the certificate owns the domain he is asking the certificate for.

What is the solution?

If you are using a static IP, then simply point the static IP to the new EC2 instance and move the certificates to the new machine, and it should work.

In case you cannot do that, then update your DNS entry to point to the public IP of the new EC2 instance and run the same certbot command which you are running right now.

Upvotes: 1
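The flow described in the answer above, reduced to a runnable miniature. This is an added example, not code from the question, the answer, certbot or Let's Encrypt: two local "instances" listen on loopback ports, a dictionary stands in for DNS, and a small validator plays the CA's part by fetching the token from whichever instance the name resolves to and comparing the body to the key authorization (token "." base64url(JWK thumbprint), as in RFC 8555/7638). The token, JWK values and the domain name `example.com` are constructed placeholders. With the name still resolving to the old instance the validator sees the same kind of 404 that appears in the question; after repointing the name it succeeds.

```python
"""Miniature ACME HTTP-01 check: old vs. new instance behind one name.

Added example (not from the page). All sample values are constructed.
"""
import base64
import hashlib
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
DOMAIN = "example.com"                 # constructed, stands in for the real domain
TOKEN = "constructed-token-0123456789"  # constructed, not a real ACME token


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def key_authorization(token: str, jwk: dict) -> str:
    """The body the client must serve for the token (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def make_handler(served: dict):
    """Build a request handler that only answers for tokens in `served`."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path.startswith(CHALLENGE_PREFIX):
                body = served.get(self.path[len(CHALLENGE_PREFIX):])
                if body is not None:
                    data = body.encode()
                    self.send_response(200)
                    self.send_header("Content-Type", "application/octet-stream")
                    self.send_header("Content-Length", str(len(data)))
                    self.end_headers()
                    self.wfile.write(data)
                    return
            self.send_error(404)  # what an instance without the file returns

        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler


def start_instance(served: dict) -> ThreadingHTTPServer:
    """Start a loopback 'instance' on a free port serving the given tokens."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(served))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def validate_http01(dns: dict, domain: str, token: str, key_auth: str):
    """CA side: resolve `domain` through `dns`, fetch the token, compare the body."""
    host, port = dns[domain]
    url = f"http://{host}:{port}{CHALLENGE_PREFIX}{token}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            body = resp.read().decode().strip()
    except urllib.error.HTTPError as exc:
        return False, f"unauthorized: HTTP {exc.code} from {host}:{port}"
    except urllib.error.URLError as exc:
        return False, f"unreachable: {exc.reason}"
    if body != key_auth:
        return False, "unauthorized: key authorization mismatch"
    return True, "valid"


def demo():
    """Run the validation before and after the name is repointed."""
    jwk = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
    key_auth = key_authorization(TOKEN, jwk)
    old = start_instance({})                 # old instance: no challenge file
    new = start_instance({TOKEN: key_auth})  # new instance: certbot --standalone serving it
    try:
        dns = {DOMAIN: old.server_address}   # name still points at the old instance
        before = validate_http01(dns, DOMAIN, TOKEN, key_auth)
        dns[DOMAIN] = new.server_address     # DNS (or static IP) moved to the new one
        after = validate_http01(dns, DOMAIN, TOKEN, key_auth)
        return before, after
    finally:
        for srv in (old, new):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for label, result in zip(("before repoint", "after repoint"), demo()):
        print(f"{label}: {result}")
```

The same check works against a real deployment by replacing the `dns` dictionary with an actual lookup (for example `socket.gethostbyname`) and comparing the result to the new instance's public IP before running certbot; if the name still resolves to the old host, the CA will fetch the challenge from there and report exactly the 404 shown in the question.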
