0

The Problem

I have two EC2 instances running. One EC2 instance is currently hosting my website https://thechrisbolton.com which you can see has a valid letsencrypt certificate. I want to create a certificate on my second EC2 instance where I will deploy my application. Once my application is deployed on the second EC2 instance, I am going to destroy the first one. However, I cannot get a certificate created on the second EC2 instance.

The Error

- The following errors were reported by the server:

   Domain: thechrisbolton.com
   Type:   unauthorized
   Detail: Invalid response from
   https://thechrisbolton.com/.well-known/acme-challenge/kITr3I__o6eb_WH2cguR200gWnt998DN1s8xamtPIbM
   [3.234.11.212]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx/1.18.0</ce"

   Domain: www.thechrisbolton.com
   Type:   unauthorized
   Detail: Invalid response from
   https://www.thechrisbolton.com/.well-known/acme-challenge/DhzxfraTsUeN3a7bXQhfzS36CTHRzlBUWVAHceD
ETB8
   [3.234.11.212]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx/1.18.0</ce"

What I've tried

$ certbot certonly --standalone -d thechrisbolton.com -d www.thechrisbolton. com

I have read through the certbot documentation to try and find a way to pull create an existing certificate. The only thing that looks like it might work is the --duplicate flag. But that states, Most users will not need to issue this command in normal circumstances. so I feel like I am doing something wrong if I use that.

Chris Bolton
  • 2,162
  • 4
  • 36
  • 75

1 Answers1

1

The reason you cannot get a certificate created on the second EC2 instance. Is because the domain https://thechrisbolton.com/ is not pointing to the second EC2 instance.

How it works

(I have simplified the processes just for the sake for explanation.)

The way certbot works is, it sends a request to "Let's Encrypt" for issuing the certificate for the given domain (which in this case is https://thechrisbolton.com/). In response to that request, "Let's Encrypt" (aka LE) gives certbot a file (aka the challenge) which it needs to put at a location which is accessible via internet from this url http://<requested-domain>/.well-known/acme-challenge/. Certbot does exactly that and puts the file at the location that you give it at the time of running the certbot --certonly command (You have used the option --standalone in that case certbot spins up it's own server on port 80 and makes the file available at location /.well-known/acme-challenge/), then it call the "Let's Encrypt" again saying that the file is ready, give me the certificate. LE then hits this URL to verify that the file is available on the given location or not. If it finds the file, then only it issues the certificate. All of this is done to make sure that the person who is asking for certificate owns the domain he is asking the certificate for.

What is the solution?

If you are using static IP then simply point the static IP to new EC2 instance and move the certificates to the new machine and it should work.

In case you cannot do that then update your DNS entry to point to the public IP of the new EC2 instance and run the same certbot command. Which you are running right now.

Yogeshwar Singh
  • 1,245
  • 1
  • 10
  • 22