Certbot get certificate on nginx for subdomain on different server other than domain

Question

I have my domain example.com, which points to an aws ec2 instance at 123.123.123.123. I also have a gitlab instance at a home server, at 231.231.231.231.

The records for my domain are set up as follows:

example.com
A    123.123.123.123
git.example.com
A    231.231.231.231

Nothing strange here: when I type example.com I go to the AWS EC2 instance, and when typing git.example.com I go to my static IP at home. The router sends all requests on port 80 to my Ubuntu server with nginx running the Gitlab instance, and everything works fine.

The nginx conf:

server {
    server_name git.example.com www.git.example.com;

    location /.well-known/acme-challenge/ {
      root /var/www;
      try_files $uri =404;
    }

    location / {
      proxy_pass http://127.0.0.1:4872;
    }

    proxy_set_header  Host               $host;
    proxy_set_header  X-Forwarded-For    $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto  $scheme;
    proxy_set_header  Accept-Encoding    "";
    proxy_set_header  Proxy              "";
}

Now I want to set up SSL with certbot. I use certonly and --dry-run because I just want to test if it works.

sudo certbot certonly --cert-name example --nginx -d "git.example.com,www.git.example.com" --dry-run

The response is an error:

 - The following errors were reported by the server:

   Domain: git.example.com
   Type:   unauthorized
   Detail: Invalid response from
   http://git.example.com/.well-known/acme-challenge/...
   [231.231.231.231]: "<!DOCTYPE html>\n<html>\n<head>\n<meta
   charset=\"utf-8\">\n<style>body{font-family:Arial,Helvetica,sans-serif;font-size:12px;text-alig"

   Domain: www.git.example.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.git.example.com/.well-known/acme-challenge/...
   [231.231.231.231]: "<!DOCTYPE html>\n<html>\n<head>\n<meta
   charset=\"utf-8\">\n<style>body{font-family:Arial,Helvetica,sans-serif;font-size:12px;text-alig"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

If I try to do it in manual mode, it will succeed:

sudo certbot certonly --manual --preferred-challenges dns -d www.git.example.com -d git.example.com --dry-run

A zones are correctly configured and propagated, as well as AAAA.

I think that maybe certbot is not just trying to check git.example.com and git.example.com at this IP, but also example.com and www.example.com. As it cant access them, returns error.

Anyone knows if I may be right, or if this error comes from a different issue?

Answer 1

Given that is a local server, do you have the HTTP ports open to allow certbot to connect?

Certbot utilizes the port 443 or 80 to challenge the domain, you should probably open it on your firewall. If this is not possible you can try a different challenge, you can find more information here.