Error in obtaining SSL Client Side Certificate through certbot tool


Here I am trying to consume an API which uses two-way SSL authentication. So, to generate the client-side certificate, I used the 3 tools mentioned below:

  1. I set up an nginx server.
  2. Then I tunneled it using ngrok.
  3. Now I am trying to obtain an SSL certificate through the certbot tool; however, I am facing the errors below:

    C:\PROGRA~2\Certbot>certbot -v certonly --standalone -d f345-15-207-23-139.in.ngrok.io
    Saving debug log to C:\Certbot\log\letsencrypt.log
    Plugins selected: Authenticator standalone, Installer None
    Requesting a certificate for f345-15-207-23-139.in.ngrok.io
    Performing the following challenges:
    http-01 challenge for f345-15-207-23-139.in.ngrok.io
    Waiting for verification...
    Challenge failed for domain f345-15-207-23-139.in.ngrok.io
    http-01 challenge for f345-15-207-23-139.in.ngrok.io

    Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
      Domain: f345-15-207-23-139.in.ngrok.io
      Type:   unauthorized
      Detail: 2406:da1a:e91:9300::6e:3: Invalid response from https://acme.ngrok.com/.well-known/acme-challenge/ZCLyhCyMTJl-mHlhT84J1DwS41KPCyq48xj65CtUPr0?host=f345-15-207-23-139.in.ngrok.io: 404

    Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

    Cleaning up challenges
    Some challenges have failed.
    Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

1 answer

John Hanley

Mutual TLS (mTLS) usually does not require validated certificates on the client side. That means you do not need to jump through hoops with Let's Encrypt, which would not work the way you are trying to use it anyway.

Normally, self-signed certificates are used. The server/backend either generates the certificate for you, which you download, or you generate a self-signed certificate that you upload to the server or give to an admin to install. Normally that is just the public certificate.

Some servers use CA issued identity certificates (similar to ones used to sign email).

Just having a certificate is not enough. The server side must be configured with knowledge of your client certificate.

Contact the admin/support for the server you are connecting to and ask them what is required and how to get set up.
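The flow the answer describes, as an added example that is not part of the original question or answer: the client mints a self-signed certificate and hands over only the public half, the server enrolls that exact certificate in its client trust store, and a second self-signed certificate that was never enrolled is refused at the handshake. Everything is loopback and in Go's standard library; the host name `api.example.test` and the client names `alice-client` and `mallory-client` are made up for the demo, and the server pins a self-signed server certificate in place of the Let's Encrypt certificate the question was chasing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"time"
)

// selfSigned mints a self-signed certificate for cn. The tls.Certificate holds the
// private key and stays with its owner; the *x509.Certificate is the public half
// that the other side adds to its trust store. Server certs carry cn as a DNS SAN.
func selfSigned(cn string, server bool) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if server {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pub, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pub, err
}

// publicCertPEM is the artifact you hand to the API owner: the certificate only, never the key.
func publicCertPEM(c *x509.Certificate) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}))
}

// mtlsRoundTrip starts a loopback HTTPS server that requires a client certificate and
// trusts exactly one (trustedClient), then calls it as clientCert. It returns the
// server's greeting, or the error when the presented cert is not the enrolled one.
func mtlsRoundTrip(serverCert tls.Certificate, serverPub, trustedClient *x509.Certificate, clientCert tls.Certificate) (string, error) {
	clientPool := x509.NewCertPool()
	clientPool.AddCert(trustedClient) // server-side enrollment: the "server must know your cert" step
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no cert, or an unknown cert, aborts the handshake
		ClientCAs:    clientPool,
	})
	if err != nil {
		return "", err
	}
	srv := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// PeerCertificates is populated only after the client cert verified against ClientCAs.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	})}
	go srv.Serve(ln)
	defer srv.Close()

	serverPool := x509.NewCertPool()
	serverPool.AddCert(serverPub) // the client pins the server's self-signed cert instead of a public CA
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		MinVersion:   tls.VersionTLS12,
		ServerName:   serverPub.Subject.CommonName, // verify against the cert's DNS SAN, not the loopback IP
		RootCAs:      serverPool,
		Certificates: []tls.Certificate{clientCert},
	}}}
	resp, err := client.Get("https://" + ln.Addr().String() + "/")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	srvTLS, srvPub, _ := selfSigned("api.example.test", true) // hypothetical API host
	aliceTLS, alicePub, _ := selfSigned("alice-client", false)
	malloryTLS, _, _ := selfSigned("mallory-client", false) // also self-signed, but never enrolled
	fmt.Print(publicCertPEM(alicePub))
	body, err := mtlsRoundTrip(srvTLS, srvPub, alicePub, aliceTLS)
	fmt.Println("enrolled client:", body, err)
	_, err = mtlsRoundTrip(srvTLS, srvPub, alicePub, malloryTLS)
	fmt.Println("unenrolled client:", err)
}
```

The point the second call makes is the one in the answer: being self-signed is not what gets a client in, being enrolled in `ClientCAs` is. Nothing about this depends on a publicly trusted CA, which is why the ngrok hostname and the failed http-01 challenge never needed to be part of the picture.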