It produced this output: Congratulations! Yet when I visit SF or DF, I receive the following message:
This server could not prove that it is [SF/DF]; its security certificate is from api.mnactivist.org. This may be caused by a misconfiguration or an attacker intercepting your connection.
When I proceed to the website, past the warning, MA is then displayed, instead of SF or DF
This all went sideways when I updated the system.
Ought I now extend the single certificate to cover all the domains on the Linode?
My web server is (include version): Nginx 1.12.2
The operating system my web server runs on is (include version): Updated Arch Linux 4.14.17-x86_64-linode99
My hosting provider, if applicable, is: Linode
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No
This is not correct if you add -i nginx, which asks to use the nginx installer. That would install the resulting certificate in the same way that --nginx would have.
However, the certificate on the Screamfreely site is now working fine for me. So I think the -i nginx worked properly here. Are you seeing something different?
This server could not prove that it is screamfreely.org; its security certificate is from api.mnactivist.org. This may be caused by a misconfiguration or an attacker intercepting your connection.
I have cleared my browser cache since “All Time” — ?
I suppose you are trying to reach your domain using IPv6, and that is the reason you get the wrong certificate: you are not configuring your web server properly. Using IPv4 it works fine; your server shows the right cert.
Edit: Just to show you how your nginx is serving different certificates depending on whether you connect using IPv4 and IPv6.
$ echo | openssl s_client -4 -connect screamfreely.org:443 -servername screamfreely.org 2>/dev/null | openssl x509 -noout -text | grep -Ei '(Before:|Issuer:|DNS:)' | sed "s/^[ \t]*//"
Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Not Before: Feb 27 16:26:48 2018 GMT
DNS:screamfreely.org, DNS:www.screamfreely.org
$ echo | openssl s_client -6 -connect screamfreely.org:443 -servername screamfreely.org 2>/dev/null | openssl x509 -noout -text | grep -Ei '(Before:|Issuer:|DNS:)' | sed "s/^[ \t]*//"
Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Not Before: Feb 13 00:03:30 2018 GMT
DNS:api.mnactivist.org, DNS:mnactivist.org, DNS:www.mnactivist.org
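The openssl commands above show the symptom. The usual cause is a server block that has `listen 443 ssl;` but no `listen [::]:443 ssl;`, so IPv6 clients land on whichever block is the default for `[::]:443` and get that block's certificate. The script below is an added example, not code from this thread: it audits an `nginx -T` style dump for TLS server blocks that listen on IPv4 port 443 without a matching IPv6 listen, and it wraps the same openssl check as a function. The embedded config, its certificate paths and the `dreamfreely.org` block are constructed for illustration; the real config on the server is not shown in the thread.

```shell
#!/bin/sh
# Added example (not the thread author's config or code).
# Assumes `nginx -T` output: one directive per line, braces on their own
# line or at line ends.

# Print the server_name of every server block that listens on 443 over IPv4
# (plain "443", "*:443" or "0.0.0.0:443") but has no "[::]:443" listen.
find_v4_only_ssl_servers() {
    awk '
    /^[[:space:]]*server[[:space:]]*\{/ { inserver=1; depth=1; has4=0; has6=0; names=""; next }
    inserver {
        line=$0
        n_open=gsub(/\{/, "{", line); n_close=gsub(/\}/, "}", line)   # track nested blocks
        if (depth==1) {
            if ($1=="listen") {
                if ($0 ~ /\[::\]:443/) has6=1
                else if ($0 ~ /listen[[:space:]]+(\*:|0\.0\.0\.0:)?443/) has4=1
            }
            if ($1=="server_name") { sub(/^[[:space:]]*server_name[[:space:]]+/, ""); sub(/;.*$/, ""); names=$0 }
        }
        depth += n_open - n_close
        if (depth==0) { inserver=0; if (has4 && !has6) print names }
    }'
}

# Constructed sample config (hypothetical paths and blocks). The first block
# is the default for both address families; the second only listens on
# IPv4, so IPv6 clients asking for screamfreely.org are answered by the
# default block and see the api.mnactivist.org certificate; the third shows
# the corrected form with both listen directives.
SAMPLE_CONF=$(cat <<'EOF'
http {
    server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        server_name api.mnactivist.org mnactivist.org www.mnactivist.org;
        ssl_certificate /etc/letsencrypt/live/api.mnactivist.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/api.mnactivist.org/privkey.pem;
        location / { root /srv/www/ma; }
    }
    server {
        listen 443 ssl;                 # IPv4 only: IPv6 requests never reach this block
        server_name screamfreely.org www.screamfreely.org;
        ssl_certificate /etc/letsencrypt/live/screamfreely.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/screamfreely.org/privkey.pem;
        location / { root /srv/www/sf; }
    }
    server {
        listen 443 ssl;
        listen [::]:443 ssl;            # corrected: serve this block on both families
        server_name dreamfreely.org www.dreamfreely.org;
        ssl_certificate /etc/letsencrypt/live/dreamfreely.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/dreamfreely.org/privkey.pem;
        location / { root /srv/www/df; }
    }
}
EOF
)

# Run the audit over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_CONF" | find_v4_only_ssl_servers
}

# Audit the live config of the machine this runs on (not executed here).
audit_live() {
    nginx -T 2>/dev/null | find_v4_only_ssl_servers
}

# Live check over one address family, mirroring the openssl commands in the
# reply above: prints the DNS SANs of the certificate actually presented.
# usage: cert_names screamfreely.org 4   (or 6)
cert_names() {
    host=$1; fam=$2
    echo | openssl s_client "-$fam" -connect "$host:443" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null \
        | grep -o 'DNS:[^,]*' | sed 's/^DNS://'
}

# Report a server that answers differently over IPv4 and IPv6 (not executed here).
compare_families() {
    host=$1
    v4=$(cert_names "$host" 4); v6=$(cert_names "$host" 6)
    [ "$v4" = "$v6" ] && echo "$host: same certificate over IPv4 and IPv6" \
                      || printf '%s: MISMATCH\n  IPv4: %s\n  IPv6: %s\n' "$host" "$v4" "$v6"
}
```

Running `audit_sample` prints `screamfreely.org www.screamfreely.org`, the only block that would be invisible to IPv6 clients; on the real machine `audit_live` and `compare_families screamfreely.org` give the same answer from the config and from the wire respectively. The fix for each flagged block is to add `listen [::]:443 ssl;` next to the existing `listen 443 ssl;` and reload nginx.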
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for dreamfreely.org
tls-sni-01 challenge for www.dreamfreely.org
2018/02/27 14:27:07 [notice] 15162#15162: signal process started
Waiting for verification…
Cleaning up challenges
2018/02/27 14:27:13 [notice] 15174#15174: signal process started
Failed authorization procedure. dreamfreely.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 7c530d72c232e18bdf75855de89a1447.e0c304986cf253cf832694ae2db9733b.acme.invalid from [2600:3c00::f03c:91ff:febb:adc4]:443. Received 2 certificate(s), first certificate had names “api.mnactivist.org, mnactivist.org, www.mnactivist.org”, www.dreamfreely.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 1161cee2dbc3202f1de1affa8c95f6fa.fd7d3565be7543697ce4fad0d70922b9.acme.invalid from [2600:3c00::f03c:91ff:febb:adc4]:443. Received 2 certificate(s), first certificate had names “api.mnactivist.org, mnactivist.org, www.mnactivist.org”
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: dreamfreely.org
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
7c530d72c232e18bdf75855de89a1447.e0c304986cf253cf832694ae2db9733b.acme.invalid
from [2600:3c00::f03c:91ff:febb:adc4]:443. Received 2
certificate(s), first certificate had names “api.mnactivist.org, mnactivist.org, www.mnactivist.org”
Domain: www.dreamfreely.org
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
1161cee2dbc3202f1de1affa8c95f6fa.fd7d3565be7543697ce4fad0d70922b9.acme.invalid
from [2600:3c00::f03c:91ff:febb:adc4]:443. Received 2
certificate(s), first certificate had names “api.mnactivist.org, mnactivist.org, www.mnactivist.org”
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Is this again because the server isn’t listening on IPv6 in that configuration?
I think I have one more chance left before I’m rate limited, and so wish to ask before attempting.
The rate limit for failed validations only lasts for an hour, not a week, so it's not that bad if you fail it. You can also try with --staging to debug the situation first, which doesn't count against your production rate limit.