Apache 2.4 Debian 8 - TLS-SNI Challenge Not Passing with Certbot


#1

Please fill out the fields below so we can help you better.

My domain is: skooly.es

I ran this command: certbot --apache

It produced this output: IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mail.skooly.es
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    889fc32fdfb1b0436ad1635ff8a427f5.d1cdfc58fb8146d3b9fd16305757c03f.acme.invalid
    from 173.212.225.211:443. Received 1 certificate(s), first
    certificate had names
    "679cc0abe95d875aa2d4f67927193aa9.e4aedb119eb73dfee0f2e4299601a3c8.acme.invalid,
    dummy"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.


Hello,
I am new to the hosting stuff and just installed a VPS with 5 different domains set up as vhosts on it. Websites run, and mail has been installed via Webcow.
The server runs DEBIAN 8 with Apache 2.4.

I tried the DNS challenge verification, but receive the error message above.
Must be due to port 443, as currently the port is being used by the mailserver which I set up and which uses the default installation snakeoil certificate.

Tried to sort it out myself reading some of the helpful entries here in this great community, but cannot solve it.
SSL engine is on, port 443 is open and run by the mailserver.

ServerSignature off
TraceEnable off
AddDefaultCharset utf-8
ServerName "mail.skooly.es"
DocumentRoot /var/www/mail
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/mail/mail.crt
SSLCertificateKeyFile /etc/ssl/mail/mail.key

Do I need to turn it off during verification?
Or include something also for port 443?

Thanks for your help in advance.

Best from Barcelona, Michel


#2

Hi @urbanski,

certbot --apache requires port 443 to be usable by Apache. If it’s not, you should use a different method. If you need help choosing one, please let us know more about your server configuration in terms of the server software and ports that are in use.


#3

Hello @schoen, thx for your reply:
my ports.conf in Apache is:

Listen 80

<IfModule ssl_module>
	Listen 443
	Listen 8443
</IfModule>

<IfModule mod_gnutls.c>
	Listen 443
	Listen 8443
</IfModule>

And my apache2/sites-enabled/000-default.conf is only specifying port 80:

<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

And my default-ssl.conf:

<VirtualHost _default_:443>
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	SSLEngine on
	SSLCertificateFile	/etc/ssl/certs/ssl-cert-snakeoil.pem
	SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

	<FilesMatch "\.(cgi|shtml|phtml|php)$">
		SSLOptions +StdEnvVars
	</FilesMatch>
	<Directory /usr/lib/cgi-bin>
		SSLOptions +StdEnvVars
	</Directory>

	BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>

Does this help?
So port 443 should be usable.
Yesterday I opened port 8443 for the mail server (instead of 443) to avoid any possible conflicts, restarted Apache and the whole server, but I still get the same error message when running the DNS challenge.


#4

hi @urbanski

I tried the DNS challange verification, but receive the error message above.

Nope - you are trying to do a TLS-SNI challenge.

certbot --apache will only work with TLS-SNI challenges.

Looking at your error, it's not related to ports but rather to the SSL certificate that is generated:

Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
889fc32fdfb1b0436ad1635ff8a427f5.d1cdfc58fb8146d3b9fd16305757c03f.acme.invalid
from 173.212.225.211:443. Received 1 certificate(s), first
certificate had names
"679cc0abe95d875aa2d4f67927193aa9.e4aedb119eb73dfee0f2e4299601a3c8.acme.invalid,
dummy"

If there was a conflict in ports, a certificate would not be available (none retrieved).

This suggests you are having SSL issues (are these new?)

You can run the webroot option as your HTTP connectivity is fine. This will get you a valid certificate and you can then enable HTTPS in the Apache configs.

Andrei
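The distinction Andrei draws here (no certificate at all means the validator never reached an SSL vhost, while a certificate with the wrong names means Apache answered the challenge SNI with some other vhost's certificate) can be reproduced from any outside machine before running certbot again. The script below is an added example and is not code from this thread, from Certbot or from Let's Encrypt; it uses openssl s_client to connect with the challenge name as SNI, the same way the tls-sni-01 validator did, and then classifies what came back. The address, the SNI name and the "no-certificate"/"wrong-certificate"/"correct-certificate" labels are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread or from Certbot): see the tls-sni-01 challenge
# from the validator's side. The validator connects to port 443 of the host with the
# challenge name as SNI and expects that same name among the certificate's DNS SANs.

# served_names ADDR:PORT SNI
# Prints the DNS subjectAltNames of the leaf certificate served for SNI, one per line.
# Prints nothing when no certificate could be retrieved (port or vhost problem).
served_names() {
    openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null \
      | openssl x509 -noout -text 2>/dev/null \
      | awk '/Subject Alternative Name/ { getline; print }' \
      | tr ',' '\n' \
      | sed -n 's/^ *DNS://p'
}

# classify REQUESTED_NAME [SERVED_NAME ...]
# Prints one of: no-certificate, wrong-certificate, correct-certificate.
classify() {
    requested=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    shift
    if [ $# -eq 0 ]; then
        # Nothing served at all: what a port conflict or a missing SSL vhost looks like.
        echo "no-certificate"
        return 0
    fi
    for name in "$@"; do
        # Hostnames compare case-insensitively.
        if [ "$(printf '%s' "$name" | tr 'A-Z' 'a-z')" = "$requested" ]; then
            echo "correct-certificate"
            return 0
        fi
    done
    # A certificate came back, but for other names: the situation in this thread.
    echo "wrong-certificate"
}

# Usage: ./tlssni-probe.sh HOST:443 <token>.<thumbprint>.acme.invalid
if [ $# -ge 2 ]; then
    names=$(served_names "$1" "$2")
    # $names is intentionally unquoted: one SAN per line, no spaces in hostnames.
    classify "$2" $names
fi
```

A "wrong-certificate" result is the case to investigate in the Apache SSL vhosts: whichever vhost Apache selected for that SNI name is serving a certificate other than the challenge certificate, so the fix is in the vhost configuration, not in the firewall. Let's Encrypt has since retired the tls-sni-01 challenge type entirely, but the probe remains a handy way to check which certificate a vhost serves for a given server name.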


#5

Hi @ahaw021,

thx for your reply and for pointing that out.
You are right with what you're saying about the challenge.

Yes, the certificates are new, as the whole VPS server is new for me.

  1. I installed the mailserver with Snakeoil certificates.
  2. And then I tried the Let's Encrypt TLS-SNI challenge with certbot --apache several times.
     And I think I even tried the webroot challenge at some point.

Always with the same error msg. Will try webroot again.
Can't I simply delete the certificate 679cc0abe95d875aa2d4f67927193aa9.e4aedb119eb73dfee0f2e4299601a3c8.acme.invalid, dummy
which is generating the error msg?


#6

I fixed it with the certbot standalone and manual host config. So it’s perfectly working now :wink:
Thx for your help & all the best from Barcelona,

Michel
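Michel's fix (standalone issuance plus a hand-written vhost) is the route that sidesteps the Apache plugin entirely. The script below is an added example of that route, not Michel's actual configuration and not Certbot project code. It assumes a Debian 8 host managed with systemd, a domain passed on the command line, and a DocumentRoot of your choosing; --standalone briefly binds port 80 itself, so Apache is stopped and restarted around the run with certbot's --pre-hook and --post-hook options, and the rendered vhost points at the paths certbot writes under /etc/letsencrypt/live.

```sh
#!/bin/sh
# Added example (not from the thread or from Certbot): obtain a certificate with the
# standalone authenticator and write a matching Apache 2.4 SSL vhost by hand.

# issue_standalone DOMAIN
# certbot's standalone server answers the http-01 challenge on port 80 itself, so
# Apache is stopped for the duration of the run and started again afterwards.
issue_standalone() {
    certbot certonly --standalone --preferred-challenges http -d "$1" \
        --pre-hook "systemctl stop apache2" \
        --post-hook "systemctl start apache2"
}

# render_ssl_vhost DOMAIN DOCROOT
# Prints a minimal SSL vhost. fullchain.pem carries the leaf plus intermediate, which
# Apache 2.4.8+ (Debian 8 ships 2.4.10) accepts directly in SSLCertificateFile.
render_ssl_vhost() {
    domain=$1
    docroot=$2
    cat <<EOF
<VirtualHost *:443>
    ServerName $domain
    DocumentRoot $docroot

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/$domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/$domain/privkey.pem

    ErrorLog \${APACHE_LOG_DIR}/$domain-error.log
    CustomLog \${APACHE_LOG_DIR}/$domain-access.log combined
</VirtualHost>
EOF
}

# Usage:
#   ./le-standalone.sh issue mail.example.test
#   ./le-standalone.sh render mail.example.test /var/www/mail > /etc/apache2/sites-available/mail-ssl.conf
#   a2ensite mail-ssl && apache2ctl configtest && systemctl reload apache2
if [ "$1" = issue ]; then
    issue_standalone "$2"
elif [ "$1" = render ]; then
    render_ssl_vhost "$2" "$3"
fi
```

Renewals follow the same pattern: certbot renew reuses the standalone authenticator recorded at issuance, and the same pre/post hooks keep port 80 free for the few seconds the challenge needs, so the hand-written vhost never has to change.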


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.