Apache | Installing Problem 443


#8

I have done it with Let's Encrypt…

But is this normal?


#9

You can not use a certificate directly on an IP.
https://37.114.96.47/ will always fail that way.
Use the domain name instead:
https://www.cc-sw.de/

But since you are using CloudFlare, you are probably trying to force the https connection to your server to check if it is actually encrypted.

For that you will have to temporarily force the domain name (www.cc-sw.de) to resolve to your real IP.
You can do that in the HOSTS file.
In Windows it can normally be found in the /windows/system32/drivers/etc folder.
In Linux, it is normally the /etc/hosts file.
Simply add an entry:
37.114.96.47 www.cc-sw.de

One final thought, since the site IP also can be resolved by the base domain name (cc-sw.de), you might want to include both names (cc-sw.de, www.cc-sw.de) in the certificate and in your vhost config block.
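
Added example, not part of the original post: a Python sketch of the check described above, done without editing the hosts file. It connects to the origin IP while sending the domain name as SNI, then lists which requested names the certificate's subjectAltName does not cover. `SAMPLE_CERT` is constructed and the function names are this example's own.

```python
import socket
import ssl


def san_dns_names(cert: dict) -> list[str]:
    """DNS entries of subjectAltName from an ssl.getpeercert() dict."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a '*' that stands for exactly one left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False  # '*.cc-sw.de' never covers the bare 'cc-sw.de'
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def uncovered(cert: dict, wanted: list[str]) -> list[str]:
    """Names from `wanted` that no SAN entry covers."""
    sans = san_dns_names(cert)
    return [w for w in wanted if not any(name_matches(s, w) for s in sans)]


def fetch_origin_cert(ip: str, sni: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to `ip`, send `sni`, and validate the certificate for that name.

    Raises ssl.SSLCertVerificationError if the origin's certificate is not
    trusted or does not cover `sni`, which is itself the answer.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()


# Constructed sample: the shape getpeercert() returns for a cert issued for www only.
SAMPLE_CERT = {"subjectAltName": (("DNS", "www.cc-sw.de"),)}

if __name__ == "__main__":
    print(uncovered(SAMPLE_CERT, ["cc-sw.de", "www.cc-sw.de"]))
    # Live check against the origin (needs network):
    # cert = fetch_origin_cert("37.114.96.47", "www.cc-sw.de")
    # print(uncovered(cert, ["cc-sw.de", "www.cc-sw.de"]))
```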


#10

I have done it for www.cc-sw.de
Where can I add this for cc-sw.de?


#11

Hi,

I’m just curious… why not use both hostnames in one certificate…

Thank you


#12

I forgot to add it during the installation process
Can I add them at later time?


#13

You’d just need to issue a new certificate that includes both of the names you want it to cover - certificates are immutable once issued.


#14

But then I must completely reinstall certbot…

Or what?
Can someone give me instructions?


#15

You don’t need to reinstall certbot each time to get a certificate.

Just run sudo certbot -d your domain -d your second hostname -d your third hostname (replace “domain” “x hostname” with your real hostname)

Thank you


#16

certbot -d cc-sw.de -d www.cc-sw.de
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org


You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/www.cc-sw.de.conf)

It contains these names: www.cc-sw.de

You requested these names for the new certificate: cc-sw.de, www.cc-sw.de.

Do you want to expand and replace this existing certificate with the new
certificate?

(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

It is saying this!
Can you help?


#17

Please see

This might result in needing to install a new version of Certbot after all, not because you’re obtaining a new certificate, but because of the issue about ACME challenge implementations.


#18

I would try adding:
--preferred-challenges http
or
--preferred-challenges tls-sni


#19

This is not strictly true. Let’s Encrypt does not currently issue certificates for IP addresses, but some CAs do, and it’s a valid type of certificate.

For the purpose of this thread, it’s close enough, but I think it’s important that we be strictly correct here since people come to us for trusted advice. 🙂


#20

I thought that those IP certificates are now only issued by “private CAs” (CAs that are not publicly trusted)…

Isn’t issuing trusted certificates from a publicly trusted CA a violation of CA policies?


#21

Certificates for private IP addresses like 192.168.x.y were banned; certificates for public IP addresses are allowed, though rare.

The Cloudflare/APNIC DNS service https://[2606:4700:4700::1111]/ aka https://1.1.1.1/ is an example.


#22

Hm

I am a little bit confused

Let's Encrypt doesn't support an IP, is that right?


#23

I would do it new…
Have made it clean…
So I have this error

Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.cc-sw.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://www.cc-sw.de/.well-known/acme-challenge/8kGDbO08LBoxIwB5HaBnEGkrmIMMEjCYHi1bx2BPD-o: Error getting validation data

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.cc-sw.de
    Type: connection
    Detail: Fetching
    https://www.cc-sw.de/.well-known/acme-challenge/8kGDbO08LBoxIwB5HaBnEGkrmIMMEjCYHi1bx2BPD-o:
    Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

I think the problem is that it does not save anything in the .well-known folder


#24

@Tigerpanzer02, please don’t use the [spoiler] tag for your posts here. It causes them to be obscured by the forum and makes them harder to read.

@jsha, this host is now behind CloudFlare and is trying to do an HTTP-01 validation that gets redirected by CloudFlare to

https://www.cc-sw.de/.well-known/acme-challenge/8kGDbO08LBoxIwB5HaBnEGkrmIMMEjCYHi1bx2BPD-o

which showed “Error getting validation data”. What could cause that now?


#25

Looks like this was a redirect loop.
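
Added example, not part of the original thread: a Python tracer that follows the redirects for a challenge URL one hop at a time and reports a loop instead of a generic connection error. The responses in `SAMPLE` are constructed for illustration, not captured from this site, and `example.test` and `TOKEN` are placeholders.

```python
import http.client
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 10  # Let's Encrypt follows at most 10 redirects for HTTP-01
REDIRECT_CODES = (301, 302, 303, 307, 308)


def trace_redirects(start, fetch, limit=MAX_REDIRECTS):
    """Follow redirects one hop at a time; fetch(url) -> (status, location).

    Returns (verdict, chain) with verdict "ok", "loop",
    "too-many-redirects" or "http-<status>".
    """
    chain, url = [start], start
    while True:
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return ("ok" if status == 200 else f"http-{status}"), chain
        url = urljoin(url, location)  # Location may be relative
        if url in chain:
            return "loop", chain + [url]
        if len(chain) > limit:
            return "too-many-redirects", chain
        chain.append(url)


def live_fetch(url, timeout=5.0):
    """One GET without following redirects (needs network)."""
    u = urlsplit(url)
    https = u.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(u.netloc, timeout=timeout)
    try:
        conn.request("GET", (u.path or "/") + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


# Constructed responses: plain HTTP is upgraded to HTTPS,
# and the HTTPS URL then redirects to itself.
CHALLENGE = "http://example.test/.well-known/acme-challenge/TOKEN"
SAMPLE = {
    CHALLENGE: (301, "https://example.test/.well-known/acme-challenge/TOKEN"),
    "https://example.test/.well-known/acme-challenge/TOKEN":
        (302, "/.well-known/acme-challenge/TOKEN"),
}

if __name__ == "__main__":
    print(trace_redirects(CHALLENGE, SAMPLE.__getitem__))
```

For a live run, pass `live_fetch` as the second argument and a real challenge-path URL on the host as the first.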


#26

On my server there is no data saved in the folder


#27
