Certbot: one webroot for different domains and subdomains


#1

Hello, I hope to receive help here.

I have a Shopware installation which allows me to create e-commerce shops and subshops with different domains
and subdomains, but with only one webroot.

Apart from that I have a few WordPress pages with valid SSL certificates.

My problem is as follows:

The 1st SSL certificate, for “mydomain.com”, was created without problems.

The 2nd certificate, for the subdomain “sub.mydomain.com”, cannot be created:


    The following errors were reported by the server:

   Domain: sub.mydomain.com
   Type:   unauthorized
   Detail: Invalid response from
   http://sub.mydomain.com/.well-known/acme-challenge/lyIcfvGX1H7iheQCNzIL6o4M_5yawFs8s2MT6Dx3A:
   "<!DOCTYPE html>
   <html class="no-js" lang="de" itemscope="itemscope"
   itemtype="http://schema.org/WebPage">
   <head>
   <meta charset=""

   Domain: www.sub.mydomain.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.sub.mydomain.com/.well-known/acme-challenge/XxRJ8F2-lcHKb7C8ELKOvMWt2Ct5gSkVxBBXd8:
   "<!DOCTYPE html>
   <html class="no-js" lang="de" itemscope="itemscope"
   itemtype="http://schema.org/WebPage">
   <head>
   <meta charset=""

I have read here about a similar problem, but only with a subdomain,
and I do not know if I can use it for my installation of different domains and subdomains on the same webroot.

Apache code:

<IfModule alias_module>
 Alias /.well-known/acme-challenge/ /common/path/for/all/challenges/
</IfModule>

NGINX code:

location ^~ /.well-known/acme-challenge/ {
 allow all;
 alias /common/path/for/all/challenges/;
}

I have both running, nginx in front of Apache.

Thanks for any replies and suggestions.


#2

Hi @sergej1

What’s your domain name? Which command did you use? What’s the complete log? There is no reason shown.

What’s the complete content of

/var/log/letsencrypt/letsencrypt.log

#3

Hi Juergen,

Thank you for fast reply.

Both domains (mydomain.com and sub.mydomain.com) are in the same webroot and are both
reachable in the browser: mydomain.com over https and sub.mydomain.com over http.

Command:

certbot certonly --standalone --preferred-challenges http \
    --http-01-port 888 -d sub.mydomain.com -d www.sub.mydomain.com

(mydomain) was replaced with the real domain name.

letsencrypt.log:

2018-08-18 10:48:41,666:DEBUG:certbot.main:certbot version: 0.26.1
2018-08-18 10:48:41,666:DEBUG:certbot.main:Arguments: ['--standalone', '--preferred-challenges', 'http', '--http-01-port', '888', '-d', 'sub.mydomain.com', '-d', 'www.sub.mydomain.com']
2018-08-18 10:48:41,666:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-08-18 10:48:41,690:DEBUG:certbot.log:Root logging level set at 20
2018-08-18 10:48:41,691:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-08-18 10:48:41,694:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2018-08-18 10:48:41,780:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7fbc04df4c10>
Prep: True
2018-08-18 10:48:41,780:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7fbc04df4c10> and installer None
2018-08-18 10:48:41,781:INFO:certbot.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2018-08-18 10:48:41,837:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=u'valid', terms_of_service_agreed=None, agreement=u'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', only_return_existing=None, contact=(u'mailto:sw@sarmaxx.de',), key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7fbc07bd59d0>)>)), uri=u'https://acme-v01.api.letsencrypt.org/acme/reg/38270158', new_authzr_uri=u'https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service=u'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'), 2844170529722d9aa9fcd33fb4e7ef21, Meta(creation_host=u'myrealhost.net', creation_dt=datetime.datetime(2018, 7, 13, 12, 37, 47, tzinfo=<UTC>)))>
2018-08-18 10:48:41,838:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2018-08-18 10:48:41,844:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2018-08-18 10:48:42,086:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 658
2018-08-18 10:48:42,088:DEBUG:acme.client:Received response:
HTTP 200
content-length: 658
expires: Sat, 18 Aug 2018 08:48:42 GMT
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Sat, 18 Aug 2018 08:48:42 GMT
x-frame-options: DENY
content-type: application/json

{
  "2layDnUF3X8": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2018-08-18 10:48:42,124:INFO:certbot.main:Obtaining a new certificate
2018-08-18 10:48:42,185:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0009_key-certbot.pem
2018-08-18 10:48:42,187:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0009_csr-certbot.pem
2018-08-18 10:48:42,188:DEBUG:acme.client:Requesting fresh nonce
2018-08-18 10:48:42,188:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-order.
2018-08-18 10:48:42,370:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-order HTTP/1.1" 405 0
2018-08-18 10:48:42,371:DEBUG:acme.client:Received response:
HTTP 405
content-length: 103
pragma: no-cache
expires: Sat, 18 Aug 2018 08:48:42 GMT
server: nginx
connection: keep-alive
allow: POST
cache-control: max-age=0, no-cache, no-store
date: Sat, 18 Aug 2018 08:48:42 GMT
content-type: application/problem+json
replay-nonce: 8FbwweRkLvTANe-CjKrunKGmSq4B2KOGalbJCjI9GF4


2018-08-18 10:48:42,371:DEBUG:acme.client:Storing nonce: 8FbwweRkLvTANe-CjKrunKGmSq4B2KOGalbJCjI9GF4
2018-08-18 10:48:42,372:DEBUG:acme.client:JWS payload:
{
  "status": "pending", 
  "identifiers": [
    {
      "type": "dns", 
      "value": "sub.mydomain.com"
    }, 
    {
      "type": "dns", 
      "value": "www.sub.mydomain.com"
    }
  ], 
  "resource": "new-order"
}
2018-08-18 10:48:42,375:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
2018-08-18 10:48:42,588:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-order HTTP/1.1" 201 550
2018-08-18 10:48:42,589:DEBUG:acme.client:Received response:
HTTP 201
content-length: 550
expires: Sat, 18 Aug 2018 08:48:42 GMT
cache-control: max-age=0, no-cache, no-store
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
location: https://acme-v02.api.letsencrypt.org/acme/order/38270158/41269708
pragma: no-cache
boulder-requester: 38270158
date: Sat, 18 Aug 2018 08:48:42 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: FWCry-B3Na84oBQgjpD3fjU8bsonCuCp_NxRqx89FD0

{
  "status": "pending",
  "expires": "2018-08-25T08:48:42.46999164Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "sub.mydomain.com"
    },
    {
      "type": "dns",
      "value": "www.sub.mydomain.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz/nXwpF7Rk62yp_bCd1joTD0jFZ2ybtekX3tpkfhl1jCc",
    "https://acme-v02.api.letsencrypt.org/acme/authz/EVqcZCeJD-STvfGibsG4iah1RSe_BR1dGX0lhroBHhc"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/38270158/41269708"
}
2018-08-18 10:48:42,589:DEBUG:acme.client:Storing nonce: FWCry-B3Na84oBQgjpD3fjU8bsonCuCp_NxRqx89FD0
2018-08-18 10:48:42,589:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz/nXwpF7Rk62yp_bCd1joTD0jFZ2ybtekX3tpkfhl1jCc.
2018-08-18 10:48:42,774:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/nXwpF7Rk62yp_bCd1joTD0jFZ2ybtekX3tpkfhl1jCc HTTP/1.1" 200 911
2018-08-18 10:48:42,775:DEBUG:acme.client:Received response:
HTTP 200
content-length: 911
expires: Sat, 18 Aug 2018 08:48:42 GMT
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Sat, 18 Aug 2018 08:48:42 GMT
x-frame-options: DENY
content-type: application/json

{
  "identifier": {
    "type": "dns",
    "value": "sub.mydomain.com"
  },
  "status": "pending",
  "expires": "2018-08-25T08:48:42Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/nXwpF7Rk62yp_bCd1joTD0jFZ2ybtekX3tpkfhl1jCc/6575298707",
      "token": "ObNfi8fqVUxpbxjTgoKtQqZiMcnd_z2Dn1uFXOd-c5c"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/nXwpF7Rk62yp_bCd1joTD0jFZ2ybtekX3tpkfhl1jCc/6575298708",
      "token": "9H3Opp5tpJsZGbY2kbmi3PBu7QIsd2pS9HRk5uwsUM8"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/nXwpF7Rk62yp_bCd1joTD0jFZ2ybtekX3tpkfhl1jCc/6575298709",
      "token": "mmS6lGLx74d3IZewbTQNFUHiptIFZ2_qv0PbsO52d58"
    }
  ]
}
2018-08-18 10:48:42,776:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz/EVqcZCeJD-STvfGibsG4iah1RSe_BR1dGX0lhroBHhc.
2018-08-18 10:48:42,964:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/EVqcZCeJD-STvfGibsG4iah1RSe_BR1dGX0lhroBHhc HTTP/1.1" 200 915
2018-08-18 10:48:42,965:DEBUG:acme.client:Received response:
HTTP 200
content-length: 915
expires: Sat, 18 Aug 2018 08:48:42 GMT
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Sat, 18 Aug 2018 08:48:42 GMT
x-frame-options: DENY
content-type: application/json

{
  "identifier": {
    "type": "dns",
    "value": "www.sub.mydomain.com"
  },
  "status": "pending",
  "expires": "2018-08-25T08:48:42Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/EVqcZCeJD-STvfGibsG4iah1RSe_BR1dGX0lhroBHhc/6575298710",
      "token": "vtmVo1fyZExTVggX4lNlgsfUm5aVhnBmlbDo_NbKMKk"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/EVqcZCeJD-STvfGibsG4iah1RSe_BR1dGX0lhroBHhc/6575298711",
      "token": "3P_U8gPJqa0f1teo3xYIIKy6c5UJ-6r0iAS80sU8JUw"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/EVqcZCeJD-STvfGibsG4iah1RSe_BR1dGX0lhroBHhc/6575298712",
      "token": "CvgDKSFZQR7FPB3XO-08EruwnyF5-XtsRuWCQ3un288"
    }
  ]
}
2018-08-18 10:48:42,966:INFO:certbot.auth_handler:Performing the following challenges:
2018-08-18 10:48:42,966:INFO:certbot.auth_handler:http-01 challenge for sub.mydomain.com
2018-08-18 10:48:42,967:INFO:certbot.auth_handler:http-01 challenge for www.sub.mydomain.com
2018-08-18 10:48:42,967:DEBUG:acme.standalone:Successfully bound to :888 using IPv6
2018-08-18 10:48:42,967:DEBUG:acme.standalone:Certbot wasn't able to bind to :888 using IPv4, this is often expected due to the dual stack nature of IPv6 socket implementations.
2018-08-18 10:48:42,977:INFO:certbot.auth_handler:Waiting for verification...
2018-08-18 10:48:42,978:DEBUG:acme.client:JWS payload:
{
  "keyAuthorization": "ObNfi8fqVUxpbxjTgoKtQqZiMcnd_z2Dn1uFXOd-c5c.0sbx8Zm9hGzsFJ7NRJjOumGrkulpfEuD7U97BCtyhRQ", 
  "type": "http-01", 
  "resource": "challenge"
}
2018-08-18 10:48:42,980:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/challenge/nXwpF7Rk62yp_bCd1joTD0jFZ2ybtekX3tpkfhl1jCc/6575298707:
2018-08-18 10:48:43,180:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/challenge/nXwpF7Rk62yp_bCd1joTD0jFZ2ybtekX3tpkfhl1jCc/6575298707 HTTP/1.1" 200 223
2018-08-18 10:48:43,181:DEBUG:acme.client:Received response:
HTTP 200
content-length: 223
expires: Sat, 18 Aug 2018 08:48:43 GMT
cache-control: max-age=0, no-cache, no-store
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/acme/authz/nXwpF7Rk62yp_bCd1joTD0jFZ2ybtekX3tpkfhl1jCc>;rel="up"
location: https://acme-v02.api.letsencrypt.org/acme/challenge/nXwpF7Rk62yp_bCd1joTD0jFZ2ybtekX3tpkfhl1jCc/6575298707
pragma: no-cache
boulder-requester: 38270158
date: Sat, 18 Aug 2018 08:48:43 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: GhABXEtwelbhXcuIrrFi6Hl03QQ10vKBH6gqs-SGmVA

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/nXwpF7Rk62yp_bCd1joTD0jFZ2ybtekX3tpkfhl1jCc/6575298707",
  "token": "ObNfi8fqVUxpbxjTgoKtQqZiMcnd_z2Dn1uFXOd-c5c"
}
2018-08-18 10:48:43,181:DEBUG:acme.client:Storing nonce: GhABXEtwelbhXcuIrrFi6Hl03QQ10vKBH6gqs-SGmVA
2018-08-18 10:48:43,182:DEBUG:acme.client:JWS payload:
{
  "keyAuthorization": "vtmVo1fyZExTVggX4lNlgsfUm5aVhnBmlbDo_NbKMKk.0sbx8Zm9hGzsFJ7NRJjOumGrkulpfEuD7U97BCtyhRQ", 
  "type": "http-01", 
  "resource": "challenge"
}
2018-08-18 10:48:43,183:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/challenge/EVqcZCeJD-STvfGibsG4iah1RSe_BR1dGX0lhroBHhc/6575298710:
2018-08-18 10:48:43,384:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/challenge/EVqcZCeJD-STvfGibsG4iah1RSe_BR1dGX0lhroBHhc/6575298710 HTTP/1.1" 200 223
2018-08-18 10:48:43,385:DEBUG:acme.client:Received response:
HTTP 200
content-length: 223
expires: Sat, 18 Aug 2018 08:48:43 GMT
cache-control: max-age=0, no-cache, no-store
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/acme/authz/EVqcZCeJD-STvfGibsG4iah1RSe_BR1dGX0lhroBHhc>;rel="up"
location: https://acme-v02.api.letsencrypt.org/acme/challenge/EVqcZCeJD-STvfGibsG4iah1RSe_BR1dGX0lhroBHhc/6575298710
pragma: no-cache
boulder-requester: 38270158
date: Sat, 18 Aug 2018 08:48:43 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: wXKKAaKQPai2mqBEgcXV5GFRoGoQGbtq55wRmnNFY-Q

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/EVqcZCeJD-STvfGibsG4iah1RSe_BR1dGX0lhroBHhc/6575298710",
  "token": "vtmVo1fyZExTVggX4lNlgsfUm5aVhnBmlbDo_NbKMKk"
}
2018-08-18 10:48:43,385:DEBUG:acme.client:Storing nonce: wXKKAaKQPai2mqBEgcXV5GFRoGoQGbtq55wRmnNFY-Q
2018-08-18 10:48:46,389:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz/nXwpF7Rk62yp_bCd1joTD0jFZ2ybtekX3tpkfhl1jCc.
2018-08-18 10:48:46,574:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/nXwpF7Rk62yp_bCd1joTD0jFZ2ybtekX3tpkfhl1jCc HTTP/1.1" 200 1702
2018-08-18 10:48:46,575:DEBUG:acme.client:Received response:
HTTP 200
content-length: 1702
expires: Sat, 18 Aug 2018 08:48:46 GMT
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Sat, 18 Aug 2018 08:48:46 GMT
x-frame-options: DENY
content-type: application/json

{
  "identifier": {
    "type": "dns",
    "value": "sub.mydomain.com"
  },
  "status": "invalid",
  "expires": "2018-08-25T08:48:42Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://sub.mydomain.com/.well-known/acme-challenge/ObNfi8fqVUxpbxjTgoKtQqZiMcnd_z2Dn1uFXOd-c5c: \"\u003c!DOCTYPE html\u003e\n\u003chtml class=\"no-js\" lang=\"en-GB\" itemscope=\"itemscope\" itemtype=\"http://schema.org/WebPage\"\u003e\n\u003chead\u003e\n\u003cmeta charse\"",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/nXwpF7Rk62yp_bCd1joTD0jFZ2ybtekX3tpkfhl1jCc/6575298707",
      "token": "ObNfi8fqVUxpbxjTgoKtQqZiMcnd_z2Dn1uFXOd-c5c",
      "validationRecord": [
        {
          "url": "http://sub.mydomain.com/.well-known/acme-challenge/ObNfi8fqVUxpbxjTgoKtQqZiMcnd_z2Dn1uFXOd-c5c",
          "hostname": "sub.mydomain.com",
          "port": "80",
          "addressesResolved": [
            "111.222.333.111"
          ],
          "addressUsed": "111.222.333.111"
        }
      ]
    },
    {
      "type": "dns-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/nXwpF7Rk62yp_bCd1joTD0jFZ2ybtekX3tpkfhl1jCc/6575298708",
      "token": "9H3Opp5tpJsZGbY2kbmi3PBu7QIsd2pS9HRk5uwsUM8"
    },
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/nXwpF7Rk62yp_bCd1joTD0jFZ2ybtekX3tpkfhl1jCc/6575298709",
      "token": "mmS6lGLx74d3IZewbTQNFUHiptIFZ2_qv0PbsO52d58"
    }
  ]
}
2018-08-18 10:48:46,576:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz/EVqcZCeJD-STvfGibsG4iah1RSe_BR1dGX0lhroBHhc.
2018-08-18 10:48:46,764:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/EVqcZCeJD-STvfGibsG4iah1RSe_BR1dGX0lhroBHhc HTTP/1.1" 200 2040
2018-08-18 10:48:46,764:DEBUG:acme.client:Received response:
HTTP 200
content-length: 2040
expires: Sat, 18 Aug 2018 08:48:46 GMT
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Sat, 18 Aug 2018 08:48:46 GMT
x-frame-options: DENY
content-type: application/json

{
  "identifier": {
    "type": "dns",
    "value": "www.sub.mydomain.com"
  },
  "status": "invalid",
  "expires": "2018-08-25T08:48:42Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://www.sub.mydomain.com/.well-known/acme-challenge/vtmVo1fyZExTVggX4lNlgsfUm5aVhnBmlbDo_NbKMKk: \"\u003c!DOCTYPE html\u003e\n\u003chtml class=\"no-js\" lang=\"de\" itemscope=\"itemscope\" itemtype=\"http://schema.org/WebPage\"\u003e\n\u003chead\u003e\n\u003cmeta charset=\"\"",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/EVqcZCeJD-STvfGibsG4iah1RSe_BR1dGX0lhroBHhc/6575298710",
      "token": "vtmVo1fyZExTVggX4lNlgsfUm5aVhnBmlbDo_NbKMKk",
      "validationRecord": [
        {
          "url": "http://www.sub.mydomain.com/.well-known/acme-challenge/vtmVo1fyZExTVggX4lNlgsfUm5aVhnBmlbDo_NbKMKk",
          "hostname": "www.sub.mydomain.com",
          "port": "80",
          "addressesResolved": [
            "111.222.333.111"
          ],
          "addressUsed": "111.222.333.111"
        },
        {
          "url": "https://mydomain.com/.well-known/acme-challenge/vtmVo1fyZExTVggX4lNlgsfUm5aVhnBmlbDo_NbKMKk",
          "hostname": "mydomain.com",
          "port": "443",
          "addressesResolved": [
            "111.222.333.111"
          ],
          "addressUsed": "111.222.333.111"
        }
      ]
    },
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/EVqcZCeJD-STvfGibsG4iah1RSe_BR1dGX0lhroBHhc/6575298711",
      "token": "3P_U8gPJqa0f1teo3xYIIKy6c5UJ-6r0iAS80sU8JUw"
    },
    {
      "type": "dns-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/EVqcZCeJD-STvfGibsG4iah1RSe_BR1dGX0lhroBHhc/6575298712",
      "token": "CvgDKSFZQR7FPB3XO-08EruwnyF5-XtsRuWCQ3un288"
    }
  ]
}
2018-08-18 10:48:46,766:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: www.sub.mydomain.com
Type:   unauthorized
Detail: Invalid response from http://www.sub.mydomain.com/.well-known/acme-challenge/vtmVo1fyZExTVggX4lNlgsfUm5aVhnBmlbDo_NbKMKk: "<!DOCTYPE html>
<html class="no-js" lang="de" itemscope="itemscope" itemtype="http://schema.org/WebPage">
<head>
<meta charset=""

Domain: sub.mydomain.com
Type:   unauthorized
Detail: Invalid response from http://sub.mydomain.com/.well-known/acme-challenge/ObNfi8fqVUxpbxjTgoKtQqZiMcnd_z2Dn1uFXOd-c5c: "<!DOCTYPE html>
<html class="no-js" lang="en-GB" itemscope="itemscope" itemtype="http://schema.org/WebPage">
<head>
<meta charse"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2018-08-18 10:48:46,767:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. www.sub.mydomain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.sub.mydomain.com/.well-known/acme-challenge/vtmVo1fyZExTVggX4lNlgsfUm5aVhnBmlbDo_NbKMKk: "<!DOCTYPE html>
<html class="no-js" lang="de" itemscope="itemscope" itemtype="http://schema.org/WebPage">
<head>
<meta charset="", sub.mydomain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://sub.mydomain.com/.well-known/acme-challenge/ObNfi8fqVUxpbxjTgoKtQqZiMcnd_z2Dn1uFXOd-c5c: "<!DOCTYPE html>
<html class="no-js" lang="en-GB" itemscope="itemscope" itemtype="http://schema.org/WebPage">
<head>
<meta charse"

2018-08-18 10:48:46,767:DEBUG:certbot.error_handler:Calling registered functions
2018-08-18 10:48:46,767:INFO:certbot.auth_handler:Cleaning up challenges
2018-08-18 10:48:46,768:DEBUG:certbot.plugins.standalone:Stopping server at :::888...
2018-08-18 10:48:46,976:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.26.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1254, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 120, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 391, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 334, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 370, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. www.sub.mydomain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.sub.mydomain.com/.well-known/acme-challenge/vtmVo1fyZExTVggX4lNlgsfUm5aVhnBmlbDo_NbKMKk: "<!DOCTYPE html>
<html class="no-js" lang="de" itemscope="itemscope" itemtype="http://schema.org/WebPage">
<head>
<meta charset="", sub.mydomain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://sub.mydomain.com/.well-known/acme-challenge/ObNfi8fqVUxpbxjTgoKtQqZiMcnd_z2Dn1uFXOd-c5c: "<!DOCTYPE html>
<html class="no-js" lang="en-GB" itemscope="itemscope" itemtype="http://schema.org/WebPage">
<head>
<meta charse"

In line 378 of letsencrypt.log it says (Invalid response http://www.sub.mydomain.com/.well-known/acme-challenge/).
As I understand it, is this because mydomain.com is already located in the webroot?


#4

Normally, standalone should work, with www.sarmaxx-shop.eu and with cat.sarmaxx-shop.eu.

So if it doesn’t work: Why do you have nginx and apache? Nginx as reverse proxy, Apache as webserver?

But if your nginx redirects /.well-known/acme-challenge/ and Certbot creates a new Apache, then the file in this apache can’t be found.

So remove both redirects.

https://acme-v02.api.letsencrypt.org/acme/authz/nXwpF7Rk62yp_bCd1joTD0jFZ2ybtekX3tpkfhl1jCc

“Invalid response from http://cat.sarmaxx-shop.eu/.well-known/acme-challenge/ObNfi8fqVUxpbxjTgoKtQqZiMcnd_z2Dn1uFXOd-c5c: “<!DOCTYPE html>\n<html class=“no-js” lang=“en-GB” itemscope=“itemscope” itemtype=“http://schema.org/WebPage”>\n<head>\n<meta charse””

Is this content created by Apache or by nginx? Testing that, I get a 404, but no headers.

Testing

D:>download http://cat.sarmaxx-shop.eu/ -h
Connection: keep-alive
Vary: Accept-Encoding,Accept-Encoding
x-content-digest: en4dbcbf9c1329a238c27edccbb7cf3e9d5493302f2cd35c69ead7a4426d4b6127
Age: 110
X-Frame-Options: SAMEORIGIN
X-Proxy-Cache: MISS
X-Cache-Date: Sat, 18 Aug 2018 10:15:33 GMT
Content-Length: 19523
Cache-Control: no-cache, private
Content-Type: text/html; charset=UTF-8
Date: Sat, 18 Aug 2018 10:15:33 GMT
Server: nginx

Status: 200 OK

There nginx sends the header.


#5

Thank you for your reply. Nginx is a proxy in front of Apache.

I do not have this entry (/.well-known/acme-challenge…) in either nginx or Apache; I only copied it into my post, asking if it would help to include it in my configuration. I tried to include (/.well-known/acme-challenge…) in the nginx and then in the Apache configuration just a few minutes before your reply (probably at the time you tested it); it did not help, so I removed it again.

NGINX code:

location ^~ /.well-known/acme-challenge/ {
 allow all;
 alias /common/path/for/all/challenges/;
}

There is no redirect now, or do you mean something else by redirect?
Not the code below?

location ^~ /.well-known/acme-challenge/ {
 allow all;
 alias /common/path/for/all/challenges/;
}

#6

If your nginx sends GET-requests to /common/path/for/all/challenges/ but Certbot creates an Apache and stores the file under /.well-known/acme-challenge/1234, that can’t work.

If you already have a running webserver, --webroot uses this webserver. So I would test

certbot certonly --test-cert --webroot -w "/YourRealApacheWebroot" -d "your cat - domain and www.cat"

First, place a file 123456789 under /YourRealApacheWebroot/.well-known/acme-challenge/ and test (in a browser) whether you can open it:

http://cat.sarmaxx-shop.eu/.well-known/acme-challenge/123456789

Same with www.cat…
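The pre-flight test from the post above, automated as an added example (my code, not certbot's and not from any post in this thread): it writes a random token file into the webroot's /.well-known/acme-challenge/ directory, fetches it through each hostname while following redirects as the CA does, and names what came back, so the front-page HTML and the https://mydomain.com hop recorded in the earlier log would show up before certbot is run. Assumptions: Python 3.7+ standard library only; the two local servers in run_selftest() are constructed stand-ins for Apache serving the webroot and for the storefront.

```python
"""Pre-flight for http-01: put a token file under <webroot>/.well-known/acme-challenge/, fetch it
through every hostname the certificate will cover (following redirects as the CA does), name the result."""
import functools
import http.client
import http.server
import os
import secrets
import tempfile
import threading
import urllib.parse

CHALLENGE_DIR = ".well-known/acme-challenge"


def place_token(webroot):
    """Write a random token file as a webroot authenticator would; return (token, body)."""
    token = secrets.token_urlsafe(32)
    body = token + ".preflight"  # constructed stand-in for the real token.<JWK thumbprint>
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    with open(os.path.join(directory, token), "w", encoding="ascii") as fh:
        fh.write(body)
    return token, body


def fetch(url, max_hops=10):
    """GET url following redirects; return (status, body, hops) with hops = [(url, status), ...]."""
    hops = []
    for _ in range(max_hops):
        parts = urllib.parse.urlsplit(url)
        conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
        conn = conn_cls(parts.hostname, parts.port, timeout=10)
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", "replace")
        location = resp.getheader("Location")
        conn.close()
        hops.append((url, resp.status))
        if resp.status in (301, 302, 303, 307, 308) and location:
            url = urllib.parse.urljoin(url, location)  # the CA follows these too (cf. validationRecord)
            continue
        return resp.status, body, hops
    return 0, "", hops  # redirect loop


def classify(status, body, expected):
    """The CA accepts only a 200 whose whitespace-trimmed body equals the key authorization."""
    text = body.strip()
    if status != 200:
        return "http-%d" % status
    if text == expected:
        return "ok"
    if text[:64].lower().startswith(("<!doctype", "<html")):
        return "html-instead-of-token"  # the site's front page answered, as in the log above
    return "unexpected-body"


def preflight(webroot, hostnames):
    """Return {hostname: (verdict, hops)}; the token file is removed afterwards."""
    token, expected = place_token(webroot)
    results = {}
    try:
        for host in hostnames:
            try:
                status, body, hops = fetch("http://%s/%s/%s" % (host, CHALLENGE_DIR, token))
            except (OSError, http.client.HTTPException) as exc:  # DNS failure, refused, timeout
                results[host] = ("connection-failed: %s" % exc, [])
                continue
            results[host] = (classify(status, body, expected), hops)
    finally:
        os.remove(os.path.join(webroot, CHALLENGE_DIR, token))
    return results


class FrontPageHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the shop: answers every path with the storefront page."""
    PAGE = b'<!DOCTYPE html>\n<html class="no-js" lang="de"><head><meta charset="utf-8"></head></html>'

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=UTF-8")
        self.send_header("Content-Length", str(len(self.PAGE)))
        self.end_headers()
        self.wfile.write(self.PAGE)


def local_server(handler):
    """Throwaway HTTP server on 127.0.0.1 with a random port, served from a daemon thread."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_selftest():
    """Offline run: the same webroot behind a plain file server and behind a catch-all front page."""
    with tempfile.TemporaryDirectory() as webroot:
        good = local_server(functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot))
        bad = local_server(FrontPageHandler)
        good_verdict = preflight(webroot, ["127.0.0.1:%d" % good.server_port])
        bad_verdict = preflight(webroot, ["127.0.0.1:%d" % bad.server_port])
        good.shutdown()
        bad.shutdown()
    return {"webroot": next(iter(good_verdict.values()))[0],
            "front-page": next(iter(bad_verdict.values()))[0]}
```

On the real host, preflight("/var/www/html/123", ["cat.sarmaxx-shop.eu", "www.cat.sarmaxx-shop.eu"]) returns a verdict and the redirect hops per hostname; anything other than "ok" means a certbot --webroot run with that -w path would be served the same wrong answer.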


#7

Thank you for your reply.

There is no entry regarding /.well-known/acme-challenge/ in nginx or apache configuration.

File 123456789 can be opened as http://cat and as http://www.cat

After 10 minutes I canceled the following command, as nothing was shown.

certbot certonly --test-cert --webroot -w /var/www/html/123 -d cat.sarmaxx-shop.eu -d www.cat.sarmaxx-shop.eu

Output in letsencrypt.log:

2018-08-18 14:03:33,416:DEBUG:certbot.main:certbot version: 0.26.1
2018-08-18 14:03:33,416:DEBUG:certbot.main:Arguments: ['--test-cert', '--webroot', '-w', '/var/www/html/123', '-d', 'cat.sarmaxx-shop.eu', '-d', 'www.cat.sarmaxx-shop.eu']
2018-08-18 14:03:33,416:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-08-18 14:03:33,452:DEBUG:certbot.log:Root logging level set at 20
2018-08-18 14:03:33,452:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-08-18 14:03:33,454:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2018-08-18 14:03:33,455:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f58385d5c90>
Prep: True
2018-08-18 14:03:33,455:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f58385d5c90> and installer None
2018-08-18 14:03:33,455:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2018-08-18 14:03:37,282:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.26.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1238, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 641, in _init_le_client
    acc, acme = _determine_account(config)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 517, in _determine_account
    config.email = display_ops.get_email()
  File "/usr/lib/python2.7/site-packages/certbot/display/ops.py", line 59, in get_email
    "An e-mail address or "
Error: An e-mail address or --register-unsafely-without-email must be provided.

#8

There is your error:

Looks like you don’t have an account at the staging system.

Then certbot waits …


#9

Thank you, that’s strange. I was installing certbot 5-6 weeks ago and I think I saved an email there, as other SSL certificates were also issued at that time.

I don’t want to reinstall everything, do you know if there is a way to add the email address?


#10

You don’t need to reinstall anything.

-m EMAIL

There are different accounts on the stage and productive system. If you have a productive account, that doesn’t mean you have a stage-account.


#11

Thank you, so a staging account is just needed here to execute (test)?

Sorry, I am not familiar with that.
If it’s just to test, then it should not be the error for the productive system to get a certificate?
I mean, this is not the error for the following command?


#12

The test system uses the same validations as the productive system. So if you can create a test certificate, it should also work to create a productive certificate.

But there are limits. If you hit a limit, you have to wait. But the test system has its own limits and they are higher.

Your command with -standalone does not work. But it’s unclear, why. You had created one certificate with 16 domain names.

https://transparencyreport.google.com/https/certificates/o4B%2FwfL%2ByB8B8fYOJEQ4DhTSi8A2Ho4cPU%2BrY10ZRPo%3D

Names - www.cat.sarmaxx.de - www.ce.sarmaxx.de - created 2018-07-13.

Then a certificate with two names shouldn’t be so complicated. But if it is -->> there must be something buggy. Perhaps changed between 2018-07-13 and today.


#13

You mention webroot authentication in your subject, but you are trying to use standalone authentication.

Your nginx configuration is almost correctly set up to unify multiple domains under one challenge directory:

But you cannot use alias here, you have to use root, because certbot always adds the .well-known/acme-challenge path to the webroot you give it. So, instead use:

location ^~ /.well-known/acme-challenge/ {
  allow all;
  root /common/path/for/all/challenges/;
}

And then the correct certbot command to use with this nginx configuration is something like:

certbot certonly --webroot -w /path/to/common/path/for/all/challenges -d sub1.example.com,www.sub1.example.com

If you really want to use standalone authentication with the command you used:

It would require a nginx configuration like:

location ^~ /.well-known/acme-challenge/ {
  proxy_pass http://127.0.0.1:888;
}
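
The root-versus-alias point in the previous post is easy to verify offline. The script below is an added example, not code from this thread or from certbot or nginx: it reproduces nginx's two path-mapping rules (root appends the full request URI, alias replaces the matched location prefix), computes where certbot --webroot -w writes the token, and then performs the manual check from post #6 against a temporary directory instead of a live server. The directory names, the token and the key-authorization contents are constructed for the demo. It also covers one case the thread does not spell out: alias only lines up when it points at webroot/.well-known/acme-challenge/ itself.

```python
import os
import secrets
import tempfile
from posixpath import normpath

# Path every HTTP-01 challenge is fetched from; fixed by the ACME protocol.
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def nginx_file_path(directive, path, location, request_uri):
    """Filesystem path nginx serves for request_uri inside `location ^~ <location>`.

    root:  <path> + <full request URI>
    alias: <path> + <request URI with the location prefix stripped>
    """
    if not request_uri.startswith(location):
        raise ValueError("request does not match the location block")
    if directive == "root":
        return normpath(path.rstrip("/") + request_uri)
    if directive == "alias":
        return normpath(path.rstrip("/") + "/" + request_uri[len(location):])
    raise ValueError("unsupported directive: %s" % directive)


def certbot_webroot_file(webroot, token):
    """Where `certbot --webroot -w <webroot>` writes the challenge token file."""
    return normpath(os.path.join(webroot, CHALLENGE_PREFIX.lstrip("/"), token))


def preflight(directive, nginx_path, webroot, token):
    """Offline version of the manual check: write the token where certbot would,
    then look it up where nginx would. Returns (found, served_path)."""
    target = certbot_webroot_file(webroot, token)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "w") as fh:
        fh.write(token + ".constructed-key-authorization")  # constructed content
    served = nginx_file_path(directive, nginx_path, CHALLENGE_PREFIX,
                             CHALLENGE_PREFIX + token)
    return os.path.isfile(served), served


def demo():
    """Run the three configurations against one throwaway webroot."""
    webroot = tempfile.mkdtemp(prefix="acme-demo-")   # stands in for the shared webroot
    token = secrets.token_urlsafe(32)                 # constructed, same alphabet as ACME tokens
    return {
        # root /webroot;  -> matches what certbot writes
        "root": preflight("root", webroot, webroot, token)[0],
        # alias /webroot/; -> nginx looks for /webroot/<token>, certbot wrote deeper
        "alias": preflight("alias", webroot, webroot, token)[0],
        # alias /webroot/.well-known/acme-challenge/; -> also lines up
        "alias_to_challenge_dir": preflight(
            "alias", webroot + CHALLENGE_PREFIX, webroot, token)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-24s %s" % (name, "served" if ok else "404"))
```

Run it once before pointing certbot at a multi-domain webroot; if the "root" case reports 404, the -w argument and the root directive are not naming the same directory.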

#14

Hello Patches,

Many thanks for reply, that has worked!


#15

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.