Cert Request fails


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: corkynan.com

I ran this command:

```
certbot certonly --standalone --rsa-key-size 4096 -d mail.corkynan.com -d imap.corkynan.com -d smtp.corkynan.com -d cn-mail.corkynan.com
```

It produced this output:

```
Domain: mail.corkynan.com
Type: unauthorized
Detail: Invalid response from http://cn-mail.corkynan.com/.well...
```

My web server is (include version): Turned off Apache 2 as certbot requested, so native to certbot

The operating system my web server runs on is (include version): Debian 9 (Stretch)

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes I have full access to all systems on the network. 

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of `certbot --version` or `certbot-auto --version` if you're using Certbot): 0.10.2

#2

Additional Information: While the domain corkynan.com is registered and I can update the DNS records, I am using my own root authority domain controller behind a firewall and NAT. While this server can see the outside world, there is no connection at this time between the registered domain and my internal DNS for my local network.

The question is: Is it possible to use Let’s Encrypt in this configuration, where all DNS registrations for the machines are handled locally, since there is no direct access from the Internet into the local corkynan.com domain, only outgoing connections (i.e., the Internet cannot see my local systems, including the local authoritative DNS)?

Thanks


#3

Hi @CAS

If I understand your setup correctly, then: No, that can’t work.

If you want a publicly trusted certificate, Letsencrypt must check your DNS entries:

  • A / AAAA record to find a webserver -> http-01 validation or
  • your TXT entries _acme-challenge… -> dns-01 validation

If you have created TXT entries, they are invisible ( https://check-your-website.server-daten.de/?q=corkynan.com ):

TXT - Entries

| Domainname | TXT Entry | Status | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|
| corkynan.com | | ok | 1 | 0 |
| www.corkynan.com | | ok | 1 | 0 |
| _acme-challenge.corkynan.com | | missing entry or wrong length | 1 | 0 |
| _acme-challenge.www.corkynan.com | | missing entry or wrong length | 1 | 0 |
| _acme-challenge.corkynan.com.corkynan.com | | perhaps wrong | 1 | 0 |
| _acme-challenge.www.corkynan.com.www.corkynan.com | | perhaps wrong | 1 | 0 |

So that can’t work.


#4

All four names return the same IP and site:

The only way to get a cert in such a situation (with a parked domain) is via DNS authentication.

--standalone will spin up a web server; but LE can’t find that web server (only the parked site page).
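
Posts #3 and #4 come down to what the Let's Encrypt validator actually compares against: for http-01 the body it fetches from `http://<host>/.well-known/acme-challenge/<token>` must equal the key authorization, and for dns-01 the TXT record at `_acme-challenge.<host>` must hold the base64url SHA-256 of that key authorization (RFC 8555 sections 8.3 and 8.4). The following is an added example written for this page, not code from the thread or from Certbot. It reimplements those two checks and runs them against constructed inputs that mirror the two failures above: a parking page answering every URL, and a TXT record that landed at `_acme-challenge.<host>.<host>` (the "perhaps wrong" rows in the table) because a zone-file name lacked its trailing dot. The account key, token, hostnames-as-data, `fetch`/`resolve` callbacks and function names are all hypothetical.

```python
"""Added example (not from the thread): what an ACME validator checks for
http-01 and dns-01, run against constructed inputs. All keys, tokens, the
fake fetch/resolve callbacks and the helper names are hypothetical."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """http-01 expects exactly this string as the HTTP response body."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """dns-01 expects base64url(SHA-256(key authorization)) in the TXT record."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def check_http01(identifier: str, token: str, account_jwk: dict, fetch) -> str:
    """fetch(url) -> (status, body) stands in for the CA's outbound GET."""
    url = f"http://{identifier}/.well-known/acme-challenge/{token}"
    status, body = fetch(url)
    if status != 200:
        return f"unauthorized: HTTP {status} from {url}"
    if body.strip() != key_authorization(token, account_jwk):
        return f"unauthorized: invalid response from {url}"
    return "ok"


def check_dns01(identifier: str, token: str, account_jwk: dict, resolve) -> str:
    """resolve(name) -> list of TXT strings stands in for a public resolver."""
    name = f"_acme-challenge.{identifier}."
    expected = dns01_txt_value(token, account_jwk)
    if expected in resolve(name):
        return "ok"
    # Common zone-file mistake: a relative owner name without a trailing dot gets
    # the zone origin appended, so the record lands at _acme-challenge.<host>.<host>.
    doubled = f"_acme-challenge.{identifier}.{identifier}."
    if expected in resolve(doubled):
        return f"unauthorized: record published at {doubled}, not {name}"
    return f"unauthorized: no TXT record {name} with the expected value"


# --- constructed sample data: not a real key, token, page or zone ------------
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-not-a-real-key"}
TOKEN = "constructed-token-0123456789"
HOST = "mail.corkynan.com"
PARKED_PAGE = "<html><body>This domain is parked.</body></html>"


def parked_fetch(url):
    """A registrar parking site answers every path with the same page (post #4)."""
    return 200, PARKED_PAGE


def working_fetch(url):
    """What certbot --standalone would serve if the CA could reach it."""
    return 200, key_authorization(TOKEN, ACCOUNT_JWK)


ZONE_MISSING_DOT = {f"_acme-challenge.{HOST}.{HOST}.": [dns01_txt_value(TOKEN, ACCOUNT_JWK)]}
ZONE_CORRECT = {f"_acme-challenge.{HOST}.": [dns01_txt_value(TOKEN, ACCOUNT_JWK)]}


def resolver(zone: dict):
    """Only records in this dict are 'visible'; an internal-only zone is empty here."""
    return lambda name: zone.get(name, [])


def run_examples() -> dict:
    return {
        "http01_parked": check_http01(HOST, TOKEN, ACCOUNT_JWK, parked_fetch),
        "http01_ok": check_http01(HOST, TOKEN, ACCOUNT_JWK, working_fetch),
        "dns01_missing_dot": check_dns01(HOST, TOKEN, ACCOUNT_JWK, resolver(ZONE_MISSING_DOT)),
        "dns01_ok": check_dns01(HOST, TOKEN, ACCOUNT_JWK, resolver(ZONE_CORRECT)),
    }


if __name__ == "__main__":
    for case, result in run_examples().items():
        print(f"{case}: {result}")
```

The point the example makes is the one the replies make: both checks are performed from the CA's side of the Internet, so an internal-only authoritative server or a web server behind NAT is invisible to them. With the public zone's TXT record in the right place (`resolver(ZONE_CORRECT)`), dns-01 passes without any inbound connection, which is why it is the workable option for the setup in post #2.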

