Certbot created certificate for www but giving urn:acme:error:unauthorized for subdomain

Not able to create a certificate for a subdomain - turistavip.hiptraveler.com

My domain is: hiptraveler.com. Https enabled on www.hiptraveler.com

I ran this command: I tried --expand to include turistavip.hiptraveler.com to existing certificate and also, sudo certbot --apache -d turistavip.hiptraveler.com - to create a new certificate for turistavip

Both options produced the same output:

Performing the following challenges:
http-01 challenge for turistavip.hiptraveler.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. turistavip.hiptraveler.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://turistavip.hiptraveler.com/.well-known/acme-challenge/ivhF6MKhEIDaIVmXFcc8wuxE7oEf1UxugNBfbrJcmgE: "Apache Tomcat/7.0.52 (Ubuntu) - Error report<!--H1 {font-family:Tahoma,Arial,sans-serif;color:"

My web server is (include version): Apache/2.4.7 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 14.04

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Certbot tries to place a challenge file at /.well-known/acme-challenge/ in your domain. Can you figure out where the document root for this domain (turistavip.hiptraveler.com) actually is in the file system?

Thank you for your reply. www.hiptraveler.com and turistavip.hiptraveler.com both point to the same server and IP. And /.well-known/acme-challenge/ was created in the /var/lib/tomcat7/webapps/ROOT/ folder, but then a new code deployment removed that folder.
https still works for www even though there’s no /.well-known/acme-challenge/ in ROOT now. But it won’t work for turistavip.

My guess is that port 443 is already enabled for https, and so for some reason the ACME challenge is not able to reach and create this folder for turistavip on http.

Does this work any better?

sudo certbot -a webroot -i apache -w /var/lib/tomcat7/webapps/ROOT -d turistavip.hiptraveler.com
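The webroot suggestion above only works if whatever answers on port 80 for that hostname actually serves files from the directory given to -w, which is exactly what the Tomcat error report in the original failure shows was not happening. The script below is an added example (not part of this thread or of certbot itself) that does the same thing the http-01 challenge does, as a pre-flight check: it writes a random token under <webroot>/.well-known/acme-challenge/, fetches it back over HTTP, and reports whether the body matches. For the case in this thread you would call check_webroot("/var/lib/tomcat7/webapps/ROOT", "http://turistavip.hiptraveler.com"); the demo() function instead spins up a local static server over a temporary directory so it runs offline, and deliberately probes a second directory that is not served to show the failure path.

```python
"""Pre-flight check for an HTTP-01 webroot (added example, not certbot code).

Mimics the challenge: drop a token file in <webroot>/.well-known/acme-challenge/
and verify the web server on port 80 hands it back verbatim.
"""
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def write_probe(webroot):
    """Create a random token file where certbot would place the challenge."""
    token = secrets.token_urlsafe(32)  # URL- and filename-safe characters only
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, token), "w") as fh:
        fh.write(token)
    return token


def remove_probe(webroot, token):
    """Clean up the token file, as certbot does after the challenge."""
    try:
        os.remove(os.path.join(webroot, CHALLENGE_DIR, token))
    except FileNotFoundError:
        pass


def fetch(base_url, token, timeout=5):
    """GET the challenge URL; return (status, body) even on 4xx/5xx."""
    url = f"{base_url}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_webroot(webroot, base_url):
    """Return (ok, detail); ok is True only if the token is served back unchanged."""
    token = write_probe(webroot)
    try:
        status, body = fetch(base_url, token)
    finally:
        remove_probe(webroot, token)
    if status == 200 and body.strip() == token:
        return True, "webroot is served at /.well-known/acme-challenge/"
    # A 404 from another application (e.g. a Tomcat error page) lands here.
    return False, f"HTTP {status}: {body[:80]!r}"


def serve_dir(directory):
    """Start a throwaway static server on a random localhost port (demo only)."""
    handler = partial(SimpleHTTPRequestHandler, directory=directory)
    httpd = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, f"http://127.0.0.1:{httpd.server_address[1]}"


def demo():
    """Probe a served directory and an unserved one; returns (ok_served, ok_unserved)."""
    with tempfile.TemporaryDirectory() as served, tempfile.TemporaryDirectory() as other:
        httpd, base = serve_dir(served)
        try:
            ok_served, _ = check_webroot(served, base)   # token comes back -> True
            ok_other, detail = check_webroot(other, base)  # file not under docroot -> 404
            print("served:", ok_served, "| other:", ok_other, detail)
        finally:
            httpd.shutdown()
    return ok_served, ok_other


if __name__ == "__main__":
    demo()
```

If the check returns False with a 404 body from Tomcat, the -w directory is not the one the server on port 80 is actually using for that hostname, and no certbot flag will fix that until the path is either served from the webroot or proxied to a location that is.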

This did work but it ended up modifying - “SSLCertificateFile /etc/letsencrypt/live/www.hiptraveler.com/cert.pem” to “SSLCertificateFile /etc/letsencrypt/live/turistavip.hiptraveler.com/cert.pem” in 000-default-le-ssl.conf which caused errors for www.hiptraveler.com when accessing on https.
Can I create another 000-default-le-ssl.conf with a different name for turistavip.hiptraveler.com with “SSLCertificateFile /etc/letsencrypt/live/turistavip.hiptraveler.com/cert.pem” values?

https://www.ssllabs.com/ssltest/analyze.html?d=turistavip.hiptraveler.com - gives "Certificate name mismatch" because it can not find the /etc/letsencrypt/live/turistavip.hiptraveler.com/ files in any .conf file.

Do you have a separate VirtualHost in Apache for turistavip.hiptraveler.com? Or do both that and www.hiptraveler.com share one VirtualHost, with Tomcat/the application dealing with the difference?

No it’s the same VirtualHost for both. Application deals with the difference. I tried creating two VirtualHost *:443 for both by following this blog - https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm but no luck.

Then you just have to create a certificate with both names (hiptraveler.com, turistavip.hiptraveler.com) in it. You can specify the names with -d. I would recommend listing certificates first:

certbot certificates

Then decide (based on your current configuration) where to add the extra domain.


Now it worked. I was able to add both domains in one certificate.
Thank you so much.
