Certbot - Extra Domain in VHOST Configs Means Challenges Do Not Pass


#1

Hi,
I have Ubuntu 14.0 desktop version, which serves as an Apache server and already runs two websites on it.

After I choose my vhost, certbot fails with an error saying there are 3 certs, and it lists a cert for another common name, cpe.huawei.com, that is not any of my current domains.

As far as I know, I could not find such a vhost on my server; I also cannot find that cert.
I suspect there is an unseen cert that could have been installed by a previous server administrator who I cannot contact now.

Can anyone help me with installing certbot for my vhost and removing all unseen SSL certs, if there are any?
I would also appreciate it if you shared a way to reinstall Apache without affecting MySQL and the vhosts.

Thanks.


#2

Hi @fperera123,

This sounds like a case where there is a firewall or router (made by Huawei) in between the Internet and your server, and the firewall is actually terminating incoming TLS sessions and then maybe proxying them. Is this possible? The error that you got is exactly the one that would be expected in this situation. This could be the case if the firewall offers a feature of intercepting Internet traffic in order to scan it for viruses or something.


#3

Thanks for the answer @schoen ,
Yes, it is possible, since the server is homemade, using a general router.
Could you tell me what kind of configuration I should look for or change?
Because I’m not an expert in networking :slight_smile:

Edited:
The router is a Huawei E5172 and I checked the router config.
There is only one config for HTTPS under Service Access Control (SAC), and it was activated for HTTPS. (When I disabled it, port 443 was closed.)
Port 443 is listening to the public through my server firewall.
I also wanted to know whether the ISP could be involved in this problem.
Because someone told me that the ISP is hijacking my 443 port.


#4

Your ISP could be responsible, but it seems like a significant coincidence that you have a Huawei router and the certificate of the device that’s interfering with the validation is also from Huawei. This makes me think that your router is more likely to be responsible.

If so, you need to find a way to get your router to forward or pass through port 443 connections without interfering with them at all.


#5

hi @fperera123

There are usually questions when you place a help post about what commands you ran etc.; it’s good to fill these out because it helps people understand the context of what you are doing.

The Certbot Apache plugin will not try to issue a certificate for a domain if there is not a VHOST configuration for it, so I would double-check your Apache configs.

CPE stands for customer premise equipment and I would not be surprised to see this certificate on your router HOWEVER not on your web server. If it is on your web server it would be because someone installed it or configured your web server to have this binding.

Huawei routers cannot configure apache servers and port forwarding is just that - forwarding traffic from the WAN (internet) interface to a LAN (server) interface.

Your fix for this is to use the webroot plugin or to fix the Apache configuration so certbot does not try to issue a challenge for the cpe.huawei.com domain (which you will never pass as you do not own that domain).

Andrei


#6

I don’t believe this is relevant. The error message for a failed TLS-SNI-01 challenge that shows returned certs lists the subject names of the certs that were encountered. It does not even mention what name was requested in the error message.

https://community.letsencrypt.org/search?q=incorrect%20validation%20certificate

So, there’s no reason to think that Certbot is requesting a certificate for cpe.huawei.com, or that Apache is configured with this name in a virtual host.
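
An added check for the situation discussed in #2, #4 and #6 (example code, not from the thread or from Certbot): it fetches the certificate presented on port 443 with SNI set to the site's hostname, once on loopback (Apache itself) and once on the public address (what a TLS-SNI-01 validator would see), and compares the subjects. It assumes `openssl` is installed; `DOMAIN` and `PUBLIC_IP` are placeholders passed on the command line, and the name-matching helper is a pure string function so it can be exercised without a network.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. If the loopback and public subjects differ,
# a device between the Internet and Apache (router, ISP middlebox) is answering
# the TLS handshake with its own certificate, which is what a TLS-SNI-01 error
# listing an unexpected subject such as cpe.huawei.com indicates.

# Subject of the leaf certificate returned by host:port for the given SNI.
presented_subject() {
  local host="$1" port="$2" sni="$3"
  openssl s_client -connect "$host:$port" -servername "$sni" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null
}

# Does an openssl "-subject" line name the expected hostname (exact or wildcard)?
# Accepts both "subject= /C=US/CN=x" (older) and "subject=C = US, CN = x" (newer).
subject_matches() {
  local subject="$1" expected="$2" cn
  cn=$(printf '%s\n' "$subject" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' | tr -d ' ')
  case "$cn" in
    "$expected") return 0 ;;
    # "*.example.com" covers "www.example.com" but not "example.com" itself.
    \*.*) [ "${expected#*.}" = "${cn#\*.}" ] && return 0 ;;
  esac
  return 1
}

# Exit 0 when the public path reaches Apache unmodified, 1 on interception.
compare_paths() {
  local domain="$1" public_ip="$2" local_subj public_subj
  local_subj=$(presented_subject 127.0.0.1 443 "$domain")
  public_subj=$(presented_subject "$public_ip" 443 "$domain")
  printf 'loopback (Apache) : %s\n' "$local_subj"
  printf 'public address    : %s\n' "$public_subj"
  if subject_matches "$local_subj" "$domain" && [ "$local_subj" = "$public_subj" ]; then
    echo "OK: port 443 reaches Apache without interception"
    return 0
  fi
  echo "MISMATCH: something between the Internet and Apache is terminating TLS"
  return 1
}

# Usage: ./tls-path-check.sh DOMAIN PUBLIC_IP  (placeholders; run from outside
# the LAN, or from a host whose traffic to PUBLIC_IP leaves through the router)
if [ "$#" -eq 2 ]; then
  compare_paths "$1" "$2"
fi
```

Run it from a machine outside your network if possible, since a LAN client connecting to the public IP may be short-circuited by the router and never cross the path the validator uses.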


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.