Certbot standalone error

Hi, Team
I'm trying to get certificates on my mail server, which has no web server.
However, I have gotten the following errors.

My domain is "corp-associe.jp"
The full domain name is "mail.corp-associe.jp".

I ran this command: certbot certonly --standalone -d mail.corp-associe.jp -m info@corp-associe.jp --agree-tos -n
*I installed certbot with "dnf install certbot" on CentOS8

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.corp-associe.jp
Waiting for verification...
Challenge failed for domain mail.corp-associe.jp
http-01 challenge for mail.corp-associe.jp
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version):No web server
OS: CentOS8

Note: The DNS record of this domain has been registered properly.

Thank you for your support.

Regards,

Hi @bravo

Checking that URL, a webserver answers.

So you have one - and --standalone may not work.

An Apache answers.

What says

sudo apachectl -S

or, if the first doesn't work,

sudo httpd -S

That is contradicted by:

curl -Iki http://mail.corp-associe.jp/
HTTP/1.1 302 Found
Date: Thu, 08 Oct 2020 10:22:11 GMT
Server: Apache/2.4.46 (Unix) OpenSSL/1.1.1c
Location: https://mail.corp-associe.jp/
Content-Type: text/html; charset=iso-8859-1

Are you on the right server?
Please show output of:
curl ifconfig.me

Hi, rg305

Thanks for your quick response. Here is the result.
[root@mail usr]# curl ifconfig.me
203.141.138.215[root@mail usr]#

The Apache web server is running on a separate VM.
Or do I need to add the https://mail.corp-associe.jp URL in httpd-vhost.conf??

Regards,

Hi, JuergenAuer

Thank you for your reply. Actually, there is no web server running on this mail server.
Both are running separately. Or should I add the https://mail.corp-associe.jp URL in the httpd-vhost.conf file on the Apache web server side?
Here is the result of httpd -V

[root@web1 bin]# ./httpd -S
VirtualHost configuration:
*:80 is a NameVirtualHost
default server www.corp-associe.jp (/usr/local/apache2/conf/extra/httpd-vhosts.conf:23)
port 80 namevhost www.corp-associe.jp (/usr/local/apache2/conf/extra/httpd-vhosts.conf:23)
alias corp-associe.com
port 80 namevhost www.koshirophotography.com (/usr/local/apache2/conf/extra/httpd-vhosts.conf:43)
alias koshirophotography.com
port 80 namevhost blog.koshirophotography.com (/usr/local/apache2/conf/extra/httpd-vhosts.conf:63)
alias blog.koshirophotography.com
port 80 namevhost nightview.koshirophotography.com (/usr/local/apache2/conf/extra/httpd-vhosts.conf:82)
alias nightview.koshirophotography.com
*:443 is a NameVirtualHost
default server www.corp-associe.jp (/usr/local/apache2/conf/extra/httpd-ssl.conf:121)
port 443 namevhost www.corp-associe.jp (/usr/local/apache2/conf/extra/httpd-ssl.conf:121)
port 443 namevhost www.koshirophotography.com (/usr/local/apache2/conf/extra/httpd-ssl.conf:140)
port 443 namevhost blog.koshirophotography.com (/usr/local/apache2/conf/extra/httpd-ssl.conf:159)
port 443 namevhost nightview.koshirophotography.com (/usr/local/apache2/conf/extra/httpd-ssl.conf:178)
ServerRoot: "/usr/local/apache2"
Main DocumentRoot: "/usr/local/apache2/htdocs"
Main ErrorLog: "/usr/local/apache2/logs/error_log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/usr/local/apache2/logs/" mechanism=default
Mutex ssl-stapling-refresh: using_defaults
Mutex rewrite-map: using_defaults
PidFile: "/usr/local/apache2/logs/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="httpd" id=57
Group: name="httpd" id=57

On what server are you running certbot? You should be running certbot on the exact same server which has the IP address to which the hostname you want the certificate for is pointing.

Also, your DNS has issues: https://dnsviz.net/d/mail.corp-associe.jp/dnssec/ I didn't get the IP address for the hostname earlier, but after a few tries it worked. Not a very good DNS service if it sometimes works but other times doesn't.

But that's not on your mailserver, right? It looks like web1. Could you try it on the mail host?

Are the web1 and mail hosts behind a common load balancer or something?

Hi, Osiris

I have one static global IP and I'm using NAT to the mail and web servers.
Now, there is no Apache server running on the mail server, so the "httpd" command cannot be executed there.

Ah, now we're getting somewhere.

Because you're behind NAT, all the requests for port 80 and port 443 end up on your webserver. Your NAT router doesn't know (or probably can't) how to forward the challenge requests by the Let's Encrypt validation server to the mailserver.

I assume you want to keep your webserver to be able to get Let's Encrypt certificates in the future.

What you can do is add a separate virtualhost for the mail subdomain on your webserver, configured as a reverse proxy which proxies requests for /.well-known/acme-challenge/ to your mailserver's internal IP address.

See for example: https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html

Hello, thanks for your quick response. So I need to set up one more Apache server as a reverse proxy?? Or do I just need to add the mail server URL on the Apache server which is currently running (web1)?

Regards,

Set up one more "site" in /sites-available/, then enable it,
with ServerName mail.corp-associe.jp

I would add that for HTTP authentication you only need to proxy the http://mail.corp-associe.jp/.well-known/acme-challenge/ requests.
You can then ignore/drop/404 all other requests to http://mail.corp-associe.jp/

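The advice above (a port-80 vhost for mail.corp-associe.jp on web1 that forwards only the ACME challenge path to the mail host) written out as an added example; this is not configuration from the thread or from the Apache or certbot projects. It assumes mod_proxy and mod_proxy_http are loaded on web1, that the mail host's internal NAT address is 192.0.2.10 (a placeholder), that certbot --standalone is listening on port 80 there while the certificate is issued, and that the vhost file goes next to the existing ones under /usr/local/apache2/conf/extra/ from the httpd -S output.

```apache
# Added example, not from the original thread. Port-80 vhost on web1 (the host that
# actually receives the NATed port 80 traffic) for the mail hostname.
# Assumptions: 192.0.2.10 is the mail host's internal address (placeholder),
# mod_proxy + mod_proxy_http are loaded, and an empty DocumentRoot exists.

<VirtualHost *:80>
    ServerName mail.corp-associe.jp

    # Nothing is served from web1 for this hostname; an empty directory means every
    # request that is not proxied gets a plain 404, as suggested in the thread.
    DocumentRoot "/usr/local/apache2/htdocs/mail-empty"
    <Directory "/usr/local/apache2/htdocs/mail-empty">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Keep forward proxying off: this vhost must never act as an open proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # Forward ONLY the http-01 challenge directory to certbot --standalone on the mail host.
    ProxyPass        "/.well-known/acme-challenge/" "http://192.0.2.10/.well-known/acme-challenge/"
    ProxyPassReverse "/.well-known/acme-challenge/" "http://192.0.2.10/.well-known/acme-challenge/"

    # Separate log so challenge hits (and anything else aimed at this name) are easy to audit.
    ErrorLog  "/usr/local/apache2/logs/mail-proxy_error_log"
    CustomLog "/usr/local/apache2/logs/mail-proxy_access_log" combined
</VirtualHost>
```

After `httpd -t` (or `apachectl configtest`) and a graceful restart on web1, `httpd -S` should list `port 80 namevhost mail.corp-associe.jp` next to the existing entries, and certbot can then be run on the mail host with the same `--standalone` command as before. Only port 80 needs this vhost: the http-01 challenge is always fetched over plain HTTP, so no 443 entry is required for issuance, and the mail host itself keeps its certificate and private key (nothing is copied to web1). Checking from outside the NAT that `curl -I http://mail.corp-associe.jp/.well-known/acme-challenge/test` now returns a response from the mail host (a 404 from certbot's listener, or a 502 if certbot is not running at that moment) rather than the 302 to https seen earlier confirms the routing before the real challenge is attempted.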
Hello

It works finally!!!! Thank you all!!!!

Regards

2 Likes