Certbot uses wrong hostname for ACME challenge, ubuntu 18.04 + apache


#1

So… This is my first time using certbot…
I have just set up a server with ubuntu 18.04 and apache… I am going to run multiple virtual hosts…

So I tried this command to issue an SSL cert for one of the domains (the first one I am trying).
sudo certbot --apache -d teamshipton.dk -d www.teamshipton.dk

Now, for some reason the ACME challenge uses the LAN IP, and not teamshipton.dk?? Do you have any idea of what I have done or could be doing wrong?

sudo certbot --apache -d teamshipton.dk -d www.teamshipton.dk
[sudo] password for m_bokk:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for teamshipton.dk
http-01 challenge for www.teamshipton.dk
Enabled Apache rewrite module
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.teamshipton.dk (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://192.168.0.46/.well-known/acme-challenge/b5wXqoHj5wPf9aDqDsABM1vCrSx7g72Z6d4zifn9SkE: Invalid host in redirect target “192.168.0.46”. Only domain names are supported, not IP addresses, teamshipton.dk (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://192.168.0.46/.well-known/acme-challenge/__S-IG_f6uNl-4ND5TdOYFF0b94gQdeUEFp1bWrKAz0: Invalid host in redirect target “192.168.0.46”. Only domain names are supported, not IP addresses

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.teamshipton.dk
    Type: connection
    Detail: Fetching
    https://192.168.0.46/.well-known/acme-challenge/b5wXqoHj5wPf9aDqDsABM1vCrSx7g72Z6d4zifn9SkE:
    Invalid host in redirect target “192.168.0.46”. Only domain names
    are supported, not IP addresses

    Domain: teamshipton.dk
    Type: connection
    Detail: Fetching
    https://192.168.0.46/.well-known/acme-challenge/__S-IG_f6uNl-4ND5TdOYFF0b94gQdeUEFp1bWrKAz0:
    Invalid host in redirect target “192.168.0.46”. Only domain names
    are supported, not IP addresses

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.


#2

You have a 303 redirection that LE is trying to follow which goes to a private IP (which is unreachable from the Internet and also not supported by LE):

curl -Iki www.teamshipton.dk

HTTP/1.1 303 See Other
Content-Type: text/plain
Connection: close
Date: Sun, 16 Dec 2018 09:15:30 GMT
Location: https://192.168.0.46/
Content-Length: 0


#3

Yeah, just saw that it is apache trying to send me to the local ip address…

It is my first time using apache on ubuntu…

Soooo I kind of have no clue right now what I have done wrong… installed apache, installed mysql, php… set up the virtual host… and now this…


#4

Hi @mph

checked your site via https://check-your-website.server-daten.de/?q=teamshipton.dk


| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://teamshipton.dk/ (194.239.204.171) | 303 | https://192.168.0.46/ | 0.116 | E |
| http://www.teamshipton.dk/ (194.239.204.171) | 303 | https://192.168.0.46/ | 0.116 | E |
| https://192.168.0.46/ | -14 (Timeout - The operation has timed out) | | 10.023 | T |
| https://teamshipton.dk/ (194.239.204.171) | 200 (Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors) | | 5.936 | N |
| https://www.teamshipton.dk/ (194.239.204.171) | 200 (Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors) | | 5.950 | N |
| http://teamshipton.dk/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (194.239.204.171) | 303 | https://192.168.0.46/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.124 | E |
| http://www.teamshipton.dk/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (194.239.204.171) | 303 | https://192.168.0.46/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.123 | E |
| https://192.168.0.46/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | -14 (Timeout - The operation has timed out) | | 10.030 | T |

Your https “is correct”: Means: Your certificate is wrong, but you don’t have a wrong redirect there. Your https sends a 200.

When Letsencrypt validates a file, Letsencrypt follows redirects, but ignores wrong / expired certificates.

So find this wrong redirect to your private ip 192.168.. and change it to a redirect to your https - domain.
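A pre-flight check for the redirect rule posts #2 and #4 describe (the validator follows redirects, but only to an http/https URL whose host is a domain name, never an IP literal), added here as an example that is not from the thread, from certbot or from Let's Encrypt's own code. It also encodes Let's Encrypt's rule that redirect targets may only use ports 80 and 443, which the thread does not mention; the sample responses are constructed from the curl output quoted above.

```python
import ipaddress
from urllib.parse import urlparse


def classify_redirect_target(location: str) -> str:
    """Return 'ok', or the reason an ACME HTTP-01 validator refuses the Location."""
    url = urlparse(location)
    if url.scheme not in ("http", "https"):
        return f"unsupported scheme {url.scheme!r}"
    host = url.hostname or ""
    # Let's Encrypt only follows redirects to the standard ports.
    if url.port not in (None, 80, 443):
        return f"port {url.port} not allowed in redirect target"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "ok"  # a domain name, which is what the validator requires
    # Every IP literal is refused; a private one could not be reached anyway.
    if not addr.is_global:
        return f"IP literal {host} is not even publicly routable"
    return f"IP literal {host} (only domain names are supported)"


def parse_head_response(raw: str):
    """Parse the status line and headers that `curl -I` prints."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def acme_http01_verdict(raw: str) -> str:
    """What the validator would do with this response to a challenge request."""
    status, headers = parse_head_response(raw)
    if status == 200:
        return "ok: challenge file served here"
    if 300 <= status < 400:
        loc = headers.get("location", "")
        reason = classify_redirect_target(loc)
        return f"follow {loc}" if reason == "ok" else f"reject: {reason}"
    return f"reject: HTTP {status}"


# Constructed from the `curl -Iki www.teamshipton.dk` output quoted in post #2.
BROKEN_RESPONSE = "HTTP/1.1 303 See Other\nLocation: https://192.168.0.46/\n"
# Constructed: the same host once the redirect points at the https domain.
FIXED_RESPONSE = "HTTP/1.1 301 Moved Permanently\nLocation: https://www.teamshipton.dk/\n"
```

Run `acme_http01_verdict` against the output of `curl -I http://<domain>/.well-known/acme-challenge/test` before invoking certbot to catch a redirect like the one in this thread.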


#5

I feel like the dumbest… right… now…

I entered… the…wrong… ip… on my router… so it redirected to a wrong computer on a wrong network…

All I needed was coffee to see this problem…


#6

:triangular_flag_on_post: How can I get this topic deleted? There is some information in this that I don't want to get out further??..


#8

#9

What information? Can it just be edited out?


#10

The first one, starting this topic… there is no editing option for this one…??


#11

Can nobody help with deleting this subject? Or how do I flag it to a moderator?

All I can see when trying to delete is this: