Certificate renewal issues - received 2 certificates, first had names 192.168.1.1, skipping


#1

My domain is: avima.pl

I ran this command: ./certbot renew

It produced this output: 2017-04-16 11:40:23,106:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/avima.pl.conf produced an unexpected error: Failed authorization procedure. avima.pl (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested db0f72c1efa81c80b779f47cfc964c19.b8db56e8b9ded800119b6257ad0d65a6.acme.invalid from 87.205.15.242:443. Received 2 certificate(s), first certificate had names “192.168.1.1”. Skipping.

My operating system is (include version): Debian

My web server is (include version): lighttpd/nginx

My hosting provider, if applicable, is: selfhosted

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Essentially, I’m using a docker-mailserver (https://github.com/tomav/docker-mailserver) and configured a Let’s Encrypt certificate to use with it, as described on their wiki. I believe I used a stock nginx config to get the cert in the first place. My regular web server is lighttpd. The certificate expired not so long ago and ever since I can’t renew it. I have no idea where 192.168.1.1 came from either, since my internal network IPs are and always have been 192.168.0.x.


#2

Hello @arcaine2,

Maybe the problem is that you are not redirecting port 443 from your router to your machine. I’m saying it because when you try to reach https://avima.pl it goes to a login page for NETIASPOT (I think Netia is an ISP…), and yes, the default certificate served by this page is a self-signed certificate issued by Jungo CA, and the CN (Common Name) is the IP 192.168.1.1. You should double-check how your router is configured and, if the router is not the problem, you should check what is serving the contents on port 443.

Cheers,
sahsanu

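One way to confirm this diagnosis before retrying the renewal is to fetch whatever certificate actually answers on the domain’s port 443, without trusting it, and read the names it carries. The script below is an added example written for this thread; it is not code from the thread, from certbot or from docker-mailserver. It uses only the Python standard library: because `ssl.SSLSocket.getpeercert()` returns an empty dict for a certificate it could not verify, the names are pulled straight out of the DER bytes with a small scan for the Common Name and subjectAltName OIDs. The two certificate fragments at the bottom are constructed test data, not real certificates; `ROUTER_CERT_FRAGMENT` mirrors the names reported in the error above, and `GOOD_CERT_FRAGMENT` shows what a certificate for the domain would yield.

```python
"""Check what really answers on a domain's port 443 before `certbot renew`:
fetch the served leaf certificate without validating it and list the names
(subject CN plus subjectAltName entries) it claims."""
import socket
import ssl

OID_COMMON_NAME = bytes.fromhex("0603550403")       # OBJECT IDENTIFIER 2.5.4.3
OID_SUBJECT_ALT_NAME = bytes.fromhex("0603551d11")  # OBJECT IDENTIFIER 2.5.29.17
STRING_TAGS = {0x0C, 0x13, 0x14, 0x16, 0x1E}        # UTF8, Printable, T61, IA5, BMP


def der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def common_name(der):
    """Subject Common Name, or None. Scans for the CN OID followed by a DER
    string; in a TBSCertificate the issuer CN comes before the subject CN,
    so the last hit is the subject's (heuristic, not a full X.509 parser)."""
    hits, start = [], 0
    while True:
        idx = der.find(OID_COMMON_NAME, start)
        if idx < 0:
            break
        pos = idx + len(OID_COMMON_NAME)
        if pos < len(der) and der[pos] in STRING_TAGS:
            length, pos = der_length(der, pos + 1)
            hits.append(der[pos:pos + length].decode("utf-8", "replace"))
        start = idx + 1
    return hits[-1] if hits else None


def san_names(der):
    """dNSName and IPv4 iPAddress entries of the subjectAltName extension."""
    idx = der.find(OID_SUBJECT_ALT_NAME)
    if idx < 0:
        return []
    pos = idx + len(OID_SUBJECT_ALT_NAME)
    if der[pos] == 0x01:            # optional BOOLEAN "critical" flag (3 bytes)
        pos += 3
    if der[pos] != 0x04:            # OCTET STRING wrapping the extension value
        return []
    _, pos = der_length(der, pos + 1)
    if der[pos] != 0x30:            # SEQUENCE OF GeneralName
        return []
    seq_len, pos = der_length(der, pos + 1)
    end, names = pos + seq_len, []
    while pos < end:
        tag = der[pos]
        length, pos = der_length(der, pos + 1)
        if tag == 0x82:             # [2] dNSName
            names.append(der[pos:pos + length].decode("ascii", "replace"))
        elif tag == 0x87 and length == 4:   # [7] iPAddress, IPv4 only
            names.append(".".join(str(b) for b in der[pos:pos + length]))
        pos += length
    return names


def served_names(der):
    """Every name the certificate claims: SAN entries plus the subject CN."""
    names = san_names(der)
    cn = common_name(der)
    if cn and cn not in names:
        names.insert(0, cn)
    return names


def diagnose(der, domain):
    """Explain whether the certificate seen on port 443 belongs to `domain`."""
    names = served_names(der)
    if domain in names:
        return f"OK: port 443 serves a certificate naming {domain}"
    return (f"PROBLEM: port 443 serves a certificate for {names or ['<no names>']}, "
            f"not {domain}; something else (router, ISP remote-access page) is "
            f"answering on that port, so the validation never reaches certbot")


def fetch_der(host, port=443, timeout=5):
    """Fetch the leaf certificate as DER bytes without validating it: the whole
    point is to see what a wrong or self-signed endpoint sends."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def _tlv(tag, body):
    """Tiny DER builder for the constructed samples (short-form lengths only)."""
    return bytes([tag, len(body)]) + body


# Constructed sample fragments (NOT real certificates): a self-signed cert whose
# issuer and subject CN are both 192.168.1.1 and that has no SAN, like the one
# in the error above, and a cert that actually names the domain.
ROUTER_CERT_FRAGMENT = (OID_COMMON_NAME + _tlv(0x13, b"192.168.1.1")) * 2
GOOD_CERT_FRAGMENT = (OID_COMMON_NAME + _tlv(0x0C, b"Example CA")
                      + OID_COMMON_NAME + _tlv(0x0C, b"avima.pl")
                      + OID_SUBJECT_ALT_NAME
                      + _tlv(0x04, _tlv(0x30, _tlv(0x82, b"avima.pl")
                                              + _tlv(0x82, b"www.avima.pl"))))

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "avima.pl"
    print(diagnose(fetch_der(host), host))
```

Run it as `python3 check443.py avima.pl` (the file name is arbitrary). If the reported names are anything other than the domain, the TLS connection from the outside is being terminated by some other device, and no certbot configuration on the server behind it can make the validation succeed until port 443 is forwarded to that server.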

#3

You might be right. In fact, when I set up the certificate I didn’t have SSL at all, so it passed the first time. I do use the Let’s Encrypt certificate for the mail server only and I never actually set it up for the web server, nor did I redirect that port to the server behind the router. I’ll try that on Tuesday (since I can’t access the router from outside the network, and that netiaspot page shouldn’t be accessible via HTTPS either) but this could be the solution. Thanks for the tip.

// Update: I reviewed the router configuration and forwarding 443 is not enough here. That login page on HTTPS is, by default, used by the ISP for remote access and I, with admin access on the router, can’t turn it off or move it to another port. At this point, it’s up to the ISP to switch remote access to a different port so I can use 443 the way I need.


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.