Creating a single certificate for 2 different domains

My domain is: testlinux3.southeastasia.cloudapp.azure.com, testinv3.southeastasia.cloudapp.azure.com

I ran this command: certbot certonly --standalone -d testlinux3.southeastasia.cloudapp.azure.com -d testinv3.southeastasia.cloudapp.azure.com

It produced this output: Challenge failed.

My web server is (include version): N/A

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: Azure

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): N/A

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0-1ubuntu0.1

When I try to create a cert for each domain separately, it is working fine.

Please post the logfile; also you could retry the command with the option --debug to see and share more details.

1 Like

Here is where the error occurred.

2023-03-29 07:09:46,741:DEBUG:acme.client:Storing nonce: 15C9_I2NqAga8BfwwZsSR48ULiomZl_XfJM6rj47c0q8Dis
2023-03-29 07:09:46,742:WARNING:certbot.auth_handler:Challenge failed for domain testinv3.southeastasia.cloudapp.azure.com
2023-03-29 07:09:46,742:INFO:certbot.auth_handler:http-01 challenge for testinv3.southeastasia.cloudapp.azure.com
2023-03-29 07:09:46,743:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: testinv3.southeastasia.cloudapp.azure.com
Type:   connection
Detail: 4.193.48.129: Fetching http://testinv3.southeastasia.cloudapp.azure.com/.well-known/acme-challenge/u8US4XJfEcN59yNnpT1ESB4zEQxQbW7_evDOgX5FVbc: Connection refused

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP add>
2023-03-29 07:09:46,743:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

I see two different IPs:

Name:    testlinux3.southeastasia.cloudapp.azure.com
Address: 4.193.49.99

Name:    testinv3.southeastasia.cloudapp.azure.com
Address: 4.193.48.129

Using --standalone, you can only get a cert for names that resolve to the IP of the server.

4 Likes
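The point made above (with `--standalone`, HTTP-01 only works for names that resolve to the server running certbot) is easy to check before issuing the request. The following is an added example, not code from the thread or from Certbot: a small pre-flight script that resolves every requested name, compares the answers with the server's public address(es), and builds the `certbot certonly --standalone` command only from the names that actually point here. The two hostnames and addresses embedded as sample data are the ones quoted in the thread; the `fake_resolver` used for the offline demonstration is constructed.

```python
"""Pre-flight check for certbot --standalone (HTTP-01).

Every name passed with -d must resolve to this server, or Let's Encrypt will
try to fetch /.well-known/acme-challenge/<token> from a different machine
and the challenge fails (the "Connection refused" seen in the log above).
"""
import shlex
import socket
import sys
from typing import Callable, Dict, Iterable, List, Tuple

Resolver = Callable[[str], List[str]]


def resolve_all(name: str) -> List[str]:
    """Return every A/AAAA address for `name` via the system resolver (network)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


# Constructed offline stand-in for DNS, using the two names/addresses quoted
# in the thread (the names resolve to two different VMs).
FAKE_DNS: Dict[str, List[str]] = {
    "testlinux3.southeastasia.cloudapp.azure.com": ["4.193.49.99"],
    "testinv3.southeastasia.cloudapp.azure.com": ["4.193.48.129"],
}


def fake_resolver(name: str) -> List[str]:
    """Resolver that answers from FAKE_DNS instead of the network."""
    return list(FAKE_DNS.get(name, []))


def partition_names(
    names: Iterable[str],
    server_ips: Iterable[str],
    resolver: Resolver = resolve_all,
) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split names into those usable with --standalone and those that are not.

    A name is usable only if it resolves to at least one address and every
    address it resolves to belongs to this server: if any record points
    elsewhere, the validation server may pick that record and fail.
    Returns (usable_names, {bad_name: addresses_it_resolved_to}).
    """
    want = set(server_ips)
    usable: List[str] = []
    bad: Dict[str, List[str]] = {}
    for name in names:
        addrs = resolver(name)
        if addrs and set(addrs) <= want:
            usable.append(name)
        else:
            bad[name] = addrs
    return usable, bad


def certbot_args(names: Iterable[str]) -> List[str]:
    """Build the argv for a standalone request covering only `names`."""
    argv = ["certbot", "certonly", "--standalone"]
    for name in names:
        argv += ["-d", name]
    return argv


def main(argv: List[str]) -> int:
    # Usage: script.py <server-public-ip>[,<ip>...] name1 name2 ...
    # The public IP is given explicitly because on cloud VMs the NIC usually
    # carries a private address and the public one is NAT'd in front of it.
    if len(argv) < 3:
        print("usage: script.py <server-ip[,ip...]> <name> [<name> ...]", file=sys.stderr)
        return 2
    server_ips = argv[1].split(",")
    usable, bad = partition_names(argv[2:], server_ips)
    for name, addrs in bad.items():
        where = ", ".join(addrs) if addrs else "nothing (NXDOMAIN/timeout)"
        print(f"skip {name}: resolves to {where}, not this server -> use DNS-01 "
              f"or run certbot on that host", file=sys.stderr)
    if not usable:
        return 1
    print(shlex.join(certbot_args(usable)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 script.py 4.193.49.99 testlinux3.… testinv3.…` on the first VM and it prints a certbot command containing only the name that resolves there, while reporting the other name with the address it actually resolves to. The resolver is injectable so the same logic can be exercised without network access, as the offline demonstration does.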

Oh I see. Is there any other workaround so I can create a single cert for 2 domains?

Yes; when using DNS-01 authentication one can get a cert for any domain name(s) under their control.
[up to 100 entries per cert (when using LE certificates)]

That said, how would you use the cert for a name that doesn't resolve to the local server IP?
I mean if you have two servers, then there needs to be two certs anyway.
Yes, you can create one cert with both names on it.
But then you would have to create some way of sharing that cert between them.
[overcomplicating a very simple process]

I would suggest that you keep things as simple as possible and treat each system independently.

3 Likes

How did you get both certificates separately in the first place? Also on separate servers, as the IP addresses differ? Or are both IP addresses from the same server?

4 Likes

I used the --standalone. Yes the IP Addresses differ across the 2 VMs.

Could you temporarily point the DNS for the second one to the IP where --standalone is running? Then, change the IP back after getting the cert.

I see the domain names have "test" in them so I thought this might work.

You don't have to wait for propagation because Let's Encrypt servers use the authoritative DNS name servers to determine the IP. The changed IP just has to sync between all the auth DNS servers, which usually is very fast.

4 Likes

You could also make a single specific host responsible for the certificates and redirect requests for the path /.well-known/acme-challenge/ to that specific host.

You'd need to securely transfer the certificate on that host to the other host(s) obviously afterwards.

4 Likes

I must ask:
Why do you need one cert with two names [that don't both resolve to the local IP]?

5 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.