Difficulty creating certs for domain aliases

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
ytc1-cloud.dyndns.org ytc1.dyndns.org
I ran this command:
./acme.sh --issue -d ytc1.dyndns.org --use-wget --test --apache --accountconf ${PWD}/account.conf

It produced this output:
[Monday, 9 March 2020 at 14:13:09 GMT] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Monday, 9 March 2020 at 14:13:10 GMT] Checking if there is an error in the apache config file before starting.
[Monday, 9 March 2020 at 14:13:10 GMT] OK
[Monday, 9 March 2020 at 14:13:10 GMT] JFYI, Config file /etc/apache2/2.4/httpd.conf is backuped to /root/.acme.sh/httpd.conf
[Monday, 9 March 2020 at 14:13:10 GMT] In case there is an error that can not be restored automatically, you may try restore it yourself.
[Monday, 9 March 2020 at 14:13:10 GMT] The backup file will be deleted on success, just forget it.
[Monday, 9 March 2020 at 14:13:11 GMT] Single domain=‘ytc1.dyndns.org
[Monday, 9 March 2020 at 14:13:11 GMT] Getting domain auth token for each domain
[Monday, 9 March 2020 at 14:13:14 GMT] Getting webroot for domain=‘ytc1.dyndns.org
[Monday, 9 March 2020 at 14:13:14 GMT] Verifying: ytc1.dyndns.org
gsed: -e expression #1, char 31: Invalid content of {}
[Monday, 9 March 2020 at 14:13:18 GMT] ytc1.dyndns.org:Verify error:
[Monday, 9 March 2020 at 14:13:18 GMT] Please check log file for more details: /var/www/acme/.acme.sh/acme.sh.log

My web server is (include version):
Apache 2.4
The operating system my web server runs on is (include version):
Solaris 11.4
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
v2.8.6

I’m (fairly) certain I have my Virtualhost and Alias set up ok.
I’ve also updated the php to “whitelist” both WWWs.

History is that I have had 2 certs (which I know now is incorrect) going via 1 dyndns.

Each Apache runs in a separate S11.4 zone.
My “main” use is the ytc1-cloud.dyndns.org on port 643 and I direct that + port 80 to my nextcloud server.

I am trying to create a certificate that is valid on both servers (as ytc1-cloud.dyndns.org and ytc1.dyndns.org). As per earlier help requests I have sorted out some misconceptions I had over the way acme is working.

If I update ytc1-cloud.dyndns.org, that works ok.
When I try to issue with ytc1.dyndns.org as a -d, I get the above fail.

If I run with ytc1-cloud.dyndns.org it asked me to force

Where do I look next? In my apache log I am getting this
—8<
[Mon Mar 09 14:06:56.529549 2020] [authz_core:error] [pid 5038] [client 18.224.20.83:57902] AH01630: client denied by server configuration: /home/.acme
[Mon Mar 09 14:06:56.676595 2020] [authz_core:debug] [pid 5037] mod_authz_core.c(817): [client 34.211.60.134:32622] AH01626: authorization result of Require all denied: denied
[Mon Mar 09 14:06:56.676663 2020] [authz_core:debug] [pid 5037] mod_authz_core.c(817): [client 34.211.60.134:32622] AH01626: authorization result of : denied
[Mon Mar 09 14:06:56.676674 2020] [authz_core:error] [pid 5037] [client 34.211.60.134:32622] AH01630: client denied by server configuration: /home/.acme
[Mon Mar 09 14:06:56.727537 2020] [authz_core:debug] [pid 5041] mod_authz_core.c(817): [client 66.133.109.36:61544] AH01626: authorization result of Require all denied: denied
[Mon Mar 09 14:06:56.727600 2020] [authz_core:debug] [pid 5041] mod_authz_core.c(817): [client 66.133.109.36:61544] AH01626: authorization result of : denied
[Mon Mar 09 14:06:56.727611 2020] [authz_core:error] [pid 5041] [client 66.133.109.36:61544] AH01630: client denied by server configuration: /home/.acme
—8<

Not sure if that is a clue, however I have never had a /home/.acme


have you tried these debug steps? --debug 1 and --debug 2 How to debug acme.sh · acmesh-official/acme.sh Wiki · GitHub

not necessarily... it's your choice if you want one cert with both names or two certs.


oh, I remember you.

there are lot of directory configs for acme.sh: Options and Params · acmesh-official/acme.sh Wiki · GitHub

(acme.sh is not as easy to use as they make it sound like. but you should probably reinstall it where you need it)


Let’s not fall out here. We will have to agree to disagree on software manageability/locations.

Acme can be used from alternate directories, as I have done.
The issue is more (possibly) to do with my NC setup, and trying to use that to drive the certs. NC is very happy with its own, original domain name.

I’m building a separate zone to handle the certs, and will after advice use dehydrated.

I’ll then ship the certs to the appropriate zones.

Then I’ll be back with more questions :slight_smile:


For the curious, the issue was actually in Apache
In my httpd.conf I had a (series of) wellknown alias lines that were set (correctly) to /tmp/.acme.

But were preceded by one that was set to /home/.acme
The issue with two -d(s) then went through. :slight_smile:
But it only generated the one cert file :frowning: for the 1st domain listed

Off to troubleshoot more (as well as play with dehydrated in another zone).
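To see why a stray alias line wins, here is an added check (not from the thread, and not acme.sh code) that scans an httpd.conf fragment for Alias lines serving /.well-known/acme-challenge, reports the first one as effective and the rest as shadowed, and works out whether the effective target ends up under a `Require all granted` or `Require all denied`; a denied verdict on the effective target is what the AH01630 lines above show. It assumes the Alias lines all sit in one context (the order-of-appearance rule mod_alias documents for that case) and uses a constructed config, not the poster's real one.

```python
import re
from pathlib import PurePosixPath
from typing import Dict, List, Optional

CHALLENGE = "/.well-known/acme-challenge"
# Plain Alias directives only; AliasMatch is deliberately not matched.
ALIAS_RE = re.compile(r'^\s*Alias\s+"?(\S+?)"?\s+"?(\S+?)"?\s*$', re.M)
DIR_RE = re.compile(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', re.S | re.I)
REQ_RE = re.compile(r'^\s*Require\s+all\s+(granted|denied)\s*$', re.M | re.I)

# Constructed httpd.conf fragment modelling the thread's situation: a stray
# /home/.acme alias precedes the correct /tmp/.acme one for the same URL path.
SAMPLE_CONF = """\
<Directory />
    Require all denied
</Directory>
Alias /.well-known/acme-challenge/ /home/.acme/.well-known/acme-challenge/
Alias /.well-known/acme-challenge/ /tmp/.acme/.well-known/acme-challenge/
<Directory "/tmp/.acme">
    Require all granted
</Directory>
"""

def _covers(section: str, target: str) -> bool:
    """True when <Directory section> applies to target (component-wise prefix)."""
    s, t = PurePosixPath(section).parts, PurePosixPath(target).parts
    return t[:len(s)] == s

def challenge_aliases(conf: str) -> List[str]:
    """Filesystem targets of every Alias for the challenge URL, in file order."""
    return [tgt for url, tgt in ALIAS_RE.findall(conf) if url.rstrip("/") == CHALLENGE]

def effective_require(conf: str, target: str) -> Optional[str]:
    """Last 'Require all ...' verdict among covering <Directory> sections, merged
    shortest path first as httpd does for non-regex sections."""
    verdict = None
    covering = [(p, body) for p, body in DIR_RE.findall(conf) if _covers(p, target)]
    for _, body in sorted(covering, key=lambda pb: len(PurePosixPath(pb[0]).parts)):
        hits = REQ_RE.findall(body)
        if hits:
            verdict = hits[-1].lower()
    return verdict

def audit(conf: str) -> Dict[str, object]:
    """Report which Alias wins, which ones it shadows, and the authz outcome."""
    targets = challenge_aliases(conf)
    winner = targets[0] if targets else None
    return {"effective": winner, "shadowed": targets[1:],
            "require": effective_require(conf, winner) if winner else None}
```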

