DNS Names A/AAAA errors?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: it-h.net

I ran this command: sudo certbot --apache

It produced this output:
Failed authorization procedure. mail.it-h.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested db41f1ba3c7454f5e65032d744158005.5197365a8c5e7dd4f7746f30fc5bcc11.acme.invalid from 47.187.64.174:443. Received 2 certificate(s), first certificate had names “it-h.net”

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mail.it-h.net
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    db41f1ba3c7454f5e65032d744158005.5197365a8c5e7dd4f7746f30fc5bcc11.acme.invalid
    from 47.187.64.174:443. Received 2 certificate(s), first
    certificate had names “it-h.net”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 14.04 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NONE

I was able to authorize the main server it-h.net with no problem.

There seems to be some confusion in your system.
The certbot thinks you have two certs:
it-h.net
mail.it-h.net
(both resolve to same IPv6 address = good)
And is trying to renew them both…
But there has been no cert issued for mail.it-h.net (https://crt.sh/?q=mail.it-h.net)

Please show:

  1. sudo certbot --version
  2. sudo certbot certificates

A simple fix might be:
sudo certbot --apache -d it-h.net -d mail.it-h.net
(which should provide you with one new cert with both names on it)

This is the result whether I use it-h.net and mail.it-h.net or just mail.it-h.net.

Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for it-h.net
tls-sni-01 challenge for mail.it-h.net
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. it-h.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 962dcea600a211c991f09537a870a140.d950eddcc240eeaaee4e1d38c379704e.acme.invalid from 47.187.64.174:443. Received 2 certificate(s), first certificate had names “it-h.net”, mail.it-h.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 5e5ff820e6672e2e2f913d72ddef2b5f.b8178ab0d624d6a0ac906260f1cf2abc.acme.invalid from 47.187.64.174:443. Received 2 certificate(s), first certificate had names “it-h.net”

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: it-h.net
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    962dcea600a211c991f09537a870a140.d950eddcc240eeaaee4e1d38c379704e.acme.invalid
    from 47.187.64.174:443. Received 2 certificate(s), first
    certificate had names “it-h.net”

    Domain: mail.it-h.net
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    5e5ff820e6672e2e2f913d72ddef2b5f.b8178ab0d624d6a0ac906260f1cf2abc.acme.invalid
    from 47.187.64.174:443. Received 2 certificate(s), first
    certificate had names “it-h.net”

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

mbox@mail:~$ sudo certbot --version
certbot 0.19.0

mbox@mail:~$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


No certs found.

Please show the vhost configs for both domains.

I don’t know how to do that with this tool. It is worth noting that it-h.net is on its own box while the mail server (mail.it-h.net) is on a separate machine.

With regards to mail.it-h.net:

Let’s Encrypt cannot verify you own mail.it-h.net because you are performing the validation procedure with certbot on a different machine. You must obtain the certificate for mail.it-h.net by running certbot on that machine instead.

With regards to it-h.net:

I suspect you are missing the following line somewhere in your Apache configuration:

NameVirtualHost *:443

If you run grep -r NameVirtualHost /etc/apache2 does it return the above line?

If not, add it to your Apache configuration, either somewhere at the top level or within an existing <IfModule mod_ssl.c> block.

Note that if you do not use virtual hosts, Apache will display a warning that this line is not necessary. It isn’t for normal operation, but it is when certbot is performing validation, so you can safely ignore this warning.
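An added diagnostic (not part of the thread, and not certbot's own code) that checks the same thing the validator did: connect to the host with a chosen SNI name and list the Subject Alternative Names of the certificate Apache hands back. The "Received 2 certificate(s), first certificate had names it-h.net" error means the validator asked for the challenge name but Apache answered with the default vhost's certificate, so this script tells you which vhost actually serves a given name. Two caveats beyond the post above: Ubuntu 14.04 ships Apache 2.4, where NameVirtualHost no longer has any effect and only produces the warning mentioned (the dry run later in the thread succeeds without it), and Let's Encrypt retired tls-sni-01 entirely (disabled for new accounts in 2018, removed in 2019), so current certbot validates with http-01 on port 80 or dns-01 instead. The script assumes the openssl command-line tool is installed; host, port and SNI name are passed as arguments.

```shell
#!/bin/sh
# Added example: show which certificate a TLS server presents for a given SNI
# name. Assumes the `openssl` CLI is installed (hypothetical usage below).

# Parse `openssl x509 -noout -text` output read on stdin and print one
# Subject Alternative Name DNS entry per line.
san_from_text() {
    grep -A1 'Subject Alternative Name' \
        | tail -n 1 \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# Return 0 if NAME appears among the SAN DNS entries read on stdin.
san_contains() {
    name="$1"
    san_from_text | grep -qx "$name"
}

# Connect to HOST:PORT sending SNI name SNI and print the leaf certificate as
# text. Chain verification is deliberately not requested: we want to see what
# the server sends, not whether it chains to a trusted root.
fetch_cert_text() {
    host="$1"; port="$2"; sni="$3"
    printf '' | openssl s_client -connect "$host:$port" -servername "$sni" 2>/dev/null \
        | openssl x509 -noout -text
}

# Report whether the certificate served for SNI name SNI actually covers it.
check_sni() {
    host="$1"; port="$2"; sni="$3"
    if fetch_cert_text "$host" "$port" "$sni" | san_contains "$sni"; then
        echo "OK: $host:$port presented a certificate containing $sni"
        return 0
    fi
    echo "MISMATCH: $host:$port did not present a certificate for SNI $sni"
    echo "Names actually presented:"
    fetch_cert_text "$host" "$port" "$sni" | san_from_text | sed 's/^/  /'
    return 1
}

# Usage (hypothetical): sh check_sni.sh HOST PORT SNI_NAME
#   sh check_sni.sh 47.187.64.174 443 mail.it-h.net
if [ "$#" -eq 3 ]; then
    check_sni "$1" "$2" "$3"
fi
```

Run it once with the real hostname and once with an unrelated name: if both return the same it-h.net certificate, Apache has no SNI-matched vhost for the second name and is falling back to the first `*:443` vhost it loaded, which is the situation the error above describes.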

This is what happened, and then I ran a dry run...

ith@it-h:~$ grep -r NameVirtualHost /etc/apache2
ith@it-h:~$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/it-h.net.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for it-h.net
Waiting for verification...
Cleaning up challenges


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/it-h.net/fullchain.pem


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/it-h.net/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

There is no way for me to get a certification on the second machine? My main site does show it is secure https://it-h.net

Ok, so for now, so that I am up and running the way I intended, I have put the web and mail server onto the same physical box. Maybe later on there will be a way to have all the names on the main machine, and mail.it-h.net can query it-h.net and see it has a cert there to install?

Thanks to everyone for your assistance!

I’m glad you got it working for now!

If mail.it-h.net is on a different machine than it-h.net, then it-h.net wouldn’t need mail.it-h.net’s certificate for anything, and mail.it-h.net wouldn’t need it-h.net’s certificate for anything.

One of the purposes of separating services among different machines is to protect the other machines in the event one is compromised. You really don’t want it-h.net to know mail.it-h.net’s private key unless you have a really good reason.

So, the simplest and most secure solution is to just run certbot on each machine to obtain each one its own certificate.

If your concern was that you didn’t want to run a web server on your mail server, certbot has a standalone mode that runs a temporary one so you don’t need Apache or Nginx installed.

There are ways to obtain certificates using other machines than the one actually running on the domain, but it’s difficult to suggest a strategy for that without understanding why you want to do that in the first place.
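As an added example of the "run certbot on each machine" approach (this is not the original poster's setup nor certbot's own code): on the mail host, certbot's standalone authenticator answers the challenge itself, so no Apache is needed there, and a deploy hook copies the result into place for the mail daemons and reloads them. This keeps mail.it-h.net's private key on the mail host only, which is the least-privilege point made above. Assumptions, all hypothetical: the mail daemons are Postfix and Dovecot reading from /etc/ssl/mail, the hook is installed as /usr/local/sbin/mail-cert-deploy.sh, and port 80 on the mail host is reachable from the internet, since standalone serves the http-01 challenge there. certbot exports RENEWED_LINEAGE to deploy hooks; `--deploy-hook` exists from certbot 0.17 onward, so the 0.19.0 shown in the thread has it.

```shell
#!/bin/sh
# Added example: certbot deploy hook for a mail host using standalone mode.
# First issuance (hypothetical command line):
#   certbot certonly --standalone -d mail.it-h.net \
#       --deploy-hook /usr/local/sbin/mail-cert-deploy.sh
# `certbot renew` runs the hook again after every successful renewal, with
# RENEWED_LINEAGE set to /etc/letsencrypt/live/mail.it-h.net.

DEST_DIR=/etc/ssl/mail   # assumed location Postfix/Dovecot are configured to read

# Return 0 if FILE exists and has no group/other permission bits, i.e. only its
# owner can read the private key. Inspects the ls(1) mode string so it works
# with both GNU and BSD userland.
key_is_private() {
    file="$1"
    [ -f "$file" ] || return 1
    mode=$(ls -ld "$file" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Copy fullchain.pem and privkey.pem from LINEAGE into DEST with tight modes.
# install(1) creates the target with the requested mode, so the key is never
# world-readable even for an instant. Returns 0 on success.
install_mail_cert() {
    lineage="$1"; dest="$2"
    [ -f "$lineage/fullchain.pem" ] && [ -f "$lineage/privkey.pem" ] || return 1
    mkdir -p "$dest" && chmod 0755 "$dest" || return 1
    install -m 0644 "$lineage/fullchain.pem" "$dest/fullchain.pem" || return 1
    install -m 0600 "$lineage/privkey.pem" "$dest/privkey.pem" || return 1
    # Fail loudly if the key still ended up readable by anyone else.
    key_is_private "$dest/privkey.pem"
}

# Only act when invoked by certbot (RENEWED_LINEAGE is set); sourcing or
# running the file by hand does nothing.
if [ -n "$RENEWED_LINEAGE" ]; then
    install_mail_cert "$RENEWED_LINEAGE" "$DEST_DIR" || exit 1
    # Service names assumed; adjust to the daemons actually in use.
    service postfix reload
    service dovecot reload
fi
```

Postfix then points `smtpd_tls_cert_file`/`smtpd_tls_key_file`, and Dovecot `ssl_cert`/`ssl_key`, at the two files under /etc/ssl/mail; the web host never sees the mail key, and each machine renews independently.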

