Error https activate for sub domain name


#1

Please fill out the fields below so we can help you better.

My domain is:woe.fr

I ran this command:./certibot-auto

It produced this output:

My operating system is (include version):debian 7

My web server is (include version):apache
My hosting provider, if applicable, is:OVH

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):if need

Hello every body, first sorry for my english i’m french.
I need your help today for 2 differents points:

  1. when i try to generate https it’s write:
    IMPORTANT NOTES:
  • The following errors were reported by the server:

    Domain: admin.woe.fr
    Type: unauthorized
    Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
    Requested
    02caa707299d474e8ec293ec73c023f8.8d07a8fd6a4ede67e54cac6357058a83.acme.invalid
    from 37.187.7.10:443. Received certificate containing ‘woe.fr

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.
    how can i solve it ?

  1. i make a mistake fo one subdomain declaration, how can i edit it ?

Thx a lot !


#2

Well, with regard to your second problem: you didn’t successfully get a certificate, so I guess there isn’t something to correct. Just run ./certbot-auto a second time (if the first problem is fixed :stuck_out_tongue:) and also include the subdomain you forgot earlier.

With regard to your first problem: this could be an issue with your Apache configuration, specifically the <VirtualHost> sections. Could you check your Apache configuration files for these <VirtualHost> sections and see if all of them are in the form of <VirtualHost *:80> or <VirtualHost *:443>? Because sometimes there are <VirtualHost *> or <VirtualHost *:*> sections and those latter ones can give problems with the SNI feature of Apache, which is needed for the TLS-SNI-01 challenge.


#3

Hello thx for your reply, i go check my vitrualHost, and i tell you :slight_smile:

But for my second problem, i need to modify subdomaine, not include.
may be delete to create again ?

thx a lot !


#4

I’m not sure I understand. You ran ./certbot-auto without any other commands, right? After that command, you got a list of (sub)domains, fetched from your Apache configuration files, where you could specify one or more domains or subdomains, right? But because there was an error after that step (you never saw “Congratulations!”, correct?), if you run ./certbot-auto again, you can specify those (sub)domains from the same list as before, again. :slight_smile:


#5

Hello Osiris,
when i make ./certbot-auto, it write: please choose sub domains to generate https files (somethings like this). i can not specify new domains or subdomains. I have added last time domains, but i have make mistake, and it save it :confused:


#6

Please copy/paste the complete output of certbot, because I still don’t quite understand.


#7

root@:/home/CertbotSSL# ./certbot-auto
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?

1: woe.fr
2: admin.woe.fr
3: forums.woe.fr
4: www.woe.fr

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel):2
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for admin.woe.fr
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. forums.woe.fr (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for forums.woe.fr, admin.woe.fr (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested 02caa707299d474e8ec293ec73c023f8.8d07a8fd6a4ede67e54cac6357058a83.acme.invalid from 37.187.7.10:443. Received certificate containing ‘woe.fr

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: admin.woe.fr
Type: unauthorized
Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
Requested
02caa707299d474e8ec293ec73c023f8.8d07a8fd6a4ede67e54cac6357058a83.acme.invalid
from 37.187.7.10:443. Received certificate containing ‘woe.fr

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.

It does not ask me to add new domains…

But i don’t understand what’s wrong in my apache file (VirtualHost).
Have you exemple of this files ?
i have this:

VirtualHost 37.187.7.10:443>
ServerName admin.woe.fr
DocumentRoot /var/woe/admin/www/
CustomLog ${APACHE_LOG_DIR}/access/accessadmin.log combined
ErrorLog ${APACHE_LOG_DIR}/error/erroradmin.log
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/woe.fr/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/woe.fr/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/woe.fr/chain.pem
SSLVerifyClient None
/VirtualHost>


#8

You can select more than one (sub)domain when asked… You just entered only ‘2’ (for admin.)

Anyway, for the problem of the issuing: you could try to change the IP address in the <VirtualHost> directive to an asterisk (*), so Apache uses SNI.


#9

First i wish glad you again for your help !

But when i put * it’s simply not work, my webpage not show !
May be i have wrong information in my file:
/etc/apache2/sites-enabled/woe
or
/etc/apache2/sites-available/default
or
/etc/apache2/sites-available/default-ssl

Have you small exemple of each ?


#10

No examples, sorry. But if you paste them somewhere for us to see, we might be able to figure out why it doesn’t work.


#11

Please find config file here:
woe.fr/dl.zip

thx so much


#12

Could you run certbot-auto with the -v switch? For more verbose output. Among that output, you’ll see something like:

Performing the following challenges:
tls-sni-01 challenge for yourdomain
Adding Include /etc/apache2/vhosts.d/le_tls_sni_01_cert_challenge.conf to /files/etc/apache2/httpd.conf
writing a config file with text:
...Apache configuration stuff...

I’m interested in the apache configuration file it says there.

I still believe the error you’re getting is because Apache is confused with regard of SNI. Apache has a extensive page about name-based virtual hosting, including if and how IP’s are used in directives. I’m still guessing it has something to do with that. (Personally, I never use an IP address in my configuration files, because I just use one. Always a “*”.)

Also: in default.conf you have a <VirtualHost *:443> section for www.woe.fr with a few ServerAliasses. Did you add that later on? Because you’ve got all your directives already in woe.conf. Perhaps a little bit too much :stuck_out_tongue:

Aaaaaand, you ALSO have your woe.fr mentioned in default-ssl.conf?!? No wonder Apache doesn’t understand it :stuck_out_tongue: If I were you, I’d clean up my Apache configuration files: keep all the defaults default and just use woe.conf for your site. Also, certbot works best with just one configuration file per virtualhost section.

From the Apache site:

It is important to recognize that the first step in name-based virtual host resolution is IP-based resolution. Name-based virtual host resolution only chooses the most appropriate name-based virtual host after narrowing down the candidates to the best IP-based match. Using a wildcard (*) for the IP address in all of the VirtualHost directives makes this IP-based mapping irrelevant.


#13

yes i have add it in defaut.conf, and i see after that it was automaticaly add in default-ssl conf :confused:

that why i wish have exemple, because i think that i have some mistake.
about apache site: i’m sorry, i don’t understand what it’s write.

You think that i must clear (so erase all?) my default file ? i don’t understand what i must make :frowning:


#14

In French.


#15

is better: Default

VirtualHost *:80>
ServerAdmin woe@woe.fr
DocumentRoot /var/woe/site/www

Options FollowSymLinks
#AllowOverride None
/Directory>
Directory /var/woe/site/www/>
Options Indexes FollowSymLinks MultiViews
#AllowOverride None
Order allow,deny
allow from all
/Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
Directory “/usr/lib/cgi-bin”>
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
/Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log

Possible values include: debug, info, notice, warn, error, crit,

alert, emerg.

LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
/VirtualHost>

DEFAULT SSL:

IfModule mod_ssl.c>
VirtualHost *:443>
ServerAdmin woe@woe.fr
DocumentRoot /var/woe/site/www
Directory />
Options FollowSymLinks
AllowOverride None
/Directory>
Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
#AllowOverride None
Order allow,deny
allow from all
/Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
Directory “/usr/lib/cgi-bin”>
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
/Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log

Possible values include: debug, info, notice, warn, error, crit,

alert, emerg.

LogLevel warn

CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/woe.fr/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/woe.fr/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/woe.fr/chain.pem
SSLVerifyClient None

ServerName woe.fr
ServerAlias admin.woe.fr
ServerAlias forum.woe.fr
ServerAlias www.woe.fr
SSLCertificateChainFile /etc/letsencrypt/live/woe.fr/chain.pem
/VirtualHost>
/IfModule>

and woe conf:

NameVirtualHost *:80

VirtualHost *:80>
ServerName forum.woe.fr
DocumentRoot /var/woe/fofo/www/
CustomLog ${APACHE_LOG_DIR}/access/accessfofo.log combined
ErrorLog ${APACHE_LOG_DIR}/error/errorfofo.log
#
#php_admin_value open_basedir /var/woe/fofo/www/
/IfModule>
/VirtualHost>

VirtualHost *:80>
ServerName admin.woe.fr
DocumentRoot /var/woe/admin/www/
#CustomLog ${APACHE_LOG_DIR}/accessadmin.log combined
#ErrorLog ${APACHE_LOG_DIR}/erroradmin.log
CustomLog ${APACHE_LOG_DIR}/access/accessadmin.log combined
ErrorLog ${APACHE_LOG_DIR}/error/erroradmin.log
/VirtualHost>

VirtualHost *:80>
ServerName maj.woe.fr
DocumentRoot /var/woe/maj/www/
CustomLog ${APACHE_LOG_DIR}/access/accessmaj.log combined
ErrorLog ${APACHE_LOG_DIR}/error/errormaj.log
/VirtualHost>

VirtualHost *:80>
ServerName woe.fr
DocumentRoot /var/woe/site/www/
CustomLog ${APACHE_LOG_DIR}/access/accesssite.log combined
ErrorLog ${APACHE_LOG_DIR}/error/errorsite.log
/VirtualHost>

VirtualHost *:80>
ServerName www.woe.fr
DocumentRoot /var/woe/site/www/
CustomLog ${APACHE_LOG_DIR}/access/accesssite.log combined
ErrorLog ${APACHE_LOG_DIR}/error/errorsite.log
/VirtualHost>
########################################################################

NameVirtualHost *:443

VirtualHost *:443>
ServerName www.woe.fr
DocumentRoot /var/woe/site/www/
CustomLog ${APACHE_LOG_DIR}/access/accesssite.log combined
ErrorLog ${APACHE_LOG_DIR}/error/errorsite.log
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/woe.fr/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/woe.fr/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/woe.fr/chain.pem
SSLVerifyClient None
/VirtualHost>

VirtualHost *:443>
ServerName admin.woe.fr
DocumentRoot /var/woe/admin/www/
CustomLog ${APACHE_LOG_DIR}/access/accessadmin.log combined
ErrorLog ${APACHE_LOG_DIR}/error/erroradmin.log
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/woe.fr/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/woe.fr/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/woe.fr/chain.pem
SSLVerifyClient None
/VirtualHost>

VirtualHost *:443>
ServerName forum.woe.fr
DocumentRoot /var/woe/fofo/www/
CustomLog ${APACHE_LOG_DIR}/access/accessfofo.log combined
ErrorLog ${APACHE_LOG_DIR}/error/errorfofo.log
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/woe.fr/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/woe.fr/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/woe.fr/chain.pem
SSLVerifyClient None
/VirtualHost>


#16

With regards to the VirtualHost sections: yes.

But you still have multiple double ServerName/ServerAlias directives. That is not necessary, even unwanted I guess. IMO you should give your “default” configuration files some stupid ServerName (localhost) with a non-usefull DocumentRoot. Apache will use that VirtualHost as a “default” when someone connects to your server without providing a useful hostname.
Then, you’d put your woe.fr VirtualHost sections in separate configuration files. woe.fr.conf, forum.woe.fr.conf, admin.woe.fr.conf. That way, certbot will understand it better. (Unless they bunked that bug already… :stuck_out_tongue:)


#17

Thx a lot Osiris,i have create with using /certbot -certonly
i must use this command for each subdomaine.
I have try to put all with comma, but not work °°
So hope renew was easy now :smile:


#18

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.