Error while creating certificate for domain and subdomain together using certbot

My domain is: test-projects.me
My sub-domain is: mail.test-projects.me

I ran this command: certbot certonly --standalone -n --dry-run --agree-tos --no-eff-email --preferred-challenges http -m email -d test-projects.me -d mail.test-projects.me --redirect --keep

It produced this output: Failed authorization procedure. mail.test-projects.me (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.test-projects.me/.well-known/acme-challenge/ko-sc2QpoA0Hoz85gotqBLsLIGTzK-arJqQf2kv_Y_A: Connection refused

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: AWS Route 53

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NA

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Additional Information:
I am getting this error when I try to generate the certificate using the above-mentioned command from the machine pointed to by test-projects.me, but if I remove the subdomain and run this command to generate a certificate only for test-projects.me, it doesn't give any error.
certbot certonly --standalone -n --dry-run --agree-tos --no-eff-email --preferred-challenges http -m email -d test-projects.me --redirect --keep
Similarly, it works if I generate a certificate for mail.test-projects.me from its own machine.
So the main issue is that I can't generate a domain and subdomain certificate in a single command from the main domain machine.
Also, I am able to ssh to both the machines pointed by my domains.

Hi @harshk

that's the expected result.

Your main domain ( https://check-your-website.server-daten.de/?q=test-projects.me ):

Host T IP-Address is auth. ∑ Queries ∑ Timeout
test-projects.me A 50.16.57.11 Ashburn/Virginia/United States (US) - Amazon.com, Inc. Hostname: ec2-50-16-57-11.compute-1.amazonaws.com yes 1 0
AAAA yes
www.test-projects.me A 50.16.57.11 Ashburn/Virginia/United States (US) - Amazon.com, Inc. Hostname: ec2-50-16-57-11.compute-1.amazonaws.com yes 1 0
AAAA yes

And your subdomain ( https://check-your-website.server-daten.de/?q=mail.test-projects.me ):

Host T IP-Address is auth. ∑ Queries ∑ Timeout
mail.test-projects.me A 34.193.199.223 Ashburn/Virginia/United States (US) - Amazon.com, Inc. Hostname: ec2-34-193-199-223.compute-1.amazonaws.com yes 1 0
AAAA yes
www.mail.test-projects.me Name Error yes 1 0

So there are different IP addresses.

If you want to use http-validation, then Certbot must be able to create the validation files, Letsencrypt checks these. That's not directly possible if both domain names have different ip addresses (not pointing to the same server certbot is running).

But you can create a redirect

 http://mail.test-projects.me/.well-known/acme-challenge/random-filename

to your main server http + /.well-known/acme-challenge/random-filename, then use Certbot + --webroot on your main domain.

Read

https://certbot.eff.org/docs/using.html

and something about challenge types:

Do you really need a certificate for both names on the second machine? Why?

The simplest procedure is to install Certbot on each machine and have each one get their own certificate(s) for name(s) pointed to that machine.

There are a couple ways to get certificates for the other name on the other machine, but why do you want to?

No, I don't, but there is a rate limit applicable to the generation of certificates. This way I can register up to 5000 domains per week, as stated here:

If you have a lot of subdomains, you may want to combine them into a single certificate, up to a limit of 100 Names per Certificate . Combined with the above limit, that means you can issue certificates containing up to 5,000 unique subdomains per week.

Though I am not sure if the same rate limit is applicable if I generate a certificate for each subdomain on its own machine?

Hi @JuergenAuer

Thank you for your instant reply. I understood my mistake, but I am not clear on the solution you mentioned to create a redirect. Can you elaborate on it some more?
I tried to run the command this way after reading about webroot:

certbot certonly --webroot -n --dry-run --agree-tos --no-eff-email --preferred-challenges http -m email -w /var/www/letsencrypt -d test-projects.me -d mail.test-projects.me --redirect --keep

but I still get same error:

Failed authorization procedure. mail.test-projects.me (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.test-projects.me/.well-known/acme-challenge/xwpLoHClmtQWC-PM5Vuokjeyhog6OBs21HVMyhxCJMc: Connection refused

Makes sense, but it's more complicated if you're not going to be creating that many certificates.

The per-domain rate limits don't take into account how many machines are in use.


Thank you for clarifying that.
I would still want to know what I am doing wrong with my previous approach. So if you could help me with that, it would be great.

Using HTTP validation to get certificates for test-projects.me and mail.test-projects.me requires that requests to http://test-projects.me/.well-known/acme-challenge/xxxxxxxxxx and http://mail.test-projects.me/.well-known/acme-challenge/yyyyyyyyyy respond with the required data.

The Certbot webroot plugin requires that you already have a web server running.

If you’re getting a “connection refused” error, there probably isn’t a web server running, or maybe it’s being blocked by a firewall, or there’s port forwarding involved and there’s an issue with the setup.

To use HTTP validation for a website hosted on another server, you could configure the web server on that server to reverse proxy or redirect the requests to the first server. Or set up something like NFS. Or some ACME clients support copying files to another server. (Certbot doesn’t have something built in, but you could write a hook.)

Since you’re using Route 53, the simpler solution would be to install the Certbot Route 53 DNS plugin and use DNS validation.

However, you would still have to script something to copy the certificates to the other computer, reload any daemons using them, etc.

It’s simpler to have each server issue its own certificates.

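The reply above mentions that Certbot has no built-in way to copy a challenge file to another server, but that a hook could do it. As an added example (not code from this thread or from Certbot), here is the skeleton of a hypothetical script usable as a --manual-auth-hook: Certbot passes CERTBOT_DOMAIN, CERTBOT_TOKEN and CERTBOT_VALIDATION in the environment, and for http-01 the file .well-known/acme-challenge/<TOKEN> must serve CERTBOT_VALIDATION as its body. The CHALLENGE_WEBROOT variable and the demo() helper are assumptions made for this example; the script writes into a local webroot and marks where a copy to the other machine would go.

```python
"""Hypothetical Certbot --manual-auth-hook (added example, not from the thread).

Certbot sets CERTBOT_DOMAIN, CERTBOT_TOKEN and CERTBOT_VALIDATION when it runs
the hook.  For http-01 the validation server fetches
http://<domain>/.well-known/acme-challenge/<CERTBOT_TOKEN> and expects the
body to equal CERTBOT_VALIDATION.  remove_challenge() is what a matching
--manual-cleanup-hook would call.
"""
import os
import re
import sys
import tempfile
from pathlib import Path

# ACME tokens use the base64url alphabet; anything else is refused so a hostile
# value can never be turned into a path like ../../etc/passwd.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def challenge_path(webroot: str, token: str) -> Path:
    """Return the file Let's Encrypt will fetch for this token."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError(f"refusing suspicious token {token!r}")
    return Path(webroot) / ".well-known" / "acme-challenge" / token


def write_challenge(webroot: str, token: str, validation: str) -> Path:
    """Create the challenge file with the exact validation string as its body."""
    path = challenge_path(webroot, token)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(validation)
    os.chmod(path, 0o644)  # the web server worker must be able to read it
    return path


def remove_challenge(webroot: str, token: str) -> bool:
    """Delete the challenge file once validation is done; True if it existed."""
    path = challenge_path(webroot, token)
    if path.exists():
        path.unlink()
        return True
    return False


def demo() -> dict:
    """Exercise the hook logic in a throwaway webroot (constructed values)."""
    webroot = tempfile.mkdtemp()
    token = "constructed-token"
    validation = "constructed-token.constructed-thumbprint"
    path = write_challenge(webroot, token, validation)
    served = path.read_text()
    rejected = False
    try:
        write_challenge(webroot, "../../etc/passwd", validation)
    except ValueError:
        rejected = True
    removed = remove_challenge(webroot, token)
    return {
        "served": served,
        "rejected_traversal": rejected,
        "removed": removed,
        "relative": path.relative_to(webroot).as_posix(),
    }


def main() -> int:
    domain = os.environ["CERTBOT_DOMAIN"]
    token = os.environ["CERTBOT_TOKEN"]
    validation = os.environ["CERTBOT_VALIDATION"]
    # CHALLENGE_WEBROOT is an assumed variable for this example, not a Certbot one.
    webroot = os.environ.get("CHALLENGE_WEBROOT", "/var/www/letsencrypt")
    path = write_challenge(webroot, token, validation)
    # If `domain` resolves to a different machine, this is where the file would
    # be copied there (scp/rsync); Certbot itself provides no such transfer.
    print(f"wrote {path} for {domain}", file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run stand-alone, the script expects Certbot's environment variables; demo() shows the same logic against a temporary directory, including the rejection of a token that is not a bare base64url value.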

There is no running webserver. And if there is a running webserver, there must be a redirect to your other domain.

Things you have to do before you run certbot. And you can (and should) check this setup before you start certbot.

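The reply above says the setup (a web server answering on the subdomain, or a redirect to the main server) can and should be checked before running Certbot, and the earlier reply describes the redirect itself. As an added example, not code from this thread, here is an offline pre-flight check: it starts a "main" server that serves a constructed challenge file from a temporary webroot, a "mail" server that only redirects /.well-known/acme-challenge/ to the main one, and uses a closed port to stand in for the "no web server running" case. check_challenge() then does what the validation server does: fetch the token URL, follow redirects, compare the body. All hostnames, ports and tokens here are constructed; against the real names you would call check_challenge() with the public URLs.

```python
"""Offline pre-flight check for http-01 (added example, not from the thread)."""
import functools
import http.server
import socket
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path


class QuietFileHandler(http.server.SimpleHTTPRequestHandler):
    """The 'main' server: serves the webroot, without request logging."""

    def log_message(self, *args):
        pass


class RedirectHandler(http.server.BaseHTTPRequestHandler):
    """The 'mail' server: has no webroot, only redirects challenge requests."""

    main_base = ""  # filled in per subclass, e.g. "http://127.0.0.1:PORT"

    def do_GET(self):
        if self.path.startswith("/.well-known/acme-challenge/"):
            self.send_response(301)
            self.send_header("Location", self.main_base + self.path)
            self.end_headers()
        else:
            self.send_error(404)

    def log_message(self, *args):
        pass


def serve(handler):
    """Start an HTTP server on a free loopback port in a background thread."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def check_challenge(url: str, expected: str, timeout: float = 5.0):
    """Fetch the challenge URL as the CA would and classify the outcome."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode().strip()
    except urllib.error.HTTPError as exc:
        return False, f"HTTP {exc.code}"
    except urllib.error.URLError as exc:
        # A refused connection lands here: no listener on that host and port.
        return False, f"connection error: {exc.reason}"
    return (body == expected, "ok" if body == expected else "wrong body")


def demo() -> dict:
    """Reproduce the thread's layout on loopback and check all three names."""
    token = "constructed-token-123"
    validation = "constructed-token-123.constructed-thumbprint"
    webroot = tempfile.mkdtemp()
    chal_dir = Path(webroot, ".well-known", "acme-challenge")
    chal_dir.mkdir(parents=True)
    (chal_dir / token).write_text(validation)

    main = serve(functools.partial(QuietFileHandler, directory=webroot))
    main_base = f"http://127.0.0.1:{main.server_address[1]}"

    class MailRedirect(RedirectHandler):
        pass

    MailRedirect.main_base = main_base
    mail = serve(MailRedirect)

    # Reserve and release a port so nothing listens on it: "connection refused".
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    path = f"/.well-known/acme-challenge/{token}"
    results = {
        "main": check_challenge(f"{main_base}{path}", validation),
        "mail-redirect": check_challenge(
            f"http://127.0.0.1:{mail.server_address[1]}{path}", validation),
        "no-webserver": check_challenge(
            f"http://127.0.0.1:{closed_port}{path}", validation),
    }
    for srv in (main, mail):
        srv.shutdown()
        srv.server_close()
    return results


if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print(f"{name:14s} {'PASS' if ok else 'FAIL'}  {detail}")
```

The third result is the situation in this thread: the name resolves, but nothing on that host answers port 80, so the fetch never gets as far as comparing a body. The redirect case passes because urllib follows the 301 exactly as the validation server does.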
