"Failed to request service certificate" "Invalid response from" all but primary domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

resplendentwebservices.com
extremewebservices.com

I ran this command:

sudo /usr/local/bin/le-cp hostcert add whm.resplendentwebservices.com

It produced this output:

Mar 06 12:17:32 li970-241.members.linode.com letsencrypt.live.cgi[19509]: time=“2020-03-06T12:17:32-05:00” level=info msg=“Got Hostcert settings update, skipping rest of sleep interval”
Mar 06 12:17:32 li970-241.members.linode.com letsencrypt.live.cgi[19509]: time=“2020-03-06T12:17:32-05:00” level=info msg=“Beginning Hostcert run …”
Mar 06 12:17:32 li970-241.members.linode.com letsencrypt.live.cgi[19509]: time=“2020-03-06T12:17:32-05:00” level=info msg=“Checking service certificates” HostDomain=li970-241.members.linode.com
Mar 06 12:17:32 li970-241.members.linode.com letsencrypt.live.cgi[19509]: time=“2020-03-06T12:17:32-05:00” level=info msg=“Fetching new certificate for service” Document Root=/usr/local/apache/htdocs Domain=li970-241.members.linode.com Extra Names="[whm.resplendentwebservices.com]" Service=cpanel
Mar 06 12:17:33 li970-241.members.linode.com letsencrypt.live.cgi[19509]: time=“2020-03-06T12:17:33-05:00” level=info msg=“Created http-01 validation file” authz=“https://acme-v02.api.letsencrypt.org/acme/authz-v3/3199773751” destination=/var/www/html/.well-known/acme-challenge/Gr3DDfli1qrkwYi-Ubm8Va6f4_aC74oEBdap8hCKjcc elapsed=“179.56µs”
Mar 06 12:17:33 li970-241.members.linode.com letsencrypt.live.cgi[19509]: time=“2020-03-06T12:17:33-05:00” level=info msg=“Created http-01 validation file” authz=“https://acme-v02.api.letsencrypt.org/acme/authz-v3/3199773751” destination=/usr/local/apache/htdocs/.well-known/acme-challenge/Gr3DDfli1qrkwYi-Ubm8Va6f4_aC74oEBdap8hCKjcc elapsed=“170.45µs”
Mar 06 12:17:34 li970-241.members.linode.com letsencrypt.live.cgi[19509]: time=“2020-03-06T12:17:34-05:00” level=error msg=“Failed to request service certificate” Document Root=/usr/local/apache/htdocs Domain=li970-241.members.linode.com Extra Names="[whm.resplendentwebservices.com]" Service=cpanel error=“Updating challenge for whm.resplendentwebservices.com: acme: error code 403 “urn:ietf:params:acme:error:unauthorized”: Invalid response from http://whm.resplendentwebservices.com/.well-known/acme-challenge/Gr3DDfli1qrkwYi-Ubm8Va6f4_aC74oEBdap8hCKjcc [45.79.51.51]: “\n\n404 Not Found\n\n

Not Found

\n<p” (order URL: https://acme-v02.api.letsencrypt.org/acme/order/79580458/2557170494)”

My web server is (include version):

Apache 2.4

The operating system my web server runs on is (include version):

Centos 7.7

My hosting provider, if applicable, is:

Linode

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

cPanel v84.0.21

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

letsencrypt-cpanel 0.15.1

Generally this will happen if the domain ( resplendentwebservices.com ) is already bound to a cPanel account. In that case, you just need to issue the certificate from within that cPanel account, rather than trying to include it in the global service certificate.

Can you comment on whether that’s the case?

It is bound to an account.

However, I’ve now succeeded in getting the mail server name passed and am only having issues with the cPanel automatic subdomains.

As a general guideline, you should avoid mixing the server hostname with any domains that are going to be on actual cPanel accounts.

That much is stated in the official docs (https://documentation.cpanel.net/display/84Docs/Change+Hostname):

  • Do not choose a hostname that a cPanel account on your server will use.

Because whm.resplendentwebservices.com is a proxy subdomain associated with the resplendentwebservices.com cPanel account, that takes precedence (i.e. gets routed to /home/$USER/public_html/ rather than to /var/www/html) - which is what results in the validation failing for the global service certificate.

This type of mixed setup tends to punish you in the long term (IME anyway).

I think the “proper” thing is that the global service certificate will be your Linode one, but that doesn’t mean that whm.resplendentwebservices.com won’t be secured - you can secure that from within the cPanel account, and it still will appear for browsers/mail clients/whatever thanks to SNI.

You can also get directly in touch with me or someone else for direct support with the plugin, but posting here is fine if you want.
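The routing conflict explained in the reply above (the challenge file is written to the global docroots, but Apache serves the requested hostname from the cPanel account's own DocumentRoot) can be spotted before asking the CA for a certificate. The following pre-flight check is an added example, not code from the thread or from the letsencrypt-cpanel plugin: it parses a simplified Apache vhost configuration, works out which DocumentRoot would answer a given Host header, and compares that with the directories the ACME client writes challenge files into. The vhost config, the account username `exampleuser`, and the `check_http01` helper are all constructed for illustration; real cPanel-generated httpd.conf files are larger, and the matching here is the basic first-match ServerName/ServerAlias rule only.

```python
"""Pre-flight check for http-01 docroot mismatches (added example, not the
plugin's own code). The vhost configuration below is constructed."""
import fnmatch
import re
from dataclasses import dataclass


@dataclass
class VHost:
    names: list   # ServerName first, then any ServerAlias entries
    docroot: str


def parse_vhosts(conf: str) -> list:
    """Extract (names, DocumentRoot) from each <VirtualHost> block, in config order."""
    vhosts = []
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S):
        names, docroot = [], None
        for line in block.splitlines():
            line = line.strip()
            if line.startswith("ServerName "):
                names.insert(0, line.split()[1].lower())
            elif line.startswith("ServerAlias "):
                names.extend(n.lower() for n in line.split()[1:])
            elif line.startswith("DocumentRoot "):
                docroot = line.split()[1].rstrip("/")
        if docroot:
            vhosts.append(VHost(names, docroot))
    return vhosts


def serving_docroot(vhosts: list, host: str):
    """DocumentRoot Apache would use for the given Host header.

    Simplified name-based vhost semantics: the first vhost whose ServerName or
    ServerAlias matches wins (aliases may contain * and ? wildcards); if none
    matches, the first vhost in the file is the default.
    """
    host = host.lower()
    for vh in vhosts:
        if any(fnmatch.fnmatchcase(host, pat) for pat in vh.names):
            return vh.docroot
    return vhosts[0].docroot if vhosts else None


def check_http01(vhosts: list, host: str, challenge_dirs: list) -> dict:
    """Would an http-01 token written into `challenge_dirs` be served for `host`?"""
    served = serving_docroot(vhosts, host)
    expected = {d.rstrip("/") for d in challenge_dirs}
    return {
        "host": host,
        "served_from": served,
        "client_writes_to": sorted(expected),
        "ok": served in expected,
    }


# Constructed config mirroring the thread: the server hostname is served from
# the global docroot, while the cPanel account owns resplendentwebservices.com
# together with its automatically generated proxy subdomains (whm., cpanel., ...).
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName li970-241.members.linode.com
    DocumentRoot /usr/local/apache/htdocs
</VirtualHost>
<VirtualHost *:80>
    ServerName resplendentwebservices.com
    ServerAlias www.resplendentwebservices.com whm.resplendentwebservices.com cpanel.resplendentwebservices.com
    DocumentRoot /home/exampleuser/public_html
</VirtualHost>
"""

# Directories the client placed the token in, per the log lines in the question.
CHALLENGE_DIRS = ["/var/www/html", "/usr/local/apache/htdocs"]

VHOSTS = parse_vhosts(SAMPLE_CONF)

if __name__ == "__main__":
    for name in ("li970-241.members.linode.com", "whm.resplendentwebservices.com"):
        result = check_http01(VHOSTS, name, CHALLENGE_DIRS)
        status = "OK" if result["ok"] else "WILL FAIL (served from a different docroot)"
        print(f"{name}: {status} -> {result['served_from']}")
```

Running it against this constructed config flags `whm.resplendentwebservices.com` as served from `/home/exampleuser/public_html`, which is exactly why the CA saw a 404 at the challenge URL, while the Linode hostname passes. On a live box the same idea can be confirmed end to end by writing a throwaway file under each candidate docroot and fetching `http://<name>/.well-known/acme-challenge/<file>` from outside, but the static check above already tells you which names belong in the service certificate and which should be issued from inside the cPanel account, as the reply recommends.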
