Get certiciates for several virtual machines on same public IP


#1

Hello to all :wink:

I’ve got several VMs (ngnix, apache…) with the same public IP. The route to those VMs are setup using pfsense.

I could correctly create certificates for domain1, domain2 and domain3 on the 1st machine, but as soon as I try to create certificates for domain4, domain5 and domain6 on the 2nd machine I get an error message ‘Failed authorization procedure’.

This is the error message I get:

Failed authorization procedure. domain4 (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested f407402795165e573aafbc0637b53813.5665c8d356a2d91ab52dd287d7530449.acme.invalid from :443. Received certificate containing ‘domain1, domain2, domain3’

This message is followed by an other one:

IMPORTANT NOTES:

  • The following errors were reported by the server:
    Domain: domain4
    Type: unauthorized
    Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
    Requested
    f407402795165e573aafbc0637b53813.5665c8d356a2d91ab52dd287d7530449.acme.invalid
    from :443. Received certificate containing
    ’domain1, domain2, domain3’
    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

Is there a way to issue certificates for domains which are located on several virtual machines on the same public IP address ?

Many thanks in advance.


#2

Hi @cym, can you explain what you mean by “located on”? In what way do they share the same IP address? Do they all have web servers running or something?

This sounds like it’s probably akin to the question of getting certs for internal sites, where people have had some luck with a web proxy (or HTTP redirector) that looks for the http://subdomain.example.com/.well-known/acme-challenge/ requests and forwards them appropriately, or for the DNS challenge type, where you can prove your control of a domain by adding records into your DNS zone (without requiring a direct certificate authority connection to the individual servers).


#3

Hi Schoen, many thanks for the reply :wink:

“located on” several VMs" : I meant to say that I have one physical machine, with 2 virtual machines on it, and multiple domains on each of them. All these machines are on the same network and share the same public IP. Routing of the dataflow coming from this single IP toward multiple internal IPs is performed by PFSENSE.

I would like to get certificates for several domains running on one machine and several other domains on the second machine. But I’m blocked after having successfully setup the first run of certificates for the first machine, by a message that I interpret like “You try to authenticate with this IP, but this IP corresponds to other domains !”.

I would like to try DNS challenge as an alternative. Is it compulsory to use another script ? Or may I use certbot also with DNS challenge ?


#4

Hi @cym, in this case the problem is that your pfsense would need to dynamically route each incoming TLS connection to the right host based on the content of the SNI field in the connection, but this is hard to do because the correspondence is unpredictable. Basically, the pfsense routing would need to be integrated with the Let’s Encrypt client somehow in order to say “this incoming connection corresponds to a proof of control for this domain, while that one corresponds to a proof of control for that one”, with each one then being routed to the appropriate server. But the domain names themselves do not appear in the request, so telling the routing to do this is non-trivial. (It could probably be done with a custom shell script in the script plugin in new versions of Certbot, but it might still take some work.)

The most current Certbot release supports the DNS challenge. This support has existed for longer in the bash-based client implementations.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.