Help with standalone registration behind a firewall with a shared IP

Hi all,

Firstly - thank you to LE for providing such an important service, and thanks to you community members for helping people like me. It’s truly appreciated.

My domain is: portal.dfafrica.co.za
My web server is HAProxy 1.7.8
The operating system my web server runs on is Ubuntu 16.04
I can login to a root shell on my machine and I am not using a control panel.

I ran this command: certbot certonly --standalone --preferred-challenges http --http-01-port 80 -d portal.dfafrica.co.za
I also ran this command: certbot certonly --standalone --test-cert --dry-run --verbose --domains portal.dfafrica.co.za

I was planning on setting up my LE cert using the Digital Ocean tutorial, as per Certbot’s page, when I ran into this issue.

The HAProxy, and the nodes behind it, are all on a private 10.x network, and the firewall with the public IP is supposed to be routing TCP 80 and 443 traffic to the machine running HAProxy. I need some help understanding exactly what is going on here, as I’ve never seen the below error message before, and the 2 hosts certbot found, autodiscover and mail1.dfafrica.co.za, are not on the same machine at all.

It should also be noted that serving HTTP traffic works as expected when HAProxy is running (I do kill HAProxy when attempting to run certbot), which makes it doubly weird that a standalone certbot server cannot serve a .well-known file.

I’m really stumped here, so any advice or help would be extremely appreciated.

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for portal.dfafrica.co.za
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. portal.dfafrica.co.za (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 16d4189a68138f9c7f5e7927fe3859ff.24ef1da330fc51fe9de9c080a0adb328.acme.invalid from 105.22.32.34:443. Received 3 certificate(s), first certificate had names "autodiscover.dfafrica.co.za, mail1.dfafrica.co.za"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: portal.dfafrica.co.za
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   16d4189a68138f9c7f5e7927fe3859ff.24ef1da330fc51fe9de9c080a0adb328.acme.invalid
   from 105.22.32.34:443. Received 3 certificate(s), first certificate
   had names "autodiscover.dfafrica.co.za, mail1.dfafrica.co.za"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

You’re using tls-sni-01, which is based on the certificate served in TLS. This uses port 443 and doesn’t work if you have another listener running.

I think the problem might be --preferred-challenges http (if I remember correctly, the right form should be --preferred-challenges http-01 rather than http).
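The failure detail in the output above already says what went wrong: the CA connected to 105.22.32.34:443 and got a certificate for the mail/autodiscover hosts instead of certbot's throwaway challenge certificate, so port 443 on that public address is not landing on the certbot host. The script below is an added example, not code from the thread's author, certbot or Let's Encrypt: it parses that detail text into a plain verdict, and `served_cert_names` lets you look at what an address:port actually presents over TLS so you can confirm the forwarding before retrying. All function and class names are my own; `served_cert_names` assumes the `cryptography` package is installed (the stdlib returns an empty dict for an unverified peer certificate).

```python
"""Diagnose a tls-sni-01 'Incorrect validation certificate' failure.

Added example, not certbot code. parse_detail() reads the detail line
certbot prints; served_cert_names() shows which certificate a TLS
listener really presents (needs network access and 'cryptography').
"""
import re
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional

# Matches the detail text for a failed tls-sni-01 check, both on one
# line and wrapped the way certbot prints it under IMPORTANT NOTES.
DETAIL_RE = re.compile(
    r"Requested\s+(?P<requested>\S+)\s+from\s+(?P<ip>[\d.]+):(?P<port>\d+)\."
    r"\s+Received\s+(?P<count>\d+)\s+certificate\(s\),\s+first\s+certificate"
    r"\s+had\s+names\s+\"(?P<names>[^\"]*)\"",
    re.S,
)


@dataclass
class SniDiagnosis:
    requested: str             # the <hash>.<hash>.acme.invalid name the CA asked for
    validator_target: str      # "ip:port" the CA connected to (from the DNS A record)
    received_names: List[str]  # names on the first certificate it got back
    expected_domain: str

    @property
    def challenge_cert_answered(self) -> bool:
        # certbot --standalone answers tls-sni-01 with a self-signed cert whose
        # only name is the acme.invalid name; anything else means a different
        # TLS listener took the CA's connection.
        return self.requested in self.received_names

    @property
    def verdict(self) -> str:
        if self.challenge_cert_answered:
            return (f"{self.validator_target} reached certbot's challenge "
                    f"listener; the failure is elsewhere.")
        return (f"{self.validator_target} is answered by a TLS listener serving "
                f"{', '.join(self.received_names)}, not by certbot's standalone "
                f"server for {self.expected_domain}. Port 443 on that address is "
                f"forwarded to another host or shared with another service.")


def parse_detail(detail: str, expected_domain: str) -> Optional[SniDiagnosis]:
    """Parse certbot's failure detail; None if it is not a tls-sni-01 mismatch."""
    m = DETAIL_RE.search(detail)
    if not m:
        return None
    names = [n.strip() for n in m.group("names").split(",") if n.strip()]
    return SniDiagnosis(
        requested=m.group("requested"),
        validator_target=f"{m.group('ip')}:{m.group('port')}",
        received_names=names,
        expected_domain=expected_domain,
    )


def served_cert_names(host: str, port: int = 443, sni: Optional[str] = None,
                      timeout: float = 5.0) -> List[str]:
    """Connect over TLS and return the DNS names on the certificate presented.

    Verification is disabled on purpose: the question is who answers, and a
    challenge cert is self-signed. Assumes the 'cryptography' package is
    installed (assumption); it is imported lazily so parse_detail() works
    without it.
    """
    from cryptography import x509
    from cryptography.x509.oid import ExtensionOID, NameOID

    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
    cert = x509.load_der_x509_certificate(der)
    try:
        san = cert.extensions.get_extension_for_oid(
            ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
        return list(san.get_values_for_type(x509.DNSName))
    except x509.ExtensionNotFound:
        return [str(a.value) for a in
                cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]


# Sample input: the detail line from the thread above.
SAMPLE_DETAIL = (
    'Incorrect validation certificate for tls-sni-01 challenge. Requested '
    '16d4189a68138f9c7f5e7927fe3859ff.24ef1da330fc51fe9de9c080a0adb328.acme.invalid '
    'from 105.22.32.34:443. Received 3 certificate(s), first certificate had names '
    '"autodiscover.dfafrica.co.za, mail1.dfafrica.co.za"'
)

if __name__ == "__main__":
    diag = parse_detail(SAMPLE_DETAIL, "portal.dfafrica.co.za")
    print(diag.verdict)
    # To see what the address presents right now (needs network access):
    # print(served_cert_names("105.22.32.34", 443, sni="portal.dfafrica.co.za"))
```

Run it with no arguments to get the verdict for the pasted error; uncomment the last line to compare against the live listener. If `served_cert_names` on the public IP returns the mail/autodiscover names while HAProxy is stopped, the firewall's 443 rule is the thing to fix, and the same check on port 80 reasoning applies to `http-01`: the challenge only succeeds if the CA's connection reaches the host where certbot is listening.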

Hi @schoen

Thanks so much for the response :slight_smile:

Sorry for the confusion, but the output I pasted was from the second command example I supplied. I did indeed try the http-01 route first.

I’ve asked the network admin to give this system a dedicated IP address that’s not being used by anything else. As soon as that’s ready, I’ll feed back.

Howdy all,

I got it working once it got assigned a dedicated IP addr. Thanks for all the help
