Hi all,
Firstly - thank you to LE for providing such an important service, and thanks to you community members for helping people like me. It’s truly appreciated.
My domain is: portal.dfafrica.co.za
My web server is HAProxy 1.7.8
The operating system my web server runs on is Ubuntu 16.04
I can login to a root shell on my machine and I am not using a control panel.
I ran this command: certbot certonly --standalone --preferred-challenges http --http-01-port 80 -d portal.dfafrica.co.za
I also ran this command: certbot certonly --standalone --test-cert --dry-run --verbose --domains portal.dfafrica.co.za
I was planning on setting up my LE cert using the Digital Ocean tutorial, as per Certbot’s page, when I ran into this issue.
The HAProxy, and the nodes behind it are all on a private 10.x network, and the firewall with the public IP is supposed to be routing TCP 80 and 443 traffic to the machine running HAProxy. I need some help understanding exactly what is going on here, as I’ve never seen the below error message before, and the 2 hosts certbot found, autodiscover and mail1.dfafrica.co.za, are not on the same machine at all.
It should also be noted that serving HTTP traffic works as expected when HAProxy is running (I do kill HAProxy when attempting to run certbot), which makes it doubly weird that a standalone certbot server cannot serve a .well-known file.
I’m really stumped here, so any advice or help would be extremely appreciated.
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for portal.dfafrica.co.za
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. portal.dfafrica.co.za (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 16d4189a68138f9c7f5e7927fe3859ff.24ef1da330fc51fe9de9c080a0adb328.acme.invalid from 105.22.32.34:443. Received 3 certificate(s), first certificate had names "autodiscover.dfafrica.co.za, mail1.dfafrica.co.za"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: portal.dfafrica.co.za
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
16d4189a68138f9c7f5e7927fe3859ff.24ef1da330fc51fe9de9c080a0adb328.acme.invalid
from 105.22.32.34:443. Received 3 certificate(s), first certificate
had names "autodiscover.dfafrica.co.za, mail1.dfafrica.co.za"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
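As an added example, not part of the original post, the Python below parses the tls-sni-01 failure detail quoted above and classifies what the validation server actually reached on the public IP: the challenge certificate, the target host's own production certificate, or a certificate belonging to some other host. The sample text is copied from the output above; the function names and the three outcome labels are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the "Detail:" text from the certbot output above.
SAMPLE_DETAIL = (
    "Incorrect validation certificate for tls-sni-01 challenge. "
    "Requested 16d4189a68138f9c7f5e7927fe3859ff."
    "24ef1da330fc51fe9de9c080a0adb328.acme.invalid "
    "from 105.22.32.34:443. Received 3 certificate(s), first certificate "
    'had names "autodiscover.dfafrica.co.za, mail1.dfafrica.co.za"'
)

_PATTERN = re.compile(
    r"Requested (?P<req>\S+) from (?P<ip>[\d.]+):(?P<port>\d+)\. "
    r"Received (?P<n>\d+) certificate\(s\), first certificate had names "
    r'"(?P<names>[^"]*)"'
)


@dataclass
class TlsSniFailure:
    requested: str        # the *.acme.invalid SNI name the CA asked for
    source_ip: str        # public IP the CA connected to
    port: int
    cert_count: int
    served_names: List[str]  # SANs on the certificate that was returned


def parse_tls_sni_failure(detail: str) -> Optional[TlsSniFailure]:
    """Extract the fields certbot reports for a failed tls-sni-01 check."""
    m = _PATTERN.search(detail)
    if not m:
        return None
    names = [n.strip() for n in m.group("names").split(",") if n.strip()]
    return TlsSniFailure(m.group("req"), m.group("ip"), int(m.group("port")),
                         int(m.group("n")), names)


def diagnose(f: TlsSniFailure, expected_domain: str) -> str:
    """Say which host the CA reached on <source_ip>:<port>."""
    if f.requested in f.served_names:
        return "validated"          # certbot's temporary cert was served
    if expected_domain in f.served_names:
        return "listener-occupied"  # right host, but its normal TLS service
    return "misrouted"              # port reaches a different host entirely
```

For the output in the post, `diagnose` returns "misrouted": the names on the served certificate belong to the mail/autodiscover host, so port 443 on the public IP is not being forwarded to the HAProxy machine where certbot is listening.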