Inside Vagrant, with domain resolving to another host

My domain is:
www.vortechmusic.com

I ran this command:
sudo certbot --nginx -d vortechmusic.com -d www.vortechmusic.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for vortechmusic.com
tls-sni-01 challenge for www.vortechmusic.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.vortechmusic.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested c8fa7189fb0faa1923f78c7b74f096af.cd0ad000a07df2510614682a543c1ec1.acme.invalid from 77.240.19.9:443. Received 2 certificate(s), first certificate had names "*.louhi.net, louhi.net", vortechmusic.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 42b029fca7a25090c8ef1df9337a8332.710165d142822ac3e84f7c5ebc11f0a9.acme.invalid from 77.240.19.9:443. Received 2 certificate(s), first certificate had names "*.louhi.net, louhi.net"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.vortechmusic.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   c8fa7189fb0faa1923f78c7b74f096af.cd0ad000a07df2510614682a543c1ec1.acme.invalid
   from 77.240.19.9:443. Received 2 certificate(s), first certificate
   had names "*.louhi.net, louhi.net"

   Domain: vortechmusic.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   42b029fca7a25090c8ef1df9337a8332.710165d142822ac3e84f7c5ebc11f0a9.acme.invalid
   from 77.240.19.9:443. Received 2 certificate(s), first certificate
   had names "*.louhi.net, louhi.net"

My web server is (include version):
Nginx 1.10.3

The operating system my web server runs on is (include version):
Inside a local Vagrant VM: Ubuntu 16.04 (64-bit)

My hosting provider, if applicable, is:
Louhi.fi (AKA Louhi.net)

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

So basically what I am doing is preparing to move my existing domain+host to another host, while keeping the existing domain in the current provider. I am trying to test that inside a Vagrant VM, but it seems it cannot be done, or can it? How would I test it so that I could get a certificate for the existing domain on my Vagrant Ubuntu? Or can I only get the certificate inside the host that the domain points to?

Here is my local test config in /etc/nginx/sites-enabled/vortechmusic.com

server {
        # Plain-HTTP vhost: the only one that can answer an http-01 challenge.
        listen 80 default_server;
        listen [::]:80 default_server;

        root /var/www/vortechmusic.com;

        index index.html index.htm index.nginx-debian.html;

        server_name vortechmusic.com www.vortechmusic.com;

        location / {
                try_files $uri $uri/ =404;
        }

        # Webroot-style challenge directory: a token file placed at
        # /srv/letsencrypt/.well-known/acme-challenge/<token> is served
        # as http://vortechmusic.com/.well-known/acme-challenge/<token>.
        location '/.well-known/acme-challenge' {
                default_type "text/plain";
                root /srv/letsencrypt;
        }
}

server {
        # TLS vhost. No ssl_certificate/ssl_certificate_key yet; certbot's
        # nginx installer adds them once a certificate has been issued.
        # Note: no "root" here, so "/" falls back to nginx's built-in default.
        listen 443 ssl default_server;
        server_name vortechmusic.com www.vortechmusic.com;
        location / {
                try_files $uri $uri/ =404;
        }

        location '/.well-known/acme-challenge' {
                default_type "text/plain";
                root /srv/letsencrypt;
        }
}

The nginx plugin uses tls-sni-01 challenges by default. Unlike webroot (where a file is placed in .well-known/acme-challenge), tls-sni-01 modifies your web server config to temporarily serve a certificate matching the challenge info on a specific SNI name. If something terminates TLS before it hits your server, then this method will fail because whatever is terminating TLS has no knowledge of this fake SNI name or the certificate to serve for it, so it just serves up whatever the default certificate is.

In this instance, I would recommend switching your authentication challenge type to http-01 instead, while still using the nginx installer. This can be done with sudo certbot run -i nginx -a webroot -d vortechmusic.com -d www.vortechmusic.com


If you are using a local VM, which is not exposed to the Internet on either TCP port 80 or 443, then you have to use the manual authentication plugin, described here: https://certbot.eff.org/docs/using.html#manual. It will show you instructions on how to authorize your domain (but you can also use hooks to fulfill the challenge using custom written scripts). Probably the easiest challenge type to use would be dns (you only have to add a DNS record), but you can also use http (you would have to create a file on your existing host); you may use the --preferred-challenges argument to select which one you would like to use.

You would probably also be interested in combining the manual authentication plugin with the nginx installation plugin (https://certbot.eff.org/docs/using.html#combining-plugins); the --nginx argument is a shorthand for "use the nginx plugin for both authentication and install". Something like this should do the trick:

certbot run -a manual -i nginx -d vortechmusic.com -d www.vortechmusic.com
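To tie the two replies above together: the first one explains that whatever host actually answers for the domain must present the challenge, and the second mentions that certbot's manual plugin can drive custom hook scripts instead of pasting tokens by hand. The script below is an added example, not code from the thread or from certbot. It implements an http-01 --manual-auth-hook/--manual-cleanup-hook pair that writes the key authorization to the host the A record still points at (over ssh), or to a local directory when CHALLENGE_HOST is empty, which lets you dry-run it inside the Vagrant VM against the /srv/letsencrypt root from the nginx config. The environment variables CERTBOT_DOMAIN, CERTBOT_TOKEN, CERTBOT_VALIDATION and CERTBOT_AUTH_OUTPUT are the ones certbot really exports to manual hooks; the ssh target name and web root are assumptions for illustration.

```shell
#!/usr/bin/env bash
# acme-hook.sh: added example, not certbot's own code.
# Usage from certbot (auth/cleanup are this script's own sub-commands):
#   certbot run -a manual -i nginx --preferred-challenges http \
#     --manual-auth-hook    '/path/acme-hook.sh auth' \
#     --manual-cleanup-hook '/path/acme-hook.sh cleanup' \
#     -d vortechmusic.com -d www.vortechmusic.com
set -eu

# Assumed deployment values. CHALLENGE_HOST empty => write locally (dry run).
CHALLENGE_HOST="${CHALLENGE_HOST:-}"                    # e.g. deploy@vortechmusic.com (assumed)
CHALLENGE_ROOT="${CHALLENGE_ROOT:-/srv/letsencrypt}"   # same root as the nginx config

# URL the ACME validator will fetch for $1 = domain, $2 = token.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# ACME tokens are base64url; anything else (e.g. "../x") must never
# become a path component of a file we create or delete.
valid_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Place key authorization $3 for token $2 under challenge root $1.
# Prints the created path; certbot hands it to the cleanup hook as
# CERTBOT_AUTH_OUTPUT.
place_challenge() {
    valid_token "$2" || { echo "refusing suspicious token: $2" >&2; return 1; }
    pc_dir="$1/.well-known/acme-challenge"
    if [ -n "$CHALLENGE_HOST" ]; then
        # Remote: the public host, which still owns the DNS record.
        printf '%s' "$3" | ssh "$CHALLENGE_HOST" "mkdir -p '$pc_dir' && cat > '$pc_dir/$2'"
    else
        mkdir -p "$pc_dir"
        printf '%s' "$3" > "$pc_dir/$2"
    fi
    printf '%s\n' "$pc_dir/$2"
}

# Delete the file created by place_challenge ($1 = its path). Only paths
# inside an acme-challenge directory with a well-formed token name are
# accepted, so a tampered CERTBOT_AUTH_OUTPUT cannot remove anything else.
remove_challenge() {
    case "$1" in
        */.well-known/acme-challenge/*) ;;
        *) echo "refusing to remove $1" >&2; return 1 ;;
    esac
    valid_token "$(basename "$1")" || { echo "refusing to remove $1" >&2; return 1; }
    if [ -n "$CHALLENGE_HOST" ]; then
        ssh "$CHALLENGE_HOST" "rm -f '$1'"
    else
        rm -f "$1"
    fi
}

# Dispatch on the sub-command certbot was configured with.
case "${1:-}" in
    auth)
        echo "serving $(challenge_url "$CERTBOT_DOMAIN" "$CERTBOT_TOKEN")" >&2
        place_challenge "$CHALLENGE_ROOT" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION"
        ;;
    cleanup)
        remove_challenge "$CERTBOT_AUTH_OUTPUT"
        ;;
esac
```

With CHALLENGE_HOST unset you can run it in the VM first and curl the printed URL against your own nginx to confirm the location block serves the file as text/plain; with CHALLENGE_HOST pointing at the current Louhi host, the same script satisfies the real validation while the certificate itself lands in the VM and is installed by the nginx plugin.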

Awesome, the manual process worked like a charm :) Thanks!

