Issue certificate for A1.xxxx.com via letsencrypt


#1

Hi
If I have purchased a signed certificate for www.xxxx.com and want to issue a certificate for A1.xxxx.com via Let's Encrypt, will this affect my purchased one?

Thanks,
Amna


#2

Hi @amna,

Issuing a Let’s Encrypt certificate for A1.xxxx.com will not affect any other certificates you have issued from Let’s Encrypt, or purchased from another CA, for the www.xxxx.com domain. The only thing to be aware of from the Let’s Encrypt side is our rate limits.

Hope that helps!


#3

In and of themselves, certificates don’t conflict with each other.

However, some CAs choose to punish customers who get certificates from other CAs. You would have to read the fine print in your contract, or ask them, to confirm they won’t do anything shady.


#4

Hi Cpu
Thanks a lot for the quick reply; sorry, another question.
As per the mentioned link, the rate limit is 20 certs per week, right? So if I want to issue these domains (A1.xxxx.com, B1.xxxx.com, C1.xxxx.com, D1.xxxx.com)
via this command (certbot --apache -d A1.xxxx.com -d B1.xxxx.com -d C1.xxxx.com -d D1.xxxx.com), will these be considered one cert or 4 certs? (Note: www.xxxx.com —> purchased from another CA)


#5

One certbot command issues one certificate.

One certificate can include up to 100 names.

If you wanted to create 4 certs, you would have to run 4 commands, like “certbot --apache -d a1.xxxx.com” and “certbot --apache -d b1.xxxx.com” and so forth.


#6

I have tried the below command to create a cert but got the below error:
certbot --apache -d A1.xxxx.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for A1.xxxx.com
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

This vhost already exists and I can access my website, so what’s wrong?

I have also tried the below command, but it did not solve my issue:
certbot --apache -a webroot -w /www/ -d A1.xxxx.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Too many flags setting configurators/installers/authenticators ‘webroot’ -> ‘apache’

Actually I want to create the (cert, key, chain) files, then I will add them to the vhost-ssl.conf file, because my Apache installation is compiled, not a standard installation.

Another question: if my domain is protected by HTTP authentication, how do I pass the username/password in the certbot command?


#7

I’m not sure, but I’m happy to investigate if you can post that virtual host configuration and also the Certbot log from /var/log/letsencrypt.

--apache contradicts -a webroot because --apache is a short version for -a apache -i apache, so --apache -a webroot means -a apache -i apache -a webroot and Certbot doesn’t know which authenticator plugin you want.

You probably want to leave off the --apache option completely if you’re using -a webroot.

Try certbot certonly -a webroot -w /www -d A1.xxxx.com

You can’t; you need to make an exception so that the HTTP authentication doesn’t apply to /.well-known/acme-challenge. That’s the only path that the Let’s Encrypt CA will need to connect to.


#8

Where can I find this path /.well-known/acme-challenge?

And how can I set it in the vhost conf file? Kindly find my vhost conf file:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName A1xxxx.com
    Redirect "/" "https://A1xxxx.com/"
    DocumentRoot /usr/local/A1
    ErrorLog /usr/local/apache/logs/A1.com-error_log
    CustomLog /usr/local/apache/logs/A1-access_log common

    <Proxy *>
        Order Allow,Deny
        Allow from all
        Options -MultiViews
        AuthType Basic
        AuthName "Authentication Required"
        AuthUserFile "/usr/local/A1/htpasswd.users"
        Require valid-user
    </Proxy>

    ProxyPass / http://localhost:5601/
    ProxyPassReverse / http://localhost:5601/
</VirtualHost>

#9

When using webroot and ProxyPass, you will need to alter your ProxyPass to exclude requests to /.well-known/acme-challenge/ from the proxying.

e.g. adding this line before your ProxyPass lines:

ProxyPass "/.well-known/acme-challenge" "!"

In your case, if you added the ProxyPass exclusion line as in the example, you should be able to then use

-a webroot -w /usr/local/A1

as the webroot in schoen’s example.

However, due to:

you may instead need to make this change in the HTTPS VirtualHost, I’m not sure, give it a shot.


#10

I have added the mentioned line in both the SSL vhost and the HTTP vhost, but I faced the below error during the certbot command " certbot certonly -a webroot -w /usr/local/A1/ -d A1.xxxx.com "

[root@admin-server vhosts]# certbot certonly -a webroot -w /usr/local/A1/ -d A1.xxxx.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for A1.xxxx.com
Using the webroot path /usr/local/A1 for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. ils.ibiidi.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://A1.xxxx.com/.well-known/acme-challenge/Xxl1kd57qKMqtWL77rZfyH2DrGpai4LgIreGIU5EUSc: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: A1.xxxx.com
   Type:   unauthorized
   Detail: Invalid response from
   http://A1.xxxx.com/.well-known/acme-challenge/Xxl1kd57qKMqtWL77rZfyH2DrGpai4LgIreGIU5EUSc:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>403 Forbidden</title>
   </head><body>
   <h1>Forbidden</h1>
   <p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

#11

Well, it’s hard to tell not knowing the domain, but an easy test is to create a test file:

mkdir -p /usr/local/A1/.well-known/acme-challenge
echo "Hello" > /usr/local/A1/.well-known/acme-challenge/test.txt

and try to access it directly at http://A1.xxxx.com/.well-known/acme-challenge/test.txt .

If that doesn’t succeed, you’ll need to identify why (mismatched webroots? permissions error in Apache error_log? domain doesn’t point to this server? etc).
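The test-file check above, turned into an added script of my own (it is not part of the thread, nor of certbot). It drops a random token file in the webroot, fetches it over plain HTTP the way the CA does (except that it does not follow redirects, so a redirect shows up as such), checks that the body comes back byte for byte, and maps the HTTP status to the causes that came up in this thread. The domain, webroot and optional base-URL argument are inputs assumed by the example; curl is required.

```shell
#!/bin/sh
# Added pre-flight check for the HTTP-01 challenge path. Not part of certbot.
# Assumes: the domain resolves to this server, the webroot is the DocumentRoot
# of the port-80 vhost (the value given to certbot -w), and curl is installed.
# The optional third argument (base URL) is an assumption of this example.

CHALLENGE_DIR=".well-known/acme-challenge"

# 64 hex characters from the kernel RNG; the token is both file name and body.
make_token() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Map the status the CA would see to the causes discussed in this thread.
diagnose_status() {
    case "$1" in
        200) echo "ok: challenge path served without credentials" ;;
        401) echo "basic auth still covers $CHALLENGE_DIR: exempt it in .htaccess or in the <Proxy>/<Location> Require block" ;;
        403) echo "forbidden: webroot mismatch, filesystem permissions, no 'Require all granted' on the DocumentRoot, or a RewriteRule blocking dot-directories" ;;
        404) echo "not found: -w webroot differs from DocumentRoot, or the request was proxied upstream (add ProxyPass \"/$CHALLENGE_DIR\" \"!\")" ;;
        301|302|307|308) echo "redirect: the CA follows it, so the target vhost (usually HTTPS) needs the same exemptions" ;;
        000) echo "no response: DNS, firewall, or nothing listening on port 80" ;;
        *)   echo "unexpected status $1" ;;
    esac
}

# Usage: acme_precheck A1.xxxx.com /www/A1 [http://base]
# Returns 0 only when the token file is fetched back unchanged with status 200.
acme_precheck() {
    domain="$1"; webroot="$2"; base="${3:-http://$domain}"
    token="$(make_token)"
    dir="$webroot/$CHALLENGE_DIR"
    tmp="$(mktemp)"
    mkdir -p "$dir" || return 2
    printf '%s' "$token" > "$dir/$token"
    # No -L on purpose: a redirect is reported instead of being followed.
    status="$(curl -s -o "$tmp" -w '%{http_code}' --max-time 10 \
        "$base/$CHALLENGE_DIR/$token" 2>/dev/null)" || status="000"
    body="$(cat "$tmp")"
    rm -f "$tmp" "$dir/$token"
    echo "$domain -> $(diagnose_status "$status")"
    [ "$status" = "200" ] && [ "$body" = "$token" ]
}
```

Run it once per vhost before calling certbot, and again after any change to .htaccess or the proxy/auth blocks; because the token file is removed afterwards, the check can be repeated freely. A 401 here is exactly the failure seen later in this thread, and a 403 matches the earlier one.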


#12

Still facing the same error :frowning:
What if I removed .htaccess for a while, created the cert, then set .htaccess again?
Should I repeat the above steps during certificate renewal (I will automate the renewal steps via a cronjob)?


#13

If .htaccess is preventing the request from succeeding, then you should just fix your .htaccess file to not interfere with those requests.

You can try put this at the top of any .htaccess file to avoid it interfering:

RewriteEngine On
RewriteRule ^\.well-known - [L]

#14

After adding the above lines in .htaccess, I am still facing the same error:

[root@admin-server amna]# certbot certonly --webroot -w /www/A1/ -d A1.xxxx.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for iiw.ibiidi.com
Using the webroot path /www/A1 for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. iiw.ibiidi.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://iiw.ibiidi.com/.well-known/acme-challenge/VVn8OgBTekd1KCa7eWBkIsAsRC3xWD3-2RF7jACV_ag: "

401 Unauthorized

Unauthorized</"

IMPORTANT NOTES:

My .htaccess:

RewriteEngine On
RewriteRule ^\.well-known - [L]
AuthType Basic
AuthName “Restricted Content”
AuthUserFile /usr/local/apache/.htpasswd
#AuthUserFile /www/A1/.htpasswd
Require valid-user

My vhost conf file:

<VirtualHost *:80>
    ServerAlias A1.xxxx.com
    ServerName A1.xxxx.com
    DocumentRoot /www/A1
    ErrorLog /usr/local/apache/logs/A1/error.log
    CustomLog /usr/local/apache/logs/A1/acces.log common

    <Directory /www/A1>
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

Also, I have created this path and can access it via the browser:
http://A1.xxxx.com/.well-known/acme-challenge/test.txt


#15

Well, in this case, the basic auth introduced by your .htaccess file (duplicating the basic auth from the Proxy config) is preventing the validation request from succeeding.

You’ll need to exclude the /.well-known/acme-challenge URL from it.

Perhaps

Require valid-user

can become

Require expr %{REQUEST_URI} =~ m#^/.well-known/acme-challenge/.*#
Require valid-user

#16

Thanks _az, the cert has been created successfully.


#17

Now I have tried to issue a second cert for another vhost, but I have faced an unauthorized error.

vhost conf: (this vhost doesn’t have a .htaccess, but I have put the HTTP authentication in the vhost conf file)

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName B1.xxxx.com
    DocumentRoot /usr/local/B1
    ErrorLog /usr/local/apache/logs/B1/B1-error_log
    CustomLog /usr/local/apache/logs/B1/B1-access_log common

    <Proxy *>
        Order Allow,Deny
        Allow from all
        Options -MultiViews
        AuthType Basic
        AuthName "Authentication Required"
        AuthUserFile "/usr/local/B1/htpasswd.users"
        Require expr %{REQUEST_URI} =~ m#^/.well-known/acme-challenge/.*#
        Require valid-user
    </Proxy>

    ProxyPass "/.well-known/acme-challenge" !
    ProxyPass / http://localhost:5601/
    ProxyPassReverse / http://localhost:5601/
</VirtualHost>

#18

Any help? I’d like to know how to solve this error :frowning:


#19

Resolved after adding the below lines to the vhost.conf file.
So the vhost.conf file is:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName B1.xxxx.com
    DocumentRoot /usr/local/B1
    ErrorLog /usr/local/apache/logs/B1/B1.com-error_log
    CustomLog /usr/local/apache/logs/B1/B1-access_log common

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory /usr/local/B1>
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    # Deny every dot-file and dot-directory except .well-known
    RewriteEngine On
    RewriteRule (^|/)\.(?!well-known) - [F]

    <Proxy *>
        Order Allow,Deny
        Allow from all
        Options -MultiViews
        AuthType Basic
        AuthName "Authentication Required"
        AuthUserFile "/usr/local/B1/htpasswd.users"
        Require expr %{REQUEST_URI} =~ m#^/.well-known/acme-challenge/.*#
        Require valid-user
    </Proxy>

    ProxyPass "/.well-known/acme-challenge" "!"
    ProxyPass / http://localhost:5601/
    ProxyPassReverse / http://localhost:5601/
</VirtualHost>
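What made the B1 vhost fail until the <Directory> block was added is that once ProxyPass "!" takes the challenge URL out of the proxy, the request is served from the filesystem, and Apache 2.4 denies filesystem access unless some <Directory> grants it; the <Proxy> exemption never applied to that request. The following is an added example of my own, not a configuration from this thread, that keeps the same effect with fewer moving parts: the port-80 vhost serves only the challenge directory from disk and redirects everything else, so no auth or proxy exemption is needed there, and the HTTPS vhost carries the proxy and the Basic auth. It assumes Apache 2.4 with mod_authz_core, mod_rewrite, mod_proxy and mod_ssl, reuses the paths from the thread, and points at the file names certbot creates by default under /etc/letsencrypt/live/.

```apache
# Added example, not from the thread. Assumes Apache 2.4; paths as in the thread.

<VirtualHost *:80>
    ServerName B1.xxxx.com
    DocumentRoot /usr/local/B1

    # Only the challenge directory is readable from disk on port 80.
    <Directory /usr/local/B1/.well-known/acme-challenge>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Everything except the challenge path goes to HTTPS. The CA would follow
    # the redirect, but excluding the path keeps the HTTPS vhost out of it.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName B1.xxxx.com
    SSLEngine on
    # certbot's default output paths (fullchain.pem includes the intermediate)
    SSLCertificateFile    /etc/letsencrypt/live/B1.xxxx.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/B1.xxxx.com/privkey.pem

    # Basic auth is attached to the proxied application as a whole.
    <Location />
        AuthType Basic
        AuthName "Authentication Required"
        AuthUserFile /usr/local/B1/htpasswd.users
        Require valid-user
    </Location>

    ProxyPass        / http://localhost:5601/
    ProxyPassReverse / http://localhost:5601/
</VirtualHost>
```

With the exemption living permanently in the vhost, nothing has to be toggled at renewal time: `certbot certonly --webroot -w /usr/local/B1 -d B1.xxxx.com` issues, and a cron entry running `certbot renew` (with `--deploy-hook "apachectl graceful"` on certbot versions that have it, so Apache picks up the new files) handles renewals. `certbot renew --dry-run` against the staging environment is the cheap way to confirm the exemption still works after any later change to the vhost.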