Hi
If I have purchased a signed certificate for www.xxxx.com and want to issue a certificate for A1.xxxx.com via Let's Encrypt, will this affect my purchased one?
Thanks,
Amna
Hi @amna,
Issuing a Let's Encrypt certificate for A1.xxxx.com will not affect any other certificates you have issued from Let's Encrypt, or purchased from another CA, for the www.xxxx.com domain. The only thing to be aware of from the Let's Encrypt side are our rate limits.
Hope that helps!
In and of themselves, certificates don't conflict with each other.
However, some CAs choose to punish customers who get certificates from other CAs. You would have to read the fine print in your contract, or ask them, to confirm they won't do anything shady.
Hi cpu,
Thanks a lot for the quick reply; sorry, another question.
As per the mentioned link, the rate limit is 20 certs per week, right? So if I want to issue these domains (A1.xxxx.com, B1.xxxx.com, C1.xxxx.com, D1.xxxx.com) via this command (certbot --apache -d A1.xxxx.com -d B1.xxxx.com -d C1.xxxx.com -d D1.xxxx.com), will these be considered one cert or 4 certs? (Note: www.xxxx.com -> purchased from another CA)
One certbot command issues one certificate.
One certificate can include up to 100 names.
If you wanted to create 4 certs, you would have to run 4 commands, like "certbot --apache -d a1.xxxx.com" and "certbot --apache -d b1.xxxx.com" and so forth.
I have tried the below command to create the cert but got the below error:
certbot --apache -d A1.xxxx.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for A1.xxxx.com
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
This vhost already exists and I can access my website, so what's wrong?
I also tried the below command, but it did not solve my issue:
certbot --apache -a webroot -w /www/ -d A1.xxxx.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Too many flags setting configurators/installers/authenticators 'webroot' -> 'apache'
Actually I want to create the (cert, key, chain) files, then I will add them to the vhost-ssl.conf file, because my Apache installation is compiled from source, not a standard installation.
Another question: if my domain is protected by HTTP authentication, how do I pass the username/password in the certbot command?
I'm not sure, but I'm happy to investigate if you can post that virtual host configuration and also the Certbot log from /var/log/letsencrypt.
--apache contradicts -a webroot because --apache is a short version for -a apache -i apache, so --apache -a webroot means -a apache -i apache -a webroot and Certbot doesn't know which authenticator plugin you want.
You probably want to leave off the --apache option completely if you're using -a webroot.
Try certbot certonly -a webroot -w /www -d A1.xxxx.com
You can't; you need to make an exception so that the HTTP authentication doesn't apply to /.well-known/acme-challenge. That's the only path that the Let's Encrypt CA will need to connect to.
Where can I find this path /.well-known/acme-challenge?
And how can I set it in the vhost conf file? Kindly find my vhost conf file:
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName A1xxxx.com
    Redirect "/" "https://A1xxxx.com/"
    DocumentRoot /usr/local/A1
    ErrorLog /usr/local/apache/logs/A1.com-error_log
    CustomLog /usr/local/apache/logs/A1-access_log common
    <Proxy *>
        Order Allow,Deny
        Allow from all
        Options -MultiViews
        AuthType Basic
        AuthName "Authentication Required"
        AuthUserFile "/usr/local/A1/htpasswd.users"
        Require valid-user
    </Proxy>
    ProxyPass / http://localhost:5601/
    ProxyPassReverse / http://localhost:5601/
</VirtualHost>
When using webroot and ProxyPass, you will need to alter your ProxyPass to exclude requests to /.well-known/acme-challenge/ from the proxying.
e.g. adding this line before your ProxyPass lines:
ProxyPass "/.well-known/acme-challenge" "!"
In your case, if you added the ProxyPass exclusion line as in the example, you should be able to then use -a webroot -w /usr/local/A1 as the webroot in schoen's example.
However, due to:
you may instead need to make this change in the HTTPS VirtualHost, I'm not sure, give it a shot.
I have added the mentioned line in both the SSL vhost and the HTTP vhost, but I faced the below error when running the certbot command "certbot certonly -a webroot -w /usr/local/A1/ -d A1.xxxx.com":
[root@admin-server vhosts]# certbot certonly -a webroot -w /usr/local/A1/ -d A1.xxxx.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for A1.xxxx.com
Using the webroot path /usr/local/A1 for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. ils.ibiidi.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://A1.xxxx.com/.well-known/acme-challenge/Xxl1kd57qKMqtWL77rZfyH2DrGpai4LgIreGIU5EUSc: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p"
IMPORTANT NOTES:
- The following errors were reported by the server:
  Domain: A1.xxxx.com
  Type: unauthorized
  Detail: Invalid response from http://A1.xxxx.com/.well-known/acme-challenge/Xxl1kd57qKMqtWL77rZfyH2DrGpai4LgIreGIU5EUSc: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p"
  To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Well, it's hard to tell not knowing the domain, but an easy test is to create a test file:
echo "Hello" > /usr/local/A1/.well-known/acme-challenge/test.txt
and try to access it directly at http://A1.xxxx.com/.well-known/acme-challenge/test.txt .
If that doesn't succeed, you'll need to identify why (mismatched webroots? permissions error in Apache error_log? domain doesn't point to this server? etc).
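The test-file check in the post above can be scripted so it runs the same way the CA does: write a random token under the webroot, fetch it over plain HTTP at the public hostname, and map the response to the Apache-side cause. The script below is an added example for this thread, not code from Let's Encrypt, Certbot or any poster; the hostname and webroot it takes on the command line are placeholders (A1.xxxx.com and /usr/local/A1 from the thread), and the 401/403/404 hints correspond to the Basic-auth, permissions/.htaccess/ProxyPass and wrong-webroot cases discussed here. Run it as root on the web server, the same user that certbot will run as.

```python
# Added example (not from this thread): pre-flight check for the http-01
# webroot path. It does what the Let's Encrypt validator does, fetch
# http://<host>/.well-known/acme-challenge/<token> over plain HTTP, and
# then explains the usual failure modes: 401 from Basic auth, 403 from
# permissions/.htaccess/ProxyPass, 404 from a mismatched webroot.
# Host names and paths are assumptions for illustration.
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def write_token(webroot, token=None):
    """Create <webroot>/.well-known/acme-challenge/<token> containing the token.

    The file is made world-readable because Apache runs as an unprivileged
    user and must read what certbot (usually root) writes into the webroot.
    """
    token = token or secrets.token_urlsafe(32)
    directory = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(token)
    os.chmod(path, 0o644)
    return token, path


def http_fetch(url, timeout=10):
    """GET url; follow redirects (as the CA does) and return (status, body)
    for 4xx/5xx instead of raising."""
    request = urllib.request.Request(url, headers={"User-Agent": "acme-preflight"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, response.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def diagnose(status, body, token):
    """Map the observed response to a verdict and a hint about the Apache side."""
    if status == 200 and body.strip() == token:
        return "ok", "challenge path is reachable and serves the token"
    if status == 200:
        return "wrong-content", ("200 but the body is not the token: a different vhost, "
                                 "DocumentRoot or proxied backend answers this path")
    if status == 401:
        return "basic-auth", ("401: Basic auth still covers /.well-known/acme-challenge/; "
                              "exempt it (Require expr ... or a RewriteRule) in every vhost "
                              "and .htaccess that applies, including the HTTPS one")
    if status == 403:
        return "forbidden", ("403: Apache refuses to serve the file; check file/directory "
                             "permissions, a Require in <Directory>/.htaccess, or a ProxyPass "
                             "not excluded with ProxyPass \"/.well-known/acme-challenge\" \"!\"")
    if status == 404:
        return "not-found", ("404: token not served; the -w webroot does not match the "
                             "vhost DocumentRoot, or ProxyPass sends the path to a backend")
    if 300 <= status < 400:
        return "redirect", ("redirect not followed by this fetcher; the CA follows it, so "
                            "the target (usually the HTTPS vhost) must also serve the path")
    return "other", f"HTTP {status}: inspect the vhost ErrorLog for this request"


def preflight(host, webroot, fetch=http_fetch, token=None):
    """Write a token, fetch it the way the validator would, always clean up."""
    token, path = write_token(webroot, token)
    try:
        status, body = fetch(f"http://{host}/{CHALLENGE_DIR}/{token}")
        return diagnose(status, body, token)
    finally:
        os.remove(path)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} HOST WEBROOT   (e.g. A1.xxxx.com /usr/local/A1)")
    verdict, hint = preflight(sys.argv[1], sys.argv[2])
    print(f"{verdict}: {hint}")
    sys.exit(0 if verdict == "ok" else 1)
```

The exit status is non-zero on anything but "ok", so the script can be placed in front of the renewal cron job (for example as a `--pre-hook` or a `&&` guard) and stop `certbot renew` from burning a failed-validation attempt against the rate limit when someone later re-enables Basic auth or changes the ProxyPass.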
Still facing the same error.
If I remove the .htaccess for a while, create the cert, and then set the .htaccess again, should I repeat the above steps during certificate renewal (I will automate the renewal steps via a cron job)?
If .htaccess is preventing the request from succeeding, then you should just fix your .htaccess file to not interfere with those requests.
You can try putting this at the top of any .htaccess file to avoid it interfering:
RewriteEngine On
RewriteRule ^.well-known - [L]
After adding the above lines in .htaccess, I am still facing the same error:
[root@admin-server amna]# certbot certonly --webroot -w /www/A1/ -d A1.xxxx.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for iiw.ibiidi.com
Using the webroot path /www/A1 for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. iiw.ibiidi.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://iiw.ibiidi.com/.well-known/acme-challenge/VVn8OgBTekd1KCa7eWBkIsAsRC3xWD3-2RF7jACV_ag: "Unauthorized</"
IMPORTANT NOTES:
- The following errors were reported by the server:
  Domain: A1.xxxx.com
  Type: unauthorized
  Detail: Invalid response from
  http://A1.xxxx.com/.well-known/acme-challenge/VVn8OgBTekd1KCa7eWBkIsAsRC3xWD3-2RF7jACV_ag:
  "Unauthorized</"
  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address.
My .htaccess:
RewriteEngine On
RewriteRule ^.well-known - [L]
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /usr/local/apache/.htpasswd
#AuthUserFile /www/A1/.htpasswd
Require valid-user
My vhost conf file:
<VirtualHost *:80>
    ServerAlias A1.xxxx.com
    ServerName A1.xxxx.com
    DocumentRoot /www/A1
    ErrorLog /usr/local/apache/logs/A1/error.log
    CustomLog /usr/local/apache/logs/A1/acces.log common
    <Directory /www/A1>
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
Also, I have created this path and can access it via the browser:
http://A1.xxxx.com/.well-known/acme-challenge/test.txt
Well, in this case, the basic auth introduced by your .htaccess file (duplicating the basic auth from the Proxy config) is preventing the validation request from succeeding.
You'll need to exclude the /.well-known/acme-challenge URL from it.
Perhaps
Require valid-user
can become
Require expr %{REQUEST_URI} =~ m#^/.well-known/acme-challenge/.*#
Require valid-user
Thanks _az, the cert has been created successfully.
Now I have tried to implement a second cert for another vhost, but I faced an unauthorized error.
vhost conf (this vhost doesn't contain an .htaccess, but I have put HTTP authentication in the vhost conf file):
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName B1.xxxx.com
    DocumentRoot /usr/local/B1
    ErrorLog /usr/local/apache/logs/B1/B1-error_log
    CustomLog /usr/local/apache/logs/B1/B1-access_log common
    <Proxy *>
        Order Allow,Deny
        Allow from all
        Options -MultiViews
        AuthType Basic
        AuthName "Authentication Required"
        AuthUserFile "/usr/local/B1/htpasswd.users"
        Require expr %{REQUEST_URI} =~ m#^/.well-known/acme-challenge/.*#
        Require valid-user
    </Proxy>
    ProxyPass "/.well-known/acme-challenge" !
    ProxyPass / http://localhost:5601/
    ProxyPassReverse / http://localhost:5601/
</VirtualHost>
Any help? I'd like to know how to solve this error.
Resolved after adding the below lines in the vhost.conf file.
So the vhost.conf file is now:
<VirtualHost *:80>
    Options FollowSymLinks AllowOverride None
    ServerAdmin webmaster@localhost
    ServerName B1.xxxx.com
    DocumentRoot /usr/local/B1
    ErrorLog /usr/local/apache/logs/B1/B1.com-error_log
    CustomLog /usr/local/apache/logs/B1/B1-access_log common
    <Directory /usr/local/B1>
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
        RewriteEngine On
        RewriteRule (^|/).(?!well-known) - [F]
    </Directory>
    <Proxy *>
        Order Allow,Deny
        Allow from all
        Options -MultiViews
        AuthType Basic
        AuthName "Authentication Required"
        AuthUserFile "/usr/local/B1/htpasswd.users"
        Require expr %{REQUEST_URI} =~ m#^/.well-known/acme-challenge/.*#
        Require valid-user
    </Proxy>
    ProxyPass "/.well-known/acme-challenge" "!"
    ProxyPass / http://localhost:5601/
    ProxyPassReverse / http://localhost:5601/
</VirtualHost>