Issuing for subdomain tries to issue for main domain as well and fails

My domain is: mail2.takios.de

I ran this command: acme.sh --issue -d mail2.takios.de --standalone --listen-v6 --test

It produced this output:
[Mo 8. Jul 13:26:45 CEST 2019] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Mo 8. Jul 13:26:45 CEST 2019] Standalone mode.
[Mo 8. Jul 13:26:46 CEST 2019] Single domain='mail2.takios.de'
[Mo 8. Jul 13:26:46 CEST 2019] Getting domain auth token for each domain
[Mo 8. Jul 13:26:47 CEST 2019] Getting webroot for domain='mail2.takios.de'
[Mo 8. Jul 13:26:47 CEST 2019] Verifying: mail2.takios.de
[Mo 8. Jul 13:26:47 CEST 2019] Standalone mode server
[Mo 8. Jul 13:26:50 CEST 2019] Pending
[Mo 8. Jul 13:26:53 CEST 2019] Pending
[Mo 8. Jul 13:26:55 CEST 2019] Pending
[Mo 8. Jul 13:26:57 CEST 2019] Pending
[Mo 8. Jul 13:27:00 CEST 2019] Pending
[Mo 8. Jul 13:27:02 CEST 2019] mail2.takios.de:Verify error:Fetching https://takios.de/.well-known/acme-challenge/UwzP8_kX9BfZdDpec9Ya8cA7YOSSiHhTsvuK2t4JFTg: Connection refused

My web server is (include version): acme.sh 2.8.1 (standalone)

The operating system my web server runs on is (include version): openSUSE Leap 15.0

My hosting provider, if applicable, is: None

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): acme.sh 2.8.1

Hello,

I cannot issue a certificate for my domain mail2.takios.de. But it seems that Let’s Encrypt wants to add takios.de to the cert as well, as seen in the challenge: https://acme-staging-v02.api.letsencrypt.org/acme/challenge/v2/1097472/kuyZPQ. Since the server behind takios.de is a different one than mail2.takios.de, this fails. Is it possible to deactivate this behaviour? I don’t need the main domain on my mail certificate.

Greetings
Takios

Hi @Takios

Your configuration is wrong.

No, that’s not the problem.

You have IPv4 and IPv6 addresses ( https://check-your-website.server-daten.de/?q=mail2.takios.de ):

Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout
mail2.takios.de | A | 5.9.116.163 Falkenstein/Bavaria/Germany (DE) - Hetzner Hostname: mail2.takios.de | yes | 1 | 0
| AAAA | 2a01:4f8:162:61a4::15c Bückeburg/Lower Saxony/Germany (DE) - Hetzner | yes | |

And your IPv4 redirects to your main domain:

Domainname | Http-Status | redirect | Sec. | G
http://mail2.takios.de/ 5.9.116.163 | 301 | https://takios.de/ | 0.046 | E
http://mail2.takios.de/ 2a01:4f8:162:61a4::15c | -14 | | 10.027 | T

Your IPv6 has a timeout.

Same with /.well-known/acme-challenge/random-filename:

• http://mail2.takios.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 5.9.116.163 | 301 | https://takios.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.047 | E | Visible Content: Moved Permanently The document has moved here.
• http://mail2.takios.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2a01:4f8:162:61a4::15c | -14 | | 10.030 | T | Timeout - The operation has timed out | Visible Content:

Letsencrypt follows such redirects.

So remove that redirect and fix your IPv6. Normally, Letsencrypt prefers IPv6.

Following redirects doesn’t add the main domain to the certificate.

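The reply above is in effect a per-address probe of the challenge path: fetch http://host/.well-known/acme-challenge/random-token over each A and AAAA address separately, do not follow redirects, and look at whether each address answers, redirects elsewhere, times out or refuses. The following Python script is an added example of that pre-flight check; it is my own code, not acme.sh's and not the check-your-website tool's. Its function names, the 10-second timeout and the TEST-NET addresses in the offline sample are assumptions; the sample in demo() is constructed to reproduce the two results quoted in the reply (IPv4 answers 301 to takios.de, IPv6 never answers) so the classifier runs without network access, and with a hostname argument it probes live.

```python
"""Pre-flight check for an ACME HTTP-01 validation path (added example, not acme.sh code).

For every A and AAAA address of a host, fetch
http://<host>/.well-known/acme-challenge/<random-token> over that one address,
without following redirects, and report what a validator would see: a 200,
a redirect (same host or another host), a timeout, or a refused connection.
The fetch function is injectable so the classifier can run offline against
constructed responses (see demo()).
"""
import http.client
import secrets
import socket
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

ACME_PATH = "/.well-known/acme-challenge/"


@dataclass
class Probe:
    family: str               # "IPv4" or "IPv6"
    address: str
    status: Optional[int]     # HTTP status, or None when no response came back
    location: Optional[str]   # Location header of a 3xx response
    error: Optional[str]      # socket-level failure when status is None


def resolve(host):
    """All (family, address) pairs from the host's A and AAAA records, deduplicated."""
    found = []
    for fam, _, _, _, sockaddr in socket.getaddrinfo(host, 80, type=socket.SOCK_STREAM):
        pair = ("IPv6" if fam == socket.AF_INET6 else "IPv4", sockaddr[0])
        if pair not in found:
            found.append(pair)
    return found


def http_fetch(host, address, path, timeout=10.0):
    """Fetch the path from one literal address, sending the hostname in the Host header.
    Redirects are deliberately not followed: the caller wants to see them."""
    conn = http.client.HTTPConnection(address, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def run_probes(host, path, addresses, fetch=http_fetch):
    """Probe every address, turning socket errors into Probe records instead of exceptions."""
    probes = []
    for family, address in addresses:
        try:
            status, location = fetch(host, address, path)
            probes.append(Probe(family, address, status, location, None))
        except socket.timeout:
            probes.append(Probe(family, address, None, None, "timeout"))
        except ConnectionRefusedError:
            probes.append(Probe(family, address, None, None, "connection refused"))
        except OSError as exc:
            probes.append(Probe(family, address, None, None, str(exc)))
    return probes


def classify(host, probe):
    """Map one probe to (verdict, detail) in validator terms."""
    if probe.status is None:
        return "unreachable", f"{probe.error}; validation over this address cannot succeed"
    if 300 <= probe.status < 400 and probe.location:
        target = (urlsplit(probe.location).hostname or "").lower()
        if target and target != host.lower():
            return "offhost-redirect", (f"{probe.status} to {target}: the validator follows it, "
                                        f"so {target} must serve this host's token")
        return "redirect", f"{probe.status} to {probe.location} (fine only if the target serves the token)"
    if probe.status == 200:
        return "ok", "token path answered on this address"
    return "http-error", f"HTTP {probe.status} on the token path"


# Constructed sample mirroring the thread: the IPv4 address answers with a 301 to the
# main domain, the IPv6 address never answers.  Addresses are the ones quoted in the reply.
SAMPLE_ADDRESSES = [("IPv4", "5.9.116.163"), ("IPv6", "2a01:4f8:162:61a4::15c")]


def sample_fetch(host, address, path):
    """Offline stand-in for http_fetch with the constructed behaviour above."""
    if address == "5.9.116.163":
        return 301, "https://takios.de" + path
    raise socket.timeout("constructed timeout")


def demo():
    """Offline run over the constructed sample; returns [(family, verdict, detail)]."""
    host = "mail2.takios.de"
    path = ACME_PATH + secrets.token_urlsafe(32)
    return [(p.family,) + classify(host, p)
            for p in run_probes(host, path, SAMPLE_ADDRESSES, fetch=sample_fetch)]


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:                      # live check: python3 preflight.py mail2.takios.de
        target = sys.argv[1]
        probes = run_probes(target, ACME_PATH + secrets.token_urlsafe(32), resolve(target))
    else:                                       # no argument: offline demo
        target = "mail2.takios.de"
        probes = run_probes(target, ACME_PATH + "demo", SAMPLE_ADDRESSES, fetch=sample_fetch)
    for p in probes:
        verdict, detail = classify(target, p)
        print(f"{p.family:4} {p.address:24} {verdict:16} {detail}")
```

Run it from a machine outside your own network before acme.sh --issue. An offhost-redirect line means the other host has to serve the token, because the validator follows the redirect; an unreachable line for the AAAA address matters on its own, since, as the reply notes, Let's Encrypt prefers IPv6 when an AAAA record exists, and a firewall that drops port 80 shows up here as a timeout exactly like the one in the thread.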

Thanks for the answer! The configuration itself was not wrong (there’s NAT going on for IPv4…) but there was a firewall that decided to block port 80 to the mailserver. :man_facepalming: I created an allow rule and issuing works again. :slight_smile:

