Letsencrypt activate HTTPS

Hi,

My domain is: conceptys-france.com & hygiene-bucco-dentaire.com (both are under my supervision)

I ran this command: letsencrypt

It produced this output:

root@mail:~# letsencrypt
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: mail.conceptys-france.com
2: subdomainXX.hygiene-bucco-dentaire.com
3: subdomainXX.hygiene-bucco-dentaire.com
4: subdomainXX.hygiene-bucco-dentaire.com
5: subdomainXX.hygiene-bucco-dentaire.com
6: subdomainXX.hygiene-bucco-dentaire.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

My web server is (include version): nginx 1.14
The operating system my web server runs on is (include version): 18.04
My hosting provider, if applicable, is: OVH
I can login to a root shell on my machine : yes
I'm using a control panel to manage my site : no

The version of my client is: certbot is 1.1.0 and letsencrypt is 0.31.0


Ok so basically it worked for all "subdomainXX" but not the "mail.conceptys-france.com".

The "mail.conceptys-france.com" was previously routed to the IP of the server, but now I want them to be independent... not sure what to do on the "letsencrypt" side and on the "root subdomain" side...

1 Like

'letsencrypt' is a very, VERY old name for the certbot client: they are identical except for version. So this is kinda weird to have two versions of the same client installed.

Unfortunately, you haven't shared the actual output of certbot after the selection of the domains.

I don't quite understand you. You mean the mail subdomain is now pointing to a different IP address? Can you run certbot from that other server? That would be the most logical choice I think.

1 Like

> 'letsencrypt' is a very, VERY old name for the certbot client: they are identical except for version. So this is kinda weird to have two versions of the same client installed.

Didn't know that. It's me who installed certbot via package. Had to go on after the last admin left without giving me any indication.

> Unfortunately, you haven't shared the actual output of certbot after the selection of the domains.

You're right, but I think there will be no surprise here on the error it will regenerate:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Attempting to parse the version 1.1.0 renewal configuration file found at /etc/letsencrypt/renewal/hygiene-bucco-dentaire.com.conf with version 0.31.0 of Certbot. This might not work.
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.conceptys-france.com
Using default address 80 for authentication.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. mail.conceptys-france.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://mail.conceptys-france.com/.well-known/acme-challenge/OSSOEe03CB-cWHpnSPgjwmE3bX8cWeJhe1sqFKi3KGo [51.178.85.219]: "<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body>\r\n<center><h1>403 Forbidden</h1></center>\r\n<hr><center>nginx</center>\r\n"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mail.conceptys-france.com
   Type:   unauthorized
   Detail: Invalid response from
   https://mail.conceptys-france.com/.well-known/acme-challenge/OSSOEe03CB-cWHpnSPgjwmE3bX8cWeJhe1sqFKi3KGo
   [51.178.85.219]: "<html>\r\n<head><title>403
   Forbidden</title></head>\r\n<body>\r\n<center><h1>403
   Forbidden</h1></center>\r\n<hr><center>nginx</center>\r\n"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

> I don't quite understand you. You mean the mail subdomain is now pointing to a different IP address? Can you run certbot from that other server? That would be the most logical choice I think.

Yes, I repointed the DNS because I wanted both servers to be independent. And I wanted to see if the Conceptys-france.com has its own SMTP (seems not to be the case).

Certbot-auto was run yesterday on that server already.

What I don't understand is where the parameter "conceptys-france.com" is stored. Probably in a config file, but no idea where exactly...

Certbot takes the domains from the previously issued certificate. See the certbot documentation about modifying the domains of a certificate: https://certbot.eff.org/docs/using.html#changing-a-certificate-s-domains

3 Likes
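
Added example (not part of any post in this thread and not certbot's own code): a Python script that parses the "Failed authorization procedure" line quoted above and turns it into triage hints for the operator. The function name `triage`, the hint labels and the `expected_ip` parameter are assumptions made for illustration; the sample line is copied from the thread with the HTML body shortened.

```python
import re

# Failure line copied from the certbot output in the thread (HTML body shortened).
SAMPLE = ('Failed authorization procedure. mail.conceptys-france.com (http-01): '
          'urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient '
          'authorization :: Invalid response from https://mail.conceptys-france.com/'
          '.well-known/acme-challenge/OSSOEe03CB-cWHpnSPgjwmE3bX8cWeJhe1sqFKi3KGo '
          '[51.178.85.219]: "<html>\\r\\n<head><title>403 Forbidden</title></head>"')

FAIL_RE = re.compile(
    r'(?P<domain>\S+) \((?P<challenge>[a-z-]+-\d+)\): '
    r'urn:ietf:params:acme:error:(?P<error>\w+) :: .*? :: '
    r'Invalid response from (?P<url>\S+) \[(?P<ip>[^\]]+)\]: "(?P<body>.*)"')


def triage(line, expected_ip=None):
    """Parse one certbot failure line; return its fields plus a list of hints.

    expected_ip (hypothetical parameter) is the public address of the host
    certbot runs on; pass it to detect a DNS record pointing somewhere else.
    """
    m = FAIL_RE.search(line)
    if m is None:
        return None
    info = m.groupdict()
    # nginx error pages carry the status code in the <title> element.
    status = re.search(r'<title>(\d{3}) ', info['body'])
    info['status'] = int(status.group(1)) if status else None
    hints = []
    # http-01 validation always starts on port 80; an https:// URL in the
    # error means the validator followed a redirect to the HTTPS vhost.
    if info['challenge'] == 'http-01' and info['url'].startswith('https://'):
        hints.append('redirected-to-https')
    # 401/403: the vhost that answered refuses to serve the challenge path.
    if info['status'] in (401, 403):
        hints.append('access-denied')
    # 404: the answering vhost has no such file, often the wrong server block.
    elif info['status'] == 404:
        hints.append('challenge-file-not-found')
    # The bracketed IP is the address the CA actually contacted.
    if expected_ip and info['ip'] != expected_ip:
        hints.append('dns-points-elsewhere')
    info['hints'] = hints
    return info


if __name__ == '__main__':
    # 192.0.2.10 is a constructed documentation address standing in for this host.
    print(triage(SAMPLE, expected_ip='192.0.2.10'))
```
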