LetsEncrypt Standalone Not Used Correctly - TLS Challenge Instead of HTTP Challenge

Please fill out the fields below so we can help you better.

My domain is: simaj.net

I ran this command: ./letsencrypt-auto certonly --standalone
After installing https://www.digitalocean.com/community/tutorials/how-to-secure-haproxy-with-let-s-encrypt-on-ubuntu-14-04 (though it was on 16.04)

It produced this output:

Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel):blog.simaj.net img.simaj.net cloud.simaj.net icinga.simaj.net
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for blog.simaj.net
tls-sni-01 challenge for img.simaj.net
tls-sni-01 challenge for cloud.simaj.net
tls-sni-01 challenge for icinga.simaj.net
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. blog.simaj.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested db8e66ae1b7a46f8d76a882866bd29ae.4283831be3dbb92098fb4ee5f5472264.acme.invalid from 62.251.42.129:443. Received 1 certificate(s), first certificate had names “*.simaj.net”, cloud.simaj.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested f031f926eb442baf00467a4ba467d105.1b0c58e8dc9a00f77b54546967c90019.acme.invalid from 62.251.42.129:443. Received 1 certificate(s), first certificate had names “*.simaj.net”, icinga.simaj.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 08bfc8e8860d9f427e59f359ebea2e60.9621171cc4aea6895f7308a6fc5e0f7d.acme.invalid from 62.251.42.129:443. Received 1 certificate(s), first certificate had names “*.simaj.net”, img.simaj.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 815f515b9d3e539baf193c6d8c0e9f9d.86d884c6c3110bedf26a49c6b7b0d5ef.acme.invalid from 62.251.42.129:443. Received 1 certificate(s), first certificate had names “*.simaj.net”

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: blog.simaj.net
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    db8e66ae1b7a46f8d76a882866bd29ae.4283831be3dbb92098fb4ee5f5472264.acme.invalid
    from 62.251.42.129:443. Received 1 certificate(s), first
    certificate had names “*.simaj.net”

    Domain: cloud.simaj.net
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    f031f926eb442baf00467a4ba467d105.1b0c58e8dc9a00f77b54546967c90019.acme.invalid
    from 62.251.42.129:443. Received 1 certificate(s), first
    certificate had names “*.simaj.net”

    Domain: icinga.simaj.net
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    08bfc8e8860d9f427e59f359ebea2e60.9621171cc4aea6895f7308a6fc5e0f7d.acme.invalid
    from 62.251.42.129:443. Received 1 certificate(s), first
    certificate had names “*.simaj.net”

    Domain: img.simaj.net
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    815f515b9d3e539baf193c6d8c0e9f9d.86d884c6c3110bedf26a49c6b7b0d5ef.acme.invalid
    from 62.251.42.129:443. Received 1 certificate(s), first
    certificate had names “*.simaj.net”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

My operating system is (include version):
ubuntu 16.04

My web server is (include version):
haproxy

My hosting provider, if applicable, is:
me

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): n/a

Hi,

Seeing this error with standalone suggests that you have an existing web server running that you didn’t shut down. standalone is meant for systems that have no web server running, or where you can shut down the web server temporarily during the certificate validation process.

However, I’m confused that you got this error in this situation rather than another error (about the inability to bind port 443).

The tutorial that you followed is wrong to assume that standalone will always use port 80. In fact, standalone prefers to use port 443 unless you specify otherwise. But if you do have port 80 available and not in use by other software on your server, you can try adding the option --preferred-challenges http-01 to your command line to specify that you would like to use port 80 instead of port 443 to authenticate your control over the domain name.

Thanks @schoen, I’ll try again soon.
My setup is a bit weird, due to being behind a router with port forwarding. I think this can be explained by port 80 ending up at the haproxy server where I want to have the certs, but 443 was still forwarded to my older pound reverse proxy setup…

I guess this might even have gone right if both port 80 and port 443 were forwarded to the new haproxy host.

However, I figure I may need to look a bit more carefully at the setup, as I want to be able to renew the certs without manual interaction…

Cheers

Simon
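
A way to read the failure report in this thread mechanically, as an added example that is not part of the original posts and not Certbot's own code: it parses the tls-sni-01 "Detail" entries and flags an endpoint where every request got the same unrelated certificate, the symptom of port 443 reaching a different TLS server than the standalone listener. The sample text, host names and the 203.0.113.10 address are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the report above; the host names, token
# labels and the 203.0.113.10 address are placeholders, not values from the page.
SAMPLE = """\
Domain: blog.example.org
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge. Requested
0123456789abcdef0123456789abcdef.fedcba9876543210fedcba9876543210.acme.invalid
from 203.0.113.10:443. Received 1 certificate(s), first certificate had names "*.example.org"

Domain: img.example.org
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge. Requested
00112233445566778899aabbccddeeff.ffeeddccbbaa99887766554433221100.acme.invalid
from 203.0.113.10:443. Received 1 certificate(s), first certificate had names "*.example.org"
"""

FAILURE = re.compile(
    r"Domain:\s*(?P<domain>\S+)\s+Type:\s*\S+\s+Detail:\s*Incorrect validation "
    r"certificate for (?P<challenge>[\w-]+) challenge\.\s+Requested\s+(?P<sni>\S+)"
    r"\s+from\s+(?P<endpoint>\S+:\d+)\.\s+Received\s+\d+\s+certificate\(s\),"
    r'\s+first\s+certificate\s+had\s+names\s+["\u201c](?P<names>[^"\u201d]*)'
)

def parse_failures(text):
    """One dict per failed authorization: domain, challenge, sni, endpoint, names."""
    return [dict(m.groupdict(), names=[n.strip() for n in m["names"].split(",")])
            for m in FAILURE.finditer(text)]

def diagnose(text):
    """Group failures by validated endpoint and flag a foreign TLS responder."""
    by_endpoint = defaultdict(list)
    for f in parse_failures(text):
        by_endpoint[f["endpoint"]].append(f)
    findings = {}
    for endpoint, fails in by_endpoint.items():
        served = {tuple(f["names"]) for f in fails}
        # A standalone listener answers each requested *.acme.invalid name with a
        # matching cert; one unrelated cert for all requests means another server.
        foreign = len(served) == 1 and all(f["sni"] not in f["names"] for f in fails)
        findings[endpoint] = {"domains": sorted(f["domain"] for f in fails),
                              "served_names": sorted(set().union(*served)),
                              "other_tls_server": foreign}
    return findings

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

When `other_tls_server` is true, check where the router forwards the reported port and which process is listening there before retrying.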
