Trying to get a new set of certs for my domain, and there's a conflict in how it's verifying, I think…
My server has a couple of domains on it, all running letsencrypt certs. It looks like the verification process here is asking for default 443, and getting the cert from a different domain…
Then I see the couple of accounts on my issuing machine, choose one, and get this:
Failed authorization procedure. www.dead-drop.me (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found 'www.bigmojo.net', dead-drop.me (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found 'www.bigmojo.net'
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.dead-drop.me
Type: unauthorized
Detail: Correct zName not found for TLS SNI challenge. Found
'www.bigmojo.net'
So, not sure, is it not using SNI to check the server? I suppose I could get around this by shutting down bigmojo, or changing the default 443 site… but seems it should be solvable.
If you're doing it on another box then the domains need to be pointing at that server (allowing time for DNS propagation). To do it without disruption you need to either use the DNS challenge, run it on the production server or have the production server proxy requests in /.well-known/acme-challenge/ to the dev server (using http challenge).
Standalone is more for domains that don't have an existing webserver to serve challenge files from; webroot is the best option for existing webservers that aren't Apache on Debian (or derivatives).
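
The proxy option from the reply above, sketched as an added example that is not part of the thread. It assumes the production web server is nginx (the thread does not say what it runs) and uses the placeholder address 192.0.2.10 for the machine running the ACME client in standalone http mode.

```nginx
# Added example, not from the thread. Assumptions: nginx on the production
# server; 192.0.2.10 is a placeholder for the issuing (dev) machine.
server {
    listen 80;
    server_name dead-drop.me www.dead-drop.me;

    # Forward only the http challenge path to the issuing machine.
    # "^~" stops regex locations elsewhere in the config from taking
    # precedence over this prefix match.
    location ^~ /.well-known/acme-challenge/ {
        # No URI part on proxy_pass, so the original request path
        # (including the token) is passed through unchanged.
        proxy_pass http://192.0.2.10:80;
        proxy_set_header Host $host;
    }

    # Everything else on port 80 keeps its existing behaviour; a redirect
    # to HTTPS is shown here as an assumption about the site.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Because the http challenge is requested by hostname on port 80, the matching `server_name` block answers it rather than whichever site is the default on 443.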