More renew problems, multiple secure domains problem


#1

Hi,

Trying to get a new set of certs for my domain, and there's a conflict in how it's verifying, I think…

My server has a couple of domains on it, all running letsencrypt certs; it looks like the verification process here is asking for default 443, and getting the cert from a different domain…

./letsencrypt-auto certonly --standalone --email bill@bigmojo.net -d dead-drop.me -d www.dead-drop.me

Then I see the couple of accounts on my issuing machine, choose one, and get this:

Failed authorization procedure. www.dead-drop.me (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found 'www.bigmojo.net', dead-drop.me (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found 'www.bigmojo.net'

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.dead-drop.me
   Type:   unauthorized
   Detail: Correct zName not found for TLS SNI challenge. Found
   'www.bigmojo.net'

So, not sure, is it not using SNI to check the server? I suppose I could get around this by shutting down bigmojo, or changing the default 443 site… but it seems it should be solvable.
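The error above says the validator connected with SNI set to the requested name and got a certificate for 'www.bigmojo.net' instead. The script below is an added diagnostic, not part of the original post or of the letsencrypt client: it connects to a host with a chosen SNI name (as the validator does), reads the names on the certificate actually presented, and reports whether they cover the expected name. The network function is only run by hand; the sample certificate dict is constructed to mirror the thread's mismatch.

```python
import socket
import ssl
from typing import Iterable

# Constructed sample of what ssl.getpeercert() returns for a host whose
# default 443 vhost serves the bigmojo cert (mirrors the error in the post).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.bigmojo.net"),),),
    "subjectAltName": (("DNS", "www.bigmojo.net"), ("DNS", "bigmojo.net")),
}

def cert_names(cert: dict) -> list[str]:
    """Collect the DNS names a certificate presents: SAN entries plus the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    return names

def name_matches(expected: str, names: Iterable[str]) -> bool:
    """Exact match, or a single-label wildcard (*.example.com) covering the leftmost label."""
    expected = expected.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == expected:
            return True
        if (name.startswith("*.") and expected.count(".") == name.count(".")
                and expected.endswith(name[1:])):
            return True
    return False

def explain(expected: str, cert: dict) -> str:
    """Summarise whether the presented certificate covers the SNI name we asked for."""
    names = cert_names(cert)
    if name_matches(expected, names):
        return f"OK: certificate presented for SNI '{expected}' covers it ({names})"
    return f"MISMATCH: expected '{expected}', found {names}"

def fetch_cert(host: str, sni: str, port: int = 443) -> dict:
    """Handshake with the given SNI name and return the presented certificate.
    Requires network; chain verification stays on (a chain failure is itself a finding),
    only the hostname check is disabled so we can inspect a wrong-name cert."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    print(explain("www.dead-drop.me", SAMPLE_CERT))  # offline demo of the mismatch
```

Running `explain(name, fetch_cert(host, name))` against the live server shows which vhost answers for that SNI name before retrying issuance.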


#2

The standalone runs its own webserver so you normally need to stop your existing one. The webroot method may be more suitable for your case.


#3

I'm not running this on the production server, I'm running it on a dev box, to generate the certs which I'll move to the prod server.

I did stop the web server on the dev box though.

I shouldn't have to take the site down to get a new cert though, surely…


#4

If you're doing it on another box then the domains need to be pointing at that server (allowing time for DNS propagation). To do it without disruption you need to either use the DNS challenge, run it on the production server, or have the production server proxy requests in /.well-known/acme-challenge/ to the dev server (using the http challenge).


#5

Hm,

This is how I got the certs in the first place though; that's what the standalone option is for, isn't it?


#6

Standalone is more for domains that don’t have an existing webserver to serve challenge files from, webroot is the best option for existing webservers that aren’t Apache on Debian (or derivatives).


#7

Yep @monsters_x, standalone is for running without an existing webserver.


#8

Sorry guys, checked my docs and see that I used this:

./letsencrypt-auto certonly -a manual -d dead-drop.me

which still works fine. Success!