Multiple domains from the same IP return zName error


#1

Hi there,

I have used the letsencrypt client to successfully acquire a certificate for one of my domains.

I did this using:
letsencrypt-auto certonly --standalone -d domain1.com -d www.domain1.com

I also have another site hosted on the same server and same public IP. Both have A records defined, to the same public IP.

When I run the same command for domain2:
letsencrypt-auto certonly --standalone -d domain2.com -d www.domain2.com

I get the very popular and confusing error:
The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found 'domain1.com www.domain1.com'

If it could be explained how the Let's Encrypt servers figure out the ‘Correct zName’, that would be cool.

The only thing I can think of is that they store the first domain names used to request certificates, and only allow further requests to use those domain names.

Thanks,
Chris


#2

Original post was edited by the poster to instead run a different command (!). My reply here no longer makes sense.


#3

Hi tialarmex,

The ‘standalone’ plugin loads a simple web server on the host it is run on, and the -d flag is what specifies where it is.

With DNS correctly configured, the remote (Let's Encrypt) server should be able to reach the requesting web server.

As I mentioned in my first comment, I wish to know why Let's Encrypt won’t let two domains request certificates from the same server, as it seems it uses its own way of mapping the requesting IP to an address (possibly just holding the information from the first time a certificate was requested) instead of using DNS.

Also, that is the whole error output.


#4

--webroot uses HTTP-01 (as opposed to TLS-SNI-01, from your error message), and doesn’t spawn a web server, but rather puts verification files in the webroot of a pre-existing web server on your system. Take a look at the documentation for more details.

What you’re describing is --standalone, which is documented here and would spawn a web server and (possibly) use TLS-SNI-01.

I’m not sure why you’re seeing this behaviour: --webroot should never fail with a TLS-SNI-01-specific error message. Can you repeat the process, add -vvvvv to your command and provide the full output and logs from /var/log/letsencrypt?


#5

I apologize … I meant to say the --standalone plugin

I’ll edit my post so it makes more sense


#6

Logs and -vvvvv would probably still help. --standalone in TLS-SNI-01 mode requires that the client is able to bind to port 443 and is terminating SSL. The fact that connecting to the second domain shows a certificate for the first domain indicates that there’s either an existing web server running on port 443 while you’re doing this, or that you’re not on the host that’s terminating SSL (i.e. there’s a CDN, reverse proxy, load balancer, etc. between that host and Let’s Encrypt’s verification server).
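The following is an added example, not code from this thread or from the letsencrypt client, tying together the question in #1 (how the validation server knows the ‘Correct zName’) and the explanation in #6 (what it means when the host answers with domain1's production certificate). In TLS-SNI-01 the client's key authorization is the challenge token, a dot, and the RFC 7638 thumbprint of the account key; Z is the lowercase hex SHA-256 of that string, and the validator resolves the domain, connects to port 443 with SNI Z[0:32].Z[32:64].acme.invalid, and expects a self-signed certificate whose subjectAltName contains that name. If whatever is actually terminating TLS on 443 (an existing web server, or a proxy in front of the host) presents the real domain1 certificate instead, the names the validator finds are 'domain1.com www.domain1.com', which is exactly what the error reports. The JWK, token and openssl output below are constructed samples, not a real key, challenge or capture; `presented_san_names` is the one function that touches the network and is not exercised offline. TLS-SNI-01 has since been retired by Let's Encrypt, so this explains the error rather than documenting current issuance.

```python
"""Added example: derive the TLS-SNI-01 zName and compare it with what a host serves."""
import base64
import hashlib
import json
import re
import subprocess
from typing import Dict, List

ACME_INVALID_SUFFIX = ".acme.invalid"


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME encodes binary values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """token '.' thumbprint(account key): the value every ACME challenge type is built on."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def tls_sni_01_zname(token: str, account_jwk: Dict[str, str]) -> str:
    """Z = hex(SHA-256(keyAuthorization)); zName = Z[0:32] '.' Z[32:64] '.acme.invalid'."""
    z = hashlib.sha256(key_authorization(token, account_jwk).encode("utf-8")).hexdigest()
    return f"{z[:32]}.{z[32:]}{ACME_INVALID_SUFFIX}"


def parse_san_names(openssl_text: str) -> List[str]:
    """Extract the DNS: entries from `openssl x509 -noout -text` output."""
    match = re.search(r"Subject Alternative Name:[^\n]*\n\s*(.+)", openssl_text)
    if not match:
        return []
    return [entry.strip()[len("DNS:"):] for entry in match.group(1).split(",")
            if entry.strip().startswith("DNS:")]


def presented_san_names(host: str, port: int, sni: str) -> List[str]:
    """What the validator sees: connect to host:port with this SNI and read the cert's SANs.
    This is a network call; the offline checks exercise parse_san_names instead."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-servername", sni, "-connect", f"{host}:{port}"],
        input=b"", capture_output=True, timeout=15, check=False)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-text"],
                          input=s_client.stdout, capture_output=True, check=False)
    return parse_san_names(x509.stdout.decode("utf-8", "replace"))


def diagnose(expected_zname: str, found: List[str]) -> str:
    """Reproduce the validator's decision and say what a production-name answer implies."""
    if expected_zname in found:
        return "ok: the standalone challenge certificate is being served"
    if not found:
        return "mismatch: nothing on port 443 answered with a certificate"
    return ("mismatch: Correct zName not found; found '" + " ".join(found) + "'. "
            "Another TLS endpoint (existing web server or reverse proxy/CDN) is answering "
            "port 443 for this IP, so the standalone client never sees the validator.")


# Constructed sample data: not a real account key, challenge token or capture.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_OPENSSL_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:domain1.com, DNS:www.domain1.com
            X509v3 Basic Constraints: critical
                CA:FALSE
"""

if __name__ == "__main__":
    zname = tls_sni_01_zname(SAMPLE_TOKEN, SAMPLE_JWK)
    print("validator will send SNI:", zname)
    print(diagnose(zname, parse_san_names(SAMPLE_OPENSSL_TEXT)))
```

To reproduce the validator's view from outside, call `presented_san_names("203.0.113.10", 443, "domain2.com")` (address as a placeholder) from a host that is not behind the proxy: if the returned list is domain1's names rather than a *.acme.invalid name, the standalone client is not the process terminating TLS for that IP, which is the situation post #6 describes and post #7 confirms.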


#7

Oooooo … Forgot this one was behind a proxy …

Sorted it now (Ran it on the proxy server) :thumbsup:

Thanks
