Multiple Virtual SSL Hosts on one IP Route 53

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: vellitas.com

I ran this command: sudo certbot --apache -d vellitas.com -d www.vellitas.com

It produced this output:
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.vellitas.com
Waiting for verification…
Challenge failed for domain www.vellitas.com
http-01 challenge for www.vellitas.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:

My web server is (include version): httpd-2.4.41-1.amzn2.0.1.x86_64

The operating system my web server runs on is (include version): Amazon Linux release 2 (Karoo)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.0.0

I have two domains that I want to run on 1 IP address using Amazon Linux 2 with Apache 2.4.41-1. I am using Route 53. I can get waylandchiles.com to work successfully with Certbot. I get the above error when working with vellitas.com. I have looked at the A record in Route 53 for vellitas.com and it looks to be set up properly. The A record is using the same IP address for both vellitas.com and waylandchiles.com.


It seems that the nameservers you have pointed your domain to, are not the same ones that Route53 is telling you to use.

According to your domain registration, you have pointed the domain to:

ns-1056.awsdns-04.org
ns-1981.awsdns-55.co.uk
ns-259.awsdns-32.com
ns-743.awsdns-28.net

However, according to Route53, these are the nameservers you should have set:

ns-1120.awsdns-12.org.
ns-1627.awsdns-11.co.uk.
ns-502.awsdns-62.com.
ns-592.awsdns-10.net.

I suspect that, even though it appears to work on the surface, the mismatch is causing Let’s Encrypt’s DNS resolvers to fail the lookup.

waylandchiles.com, which you report as not having any problems, has its nameservers correctly configured. Each Route53 domain is assigned to a different set of nameservers - don’t just copy paste the same ones for each domain.

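The check the reply describes, as an added example (not code from the thread or from Route 53): compare the nameservers the registrar delegates the domain to with the nameservers Route 53 assigned to the hosted zone, after normalising case and the trailing dot that the Route 53 list carries. The two lists are constructed from the values quoted in the reply; the `dig` and `aws route53` commands in the docstring are the usual ways to obtain them for a real domain and are an assumption about the reader's tooling, not part of the original post.

```python
"""Compare a domain's delegation (registrar/parent zone) with the nameservers
of its Route 53 hosted zone.

Added example; not from the original thread. The two lists below are
constructed from the values quoted in the reply above. For a real domain
you would obtain them with, for example:
    dig +short NS vellitas.com @a.gtld-servers.net     # parent-side delegation
    aws route53 get-hosted-zone --id <HOSTED_ZONE_ID>  # DelegationSet.NameServers
"""

# Constructed sample input: what the registrar reported (no trailing dots)
REGISTRAR_NS = [
    "ns-1056.awsdns-04.org",
    "ns-1981.awsdns-55.co.uk",
    "ns-259.awsdns-32.com",
    "ns-743.awsdns-28.net",
]

# Constructed sample input: what the Route 53 hosted zone lists (trailing dots)
ROUTE53_NS = [
    "ns-1120.awsdns-12.org.",
    "ns-1627.awsdns-11.co.uk.",
    "ns-502.awsdns-62.com.",
    "ns-592.awsdns-10.net.",
]


def normalize(name: str) -> str:
    """Canonical form for comparing hostnames: lowercase, no surrounding
    whitespace, no trailing dot. DNS names are case-insensitive, and the
    Route 53 console prints them as FQDNs with a trailing dot, so a naive
    string comparison would report every correctly delegated domain as wrong."""
    return name.strip().lower().rstrip(".")


def compare_delegation(registrar_ns, hosted_zone_ns) -> dict:
    """Return the differences between the delegation and the hosted zone.

    'missing' = servers Route 53 expects but the registrar does not point to;
    'stale'   = servers the registrar points to that are not in the hosted zone.
    A non-empty 'stale' set means resolvers are being sent to servers that do
    not serve this zone, which is exactly the condition that makes the
    http-01 lookup fail while the site may still appear to work.
    """
    reg = {normalize(n) for n in registrar_ns}
    hz = {normalize(n) for n in hosted_zone_ns}
    return {
        "ok": reg == hz,
        "missing": sorted(hz - reg),
        "stale": sorted(reg - hz),
    }


def report(domain: str, registrar_ns, hosted_zone_ns) -> str:
    """Human-readable summary of compare_delegation() for one domain."""
    r = compare_delegation(registrar_ns, hosted_zone_ns)
    if r["ok"]:
        return f"{domain}: delegation matches the Route 53 hosted zone"
    lines = [f"{domain}: delegation MISMATCH"]
    for n in r["stale"]:
        lines.append(f"  registrar points to {n}, which is not in the hosted zone")
    for n in r["missing"]:
        lines.append(f"  hosted zone expects {n}, which the registrar does not list")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("vellitas.com", REGISTRAR_NS, ROUTE53_NS))
```

Run it for each domain on the host; a domain that prints `delegation matches` is configured the way waylandchiles.com was, while any `stale` entries are the registrar-side records to replace with the hosted zone's own set before retrying certbot.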
