Newbie problem generating cert


#1

Hello,

I got into the beta and got a confirmation that my whitelisted domains are:

But when I run:
./letsencrypt-auto certonly

I get the following response:

"""
Failed authorization procedure.
www.addsapp.se (tls-sni-01): urn:acme:error:unauthorized :: The
client lacks sufficient authorization :: Correct zName not found for TLS
SNI challenge. Found '', addsapp.se (tls-sni-01):
urn:acme:error:unauthorized :: The client lacks sufficient authorization
:: Correct zName not found for TLS SNI challenge. Found ''
IMPORTANT NOTES:

  • If you lose your account credentials, you can recover through
    e-mails sent to
    pere5@kth.se.
  • The following errors were reported by the server:
    Domain:
    www.addsapp.se
    Type: unauthorized
    Detail: Correct zName not found for TLS SNI challenge. Found ''
    Domain: addsapp.se
    Type: unauthorized
    Detail: Correct zName not found for TLS SNI challenge. Found ''
    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.
  • Your account credentials have been saved in your Let’s Encrypt
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Let’s
    Encrypt so making regular backups of this folder is ideal.
    """

What am I supposed to do to fix this?


#2

I believe this is caused by the TLS server which is serving a certificate for www.addsapp.com. The certificate has no subjectAltNames so the requested domain name won’t match. You need to add www.addsapp.se to the subjectAltNames list.

Or use e.g. the webroot method for authentication instead.


#3

I updated my self-signed cert (with my server URL stated below) to include subjectAltNames. But I still get an error:

./letsencrypt-auto certonly --standalone -d "www.addsapp.com"
Checking for new version…
Requesting root privileges to run letsencrypt…
sudo /Users/pere5/.local/share/letsencrypt/bin/letsencrypt certonly --standalone -d www.addsapp.com
Password:
Failed authorization procedure. www.addsapp.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found 'www.addsapp.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: "www.addsapp.com"
    Type: unauthorized
    Detail: Correct zName not found for TLS SNI challenge. Found
    www.addsapp.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.


#4

The command should be

./letsencrypt-auto certonly --standalone -d www.addsapp.com

not

./letsencrypt-auto certonly --standalone -d "www.addsapp.com


#5

Also, with standalone, the LE client will serve as server… And it would be very strange if the official client produces this error. So it looks to me like something else is listening on port 443 instead of the LE client… Perhaps you’re running the client on another machine?


#6

Yes, you may have an easier time using the webroot authenticator if you have an existing running webserver.


#7

The problem here is that I have no good step-by-step manual on how to do this. I have a production server which I want to have a certified certificate. How do I do this? I have tried every combination of commands I could find, but they all give different errors. I truly feel like there are things that are implicitly understood that every server admin here takes for granted, but that are not explained for newbies!

Do you have a step-by-step manual lying around somewhere?

For example, nowhere does it say that you need your own certificate and server to start the process; that is implicitly understood! I’m not even sure that that is correct. What is step one in this process!?

Also, I didn’t have quotation marks around “www.addsapp.com”, that was only because this forum only allows two links per post for some reason.


#8

You don’t need your own certificate and you don’t need a web server already running.

But when there’s already a web server running, which appears to be the case, it’s probably easiest to use the webroot method. http://letsencrypt.readthedocs.org/en/latest/using.html#webroot

./letsencrypt-auto certonly --webroot -w /var/www/addsapp.com/ -d www.addsapp.com -d addsapp.com

Obviously replace /var/www/addsapp.com with the root directory for your domain. And that should be the only command needed. When successful, add the certificate to your web server configuration.


#9

I’m running a Spring Boot Tomcat JAR as my webserver, so --webroot doesn’t seem to be applicable in my case (since I can’t simply add support for /.well-known/… and map that to a directory). But here is an implicit detail I found:

http://letsencrypt.readthedocs.org/en/latest/using.html#manual “If you’d like to obtain a cert running letsencrypt on a machine other than your target webserver[…]”

It wasn’t obvious that I need to run my ./letsencrypt-auto … commands on my actual production server. I’ve been running things on my local machine. Is that the problem? (Can’t validate until I get home tonight)


#10

It’s not fully necessary to run the client on the actual production server. It depends on the chosen authenticator:

  • The apache/nginx authenticator obviously needs Apache or nginx respectively, so it should run on the actual production server;
  • The webroot authenticator needs access to the webroot(s) of the specified domains. This doesn’t have to be the actual production server: if you’ve got your webroot mapped through, for example, an NFS drive connected via a VPN on your local machine (or SSHFS, or insert other encrypted remote file system), so you can reach your webroot from there, all should be fine. Obviously, the issued certificate will end up on your local machine… But your server needs it… So this should only be used (in my opinion) if you can’t run the client on the actual server;
  • The standalone plugin should be run on the actual production server, as it functions as a temporary server on port 80 or 443 itself… You might run the standalone plugin somewhere else if you, for example, proxy every request for /.well-known/acme-challenge/* to the host running the client… Not the most frequently encountered setup I think;
  • The manual plugin can be used from any host of your choosing: it’s all up to the user to, somehow, manually put the requested token in the requested filename under the /.well-known/acme-challenge/ directory in the requested webroot. So it doesn’t matter if you’re using FTP(S), morse code, or whatever: as long as the challenge is in the right place at the right time (I think there’s a timeout…), you’re fine…
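Posts #8 to #10 describe what the webroot and manual methods need from the web server without spelling out the exchange: for the http-01 challenge the CA fetches http://<domain>/.well-known/acme-challenge/<token> over plain HTTP and must get back the key authorization, which is the token, a dot, and the RFC 7638 thumbprint of the ACME account key. The block below is an added example written for this page, not the Let’s Encrypt client’s code and not anything posted in the thread. It models that exchange end to end: the file the webroot plugin writes (or that you place yourself with --manual), a minimal responder that serves only that one directory (the kind of small sidecar someone running a Spring Boot JAR could bind to port 80 instead of teaching the application about /.well-known/), and the GET the CA’s validator performs. The token, the account key and the temporary webroot are constructed; the tls-sni-01 failure the thread actually hit was on port 443 and is a different challenge type.

```python
"""Constructed model of the webroot / manual step (http-01); not the Let's Encrypt client's code."""
import base64, hashlib, http.server, json, os, re
import tempfile, threading, urllib.error, urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# ACME tokens are unpadded base64url; anything else (e.g. "../") is rejected,
# so a token can never name a file outside the challenge directory.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over canonical JSON (sorted keys, no whitespace) of the
    required public members only; extras such as 'kid' or 'alg' do not count."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the CA reads back: <token>.<thumbprint of the ACME account key>."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError(f"token is not base64url: {token!r}")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def place_challenge(webroot: str, token: str, account_jwk: dict) -> str:
    """What the webroot plugin (or you, with --manual) does: write the file."""
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, account_jwk))
    return path


class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Answers GET /.well-known/acme-challenge/<token> and nothing else."""
    webroot = "."  # replaced per server by start_responder()

    def do_GET(self):
        token = self.path[len(CHALLENGE_PREFIX):] if self.path.startswith(CHALLENGE_PREFIX) else ""
        if not TOKEN_RE.fullmatch(token):  # wrong prefix, "../", query string: all 404
            return self._reply(404, b"not found")
        try:
            with open(os.path.join(self.webroot, ".well-known", "acme-challenge", token), "rb") as fh:
                return self._reply(200, fh.read())
        except FileNotFoundError:
            return self._reply(404, b"not found")

    def _reply(self, status: int, body: bytes):
        self.send_response(status)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output clean
        pass


def start_responder(webroot: str, host: str = "127.0.0.1", port: int = 0):
    """Serve in the background; port 0 picks a free port, a real deployment needs 80."""
    handler = type("BoundHandler", (ChallengeHandler,), {"webroot": webroot})
    server = http.server.ThreadingHTTPServer((host, port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(url: str) -> tuple:
    """Plain GET, as the CA's validator does it; returns (status, body)."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode("ascii")
    except urllib.error.HTTPError as err:
        return err.code, ""


def demo() -> dict:
    """End-to-end run in a temporary webroot with a constructed token and account key."""
    account_jwk = {"kty": "RSA", "e": "AQAB", "n": "constructed-not-a-real-modulus", "kid": "acct-1"}
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed, not a real token
    webroot = tempfile.mkdtemp(prefix="webroot-")
    place_challenge(webroot, token, account_jwk)
    server = start_responder(webroot)
    base = f"http://127.0.0.1:{server.server_address[1]}"
    result = {
        "key_authorization": key_authorization(token, account_jwk),
        "challenge": fetch(base + CHALLENGE_PREFIX + token),
        "traversal": fetch(base + CHALLENGE_PREFIX + "../../etc/passwd"),
        "other_path": fetch(base + "/index.html"),
    }
    server.shutdown()
    server.server_close()
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two things worth taking from it: the content the CA checks is bound to your account key, so a file copied from a different account or a stale run fails validation even though the token in the filename is right; and the responder treats the token as an opaque base64url string, which is what stops a request for ../../etc/passwd from ever reaching the filesystem. Whatever actually serves port 80 for the domain (the application itself, a reverse proxy rule, or a sidecar like this one) has to do the same two things.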

#11

I did it!! Thank you @Osiris for the response! I knew I was being truly noobish. But each step wasn’t clear to me. I used ./letsencrypt-auto certonly --standalone on my prod server. The final problem I had was that I had iptables redirects from 80 and 443 to other ports on prod. I removed them and now I have my certs:

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/www.addsapp.com/fullchain.pem. Your cert will
    expire on 2016-06-01. To obtain a new version of the certificate in
    the future, simply run Let’s Encrypt again.

  • If you like Let’s Encrypt, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le
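Post #11 names the actual blocker: iptables rules redirecting 80 and 443 to the application’s ports, so whatever the CA reached on 443 was the Spring Boot app and not the standalone listener, which is exactly the "Found ''" symptom from #1 and the suspicion in #5. The block below is an added example for this page, not part of the Let’s Encrypt client, of the pre-flight check to run on the production host before `letsencrypt-auto certonly --standalone`: it parses `iptables -t nat -S PREROUTING` for REDIRECT/DNAT rules on 80 or 443 and `ss -Hltnp` for sockets already bound there, and emits the exact `-D` commands to lift the redirects and the `-A` commands to put them back. Only PREROUTING is inspected because OUTPUT-chain redirects affect locally generated traffic, not the CA’s inbound connection. The `SAMPLE_NAT` and `SAMPLE_SS` strings are constructed to mirror the thread’s setup; the command output formats are those of iptables and iproute2, and both tools need root to show everything.

```python
"""Constructed pre-flight for `letsencrypt-auto certonly --standalone`; not part of the client."""
import re
import subprocess

ACME_PORTS = {80, 443}
# A rule line as printed by `iptables -t nat -S PREROUTING` (one rule per line), e.g.
#   -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
RULE_RE = re.compile(r"--dport (\d+)\b.*-j (REDIRECT|DNAT)\b")

# Constructed sample output modelled on post #11: the app listens on 8080/8443 and NAT
# rules pull 80/443 over to it, so the standalone listener never sees the CA.
SAMPLE_NAT = """\
-P PREROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -p tcp -m tcp --dport 2222 -j REDIRECT --to-ports 22
"""
SAMPLE_SS = """\
LISTEN 0 100 *:8080 *:* users:(("java",pid=4242,fd=17))
LISTEN 0 100 *:8443 *:* users:(("java",pid=4242,fd=18))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=811,fd=3))
"""


def diverting_rules(nat_rules: str, ports=ACME_PORTS) -> list:
    """NAT rules that send inbound 80/443 somewhere other than the local listener."""
    hits = []
    for line in nat_rules.splitlines():
        m = RULE_RE.search(line)
        if m and int(m.group(1)) in ports:
            hits.append(line.strip())
    return hits


def delete_commands(rules) -> list:
    """Each saved `-A ...` line, replayed with `-D`, removes exactly that rule."""
    return ["iptables -t nat -D " + r[len("-A "):] for r in rules if r.startswith("-A ")]


def restore_commands(rules) -> list:
    """Replaying the saved `-A` lines afterwards puts the redirects back in order."""
    return ["iptables -t nat " + r for r in rules]


def listeners(ss_output: str, ports=ACME_PORTS) -> dict:
    """port -> process column for sockets already bound on 80/443 (`ss -Hltnp` output)."""
    found = {}
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4:
            continue
        try:
            port = int(cols[3].rsplit(":", 1)[-1])  # 0.0.0.0:443, [::]:443, *:443
        except ValueError:
            continue  # header line or unexpected format
        if port in ports:
            found[port] = " ".join(cols[5:]) or "(no process info; run ss as root)"
    return found


def preflight(nat_rules: str, ss_output: str) -> dict:
    """Everything that would answer the CA instead of the standalone client."""
    rules = diverting_rules(nat_rules)
    busy = listeners(ss_output)
    return {
        "busy_ports": busy,
        "diverting_rules": rules,
        "to_remove": delete_commands(rules),
        "to_restore": restore_commands(rules),
        "ok": not rules and not busy,
    }


def _run(cmd) -> str:
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""  # tool not installed on this host


if __name__ == "__main__":
    report = preflight(_run(["iptables", "-t", "nat", "-S", "PREROUTING"]), _run(["ss", "-Hltnp"]))
    if report["ok"]:
        print("80/443 are free and not redirected: standalone can answer the CA")
    for port, proc in report["busy_ports"].items():
        print(f"port {port} already taken by {proc}; stop it or use --webroot instead")
    for cmd in report["to_remove"]:
        print("before issuing:", cmd)
    for cmd in report["to_restore"]:
        print("after issuing: ", cmd)
```

Lifting the redirects takes the application off 80/443 for as long as the client runs, and the certificate will need the same dance at every renewal, so the `to_restore` lines are as important as the `to_remove` ones; if that window is not acceptable, the webroot method from #8, or a reverse proxy that forwards only /.well-known/acme-challenge/ to the client as #10 suggests, avoids touching the firewall at all.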