jmorahan, that was in January, surely fixed by now.
Trying this in certonly mode. Huh? âPage Not Foundâ? mail.quantum-equities.com wouldnât have a webroot. But I need it in the SAM.
certbot certonly -d quantum-equities.com,www.quantum-equities.com,mail.quantum-equities.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apachectl configtest.
AH00526: Syntax error on line 13 of /etc/httpd/conf.d/bills-vhosts.conf:
SSLCertificateFile: file â/etc/pki/tls/certs/quantum-equities.com.crtâ does not exist or is empty
How would you like to authenticate with the ACME CA?
1: Apache Web Server plugin - Beta (apache) [Misconfigured]
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
Select the appropriate number [1-3] then [enter] (press âcâ to cancel): 3
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for quantum-equities.com
http-01 challenge for www.quantum-equities.com
http-01 challenge for mail.quantum-equities.com
Select the webroot for quantum-equities.com:
1: Enter a new webroot
Press 1 [enter] to confirm the selection (press âcâ to cancel): 1
Input the webroot for quantum-equities.com: (Enter âcâ to cancel): /srv/QE
Select the webroot for www.quantum-equities.com:
1: Enter a new webroot
2: /srv/QE
Select the appropriate number [1-2] then [enter] (press âcâ to cancel): 2
Select the webroot for mail.quantum-equities.com:
1: Enter a new webroot
2: /srv/QE
Select the appropriate number [1-2] then [enter] (press âcâ to cancel): 2
Waiting for verificationâŚ
Cleaning up challenges
Failed authorization procedure. mail.quantum-equities.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.quantum-equities.com/.well-known/acme-challenge/DTaUuTuAPm9H-pbL5pnx-8M0SrKfdZXySksdgVxTk9M: "
IMPORTANT NOTES:
-
The following errors were reported by the server:
Domain: mail.quantum-equities.com
Page Not Found - Quantum Equities, LLC</tit"
Type: unauthorized
Detail: Invalid response from
http://mail.quantum-equities.com/.well-known/acme-challenge/DTaUuTuAPm9H-pbL5pnx-8M0SrKfdZXySksdgVxTk9M:
"Domain: www.quantum-equities.com
Page Not Found - Quantum Equities, LLC</tit"
Type: unauthorized
Detail: Invalid response from
http://www.quantum-equities.com/.well-known/acme-challenge/kL9N2LlfdvbIGk7hdqz3M_m5XnkdwPNoQCr3AlV2zjk:
"Domain: quantum-equities.com
Page Not Found - Quantum Equities, LLC</tit"
Type: unauthorized
Detail: Invalid response from
http://quantum-equities.com/.well-known/acme-challenge/qRu75ddAPyfcHML5QyXxsz9hEP23Va3ye0OTc7_1qfo:
"To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Ok now I think Iâm down to it. I donât have an initial cert, so I have to use certonly. certbot trips over itself for options 1 and 3 (Apache Web Server plugin - Beta (apache) [Misconfigured] and Place files in webroot directory [webroot] resp), so it has to be Option 2 (Spin up a temporary webserver [standalone]). But FIRST stop Apache.
certbot certonly -d quantum-equities.com,www.quantum-equitiesDOTcom,mail.quantum-equities.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apachectl configtest.
AH00526: Syntax error on line 13 of /etc/httpd/conf.d/bills-vhosts.conf:
SSLCertificateFile: file â/etc/pki/tls/certs/quantum-equitiesDOTcom.crtâ does not exist or is empty
How would you like to authenticate with the ACME CA?
1: Apache Web Server plugin - Beta (apache) [Misconfigured]
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
Select the appropriate number [1-3] then [enter] (press âcâ to cancel): 2
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencryptDOTorg
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for quantum-equitiesDOTcom
tls-sni-01 challenge for www.quantum-equitiesDOTcom
tls-sni-01 challenge for mail.quantum-equitiesDOTcom
Waiting for verificationâŚ
Cleaning up challenges
Failed authorization procedure. www.quantum-equitiesDOTcom (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 0ef3bdd4580190baea718874d38caf60.8466075aed7b53b8b715e57d0a8a02d7.acme.invalid from 199.127.58.3:443. Received 1 certificate(s), first certificate had names âctcouponDOTcom, mail.ctcouponDOTcom, www.ctcouponDOTcomâ, quantum-equitiesDOTcom (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested d6083418882a3288b96e8023c8c23f51.14882649067a53ec8a92c89346502c43.acme.invalid from 199.127.58.3:443. Received 1 certificate(s), first certificate had names âctcoupon.com, mail.ctcoupon.com, www.ctcoupon.comâ, mail.quantum-equities.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 06145c4fbe44719f606dc9f48aa6fe4d.188bb0357db557a2c0f865ca03752e96.acme.invalid from 199.127.58.3:443. Received 1 certificate(s), first certificate had names âctcoupon.com, mail.ctcoupon.com, www.ctcoupon.comâ
IMPORTANT NOTES:
-
The following errors were reported by the server:
Domain: www.quantum-equities.com
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
0ef3bdd4580190baea718874d38caf60.8466075aed7b53b8b715e57d0a8a02d7.acme.invalid
from 199.127.58.3:443. Received 1 certificate(s), first certificate
had names âctcoupon.com, mail.ctcoupon.com, www.ctcoupon.comâDomain: quantum-equitiesDOTcom
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
d6083418882a3288b96e8023c8c
Domain: quantum-equitiesDOTcom
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
d6083418882a3288b96e8023c8c23f51.14882649067a53ec8a92c89346502c43.acme.invalid
from 199.127.58.3:443. Received 1 certificate(s), first certificate
had names âctcouponDOTcom, mail.ctcouponDOTcom, www.ctcouponDOTcomâDomain: mail.quantum-equitiesDOTcom
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
06145c4fbe44719f606dc9f48aa6fe4d.188bb0357db557a2c0f865ca03752e96.acme.invalid
from 199.127.58.3:443. Received 1 certificate(s), first certificate
had names âctcouponDOTcom, mail.ctcouponDOTcom, www.ctcouponDOTcomâTo fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.23f51.14882649067a53ec8a92c89346502c43.acme.invalid
from 199.127.58.3:443. Received 1 certificate(s), first certificate
had names âctcoupon.com, mail.ctcoupon.com, www.ctcoupon.comâDomain: mail.quantum-equitiesDOTcom
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
06145c4fbe44719f606dc9f48aa6fe4d.188bb0357db557a2c0f865ca03752e96.acme.invalid
from 199.127.58.3:443. Received 1 certificate(s), first certificate
had names âctcoupon.com, mail.ctcoupon.com, www.ctcouponDOTcomâTo fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
This seems alot like my registrar is returning a âctcouponâ domain response to the cert query. This wouldnât surprise me as they are a mess. But Iâve been waiting a week to get transferred away from them, and they are just not releasing me.
What can I do?
Hmm.
It looks like your host is directing traffic to their different customers based on TLS SNI information. If thatâs true then the TLS-SNI-01 challenge (used by the --apache
plugin, and the default for --standalone
) wonât work. You can tell the --standalone
plugin to use a different challenge by specifying --preferred-challenges http
so that might be worth a try.
The webroot method might also work if you fix your Apache configuration first (by commenting out the broken SSL directives again). You would need to add a VirtualHost with a DocumentRoot for the mail subdomain (or add it as a ServerAlias to one of the existing ones).
First attempt:
mail.quantum-equities.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apachectl configtest.
AH00526: Syntax error on line 14 of /etc/httpd/conf.d/bills-vhosts.conf:
SSLCertificateFile: file â/etc/pki/tls/certs/quantum-equities.com.crtâ does not exist or is empty
How would you like to authenticate with the ACME CA?
1: Apache Web Server plugin - Beta (apache) [Misconfigured]
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
Select the appropriate number [1-3] then [enter] (press âcâ to cancel): 2
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for quantum-equities.com
http-01 challenge for www.quantum-equities.com
http-01 challenge for mail.quantum-equities.com
Waiting for verificationâŚ
Cleaning up challenges
Failed authorization procedure. www.quantum-equities.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.quantum-equities.com/.well-known/acme-challenge/v0klws4ZWsgaULJMh0kdIAc24sgt_hMM6Jvk6Pt7mjw: "
IMPORTANT NOTES:
-
The following errors were reported by the server:
Domain: www.quantum-equities.com
Page Not Found - Quantum Equities, LLC</tit"
Type: unauthorized
Detail: Invalid response from
http://www.quantum-equities.com/.well-known/acme-challenge/v0klws4ZWsgaULJMh0kdIAc24sgt_hMM6Jvk6Pt7mjw:
"Domain: mail.quantum-equities.com
Page Not Found - Quantum Equities, LLC</tit"
Type: unauthorized
Detail: Invalid response from
http://mail.quantum-equities.com/.well-known/acme-challenge/8Tf1rFAc9iKEl93F7CEQua0nJ2DEPE1M2vF6whq-vhw:
"Domain: quantum-equities.com
Page Not Found - Quantum Equities, LLC</tit"
Type: unauthorized
Detail: Invalid response from
http://quantum-equities.com/.well-known/acme-challenge/e-7LS1n_DKPH_ebio0HtCpaprgg-t2AQiy6faPE3u8A:
"To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
############################################################
Second method (aka âIâm deadâ):
certbot certonly --preferred-challenges http -d quantum-equities.com,www.quantum-equities.com,mail.quantum-equities.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
Select the appropriate number [1-3] then [enter] (press âcâ to cancel): 3
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new authz :: Too many failed authorizations recently.
Please see the logfiles in /var/log/letsencrypt for more details.
That is very strange indeed. You are definitely running certbot on the server, right? The only thing I can think of that might explain that, is if your host has some sort of reverse proxy thatâs detecting when your Apache server isnât running, and serving some sort of magic 404 page.
Even in that case, the webroot method should work⌠in theory (though thereâs clearly some unknown variable in play here, so Iâm hesitant to guarantee anything!) Itâs not working right now because youâve hit a rate limit, but that particular rate limit expires after an hour so you can try again soon. Or you could temporarily use the --staging
server if you want to experiment while you wait.
Oh this is a little alarming. Can I just get my certs manually somehow?
Certainly am running only on the server (through SSH). There is nothing that could be snagging an 80 or 443 call:
listen
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
chronyd 691 chrony 1u IPv4 17245 0t0 UDP 127.0.0.1:323
chronyd 691 chrony 2u IPv6 17246 0t0 UDP [::1]:323
sshd 1079 root 3u IPv4 18837 0t0 TCP *:8734 (LISTEN)
sshd 1079 root 4u IPv4 18845 0t0 TCP *:22 (LISTEN)
master 1425 root 13u IPv4 19779 0t0 TCP 127.0.0.1:25 (LISTEN)
master 1425 root 17u IPv4 19782 0t0 TCP 127.0.0.1:587 (LISTEN)
sshd 25998 root 5u IPv4 1922867 0t0 TCP 10.1.1.30:22->192.168.111.2:8452 (ESTABLI
SHED)
sshd 26062 root 5u IPv4 1935090 0t0 TCP 10.1.1.30:22->192.168.111.2:9092 (ESTABLI
SHED)
Well, I can still connect to (www.)quantum-equities.com over both HTTP and HTTPSâŚ
As for a âmanualâ method, certbot has a --manual
option, and thereâs https://zerossl.com/ - either way you would have to renew manually at least every 90 days, but if youâre switching hosts, you might have done so by then, and maybe youâll have better luck setting up something more automated on your new host.
Ugh, --manual wants me to create a file on my old hoster. Theyâve collapsed and I donât have access to the files. This is why as I say, Iâm changing hosting to my own VM. (and registrar due to broken DNSSEC, but that transfer is hung up)
This issue is stopping me from setting up my mail servers as I want them to use TLS (and the instructions Iâm following require it), and I havenât done this before so donât know from SSL-TLS certificate to chain cert. If I knew what kind of files Iâd end up with (.pem/.p12/.key/.cert) Iâd have an idea how to fake it.
But maybe this is all hopeless and I just need to find another shared hoster, who will collapse like all the other cheapies have. Iâve spent over three weeks on this email service effort â how much time is reasonable? I really should be job-hunting
Ooooookay.... hang on.
Is your DNS still pointing at your old host, while you're running certbot on the new one?
That would explain all your problems!
If you have no access to the old host at all, the only option that will work is the DNS challenge, but even that might not work if you have broken DNSSEC. If you want to try it anyway, you can use --preferred-challenges dns
with the --manual
plugin, or select the "DNS verification" option on ZeroSSL.
EDIT: if you do this, remember to wait for the 1-hour rate limit to expire first!
Otherwise you'll just have to wait until after you've pointed the DNS at your new server.
When certbot works, you will get .pem files. I believe the same is true of ZeroSSL.
Yes. Ok no wonder. Mentioned that further up but admittedly it's a haystack.
Ok that helps. Is it one .pem for the three -d domains? (quantum-equities.com, www.quantum-equities.com, mail.quantum-equities.com) Or two, or three?
If so, do they contain? The Intermediate, private, and cert?
And for use with Postfix wouldn't I extract the .key and .crt? Also the Intermidiate? What should the intermediate be named? Would I concatenate the Intermediate to the .key?
Youâll get a set of 4 files for each certificate you obtain (ie. each time you successfully run certbot): a certificate (cert.pem), a private key (privkey.pem), an intermediate (chain.pem), and a combined file containing the certificate and intermediate (fullchain.pem). These files are valid for the set of domains you specified in the certbot command - so if you specified all 3 domains in one command, the certificate will cover all three. If you ran a separate certbot command for each domain, youâll get 3 sets of files, one for each domain.
Iâm not sure exactly how to configure postfix, but Iâd guess you would use the privkey.pem and fullchain.pem. Maybe someone else here knows more about that.
Ah yes, the instructions are a bit muddled, but the intermediate and public cert seem to go together into the chain file.
Iâve been through a number of howtoâs on postfix/dovecot and the others talk about a .key and .crt files, but .pem is Ok as long as I keep public and private straight.
(CentOS7) So Iâll rename privkey.pem to quantum-equities.com.key.pem and it goes in /etc/pki/tls/private, and Iâll rename fullchain.pem to quantum-equities.com.chain.pem and put it in /etc/pki/tls/certs. And the same with my other two domainsâ certs.
Then Iâll reference these for both Apache and Postfix.
But itâs important to know whether these are encrypted? If so I must decrypt or will need to enter a password every time I check mail.
Thanks for your help J. With the answer to this last question I can press on.
Nope, they are not encrypted and don't require a password.
Just be aware: certbot expects to find the files still in the same place when it tries to renew - it'll examine them to see if they need to be renewed yet. So it's better not to move or rename them. You can probably just refer to them directly in your apache / postfix configuration - /etc/letsencrypt/live/quantum-equities.com/fullchain.pem
etc - those are symbolic links that refer to the actual files in /etc/letsencrypt/archive
and are updated to point to the latest versions when the certificates are renewed. Or you can copy them if you really need them in a different location - use --deploy-hook
to automate that if you need to.
Oh, yikes, I got to wondering how certbot would know where my renamed files are. (But Iâd promised only one more question :j )
Yes I can point Apache and Postfix to the files in live, thanks.
Hi,
I now have my websites resolving and DNATting properly. But certbot fails now in a new way! (Oh joy)
certbot run -d quantum-equities,www.quantum-equities.com,mail.quantum-equities.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
An unexpected error occurred:
The request message was malformed :: Error creating new authz :: DNS name does not have enough labels
Please see the logfiles in /var/log/letsencrypt for more details.
I can DNS resolve the first two, but I canât ping mail.quantum-equities.com, even though it is set as my MX at GKG (my registrar).
Is this the cause of the error? Even though it is set as my MX, do I still have to set at registrar, resolution to my IP?
Also, what if my IP changes in the future? Wouldnât this wreck the certs? How would I fix this?
Your command is malformed. The first in your series of domains is not, in fact, a domain name: "quantum-equities"
Certs are not tied to IPs*, but rather domain names. Changing the IP these names resolve to will not break your certificates.
*Some CAs will issue for IP addresses, but this is not common and is not an option for Let's Encrypt.
WAT?!
Thanks. Now I have a different error: certificate had names "quantum.darkmatter.org"
This is an internal name for the server, and is quite different from the three public domain names this server serves, including quantum-equities.com. How do I rig it so I pass this test for the three different actual domain names?