Hello to All!
I’m really frustrated… I thought I was a good sysadmin, my boss pays me to do this job! But it’s been about ten days that I’ve been trying to build my certificate and I just can’t!
I’m on RHEL 7.3 x64, a Hyper-V guest.
I have two domains, both with a server farm/services: the first is “tergiversare.com” and the second is “perseverare.com”; both have a TCP load balancer (two appliances in HA) behind a cluster of smart firewall appliances.
The first “problem” is that I have to secure many hosts, so I’ve added a SAN entry for each public hostname/service to my certbot command, but in my public DNS (hosted by Aruba hosting) I have many CNAME records that point to the same public A record, the IP address of the load balancer, because the TCP balancer (2 public IPs and 2 A records) can manage all TCP/UDP services for both server farms!
Another thing that should justify all of these CNAMEs is that, in each farm, I have a lot of clustered services, so if I want to secure a “webmail service” I have to secure 3 hosts: the 1st host is the hostname that matches the virtual IP/CNAME “webmail.tergiversare.com” (TCP balancer); the 2nd host is the first node of the webmail cluster, “webmail0.tergiversare.com”; and the 3rd host is the second cluster node, “webmail1.tergiversare.com”.
This is because, when a remote client tries to connect to “webmail.tergiversare.com”, the load balancer can deliver the connection to host1 or host2; if I’ve secured only the “webmail.tergiversare.com” CN, when the client is redirected to “webmail0.tergiversare.com” it will get a warning message from the browser saying that the server name doesn’t match the certificate’s CN!
Now, I have 2 Apache 2.4.6 web servers, both with 3 instances: “www.tergiversare.com” listening on TCP 80/443, “www.perseverare.com” on 8080/488 and “adv.tergiversare.com” on 81; all instances are served by the load balancer in round-robin, and it port-forwards from “public-ip:80/443” to private-ip:xxxx based on a URL rule defined in its config;
My httpd.conf files are in /etc/httpd/conf/*
DocumentRoots are in /var/www/html/*
I’ve added these options to all the httpd.conf files of my sites for .well-known/acme-challenge:
Alias /.well-known/acme-challenge /var/www/html/letsencrypt/.well-known/acme-challenge
# The <Directory> path must match the Alias target exactly (the posted block had "letsencript")
<Directory /var/www/html/letsencrypt/.well-known/acme-challenge>
    Options None
    AllowOverride None
    # Apache 2.4 access control; same effect as the 2.2-style "Order allow,deny" / "Allow from all"
    Require all granted
</Directory>
BUT NOW, I’ve created a “.well-known/acme-challenge” folder for each site…
I’ve put a test.txt in the .well-known/acme-challenge folder and if I request it (from an internet browser), I can see the content of the txt file.
Now, I’ve tried all types of certbot commands like “apache”, “apache certonly”, “webroot”, with or without specifying the Apache path of RHEL httpd, but there’s no way to get this damned certificate!!!
The last command I used is this:
certbot certonly --staging -vvvv --agree-tos -m technet@tergiversare.com --rsa-key-size 4096 --renew-by-default --webroot -w /var/www/html/tergiversare.com -d tergiversare.com -d www.tergiversare.com -d dns.tergiversare.com -d dns0.tergiversare.com -d sip.tergiversare.com -d voip.tergiversare.com -d vpub.tergiversare.com -d rpx.tergiversare.com -d prx.tergiversare.com -d vlba.tergiversare.com -d vlba0.tergiversare.com -d vlba1.tergiversare.com -d mail.tergiversare.com -d mail0.tergiversare.com -d mail1.tergiversare.com -d webmail.tergiversare.com -d webmail0.tergiversare.com -d webmail1.tergiversare.com -d imap.tergiversare.com -d imap0.tergiversare.com -d imap1.tergiversare.com -d pop.tergiversare.com -d pop0.tergiversare.com -d pop1.tergiversare.com -d smtp.tergiversare.com -d smtp0.tergiversare.com -d smtp1.tergiversare.com -d ssl.tergiversare.com -d ssl0.tergiversare.com -d ssl1.tergiversare.com -d vpn.tergiversare.com -d vpn0.tergiversare.com -d vpn1.tergiversare.com -d ipsec.tergiversare.com -d ipsec0.tergiversare.com -d ipsec1.tergiversare.com -d cpa.tergiversare.com -d cpa0.tergiversare.com -d cpa1.tergiversare.com -d fax.tergiversare.com -d tor.tergiversare.com -d mobile.tergiversare.com -d mobile0.tergiversare.com -d mobile1.tergiversare.com -d icam.tergiversare.com -d mule.tergiversare.com -d jdl.tergiversare.com -d qmanager.tergiversare.com -d qmanager0.tergiversare.com -d qmanager1.tergiversare.com -d sftp.tergiversare.com -d xgate.tergiversare.com -w /var/www/html/perseverare.com -d perseverare.com -d www.perseverare.com -d dns.perseverare.com -d dns0.perseverare.com -d autodiscover.perseverare.com -d rpx.perseverare.com -d lba.perseverare.com -d mail.perseverare.com -d mail0.perseverare.com -d mail1.perseverare.com -d owa.perseverare.com -d webmail.perseverare.com -d webmail0.perseverare.com -d webmail1.perseverare.com -d imap.perseverare.com -d imap0.perseverare.com -d imap1.perseverare.com -d pop.perseverare.com -d pop0.perseverare.com -d pop1.perseverare.com -d smtp.perseverare.com -d smtp0.perseverare.com -d smtp1.perseverare.com -d fax.perseverare.com -d mobile.perseverare.com -d mobile0.perseverare.com -d mobile1.perseverare.com -d qmanager.perseverare.com -d qmanager0.perseverare.com -d qmanager1.perseverare.com -d lyncdiscover.perseverare.com -d sip.perseverare.com -d sipfederation.perseverare.com -d sipexternal.perseverare.com -d voip.perseverare.com -d vcs.perseverare.com -d vcs0.perseverare.com -d vcs1.perseverare.com -d collaboration.perseverare.com -d edge.perseverare.com
I always get this error message for each CN that doesn’t have an httpd that can match the request:
Domain: smtp0.tergiversare.com
Type: connection
Detail: Could not connect to smtp0.tergiversare.com
Domain: ssl1.tergiversare.com
Type: unauthorized
Detail: Invalid response from
http://ssl1.tergiversare.com/.well-known/acme-challenge/T-ADlpYfbJb30HjzqTQ1yRUpV9ttGUJfgFotu3B_7tY
[83.211.183.251]: 503
<<
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
certbot also deletes all the acme-challenge folders each time!
Do I have to create a conf/vhost for each CN???
The Let’s Encrypt log is too big for pastebin, I’ve put it here:
http://www.tergiversare.com/letsencrypt.txt
Please, help me!
Bye Roberto.
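A pre-flight check, added here as an example and not part of Roberto’s post or of certbot itself: before spending another validation attempt, write a probe file into the same webroot certbot will use and fetch it through every hostname that is going into the SAN list, over plain HTTP on port 80, exactly as the ACME server does for an HTTP-01 challenge. Each name is then sorted into the same categories certbot reported above (“connection” when nothing answers on port 80, “unauthorized” when something answers but not with the probe, such as the 503 coming back from the balancer address, “ok” when the probe is served). The hostnames and webroot in the usage line are taken from the post’s certbot command; the token and file content are constructed for the example, and the script assumes python3 is available on the RHEL box.

```python
"""Pre-flight check for HTTP-01 challenges before running certbot.

Added example (not from the original post). It drops a probe file into the
webroot certbot would use and fetches it through every hostname that will
go into the certificate, over http:// on port 80, as the ACME server does.
The token and file content are constructed stand-ins for the real ones.
"""
import functools
import http.server
import socket
import socketserver
import sys
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"


def challenge_url(domain, token):
    """URL the ACME server fetches for HTTP-01: always http://, port 80."""
    return f"http://{domain}/{CHALLENGE_DIR}/{token}"


def write_probe(webroot, token, content):
    """Create <webroot>/.well-known/acme-challenge/<token>, as certbot --webroot does."""
    target = Path(webroot) / CHALLENGE_DIR / token
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(content)
    return target


def probe(url, expected, timeout=10):
    """Fetch url and classify the outcome with certbot's own error categories.

    Returns (status, detail):
      'ok'            HTTP 200 and the body is the file we wrote
      'unauthorized'  something answered, but not with our file (404, 503, wrong body)
      'connection'    nothing reachable on port 80 (closed port, firewall, timeout)
      'dns'           the hostname does not resolve
    """
    # No proxy: the CA connects to the public address directly, so we do too.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as e:
        return "unauthorized", f"HTTP {e.code}"
    except urllib.error.URLError as e:
        if isinstance(e.reason, socket.gaierror):
            return "dns", str(e.reason)
        return "connection", str(e.reason)
    except OSError as e:  # e.g. socket.timeout while reading the body
        return "connection", str(e)
    if body != expected:
        return "unauthorized", "HTTP 200 but a different body (another vhost answered?)"
    return "ok", "HTTP 200"


def preflight(webroot, domains, token="preflight-probe", timeout=10):
    """Write one probe into webroot and test every domain in the SAN list against it."""
    content = f"{token}.constructed-key-authorization"  # constructed, not a real keyauth
    write_probe(webroot, token, content)
    return {d: probe(challenge_url(d, token), content, timeout) for d in domains}


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output readable
        pass


def local_demo():
    """Offline demonstration against a throw-away local web server.

    Returns the status for three cases: probe served correctly, missing
    file (HTTP 404 -> unauthorized) and closed port (-> connection).
    """
    webroot = tempfile.mkdtemp()
    handler = functools.partial(_QuietHandler, directory=webroot)
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    host = "127.0.0.1:%d" % server.server_address[1]
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    token, content = "demo-token", "demo-token.constructed-key-authorization"
    write_probe(webroot, token, content)
    results = {
        "served": probe(challenge_url(host, token), content, timeout=5),
        "missing_file": probe(challenge_url(host, "other-token"), content, timeout=5),
    }
    server.shutdown()
    server.server_close()
    thread.join()
    results["closed_port"] = probe(challenge_url(host, token), content, timeout=5)
    return {name: status for name, (status, _detail) in results.items()}


if __name__ == "__main__":
    # e.g. python3 acme_preflight.py /var/www/html/tergiversare.com ssl1.tergiversare.com smtp0.tergiversare.com
    if len(sys.argv) >= 3:
        for domain, (status, detail) in preflight(sys.argv[1], sys.argv[2:]).items():
            print(f"{status:12} {domain:40} {detail}")
    else:
        for name, status in local_demo().items():
            print(f"{status:12} {name}")
```

Run it with the same -w webroot and the same -d list you give certbot; every name that does not come back “ok” here will fail the real challenge too, and the status column tells you whether to look at DNS, at the balancer’s port-80 forwarding/URL rules, or at which vhost actually answered. With no arguments it runs the offline demo against a local server so you can see the three outcomes without touching the public hosts.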