No way to create my cert!


#1

Hello to All!

I’m really frustrated… I thought I was a good sysadmin, my boss pays me to do this job! But it’s been about ten days that I’ve been trying to build my certificate and I just can’t!

I’m on RHEL 7.3 x64, a Hyper-V guest.

I’ve two domains, both with a server farm/services: the first is “tergiversare.com” and the second one is “perseverare.com”; both have a TCP load balancer (two appliances in HA) behind a cluster of smart firewall appliances.

The first “problem” is that I have to secure many hosts, so I’ve added a SAN entry for each public hostname/service to my certbot command; but in my public DNS (hosted by Aruba hosting) I have many CNAME records that point to the same public A record, the IP address of the load balancer, because the TCP balancer (2 public IPs and 2 A records) can manage all TCP/UDP services for both server farms!

Another thing that should justify all of these CNAMEs is that, in each farm, I have a lot of clustered services, so if I want to secure a “webmail service” I have to secure 3 hosts: the 1st host is the hostname that matches the virtual IP/CNAME “webmail.tergiversare.com” (TCP balancer); the 2nd host is the first node of the webmail cluster, “webmail0.tergiversare.com”; and the 3rd host is the second cluster node, “webmail1.tergiversare.com”.

This is because, when a remote client tries to connect to “webmail.tergiversare.com”, the load balancer can deliver the connection to host1 or host2; if I’ve secured only the “webmail.tergiversare.com” CN, when the client is redirected to “webmail0.tergiversare.com” it will get a warning message from the browser saying that the server name doesn’t match the certificate’s CN!

Now, I have 2 Apache 2.4.6 web servers, both with 3 instances: “www.tergiversare.com” listens on TCP 80/443, “www.perseverare.com” on 8080/488 and “adv.tergiversare.com” on 81; all instances are served by the load balancer in round-robin, and it port-forwards from “public-ip:80/443” to private-ip:xxxx based on a URL rule defined in its config.

My httpd.conf files are in /etc/httpd/conf/*

DocumentRoots are in /var/www/html/*

I’ve added these options to all the httpd.conf files of my sites for .well-known/acme-challenge:

Alias /.well-known/acme-challenge /var/www/html/letsencrypt/.well-known/acme-challenge

# The Directory path must be the same filesystem path the Alias points to
<Directory /var/www/html/letsencrypt/.well-known/acme-challenge>
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>

BUT NOW, I’ve created a “.well-known/acme-challenge” folder for each site…

I’ve put a text.txt in the .well-known/acme-challenge folder and if I request it (from an internet browser), I can see the content of the txt file.

Now, I’ve tried all kinds of certbot commands like “apache”, “apache certonly”, “webroot”, with or without specifying the Apache path of the RHEL httpd, but no way to get this damned certificate!!!

:wink:

The last command that I’ve used is this:

certbot certonly --staging -vvvv --agree-tos -m technet@tergiversare.com --rsa-key-size 4096 --renew-by-default --webroot -w /var/www/html/tergiversare.com -d tergiversare.com -d www.tergiversare.com -d dns.tergiversare.com -d dns0.tergiversare.com -d sip.tergiversare.com -d voip.tergiversare.com -d vpub.tergiversare.com -d rpx.tergiversare.com -d prx.tergiversare.com -d vlba.tergiversare.com -d vlba0.tergiversare.com -d vlba1.tergiversare.com -d mail.tergiversare.com -d mail0.tergiversare.com -d mail1.tergiversare.com -d webmail.tergiversare.com -d webmail0.tergiversare.com -d webmail1.tergiversare.com -d imap.tergiversare.com -d imap0.tergiversare.com -d imap1.tergiversare.com -d pop.tergiversare.com -d pop0.tergiversare.com -d pop1.tergiversare.com -d smtp.tergiversare.com -d smtp0.tergiversare.com -d smtp1.tergiversare.com -d ssl.tergiversare.com -d ssl0.tergiversare.com -d ssl1.tergiversare.com -d vpn.tergiversare.com -d vpn0.tergiversare.com -d vpn1.tergiversare.com -d ipsec.tergiversare.com -d ipsec0.tergiversare.com -d ipsec1.tergiversare.com -d cpa.tergiversare.com -d cpa0.tergiversare.com -d cpa1.tergiversare.com -d fax.tergiversare.com -d tor.tergiversare.com -d mobile.tergiversare.com -d mobile0.tergiversare.com -d mobile1.tergiversare.com -d icam.tergiversare.com -d mule.tergiversare.com -d jdl.tergiversare.com -d qmanager.tergiversare.com -d qmanager0.tergiversare.com -d qmanager1.tergiversare.com -d sftp.tergiversare.com -d xgate.tergiversare.com -w /var/www/html/perseverare.com -d perseverare.com -d www.perseverare.com -d dns.perseverare.com -d dns0.perseverare.com -d autodiscover.perseverare.com -d rpx.perseverare.com -d lba.perseverare.com -d mail.perseverare.com -d mail0.perseverare.com -d mail1.perseverare.com -d owa.perseverare.com -d webmail.perseverare.com -d webmail0.perseverare.com -d webmail1.perseverare.com -d imap.perseverare.com -d imap0.perseverare.com -d imap1.perseverare.com -d pop.perseverare.com -d pop0.perseverare.com -d pop1.perseverare.com -d smtp.perseverare.com -d smtp0.perseverare.com -d smtp1.perseverare.com -d fax.perseverare.com -d mobile.perseverare.com -d mobile0.perseverare.com -d mobile1.perseverare.com -d qmanager.perseverare.com -d qmanager0.perseverare.com -d qmanager1.perseverare.com -d lyncdiscover.perseverare.com -d sip.perseverare.com -d sipfederation.perseverare.com -d sipexternal.perseverare.com -d voip.perseverare.com -d vcs.perseverare.com -d vcs0.perseverare.com -d vcs1.perseverare.com -d collaboration.perseverare.com -d edge.perseverare.com

I always get this error message for each CN that doesn’t have an httpd that can match the request:

Domain: smpt0.tergiversare.com
Type: connection
Detail: Could not connect to smtp0.tergiversare.com

Domain: ssl1.tergiversare.com
Type: unauthorized
Detail: Invalid response from
http://ssl1.tergiversare.com/.well-known/acme-challenge/T-ADlpYfbJb30HjzqTQ1yRUpV9ttGUJfgFotu3B_7tY
[83.211.183.251]: 503


To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

certbot also deletes all the acme-challenge folders each time!

Do I have to create a conf/vhost for each CN???

The Let's Encrypt log is too big for pastebin, so I’ve put it here:

http://www.tergiversare.com/letsencrypt.txt

Please, help me!
Bye Roberto.


#2

It looks like this alias does not match the webroot that you pass to your certbot command:


#3

Hello jsha!
Thanks for your answer!

I’ve tried a lot of command combinations; the last one that I’ve tried and posted here has the “--webroot -w /var/www/html/tergiversare.com” argument, NO “alias dir” in the httpd conf, and each site has its own .well-known/acme-challenge path in /var/www/html/*

But unfortunately it didn’t work.
Do you have any other tips for me?


#4

It seems like you are on the right track with the Alias thing.

Looking again at your specific error messages, the two you provided are clear: smtp0.tergiversare.com produces a “could not connect” error, indicating most likely that it’s not listening on 443 (makes sense if it’s an SMTP server). Is that DNS name pointing at the same host as your Apache server? Also, I notice that the names in the error message differ by a typo. Did you re-type or edit this error, rather than copy-paste?

For ssl1.tergiversare.com, your web server is serving a 503 error code. You’ll need to fix that, but I can’t tell you why it’s serving an error code. But you can see it for yourself at http://ssl1.tergiversare.com/.


#5

Hi jsha,

OK, I’ll try to re-enable the common Alias directive, one common filesystem path for all sites.

Yes, smtp and most of the SANs share 2 public IPs: smtp0.tergiversare.com points to 83.211.183.250, which is a public NAT address: when incoming SMTP/S packets arrive at the public interface of my firewall, it forwards the connections to the private interface of the load balancer, and the load balancer forwards the connections to the mail servers. If you point to www.tergiversare.com (same IP 83.211.183.250) but on 80 or 443, the packets take the same route, but the HTTP/S requests are forwarded, again by the firewall, to the private IP of the load balancer; the load balancer, in this case, for the HTTP/S TCP ports, has a rule that forwards the connections to the web servers.

OK, I made a typo in the certbot SAN for smtp0: I wrote smpt! I think that if I correct this, the error will become the same as ssl1’s!

I think that ssl1.tergiversare.com gives 503 because Apache is listening on 80/443 but the Let's Encrypt server requests a resource name that doesn’t match any vhost in my conf…

This is why I asked if it’s mandatory to create 100 vhosts if I’ve requested 100 SANs!

jsha, I hope that you understand my English, I know it’s really terrible! :slight_smile:


#6

It’s not necessary to create 100 vhosts for 100 SANs, if you use ServerAlias so that one vhost can match multiple hostnames.

However, you do need your Apache instance to be willing to serve answers for all the hostnames. So for instance you should add ssl1.tergiversare.com to a ServerAlias on one of your vhosts so it can successfully respond to requests.
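An added illustration of the ServerAlias approach from the reply above (this is example configuration, not the original poster's httpd.conf); the hostnames and paths are assumed from the thread, and the challenge directory is served by a single global Alias so one webroot works for every name:

```apache
# Added example: one name-based vhost per site, with ServerAlias covering the
# extra SANs, plus one shared ACME challenge directory for all of them.
# Hostnames and filesystem paths are assumptions taken from the thread.

# The global Alias applies to every vhost, so certbot can use a single
# webroot (-w /var/www/html/letsencrypt) for all -d names.
Alias /.well-known/acme-challenge /var/www/html/letsencrypt/.well-known/acme-challenge
<Directory /var/www/html/letsencrypt/.well-known/acme-challenge>
    Options None
    AllowOverride None
    # Apache 2.4 syntax (replaces "Order allow,deny / Allow from all")
    Require all granted
</Directory>

<VirtualHost *:80>
    ServerName www.tergiversare.com
    # Apache picks this vhost for any Host header listed below, so the
    # clustered nodes do not each need a vhost of their own.
    ServerAlias tergiversare.com
    ServerAlias webmail.tergiversare.com webmail0.tergiversare.com webmail1.tergiversare.com
    ServerAlias mail.tergiversare.com mail0.tergiversare.com mail1.tergiversare.com
    DocumentRoot /var/www/html/tergiversare.com
</VirtualHost>

<VirtualHost *:80>
    ServerName www.perseverare.com
    ServerAlias perseverare.com owa.perseverare.com
    ServerAlias webmail.perseverare.com webmail0.perseverare.com webmail1.perseverare.com
    DocumentRoot /var/www/html/perseverare.com
</VirtualHost>
```

A ServerAlias only helps for names whose port 80 traffic actually reaches this Apache instance: the http-01 validation is an HTTP request to port 80 of the address the name resolves to, so a name whose port 80 is forwarded elsewhere (or not at all) still fails regardless of the vhost configuration.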


#7

Oh… right! I hadn’t thought of it!

Is ServerAlias sufficient, or do I have to make all the ServerAliases reachable from the internet?

Because ssl1.tergiversare.com is a separate host; it’s an SSL VPN appliance! If I route ssl1.tergiversare.com:443 to the Apache hosts, the SSL appliance cannot be reached anymore…

