One IP, Two domains, Two certificates


#1

Hello,

I’m trying to get two SSL certificates for two domains on the same IP. I’m using Apache with SNI. For the first domain, I have installed LetsEncrypt and it is working well. But I’m unable to install it for the second domain.

Here is my output:

     certbot-auto --apache -d secondomain.lt -d www.secondomain.lt
Requesting root privileges to run certbot...
  /home/xxx/.local/share/letsencrypt/bin/letsencrypt --apache -d secondomain.lt -d www.secondomain.lt
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for secondomain.lt
tls-sni-01 challenge for www.secondomain.lt
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. secondomain.lt (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 67cc4c1fe331239df2aa886179bc93dc.b4bbdafbb67f49e154341cb15ec9e11c.acme.invalid from 194.135.80.160:443. Received 2 certificate(s), first certificate had names "firstdomain.lt, www.firstdomain.lt", www.secondomain.lt (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 4552aaa93d0d91647a353631c6c75cd0.9bdde20c003a29a31af8dbdf42a81113.acme.invalid from 194.135.80.160:443. Received 2 certificate(s), first certificate had names "firstdomain.lt, www.firstdomain.lt"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: secondomain.lt
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   67cc4c1fe331239df2aa886179bc93dc.b4bbdafbb67f49e154341cb15ec9e11c.acme.invalid
   from 194.135.80.160:443. Received 2 certificate(s), first
   certificate had names "firstdomain.lt, www.firstdomain.lt"

   Domain: www.secondomain.lt
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   4552aaa93d0d91647a353631c6c75cd0.9bdde20c003a29a31af8dbdf42a81113.acme.invalid
   from 194.135.80.160:443. Received 2 certificate(s), first
   certificate had names "firstdomain.lt, www.firstdomain.lt"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

Any ideas?


#2

Hi @BigBug

Please fill out the stuff below accurately (you would be surprised how many people don’t have a WWW domain in DNS and try to get a certificate for it).

Please fill out the fields below so we can help you better.

My domain is:

My operating system is (include version):

My web server is (include version):

Andrei


#3

Hello,

Thank you for quick reply.

My domain is: www.eurotrip.lt

My operating system is: Ubuntu 14.04.5 LTS

My web server is: Apache/2.4.7 (Ubuntu); PHP 5.6.30-7+deb.sury.org~trusty+1 (cli)


#4

Hi @BigBug

You are serving up your other certificate which means when LetsEncrypt comes to verify (via the TLS-SNI Challenge) it fails.

You can use the HTTP or the DNS challenge, or alternatively change the configs so the right cert for validation can be presented.

Andrei


#5

Yes, I want to have two SSLs on one IP.

Is there any tutorial, how to solve this?


#6

That’s not true. certbot will temporarily install the self-signed challenge certificate and will revert the Apache configuration to remove that temporary certificate when it exits. So everything you see on the “outside” when certbot isn’t running doesn’t say anything about the tls-sni-01 challenge. Also, you’d need to SPECIFICALLY request that SPECIFIC hostname to get that temporary certificate anyway. Please read on how the challenge works if you don’t actually know it, so you’ll refrain from giving ill-advised help (although you mean well, I know!)

@BigBug Most of the time these errors will present when one of two situations are in place (or both at the same time :stuck_out_tongue:):

  • You have multiple <VirtualHost *:80> sections in one Apache configuration file. At this moment (a change in the code is in progress!), certbot requires just one <VirtualHost *:80> section per file. Note: it is valid to have one vhost section for multiple hostnames by using ServerAlias besides the ServerName directive. certbot should be able to detect the hostname(s) in ServerAlias.
  • Your <VirtualHost> sections have mixed syntax. Most of the time, the following syntax is the most compliant: <VirtualHost *:80>. But sometimes servers have a mix of <VirtualHost 1.2.3.4:80> (with an IP address) or <VirtualHost *> (not specifying a port number). That can interfere with certbot’s temporary certificate presentation. My advice would be: only use the <VirtualHost *:80> syntax, unless you’re using IP-based virtual hosting (and of course <VirtualHost *:443> for HTTPS).
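A small check for the two conditions described in the post above, added here as an example and not code from the thread or from certbot itself. It scans one Apache site file for more than one <VirtualHost *:80> section and for address forms other than *:port, and lists the ServerName/ServerAlias hostnames certbot would have to detect. The sample configuration strings are constructed for the example.

```python
import re
import glob

# Opening tag of a VirtualHost section, capturing its address argument(s).
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE | re.MULTILINE)
# ServerName / ServerAlias directives (ServerAdmin deliberately does not match).
NAME_DIRECTIVE = re.compile(r"^\s*(ServerName|ServerAlias)\s+(.+?)\s*$",
                            re.IGNORECASE | re.MULTILINE)


def check_apache_file(text):
    """Return a list of findings for the text of one Apache site file."""
    findings = []
    addrs = [a.strip() for a in VHOST_OPEN.findall(text)]
    # Condition 1: more than one <VirtualHost *:80> section in a single file.
    port80 = [a for a in addrs if a.lower() == "*:80"]
    if len(port80) > 1:
        findings.append("multiple <VirtualHost *:80> sections in one file (%d)" % len(port80))
    # Condition 2: address forms that deviate from the recommended *:port syntax.
    for a in addrs:
        if ":" not in a:
            findings.append("<VirtualHost %s> has no port number" % a)
        elif not a.startswith("*:"):
            findings.append("<VirtualHost %s> uses an IP address instead of *" % a)
    return findings


def hostnames(text):
    """Collect every hostname named by ServerName/ServerAlias, in file order."""
    names = []
    for _, value in NAME_DIRECTIVE.findall(text):
        names.extend(value.split())
    return names


# Constructed sample: one file that breaks both rules, one that follows them.
BAD_FILE = """<VirtualHost *:80>\n    ServerName first.example\n</VirtualHost>
<VirtualHost *:80>\n    ServerName second.example\n</VirtualHost>
<VirtualHost 192.0.2.10:80>\n    ServerName third.example\n</VirtualHost>
<VirtualHost *>\n    ServerName fourth.example\n</VirtualHost>\n"""
GOOD_FILE = """<VirtualHost *:80>\n    ServerName second.example
    ServerAlias www.second.example\n    DocumentRoot /var/www/html/second.example/public_html
</VirtualHost>\n"""

if __name__ == "__main__":
    # Assumed default Debian/Ubuntu layout; adjust the glob for other distributions.
    for path in sorted(glob.glob("/etc/apache2/sites-enabled/*.conf")):
        with open(path) as fh:
            text = fh.read()
        print(path, hostnames(text), check_apache_file(text) or "OK")
```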

#7

My already installed domain apache conf file:

<VirtualHost *:80>
    ServerName already_installed_sll_domain.com
    ServerAlias www.already_installed_sll_domain.com

    ServerAdmin linas@xxx
    DocumentRoot /var/www/html/already_installed_sll_domain.com/public_html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /var/www/html/already_installed_sll_domain.com/public_html>
        Options +Indexes +FollowSymLinks -MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin linas@xxx
        DocumentRoot /var/www/html/already_installed_sll_domain.com/public_html
        ServerName already_installed_sll_domain.com
        ServerAlias www.already_installed_sll_domain.com

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>

        <Directory /var/www/html/already_installed_sll_domain.com/public_html>
            Options +Indexes +FollowSymLinks -MultiViews
            AllowOverride All
            Order allow,deny
            allow from all
        </Directory>

        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet


And my new domain conf file. I'm trying to install SSL for this domain.

<VirtualHost *:80>
    <Directory /var/www/html/eurotrip.lt/public_html>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
    ServerAdmin linas@xxx
    DocumentRoot /var/www/html/eurotrip.lt/public_html
    ServerName eurotrip.lt
    ServerAlias www.eurotrip.lt

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Does everything look correct?


#8

If the last virtualhost is indeed in a separate file, it should work… Strange.

But as @ahaw021 already said, you can try the http challenge:

certbot -i apache -a webroot -w /var/www/html/eurotrip.lt/public_html -d eurotrip.lt -d www.eurotrip.lt

This will use the apache plugin to install the certificate (it will copy your existing configuration file into a new one with -le-ssl after the current filename) and use the webroot plugin for authentication.


#9

Thank you. I have changed “certbot” into “certbot-auto” and then it worked. Console output generated SSL.

But when I go to the page SSL is not working. Do I have to make any new configuration in apache conf files?


Modified sites-available/domain.conf and it started working.

Thank you very much!


#10

The apache plugin should have taken care of that… :flushed:

There also should have been a domain-le-ssl.conf in there.

Well, that’s the most important part I guess :wink:
