Ovh.net - Shared Domain Means Limits Are Reached

I’ve tried getting a certificate for my OVH VPS.

    # certbot certonly --standalone -d vps17xxxx.ovh.net
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    Obtaining a new certificate
    Performing the following challenges:
    tls-sni-01 challenge for vps17xxxx.ovh.net
    Waiting for verification...
    Cleaning up challenges
    Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
    Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
    An unexpected error occurred:
    There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for: ovh.net
    Please see the logfiles in /var/log/letsencrypt for more details.

How do I fix it?

Hi again @juanam :wink:

You can’t fix it. ovh.net is not included in the Public Suffix List, so it has the same limits as a normal domain (20 certificates per 7 days), and OVH has thousands of customers trying to issue a certificate for vpsxxxxxx.ovh.net, so it could be almost impossible to issue a cert for one of these subdomains.

Cheers,
sahsanu

You fix it by getting your own domain name, rather than trying to get a certificate for xxx.ovh.net.

Hi, danb35!
My domain is already certified and hosted on a web host (not on my OVH VPS).
I wanted to get a certificate for my VPS.
If I try to get a certificate with the name of my domain from my VPS, it gives the following error:

# certbot certonly --standalone -d xxxxx.com -d www.xxxxx.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for xxxxx.com
tls-sni-01 challenge for www.xxxxx.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. xxxxxx.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested b4dcf625586bdd2bfb156864de5079d3.8a83047c549b23645e19fcf0fb87d94e.acme.invalid from [xxxxx:50]:443. Received 3 certificate(s), first certificate had names "ssl17.ovh.net, www.xxx.ovh.net", www.xxxx.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 8e1c92c070e8703171387fe239ad72bd.37602efccedef6166d281cdee9d95ce1.acme.invalid from [xxxxx]:443. Received 3 certificate(s), first certificate had names "xxx.ovh.net, www.ssl17.ovh.net"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain:xxxxxxx.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   b4dcf625586bdd2bfb156864de5079d3.8a83047c549b23645e19fcf0fb87d94e.acme.invalid
   from [2001:41d0:1:1b00:213:186:33:50]:443. Received 3
   certificate(s), first certificate had names "xxx.ovh.net,
   www.xxx.ovh.net"

   Domain: www.xxxxxx.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   8e1c92c070e8703171387fe239ad72bd.37602efccedef6166d281cdee9d95ce1.acme.invalid
   from [xxxx]:443. Received 3
   certificate(s), first certificate had names "xxx.ovh.net,
   www.xxx.ovh.net"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

So what happens there is on the VPS (not OVH) you’re telling Let’s Encrypt, “I promise I am chathizpano.com and www.chathizpano.com”, and so Let’s Encrypt connects to those names over HTTPS to attempt the tls-sni-01 challenge, but instead of reaching the standalone Certbot you’re running, Let’s Encrypt reaches the OVH web servers you have, and those say “No, we don’t know anything about this, it’s not us”, and so you can’t get a certificate for those names.

This is of course necessary, as otherwise anybody could get certificates for your names. You need to pass a challenge for the names you want on the certificate; you must arrange to pass one of three kinds of challenge. Perhaps for you it will be easiest to pass the DNS challenge?

But it seems odd to want the VPS to have certificates for these names, while having OVH answer actual requests for those names. Maybe it will be easier for someone to help if you explain what you wanted to achieve there…

You will not be able to get a cert for your vps hostname (vps17xxxx.ovh.net) for the reason @sahsanu explained.

I am very new to programming and I understand English very little.
I’ll tell you what my problem is:
I have a website on “xxxxx.com” that has different hosting and a different IP from my VPS.
But on my VPS I have my Shoutcast radio server, which uses the IP of my VPS to transmit the stream.
As the IP:port of my VPS is not SSL, my website, which uses a radio player, is not validated with the green lock.
The names of the songs, which I get from my VPS, arrive at my website in an unsafe format.
I do not know if you can understand my idea.

Thank you, @sahsanu, for your information and help.
In this thread began my odyssey to obtain the lucky green lock.
@schoen commented something about creating a reverse proxy for my Shoutcast.
Does anyone know how I should create that?

A suggestion, which may or may not be easy for you:

Give the VPS an alternative DNS name which you control, for example radio.chathizpano.com. Most services where you can buy a domain like chathizpano.com will let you set up any number of such names; you can probably use a feature called CNAME to have it point to the exact same server as vps17xxxx.ovh.net. If that is not possible but you know the exact IP address of the VPS, you can type that in by hand (but if it changes you must redo this, so the CNAME is better).

Unlike the ovh.net name, this name will not be trapped by rate-limiting (unless you are making dozens of them), and so you will be able to request a certificate for the name from Let’s Encrypt without rate-limit problems. Unlike the web server name, it will refer to the correct machine, so it will be able to pass the challenge step if you do this correctly.
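As an added example (not code from this thread or from certbot), the following Python models the two facts the replies above rely on: Let’s Encrypt counts certificates per registered domain as defined by the Public Suffix List, so every vpsNNNNN.ovh.net shares ovh.net’s 20-per-week allowance, and a tls-sni-01 or http-01 challenge only passes if the name resolves to the host where certbot --standalone is listening. The PSL excerpt, the DNS table and the IP addresses are constructed for the demo; chathizpano.com is the name used in the thread.

```python
# Added example, not code from this thread. It models the two facts the
# replies rely on: Let's Encrypt counts certificates per registered domain
# (Public Suffix List rule), and a tls-sni-01/http-01 challenge only passes
# if the name resolves to the host where certbot --standalone is listening.
# The PSL excerpt, DNS table and IP addresses below are constructed.

# Constructed PSL excerpt (real list at publicsuffix.org). ovh.net is absent,
# which is why every vpsNNNNN.ovh.net shares one 20-certs-per-week allowance.
PUBLIC_SUFFIXES = {"com", "net", "co.uk", "github.io"}

def registered_domain(hostname: str) -> str:
    """Registrable domain (public suffix + one label) the rate limit is keyed on."""
    labels = hostname.lower().rstrip(".").split(".")
    # Longest candidate suffix first; the first one in the PSL is the public suffix.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{hostname} is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no public suffix found for {hostname}")

def same_rate_limit_bucket(a: str, b: str) -> bool:
    """True when certificates for a and b count against the same weekly limit."""
    return registered_domain(a) == registered_domain(b)

# Constructed DNS answers (RFC 5737 documentation addresses, no network used).
DNS = {
    "chathizpano.com": "198.51.100.10",       # shared web host, not the VPS
    "www.chathizpano.com": "198.51.100.10",
    "radio.chathizpano.com": "203.0.113.20",  # CNAME pointing at the VPS
    "vps17xxxx.ovh.net": "203.0.113.20",      # the VPS itself
}

def preflight(names, vps_ip: str, owned_domains, resolve=DNS.get):
    """Return (name, problem) pairs for names this VPS cannot get a cert for,
    mirroring the two failures seen in the thread."""
    problems = []
    for name in names:
        reg = registered_domain(name)
        if reg not in owned_domains:
            problems.append((name, f"rate limit counted against {reg}, which you do not control"))
        elif resolve(name.lower()) != vps_ip:
            problems.append((name, "does not resolve to this VPS, the challenge will hit another host"))
    return problems

if __name__ == "__main__":
    for name, why in preflight(list(DNS), "203.0.113.20", {"chathizpano.com"}):
        print(f"{name}: {why}")
```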


Hi @tialaramex,
I already got the certificate!
Thank you! :slight_smile:

Also, somewhere in the OVH console there is a “cogwheel” to be able to change the reverse DNS entry (i.e. the IN PTR) to the name you want for your VPS, given that you have the correct A (IN A) record defined for the VPS.
