Postfix and apache cert for same IP [resolved]

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: kocher-net.de

I ran this command: sudo certbot certonly

It produced this output:
Cleaning up challenges
Failed authorization procedure. mta.kocher-net.de (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 6986a31a12219ce90b6f62782934c148.d1a8761794bbfe49b15e5bfbf18f162c.acme.invalid from 46.237.215.198:443. Received 2 certificate(s), first certificate had names “nextcloud.kocher-net.de

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mta.kocher-net.de
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    6986a31a12219ce90b6f62782934c148.d1a8761794bbfe49b15e5bfbf18f162c.acme.invalid
    from 46.237.215.198:443. Received 2 certificate(s), first
    certificate had names “nextcloud.kocher-net.de

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): not available on this server

The operating system my web server runs on is (include version): debian stretch

My hosting provider, if applicable, is: local - cable with public IP

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hello, I have a cable connection with a static IP.
Port 443 is forwarded to the virtual server nextcloud.kocher-net.de.
Ports 25 / 993 should be forwarded to another virtual server, mta.kocher-net.de.

As both servers are seen with the same IP from the outside, it seems I cannot request certs for both.
I saw multiple threads talking about 2 web domains but have not found anything about 2 virtual hosts (different applications) behind 1 IP.

Thanks for any help!

One possible solution: One system could use certbot with TLS auth and the other with DNS auth.

thanks for your quick reply!

Maybe a newbie question, but how do I do that?
With my MTA I do not have port 80 nor 443 open, and from what I found this would also be a prerequisite for the TLS auth.

Thanks!

I agree with @rg305’s suggestion of using the DNS authentication method. The other methods require inbound connections on port 443 or port 80, so they probably won’t work properly with your port forwarding setup unless you can somehow make the port forwarding application layer-aware.

With the nextcloud I have already used the apache authentication:

```
root@nextcloud:/home/tkocher# cat /etc/letsencrypt/renewal/nextcloud.kocher-net.de.conf
# renew_before_expiry = 30 days
version = 0.10.2
archive_dir = /etc/letsencrypt/archive/nextcloud.kocher-net.de
cert = /etc/letsencrypt/live/nextcloud.kocher-net.de/cert.pem
privkey = /etc/letsencrypt/live/nextcloud.kocher-net.de/privkey.pem
chain = /etc/letsencrypt/live/nextcloud.kocher-net.de/chain.pem
fullchain = /etc/letsencrypt/live/nextcloud.kocher-net.de/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = xxxx
root@nextcloud:/home/tkocher#
```

So this should not be affecting the DNS authentication as suggested…

Yep, you can use the DNS authentication only for the other server if you prefer.

So first the DNS authentication and afterwards the apache authentication?
I have done it the other way round now.
If this works, is there any dependency in the renewal process?
Thanks!

The order shouldn’t matter at all. Either order is fine.

For the renewal process, Certbot may require you to provide a script that performs the DNS record updates in order to be able to use certbot renew to renew certs that were obtained via the DNS method. (Partly for historical reasons, the DNS authentication support in Certbot is via the --manual plugin, which by default stops and asks you to make the specified change yourself. This behavior is incompatible with the automated renewals of certbot renew, which is designed to run completely unattended, for example from a cron job. However, if you do specify a script that can make the DNS changes for you in an unattended manner, then automated renewals will still be possible.)
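As an added illustration of the "script that performs the DNS record updates" mentioned above (this is not code from the thread or from Certbot itself), here is a hook for Certbot's manual plugin that publishes the DNS-01 validation record with RFC 2136 dynamic updates via `nsupdate`, so `certbot renew` can run unattended. It assumes a hypothetical name server `ns1.example.com` that accepts TSIG-signed updates and a key file at `/etc/letsencrypt/tsig.key`; both are placeholders. The hook flags `--manual-auth-hook` / `--manual-cleanup-hook` exist only in Certbot releases newer than the 0.10.2 shown in this thread. Certbot itself exports `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` to the hook, and the record it expects is `_acme-challenge.<domain>`.

```shell
#!/bin/sh
# Added example, not from the thread: certbot --manual-auth-hook (and, with
# HOOK_ACTION=delete, --manual-cleanup-hook) that creates/removes the DNS-01
# TXT record through nsupdate. Values below are hypothetical placeholders.
DNS_SERVER="${DNS_SERVER:-ns1.example.com}"       # assumed: RFC 2136-capable master
TSIG_KEY="${TSIG_KEY:-/etc/letsencrypt/tsig.key}"  # assumed: TSIG key for nsupdate -k

# Build the nsupdate script for one validation and print it on stdout, so the
# exact update can be inspected (or tested) without touching a name server.
#   $1 = domain being validated, $2 = validation token, $3 = "add" | "delete"
build_nsupdate_script() {
    domain="$1"; token="$2"; action="$3"
    case "$action" in
        add|delete) ;;
        *) echo "unsupported action: $action" >&2; return 1 ;;
    esac
    # ACME validation values are base64url; refuse anything else so an
    # unexpected token cannot break out of the quoted TXT value.
    case "$token" in
        *[!A-Za-z0-9_-]*|"") echo "refusing malformed token" >&2; return 1 ;;
    esac
    printf 'server %s\n' "$DNS_SERVER"
    printf 'update %s _acme-challenge.%s. 60 IN TXT "%s"\n' "$action" "$domain" "$token"
    printf 'send\n'
}

# When invoked by certbot, apply the update and give secondaries a moment
# to pick up the record before the CA queries it.
if [ -n "$CERTBOT_DOMAIN" ] && [ -n "$CERTBOT_VALIDATION" ]; then
    build_nsupdate_script "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" "${HOOK_ACTION:-add}" \
        | nsupdate -k "$TSIG_KEY" || exit 1
    [ "${HOOK_ACTION:-add}" = add ] && sleep 30
fi
```

Usage, with the script saved as `/usr/local/bin/acme-dns-hook.sh`: `certbot certonly --manual --preferred-challenges dns --manual-auth-hook /usr/local/bin/acme-dns-hook.sh --manual-cleanup-hook 'env HOOK_ACTION=delete /usr/local/bin/acme-dns-hook.sh' -d mta.kocher-net.de`. Because the hook paths are stored in the renewal configuration, a later `certbot renew` reuses them. The TSIG key should be scoped (on the name server side) to updating only `_acme-challenge` names, so a compromised web host cannot rewrite the rest of the zone.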

Well, nextcloud complains that I have already received a cert on the static IP I own.
So changing the A record seems not to be a solution, as I will still have a registered cert with my static IP.

As both names are pointing to the same IP, so with an identical A record, it seems there is no solution. Maybe add an additional domain and then copy from one server to the other after renewal. Might that be an option?

Sorry, the DNS record updates I’m referring to are not about changing your IP address at all. The DNS authentication method is a way of proving your control over a domain name to the Let’s Encrypt certificate authority. They do this by creating a new TXT record in your DNS zone as requested by the CA during the certificate request process. The TXT record will be for _acme-validation.mta.kocher-net.de and its required contents will be specified by the CA (and different every time you request a certificate). This is described at

and

Solved the issue by a copy job from one server to the other after adding the second name.

So I am happy now, I just need to write the copy script, then I am done…
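As an added example of the copy job described above (not the poster's script), here is a Certbot `--deploy-hook` that pushes a renewed certificate from the web host to the mail host and reloads the mail daemons there. Hostname `mta.example.com`, the unprivileged `certsync` account, the destination directory `/etc/ssl/mta`, and a sudo rule allowing that account to reload Postfix and Dovecot are all hypothetical. Certbot exports `RENEWED_LINEAGE` (the `/etc/letsencrypt/live/<name>` directory) to deploy hooks.

```shell
#!/bin/sh
# Added example, not from the thread: certbot --deploy-hook that copies the
# renewed fullchain/privkey to the mail host. Placeholders are hypothetical.
MTA_HOST="${MTA_HOST:-mta.example.com}"   # assumed: the Postfix/Dovecot host
MTA_USER="${MTA_USER:-certsync}"          # assumed: unprivileged account there
MTA_DEST="${MTA_DEST:-/etc/ssl/mta}"      # assumed: directory the MTA reads

# Validate the lineage directory and print the transfer plan. Returns 1 when
# a required file is missing, so a broken renewal never replaces a working
# certificate on the mail host with nothing.
plan_copy() {
    lineage="$1"
    for f in fullchain.pem privkey.pem; do
        [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    # -L follows the live/ symlinks into archive/; --chmod keeps the private
    # key unreadable by other users on the destination host.
    printf 'rsync -Lp --chmod=F0640 %s/fullchain.pem %s/privkey.pem %s@%s:%s/\n' \
        "$lineage" "$lineage" "$MTA_USER" "$MTA_HOST" "$MTA_DEST"
    printf 'ssh %s@%s sudo systemctl reload postfix dovecot\n' "$MTA_USER" "$MTA_HOST"
}

# Execute the plan; DRY_RUN=1 only prints it.
deploy() {
    plan="$(plan_copy "$1")" || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$plan"
    else
        sh -e -c "$plan"
    fi
}

# Only act when certbot invoked us after a successful renewal.
if [ -n "$RENEWED_LINEAGE" ]; then
    deploy "$RENEWED_LINEAGE" || exit 1
fi
```

Pass it as `--deploy-hook /usr/local/bin/mta-cert-deploy.sh` on the `certbot certonly` run (or set `renew_hook` in the renewal conf), and it runs only after an actual renewal, not on every `certbot renew` invocation. On the mail host, point `smtpd_tls_cert_file`/`smtpd_tls_key_file` in Postfix and `ssl_cert`/`ssl_key` in Dovecot at the copied files. The `certsync` account needs nothing beyond write access to the destination directory and the single sudo reload command.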
