Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
It produced this output:
Cleaning up challenges
Failed authorization procedure. mta.kocher-net.de (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 6986a31a12219ce90b6f62782934c148.d1a8761794bbfe49b15e5bfbf18f162c.acme.invalid from 46.237.215.198:443. Received 2 certificate(s), first certificate had names “nextcloud.kocher-net.de”
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: mta.kocher-net.de
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
6986a31a12219ce90b6f62782934c148.d1a8761794bbfe49b15e5bfbf18f162c.acme.invalid
from 46.237.215.198:443. Received 2 certificate(s), first
certificate had names “nextcloud.kocher-net.de”
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
My web server is (include version): not available on this server
The operating system my web server runs on is (include version): debian stretch
My hosting provider, if applicable, is: local - cable with public IP
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
Hello, I have a cable connection with a static IP.
Port 443 is forwarded to the virtual server nextcloud.kocher-net.de.
Ports 25 / 993 should be forwarded to another virtual server, mta.kocher-net.de.
As both servers are seen with the same IP from the outside, it seems I cannot request certs for both.
Saw multiple threads talking about 2 web domains but have not found anything about 2 virtual hosts (different applications) behind 1 IP.
Maybe a newbie question, but how do I do that?
With my MTA I do not have port 80 or 443 open, and from what I found this would also be a prerequisite for the TLS auth.
I agree with @rg305’s suggestion of using the DNS authentication method. The other methods require inbound connections on port 443 or port 80, so they probably won’t work properly with your port forwarding setup unless you can somehow make the port forwarding application layer-aware.
So first the DNS authentication and afterwards the Apache authentication?
Have done it now the other way round.
If this works, is there any dependency in the renewal process?
thanks!
The order shouldn’t matter at all. Either order is fine.
For the renewal process, Certbot may require you to provide a script that performs the DNS record updates in order to be able to use certbot renew to renew certs that were obtained via the DNS method. (Partly for historical reasons, the DNS authentication support in Certbot is via the --manual plugin, which by default stops and asks you to make the specified change yourself. This behavior is incompatible with the automated renewals of certbot renew, which is designed to run completely unattended, for example from a cron job. However, if you do specify a script that can make the DNS changes for you in an unattended manner, then automated renewals will still be possible.)
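A worked example of the hook script mentioned above, added here and not part of this thread or of Certbot's own code. It assumes the DNS zone accepts RFC 2136 dynamic updates (nsupdate with a TSIG key); NSUPDATE_SERVER, NSUPDATE_ZONE and NSUPDATE_KEYFILE are variable names chosen for this example. CERTBOT_DOMAIN and CERTBOT_VALIDATION are the variables Certbot itself exports to --manual-auth-hook and --manual-cleanup-hook scripts, and the record the CA queries for a dns-01 challenge is _acme-challenge.<domain>.

```shell
#!/bin/sh
# Added example (not from the thread): a Certbot manual hook that publishes
# the dns-01 validation TXT record through nsupdate (RFC 2136), so that
# "certbot renew" can run unattended.
#
# Assumptions (example-specific, not Certbot names):
#   NSUPDATE_SERVER  - primary name server that accepts dynamic updates
#   NSUPDATE_ZONE    - the zone that holds the domain being validated
#   NSUPDATE_KEYFILE - TSIG key file handed to "nsupdate -k"
# Certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION in the hook environment.

set -eu

# Name of the TXT record the CA queries for a dns-01 challenge.
challenge_name() {
    printf '_acme-challenge.%s' "$1"
}

# Emit an nsupdate batch that adds or deletes the validation record.
#   $1 = add|delete   $2 = domain   $3 = validation token   $4 = zone
nsupdate_batch() {
    action="$1"; domain="$2"; token="$3"; zone="$4"
    name=$(challenge_name "$domain")
    printf 'server %s\n' "${NSUPDATE_SERVER:-ns1.example.invalid}"
    printf 'zone %s\n' "$zone"
    if [ "$action" = add ]; then
        # Short TTL: the record is throwaway and changes on every issuance.
        printf 'update add %s. 60 IN TXT "%s"\n' "$name" "$token"
    else
        # Remove every TXT record at the name once validation is over.
        printf 'update delete %s. IN TXT\n' "$name"
    fi
    printf 'send\n'
}

# Entry point. Certbot invokes the script as "<script> add" (auth hook) or
# "<script> delete" (cleanup hook). Nothing runs when CERTBOT_DOMAIN is unset,
# so the functions above can be exercised without touching DNS.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${1:-}" ]; then
    : "${NSUPDATE_ZONE:?set NSUPDATE_ZONE to the zone containing CERTBOT_DOMAIN}"
    : "${NSUPDATE_KEYFILE:?set NSUPDATE_KEYFILE to the TSIG key file}"
    nsupdate_batch "$1" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" "$NSUPDATE_ZONE" \
        | nsupdate -k "$NSUPDATE_KEYFILE"
    if [ "$1" = add ]; then
        # Give secondaries and recursive resolvers time to see the new record
        # before Certbot tells the CA to validate.
        sleep 30
    fi
fi
```

Usage: `certbot certonly --manual --preferred-challenges dns --manual-auth-hook "/usr/local/bin/dns-hook.sh add" --manual-cleanup-hook "/usr/local/bin/dns-hook.sh delete" -d mta.kocher-net.de`. Certbot records the hook commands in the certificate's renewal configuration, so a later `certbot renew` from cron reuses them without prompting. The TSIG key should be restricted (for example with a BIND `update-policy`) to TXT records under `_acme-challenge` so that a leaked key cannot rewrite the rest of the zone.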
Well, Nextcloud complains that I have already received a cert on the static IP I own.
So changing the A record seems not to be a solution, as I will still have a registered cert with my static IP.
As both names are pointing to the same IP, so with an identical A record, it seems there is no solution; maybe add an additional domain and then copy from one server to the other server after renewal. Might that be an option?
Sorry, the DNS record updates I’m referring to are not about changing your IP address at all. The DNS authentication method is a way of proving your control over a domain name to the Let’s Encrypt certificate authority. They do this by creating a new TXT record in your DNS zone as requested by the CA during the certificate request process. The TXT record will be for _acme-validation.mta.kocher-net.de and its required contents will be specified by the CA (and different every time you request a certificate). This is described at