Pound, varnish, apache: add a domain

Help
1

My domain is www.qumran2.net and other domains in a single certificate: the full list is:

anteprima.qumran2.net,benvenuto.cathopedia.org,bg.qumran2.net,bibbianuova.qumran2.net,bibbia.qumran2.net,blog.qumran2.net,cathopedia.org,commons.cathopedia.org,de.qumran2.net,disegni.qumran2.net,en.qumran2.net,es.qumran2.net,guaricano.chiesamissionaria.it,it.cathopedia.org,materiale.qumran2.net,next.cathopedia.org,palmaro.qumran2.net,phpinfo.cathopedia.org,phplist.qumran2.net,pretigenova92.qumran2.net,pt.qumran2.net,segreteria.qumran2.net,servizio.qumran2.net,weewx.qumran2.net,www.cathopedia.org,www.qumran2.net

I have a debian system:

  • apache2 listening on port 8080
  • varnish listening on port 80
  • pound listening on port 443

I want to add some more domains, and I ran this command:

sudo certbot-auto certonly --expand --cert-name qumran2 -d anteprima.qumran2.net,benvenuto.cathopedia.org,bg.qumran2.net,bibbianuova.qumran2.net,bibbia.qumran2.net,blog.qumran2.net,cathopedia.org,commons.cathopedia.org,de.qumran2.net,disegni.qumran2.net,en.qumran2.net,es.qumran2.net,euroflora.qumran2.net,guaricano.chiesamissionaria.it,it.cathopedia.org,materiale.qumran2.net,next.cathopedia.org,palmaro.qumran2.net,phpinfo.cathopedia.org,phplist.qumran2.net,pretigenova92.qumran2.net,www.pretionline.it,pt.qumran2.net,segreteria.qumran2.net,servizio.qumran2.net,weewx.qumran2.net,www.cathopedia.org,www.qumran2.net

Before that, I stopped varnish and pound, so that nothing uses ports 80 and 443.

The command produced this output:

$ sudo certbot-auto certonly --expand --cert-name qumran2 -d anteprima.qumran2.net,benvenuto.cathopedia.org,bg.qumran2.net,bibbianuova.qumran2.net,bibbia.qumran2.net,blog.qumran2.net,cathopedia.org,commons.cathopedia.org,de.qumran2.net,disegni.qumran2.net,en.qumran2.net,es.qumran2.net,euroflora.qumran2.net,guaricano.chiesamissionaria.it,it.cathopedia.org,materiale.qumran2.net,next.cathopedia.org,palmaro.qumran2.net,phpinfo.cathopedia.org,phplist.qumran2.net,pretigenova92.qumran2.net,www.pretionline.it,pt.qumran2.net,segreteria.qumran2.net,servizio.qumran2.net,weewx.qumran2.net,www.cathopedia.org,www.qumran2.net
[sudo] password for xxxx:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)

Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 2
Plugins selected: Authenticator standalone, Installer None

You are updating certificate qumran2 to include new domain(s):

You are also removing previously included domain(s):

Did you intend to make this change?

(U)pdate cert/©ancel: u
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for anteprima.qumran2.net
tls-sni-01 challenge for benvenuto.cathopedia.org
tls-sni-01 challenge for bg.qumran2.net
tls-sni-01 challenge for bibbianuova.qumran2.net
tls-sni-01 challenge for bibbia.qumran2.net
tls-sni-01 challenge for blog.qumran2.net
tls-sni-01 challenge for cathopedia.org
tls-sni-01 challenge for commons.cathopedia.org
tls-sni-01 challenge for de.qumran2.net
tls-sni-01 challenge for disegni.qumran2.net
tls-sni-01 challenge for en.qumran2.net
tls-sni-01 challenge for es.qumran2.net
http-01 challenge for euroflora.qumran2.net
tls-sni-01 challenge for guaricano.chiesamissionaria.it
tls-sni-01 challenge for it.cathopedia.org
tls-sni-01 challenge for materiale.qumran2.net
tls-sni-01 challenge for next.cathopedia.org
tls-sni-01 challenge for palmaro.qumran2.net
tls-sni-01 challenge for phpinfo.cathopedia.org
tls-sni-01 challenge for phplist.qumran2.net
tls-sni-01 challenge for pretigenova92.qumran2.net
http-01 challenge for www.pretionline.it
tls-sni-01 challenge for pt.qumran2.net
tls-sni-01 challenge for segreteria.qumran2.net
tls-sni-01 challenge for servizio.qumran2.net
tls-sni-01 challenge for weewx.qumran2.net
tls-sni-01 challenge for www.cathopedia.org
tls-sni-01 challenge for www.qumran2.net
Waiting for verification…
Cleaning up challenges

Domain: phplist.qumran2.net
Type: connection
Detail: Connection reset by peer

Domain: www.cathopedia.org
Type: connection
Detail: Timeout after connect (your server may be slow or
overloaded)

Domain: commons.cathopedia.org
Type: connection
Detail: Timeout after connect (your server may be slow or
overloaded)

Domain: it.cathopedia.org
Type: connection
Detail: Connection reset by peer

Domain: next.cathopedia.org
Type: connection
Detail: Connection reset by peer

Domain: palmaro.qumran2.net
Type: connection
Detail: Connection reset by peer

Domain: cathopedia.org
Type: connection
Detail: Timeout after connect (your server may be slow or
overloaded)

Domain: bibbia.qumran2.net
Type: connection
Detail: Timeout after connect (your server may be slow or
overloaded)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: bibbianuova.qumran2.net
    Type: connection
    Detail: Timeout after connect (your server may be slow or
    overloaded)

    Domain: phpinfo.cathopedia.org
    Type: connection
    Detail: Connection reset by peer

    Domain: blog.qumran2.net
    Type: connection
    Detail: Timeout after connect (your server may be slow or
    overloaded)

    Domain: www.qumran2.net
    Type: connection
    Detail: Timeout after connect (your server may be slow or
    overloaded)

    Domain: pt.qumran2.net
    Type: connection
    Detail: Timeout after connect (your server may be slow or
    overloaded)

    Domain: es.qumran2.net
    Type: connection
    Detail: Connection reset by peer

    Domain: pretigenova92.qumran2.net
    Type: connection
    Detail: Connection reset by peer

    Domain: guaricano.chiesamissionaria.it
    Type: connection
    Detail: Timeout after connect (your server may be slow or
    overloaded)

    Domain: disegni.qumran2.net
    Type: connection
    Detail: Timeout after connect (your server may be slow or
    overloaded)

    Domain: servizio.qumran2.net
    Type: connection
    Detail: Timeout after connect (your server may be slow or
    overloaded)

    Domain: materiale.qumran2.net
    Type: connection
    Detail: Connection reset by peer

    Domain: en.qumran2.net
    Type: connection
    Detail: Connection reset by peer

    Domain: de.qumran2.net
    Type: connection
    Detail: Timeout after connect (your server may be slow or
    overloaded)

    Domain: weewx.qumran2.net
    Type: connection
    Detail: Timeout after connect (your server may be slow or
    overloaded)

    Domain: segreteria.qumran2.net
    Type: connection
    Detail: Timeout after connect (your server may be slow or
    overloaded)

    Domain: bg.qumran2.net
    Type: connection
    Detail: Timeout after connect (your server may be slow or
    overloaded)

    Domain: phplist.qumran2.net
    Type: connection
    Detail: Connection reset by peer

    Domain: www.cathopedia.org
    Type: connection
    Detail: Timeout after connect (your server may be slow or
    overloaded)

    Domain: commons.cathopedia.org
    Type: connection
    Detail: Timeout after connect (your server may be slow or
    overloaded)

    Domain: it.cathopedia.org
    Type: connection
    Detail: Connection reset by peer

    Domain: next.cathopedia.org
    Type: connection
    Detail: Connection reset by peer

    Domain: palmaro.qumran2.net
    Type: connection
    Detail: Connection reset by peer

    Domain: cathopedia.org
    Type: connection
    Detail: Timeout after connect (your server may be slow or
    overloaded)

    Domain: bibbia.qumran2.net
    Type: connection
    Detail: Timeout after connect (your server may be slow or
    overloaded)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

The domains are correctly set, the server has a public IP, no firewall.

Why do I get timeout?

I’m attacching the log file:letsencrypt.log.txt (325.8 KB)

My web server is (include version):apache 2.4.10-10+deb8u12

The operating system my web server runs on is: debian jessie

My hosting provider, if applicable, is: hetzner

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

1 Like
2

Hi,

All domains you are trying to renew (expand) are using TLS-SNI-01, which was disabled.

So, you can rerun the command by adding --preferred-challenges http to your arguments.
Example.
sudo certbot-auto certonly --expand --cert-name qumran2 -d anteprima.qumran2.net,benvenuto.cathopedia.org,bg.qumran2.net,bibbianuova.qumran2.net,bibbia.qumran2.net,blog.qumran2.net,cathopedia.org,commons.cathopedia.org,de.qumran2.net,disegni.qumran2.net,en.qumran2.net,es.qumran2.net,euroflora.qumran2.net,guaricano.chiesamissionaria.it,it.cathopedia.org,materiale.qumran2.net,next.cathopedia.org,palmaro.qumran2.net,phpinfo.cathopedia.org,phplist.qumran2.net,pretigenova92.qumran2.net,www.pretionline.it,pt.qumran2.net,segreteria.qumran2.net,servizio.qumran2.net,weewx.qumran2.net,www.cathopedia.org,www.qumran2.net --preferred-challenges http

Also, let's encrypt now support wildcard certificates, so you can reduce the domain list by simply use
sudo certbor-auto --preferred-challenges dns -d "*.qumran2.net" -d "*.cathopedia.org" -d cathopedia.org -d qumran2.net
However, since your DNS provider seems have no known intergration to certbot (or any other third party softwares), you'll need to manually add/update txt records every three month. But it can save hell lots of time from entering domain names and expanding certificates (if is a subdomain of already included domains)

Thank you

1 Like
3

thank you!

however, running

sudo certbot-auto certonly --expand --cert-name qumran2 -d .qumran2.net,.cathopedia.org,cathopedia.org,guaricano.chiesamissionaria.it,www.pretionline.it,qumran2.net --preferred-challenges http

I get:

The currently selected ACME CA endpoint does not support issuing wildcard certificates.

:frowning:

1 Like
4

HI,

Then you can to upgrade to latest version of certbot-auto (for wildcard) or continue to use regular certificates.

Thank you

1 Like
5

@stevenzhu, since this is already certbot-auto without --no-self-upgrade, it’s probably already the most recent version.

@bmw, should I suppose that if you have an existing cert from the v1 endpoint and you try to renew it with the addition of a wildcard, it will fail unless you specifically specify the v2 endpoint?

1 Like
6

That is correct. When we make the change to make ACMEv2 the default, this will no longer be the case, but until then, you’ll have to specify the server on the command line if you want a wildcard.

1 Like
7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.