Problem running Certbot with apache


#1

Hi, I have a problem when I run Certbot with Apache from Ubuntu.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for textilprint.com.co
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. textilprint.com.co (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 89675ce6f2a8a721c3ec1e55b02fe4fa.95e929fceceae23fe7c7cd42f82057e4.acme.invalid from 192.185.128.23:443. Received 3 certificate(s), first certificate had names “*.ehosts.com, ehosts.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: textilprint.com.co
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    89675ce6f2a8a721c3ec1e55b02fe4fa.95e929fceceae23fe7c7cd42f82057e4.acme.invalid
    from 192.185.128.23:443. Received 3 certificate(s), first
    certificate had names “*.ehosts.com, ehosts.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

I don't have any idea how to resolve this problem.


#2

Is ehosts.com your hosting provider? If so … I think your best bet might be to find an alternative.

  • You said your server is running apache, but the Server header says it’s nginx.
  • You used the --standalone plugin. However, the server seems to be responding on port 443, which means the standalone plugin should have failed to listen on that port, which it apparently didn’t - it thought it was listening and asked the CA to connect to it.
  • The certificate that’s being presented is a wildcard cert for *.ehosts.com

So it seems that your apache server is sitting behind an nginx reverse proxy controlled by the hosting provider. That means they must install any certificates for you.

Here is what they say about that (ehosts.com redirects to www.ehost.com so I assume they’re the same company):

https://support.ehost.com/articles/ssl-certificates/acquire-ssl/im-going-to-purchase-my-own-ssl-what-do-i-need-to-know

Let’s Encrypt certificates need to be renewed at least every 3 months, so that’s 40… I’m not sure what currency those prices are in, but there’s a good chance it will work out more expensive than purchasing and installing a cheap multi-year certificate from a commercial CA. The arduous installation process is also an unfortunate barrier and will likely make it impossible to set up automated renewals.

Unsurprisingly, they also sell certificates themselves.

It may be that they have some other hosting options that are compatible with Let’s Encrypt. I haven’t seen anything about that on their website, though.

If you want to look for alternatives, the list of shared hosting providers that support Let’s Encrypt is here:

(If ehosts is not your hosting provider, then my next best guess is that you mistyped your domain name…)
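
The diagnosis in post #2, as an added example that is not part of the thread or of Certbot: it parses the error detail quoted in post #1 and classifies which TLS endpoint answered the CA's connection. The function names and result labels are assumptions made for this example.

```python
import re

# Error detail copied from the certbot output in post #1. The page cuts it off
# after the second name, so the pattern below does not require a closing quote.
DETAIL = (
    "Incorrect validation certificate for tls-sni-01 challenge. Requested "
    "89675ce6f2a8a721c3ec1e55b02fe4fa.95e929fceceae23fe7c7cd42f82057e4.acme.invalid "
    "from 192.185.128.23:443. Received 3 certificate(s), first certificate "
    "had names \u201c*.ehosts.com, ehosts.com"
)

PATTERN = re.compile(
    r'Requested (?P<requested>\S+) from (?P<ip>\S+?):(?P<port>\d+)\. '
    r'Received (?P<count>\d+) certificate\(s\), first certificate had names '
    r'["\u201c](?P<names>[^"\u201d]*)'
)


def parse_detail(text):
    """Extract the requested SNI name, the endpoint and the presented names."""
    m = PATTERN.search(" ".join(text.split()))  # undo certbot's line wrapping
    if m is None:
        return None
    names = [n.strip().lower() for n in m.group("names").split(",") if n.strip()]
    return {"requested": m.group("requested").lower(), "ip": m.group("ip"),
            "port": int(m.group("port")), "count": int(m.group("count")),
            "names": names}


def covers(cert_name, host):
    """True if a certificate name matches host; '*' covers one leftmost label."""
    if cert_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return cert_name == host


def diagnose(text, domain):
    """Classify who answered the CA's connection (labels are hypothetical)."""
    info = parse_detail(text)
    if info is None:
        return "unparsed"
    if info["requested"] in info["names"]:
        return "challenge-cert-served"   # validation reached the ACME client
    if any(covers(n, domain.lower()) for n in info["names"]):
        return "own-site-cert-served"    # the site's web server answered instead
    return "foreign-endpoint"            # e.g. a provider's front-end proxy
```

For the output in post #1, `diagnose(DETAIL, "textilprint.com.co")` returns `"foreign-endpoint"`: the certificate names belong to neither the challenge nor the domain being validated.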


#3

Also this on their homepage:

"In an effort to provide customers with the best hosting experience possible, we have made the decision to take eHost offline and begin directing visitors to our partner brands. Over the next few months, we’ll be transitioning customers to a new platform that delivers a better experience and outstanding support."

I’d start looking at a new host.

