Problem with certificate for my domain

Hello, i have a problem :frowning:

My domain is: mail.solit.by

I ran this command:

certbot --apache

It produced this output:

Failed authorization procedure. mail.solit.by (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested fd50c851382c1fc0a83afc0851ccd893.55c5b55c41c4286a7193848c2c99a6e5.acme.invalid from 93.85.95.69:443. Received 1 certificate(s), first certificate had names "control.solit.by, mail.solit.by, redmine.solit.by"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mail.solit.by
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   fd50c851382c1fc0a83afc0851ccd893.55c5b55c41c4286a7193848c2c99a6e5.acme.invalid
   from 93.85.95.69:443. Received 1 certificate(s), first certificate
   had names "control.solit.by, mail.solit.by, redmine.solit.by"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

What does it mean? And how I can solve it?

The operating system my web server runs on is (include version):
Linux debian 4.9.0-4-amd64 #1 SMP Debian 4.9.51-1 (2017-09-28) x86_64 GNU/Linux

And i have got a gateway on Kerio where i need to use certificates.
Thanks

Certbot is usually used to get a certificate for the first time or later to renew LE certificates.
In this case, you already have a cert installed but it can’t be renewed because it is a self-signed cert.

I’m not exactly sure how to best direct you.
But you could try to obtain a cert via --certonly and -webroot
Then replace the lines in the config to use the new LE cert.

If your server is behind a gateway that has its own certificate(s), then you can’t use the tls-sni-01 challenge which is what certbot --apache uses. However as @rg305 suggested you should be able to use the webroot plugin instead, eg: certbot certonly --webroot -w /path/to/your/web/root -d mail.solit.by

root@debian:~# certbot certonly --webroot -w /var/www/html -d mail.solit.by
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.solit.by
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. mail.solit.by (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.solit.by/.well-known/acme-challenge/ZbsE3S-r5FPu3EkR4WzuZ6xdPeCruLvfGjDXr7RMPPs: "

Error 404 Not Found <bo"

IMPORTANT NOTES:

but

telnet mail.solit.by 80

is successful

Are you sure that /var/www/html is correct?

If you manually create a file at /var/www/html/.well-known/acme-challenge/test, can you access that file at http://mail.solit.by/.well-known/acme-challenge/test in a browser?

according to help, yes…

Please place that file there and let us know, then anybody could check that.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.