Problem with certificate for my domain

Hello, I have a problem :(

My domain is: mail.solit.by

I ran this command:

certbot --apache

It produced this output:

Failed authorization procedure. mail.solit.by (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested fd50c851382c1fc0a83afc0851ccd893.55c5b55c41c4286a7193848c2c99a6e5.acme.invalid from 93.85.95.69:443. Received 1 certificate(s), first certificate had names "control.solit.by, mail.solit.by, redmine.solit.by"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mail.solit.by
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   fd50c851382c1fc0a83afc0851ccd893.55c5b55c41c4286a7193848c2c99a6e5.acme.invalid
   from 93.85.95.69:443. Received 1 certificate(s), first certificate
   had names "control.solit.by, mail.solit.by, redmine.solit.by"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

What does it mean? And how can I solve it?

The operating system my web server runs on is (include version):
Linux debian 4.9.0-4-amd64 #1 SMP Debian 4.9.51-1 (2017-09-28) x86_64 GNU/Linux

And I have got a gateway on Kerio where I need to use certificates.
Thanks

Certbot is usually used to get a certificate for the first time or later to renew LE certificates.
In this case, you already have a cert installed but it can’t be renewed because it is a self-signed cert.

I’m not exactly sure how to best direct you.
But you could try to obtain a cert via --certonly and --webroot.
Then replace the lines in the config to use the new LE cert.

If your server is behind a gateway that has its own certificate(s), then you can't use the tls-sni-01 challenge, which is what certbot --apache uses. However, as @rg305 suggested, you should be able to use the webroot plugin instead, e.g.: certbot certonly --webroot -w /path/to/your/web/root -d mail.solit.by

root@debian:~# certbot certonly --webroot -w /var/www/html -d mail.solit.by
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.solit.by
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. mail.solit.by (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.solit.by/.well-known/acme-challenge/ZbsE3S-r5FPu3EkR4WzuZ6xdPeCruLvfGjDXr7RMPPs: "

Error 404 Not Found <bo"

IMPORTANT NOTES:

but

telnet mail.solit.by 80

is successful

Are you sure that /var/www/html is correct?

If you manually create a file at /var/www/html/.well-known/acme-challenge/test, can you access that file at http://mail.solit.by/.well-known/acme-challenge/test in a browser?

According to help, yes…

Please place that file there and let us know, then anybody could check that.
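
The check suggested in this thread (put a file under the webroot's .well-known/acme-challenge/ directory and fetch it back over HTTP), as an added Python example that is not from the thread or from certbot. The function name and the probe file names are assumptions; the two arguments are the webroot passed to -w and the site's base URL.

```python
import secrets
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"  # path the http-01 validator requests


def webroot_serves_challenges(webroot, base_url, timeout=5.0):
    """Drop a probe file under webroot and fetch it back through base_url.

    Returns (ok, detail). Function and probe names are illustrative.
    """
    root = Path(webroot)
    name = "probe-" + secrets.token_hex(8)  # constructed name, not an ACME token
    body = secrets.token_hex(16)
    target = root / CHALLENGE_DIR / name
    # Remember which directories are new so cleanup leaves the webroot as found.
    created = [d for d in (root / CHALLENGE_DIR, root / ".well-known") if not d.exists()]
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(body)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{name}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            got = resp.read(4096).decode("utf-8", "replace").strip()
        if got == body:
            return True, f"{url} returned the probe content"
        return False, f"{url} answered with other content (different site or catch-all page)"
    except urllib.error.HTTPError as exc:
        # e.g. 404: the host name is served from some other directory or machine
        return False, f"{url} answered HTTP {exc.code}"
    except OSError as exc:  # URLError, timeouts, refused connections
        return False, f"{url} unreachable: {exc}"
    finally:
        target.unlink(missing_ok=True)
        for d in created:  # deepest first
            try:
                d.rmdir()
            except OSError:
                pass  # directory gained other files; leave it alone


if __name__ == "__main__":
    import sys
    ok, detail = webroot_serves_challenges(sys.argv[1], sys.argv[2])
    print("OK" if ok else "FAIL", detail)
    sys.exit(0 if ok else 1)
```

Run it as a user that can write to the webroot. An HTTP 404 here while the port answers matches the situation in this thread: something is listening on port 80, but it does not serve files from the directory given to -w.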
