Question regarding the actual TLS-SNI issue


#1

My domain is: sise-it.com

I ran this command: ./letsencrypt-auto; after that I selected my subdomain office.sise-it.com
I already have the cert for the main domain.

It produced this output: “Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.”

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 16.04 LTS

My hosting provider, if applicable, is: I have my own server at home and I’m using a DynDNS A record with Namecheap

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

My question now is: Can I obtain a cert for my subdomain with any workaround? Or do I just have to wait for a bugfix? Is this a problem of my Internet provider or my domain provider, or even both?

Or is it even my fault? In the past I never had problems with this…


#2

Please see https://community.letsencrypt.org/t/tls-sni-challenges-disabled-for-most-new-issuance

Since this is for a sub-domain: do you use a different account key for the sub-domain than for the domain? Can you use the domain account key to obtain the certificate for the domain and subdomain?


#3

Do you mean the DynDNS update via ddclient? That shouldn’t be a problem because I’m updating sise-it.com via ddclient and “office.sise-it.com” is pointing to “sise-it.com” (CNAME record).


#4

How can I implement the HTTP-01 or DNS-01 challenges?
I have always used ./letsencrypt-auto up to this point, and this uses TLS-SNI automatically, right?


#5

This thread explains what you can do with Certbot:

The next version of Certbot should work by default, using HTTP-01 with Apache.


#6

OK, so I just need to wait for the next update, right…
Is ./letsencrypt-auto = certbot, or is that another method to obtain certs?
I’m just asking this because the “certbot” command is not found on my machine. I tried to execute it while in /etc/letsencrypt


#7

Yes. The project was renamed from “letsencrypt” to “Certbot”, but letsencrypt-auto/certbot-auto operates, and automatically upgrades itself, regardless of what the program is named.

