I have domain example.com I have two physical servers.They include two dns servers and two proxy servers. DNS configs are the same with proper IP’s. When I request new certificate on new proxy server then let’s encrypt check http://… .well-known/acme-challenge at second, old IP server. Ofcourse it’s fail. How to redirect request let’s encrypt to new site with proper IP
Hi @gongarek
then your configuration is wrong. Letsencrypt follows your dns settings.
What's your domain name?
Let’s Encrypt will check any server that’s listed in the DNS records. But it will also follow HTTP redirects, so one option is to create a new subdomain like validation.example.com that only points to one instance (the one where you want to request the certificates). Then you can make both servers send an HTTP redirect for anything under http://www.example.com/.well-known/acme-challenge/ to the corresponding resource at http://validation.example.com/.well-known/acme-challenge/ so Let’s Encrypt will follow that redirect and request the challenge token from the indicated server.
1 Like
My domain is bluedental.pl
There is only one public IP address visible. I had expected, there are two different ip addresses ( https://check-your-website.server-daten.de/?q=bluedental.pl ).
| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| bluedental.pl | A | 37.190.144.15 Warsaw/Mazovia/Poland (PL) - MMP Hostname: host-37-190-144-15.dynamic.mm.pl | yes | 1 | 0 |
| AAAA | yes | ||||
| www.bluedental.pl | A | 37.190.144.15 Warsaw/Mazovia/Poland (PL) - MMP Hostname: host-37-190-144-15.dynamic.mm.pl | yes | 1 | 0 |
| AAAA | yes |
But if you use only one external ip address, you must have an internal instance that says:
Request 1 -> Server 1
Request 2 -> Server 2
So you should modify that internal instance. If the request starts with /.well-known/acme-challenge, always the same server is used.
PS: You use the same server as your authoritative name server. But such a server must support dns over TCP / port 53. Your tcp port 53 is blocked. That's bad.
I have two external IP, but I was configuring my dns servers when You check the domain. That’s why You see only one IP. So I should have output on https://check-your-website.server-daten.de/ something like this:
bluedental.pl 37.190.144.15
37.190.144.3
www.bluedental.pl 37.190.144.15
37.190.144.3
Is it correct?
Next question. How should zone file look like on both servers?
TTL 86400
@ IN SOA (2017121413 10800 604800 10800 )
@ IN NS ns1.bluedental.pl
@ IN NS ns2.bluedental.pl
ns1 IN A 37.190.144.3
ns2 IN A 37.190.144.15
@ IN A 37.190.144.15
www IN A 37.190.144.15
@ IN A 37.190.144.3
www IN A 37.190.144.15
What’s wrong with that configuration?
Then recheck the domain to see, if your new configuration is visible.
As You can see this configs not work as I supposed
That maybe more a problem of my tool. I have to find a solution querying the raw dns NS result which sends additional ip addresses of the name servers with the same domain name.
But if you have two different public ip addresses then use the solution of @schoen :
Add an additional subdomain (perhaps challenge.bluedental.pl), then add redirects
http://bluedental.pl/.well-known/acme-challenge/random-filename -> challenge.bluedental.pl/.well-known/acme-challenge/random-filename
same with your www version, then run certbot with the challenge.bluedental.pl - webroot.
1 Like
Where should I add these redirects? bluedental.pl or validation.bluedental.pl nginx configuration file?
rewrite http://bluedental.pl/.well-known/acme-challenge/( .* ) validation.bluedental.pl/.well-known/acme-challenge/( .* );
rewrite http://www.bluedental.pl/.well-known/acme-challenge/( .* ) validation.bluedental.pl/.well-known/acme-challenge/( .* );
Should I use certbot command with validation.bluedental.pl, bluedental.pl and www.bluedental.pl?
Command with certbot:
certbot certonly --webroot -w /var/www/html -d validation.bluedental.pl
I tryied many configurations on different domains too and I always get Certificate error: RemoteCertificateNameMismatch
I am sorry for my silly questions. I am newbie . This is my first time when I am working with certificates. Thanks for patience 
The source vHost needs that redirect, not the destination vHost.
If you use such a redirect to another domain, Certbot must be able to write the destination directory in validation.babyprinter.com. So use that webroot.
You want a certificate with bluedental, so you have to add these domain names. If you create a certificate with validation, triple-check there is no loop validation -> validation.
First of all, please get acquainted with my previous post. I made a few mistakes with domain names. I edited previous post. Now everything looks correctly. I didn't check my previous post carefully.
I am not sure what mean source vHost. I guess it is validation.bluedental.pl, because we will get certificate from this subdomain. But on the other hand, source vHost could be bluedental.pl, because from bluedental.pl domain we request the certificate to validation.bluedental.pl subdomain.
So what source vHost is? 
A redirect has a source and a destination.
The destination knows nothing about the source.
But the source must send a http status 301 / 302 with the redirect destination.
-->> you have to add the redirect rule in your source vHost, not in the destination.
1 Like
I don't understand these bold sentences.
Can You write it more clear? 
Webroot is plugin. Must I use --webroot? Can I use nginx plugin? I will have problem with --webroot-path because whole site content files are in docker container. I am using:
location / {
proxy_pass " http://localip:port_to_container";
}
If you use a redirect to another domain, you can't use the nginx authenticator. That tries to modify the original domain, not the destination of your redirect.
Then don't use docker. Why do you need that if you have a new subdomain only to validate the domain names? Makes things too complicated.
It could still potentially work depending on how the redirect is configured, because the nginx plugin will hope to ignore the redirect when satisfying the challenges. However, there are certainly ways of configuring things where the nginx authenticator would not be able to do this.
1 Like
Yes, if there is only one configuration file that must be modified.
But the setup with these two different ip addresses and the problem, that Letsencrypt selects the "wrong server":
Sounds, there are two webserver / two config files.
But @gongarek : Why are these two ip addresses not consistent?
1 Like
I have two webservers and two config files. two routers and two modems. I wanted have two IP for being absolutelly independ. Just for that.
My dns config file on server 1 is:
...
@ IN NS ns1.bluedental.pl.
@ IN NS ns2.bluedental.pl.
ns1 IN A 37.190.144.3
ns2 IN A 37.190.144.15
@ IN A 37.190.144.3
www IN A 37.190.144.3
...
My dns config file on server 2 is:
...
@ IN NS ns1.bluedental.pl.
@ IN NS ns2.bluedental.pl.
ns1 IN A 37.190.144.3
ns2 IN A 37.190.144.15
@ IN A 37.190.144.15
www IN A 37.190.144.15
...
True
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.