Setting up Let's Encrypt

I am setting up a VM for Let's Encrypt domain certificate creation, creating a SAN certificate, and auto renewal. The VM is on RHEL 8. I need guidance to set up the environment.

Thanks
Pradeep

2 Likes

I have installed certbot, and when executing the certificate creation command I get the error below. Can you please help me in fixing the issue?

certbot --nginx -d www.mytestredirect.unilever.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for www.mytestredirect.unilever.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: www.mytestredirect.unilever.com
Type: unauthorized
Detail: 2600:1418:a000:292::1a47: Invalid response from https://www.qtips.com/: "\n\n\n<!"

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Do you control unilever.com? Somehow I doubt it.

3 Likes

When you want to get a certificate for a particular domain you have two main ways to prove you "control" your domain/subdomain before a certificate will be issued:

  • HTTP domain validation: this makes an HTTP (TCP port 80) request to the /.well-known/acme-challenge/ path on your domain, and your ACME client (usually running on your web server) needs to provide the response.
  • DNS domain validation: this involves an automated update to a TXT record on your domain, e.g. you would need to populate _acme-challenge.www.mytestredirect in the unilever.com DNS zone. Typically for large organisations you won't have the necessary DNS control to do that, but you can arrange a CNAME redirection to a zone you do control or to a challenge-response DNS service (there are free and commercial options for that).

In your above example you got the response:

Domain: www.mytestredirect.unilever.com
Type: unauthorized
Detail: 2600:1418:a000:292::1a47: Invalid response from https://www.qtips.com/: "\n\n\n

This means your domain (when accessed via IPv6) redirected to www.qtips.com, which might be correct, but that domain is served by various Akamai edge CDN infrastructure and it's unlikely that your server will be reachable via that.

Assuming you work for Unilever, you will need to speak to your internal networking or PKI team, as I'd be fairly confident an organisation of that size is already managing their certificates/PKI in a formal way.

3 Likes
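The failure above is the CA fetching the challenge over the hostname's AAAA address and being redirected to a different site. Before re-running certbot it is worth reproducing that fetch yourself, per address family, without following redirects. The script below is an added example and not part of the thread or of certbot; it assumes curl and getent are available on the RHEL 8 box, that the hostname resolves locally to the same addresses public DNS returns (compare with dig against an external resolver), and it uses a dummy token name "preflight-test" that you would drop into the challenge directory. As I understand Let's Encrypt's validation behaviour, the AAAA address is tried first when one exists and IPv4 is only used after a connection-level failure, not after an HTTP-level answer like a redirect to the wrong site, which is why each address must be checked on its own.

```shell
#!/bin/sh
# Added example, not from the thread: preflight an HTTP-01 validation the way
# the CA will see it. Hostnames, token and paths are assumptions.
# Usage: sh acme-preflight.sh check www.mytestredirect.unilever.com [token]

# classify_hop HOST STATUS LOCATION
# Judge the first hop of a challenge fetch. The CA follows redirects, so a
# redirect is acceptable only if whatever it lands on also serves the token;
# a redirect to some other site almost never does.
classify_hop() {
  host=$1; status=${2:-000}; location=$3
  case $status in
    200)
      echo "OK: served directly" ;;
    301|302|303|307|308)
      loc_host=${location#*://}     # drop scheme
      loc_host=${loc_host%%/*}      # drop path
      case $loc_host in
        \[*) loc_host=${loc_host#\[}; loc_host=${loc_host%%\]*} ;;  # IPv6 literal
        *)   loc_host=${loc_host%%:*} ;;                            # drop :port
      esac
      if [ "$loc_host" = "$host" ]; then
        echo "OK: redirect stays on $host ($location); that listener must serve the token too"
      else
        echo "WARN: redirect leaves $host for $loc_host ($location); the CA will look for the token there"
      fi ;;
    404)
      echo "INFO: 404 from the server that answered; fine for certbot --nginx if it is yours, wrong for --webroot" ;;
    000)
      echo "FAIL: no HTTP response (connection failed or timed out)" ;;
    *)
      echo "FAIL: HTTP $status instead of the token" ;;
  esac
}

# addresses HOST: each distinct A/AAAA address the local resolver returns.
# Public DNS is what the CA sees; cross-check with `dig +short A/AAAA HOST @1.1.1.1`.
addresses() {
  getent ahosts "$1" | awk '{ print $1 }' | sort -u
}

# probe HOST TOKEN: fetch the challenge path over every address, v4 and v6,
# without following redirects, and classify each first hop.
probe() {
  host=$1; token=$2
  path="/.well-known/acme-challenge/$token"
  for ip in $(addresses "$host"); do
    case $ip in
      *:*) url="http://[$ip]$path" ;;
      *)   url="http://$ip$path" ;;
    esac
    # -w prints the status and, for 3xx, the Location target; 000 means no response
    out=$(curl -s -o /dev/null --max-time 10 -H "Host: $host" \
               -w '%{http_code} %{redirect_url}' "$url")
    set -- $out
    printf '%s %s -> ' "$host" "$ip"
    classify_hop "$host" "${1:-000}" "${2:-}"
  done
}

if [ "${1:-}" = "check" ] && [ -n "${2:-}" ]; then
  probe "$2" "${3:-preflight-test}"
fi
```

Run it against each name you intend to put on the certificate; every printed line should start with OK (or INFO when using the nginx authenticator). A WARN line on the IPv6 address with a different host in the Location header is exactly the situation in the error above, and the fix is in DNS or at the CDN, not in certbot.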

Thank you,

We don't have a web server to perform the HTTP domain validation.

I have created two DNS records in Azure DNS, redirecttest.unilever.com and redirecttest1.unilever.com, to generate a multi-domain (SAN) certificate.

It will expire after 90 days. During renewal, do I again need to create a new TXT record with a new value, or shall I use the existing value for the domain validation?

If I am going with HTTP validation, do I need to create a web server for each domain, or can I do the renewal and domain creation with the help of one web server?

Thanks
Pradeep

I checked earlier today and saw an nginx server performing the HTTP -> HTTPS redirect. So, why couldn't you use that to satisfy the challenge?

Although, currently nothing replies to requests to either of your redirecttest subdomains.

Every challenge has a unique TXT value.

A single web server can manage numerous domain names. Nginx does this with "server blocks". Apache with "VirtualHosts". Refer to their respective docs. This is very basic and common server configuration.

You can use HTTP Challenge as long as the web server replies correctly to requests for the domain requested.

2 Likes
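To make the "one web server, many names" point concrete on a RHEL 8 nginx redirector, here is an added example that is not from the thread or from certbot: it renders a single server block that answers for every hostname you pass, serves HTTP-01 tokens from a webroot, and 301-redirects everything else, then validates and reloads nginx and requests one SAN certificate with the webroot authenticator. The webroot path, config file name and redirect target are assumptions; replace them with your own.

```shell
#!/bin/sh
# Added example, not from the thread: one nginx server block for several
# hostnames, challenge path served from a webroot, everything else redirected.
# Usage: sh acme-redirect-site.sh install https://www.unilever.com \
#            redirecttest.unilever.com redirecttest1.unilever.com

WEBROOT=/var/www/acme                       # assumed; /var/www keeps the default
                                            # SELinux context so nginx may read it
CONF=/etc/nginx/conf.d/acme-redirect.conf   # RHEL 8 nginx includes conf.d/*.conf

# render_acme_redirect_conf TARGET HOST...
# Print the port-80 server block. ^~ gives the challenge location priority so
# no regex location or the catch-all redirect can swallow a token request.
# Listening on [::]:80 matters: the CA uses the AAAA address when there is one.
render_acme_redirect_conf() {
  target=$1; shift
  cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $*;

    location ^~ /.well-known/acme-challenge/ {
        root $WEBROOT;
        default_type text/plain;
    }

    location / {
        return 301 $target\$request_uri;
    }
}
EOF
}

# install_site TARGET HOST...
# Write the config, check it, reload nginx, then request one certificate
# covering every name (one -d per name; the first name names the lineage
# under /etc/letsencrypt/live/). `certbot renew` reuses these settings.
install_site() {
  target=$1; shift
  mkdir -p "$WEBROOT/.well-known/acme-challenge"
  render_acme_redirect_conf "$target" "$@" > "$CONF"
  nginx -t && systemctl reload nginx
  args=""
  for h in "$@"; do args="$args -d $h"; done
  # shellcheck disable=SC2086  # $args is built from hostnames, which contain no spaces
  certbot certonly --webroot -w "$WEBROOT" $args \
    --deploy-hook "systemctl reload nginx"
}

if [ "${1:-}" = "install" ] && [ $# -ge 3 ]; then
  shift
  install_site "$@"
fi
```

Adding a name later is one more -d on the certbot line and one more token in server_name; nothing else changes. The HTTPS side (a 443 block pointing at /etc/letsencrypt/live/<first name>/fullchain.pem and privkey.pem, or `certbot install --nginx`) is a separate step once the certificate exists.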

Thanks, I can see:
_acme-challenge.redirecttest.unilever.com. 300 IN TXT "hzbPfDfo6FiCbCdJYc9XSFmVUHCznOl6ZWzvN0b7VN4"

You will need to generate new values every time you renew the certificate, yes.

If you have API access to Azure DNS you can configure DNS validation to work automatically. You have the option of creating an auth subdomain zone in Azure DNS (e.g. acme-auth.unilever.com) and CNAMEing your real _acme-challenge records to that (e.g. _acme-challenge.redirecttest.unilever.com CNAME to _acme-challenge.redirecttest.acme-auth.unilever.com), so that your updates via the DNS API only have to touch that zone and the API credentials can only affect that zone. How that's configured depends on the ACME client you are using.

If your actual aim is just to set up domain redirections with HTTPS, you could use Azure Application Gateway to do that without setting up any new web servers.

2 Likes
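The CNAME-delegation setup in the last reply, and the point from the earlier one that every renewal gets a fresh TXT value, can be automated with certbot's manual hooks and the Azure CLI. The script below is an added example, not from the thread, certbot or Microsoft: it assumes a delegated zone acme-auth.unilever.com in a resource group whose name is a placeholder, a service principal scoped to that zone only (so the real unilever.com zone is never writable from this VM), the az and dig commands on the VM, and a hook path of /usr/local/bin/acme-azure-hook.sh. The hook refuses to publish a token unless the CNAME really points into the delegated zone, which is the usual cause of a DNS-01 that "published the record but still failed".

```shell
#!/bin/sh
# Added example, not from the thread: certbot manual hooks that write the
# DNS-01 token into a delegated Azure DNS zone reached through a CNAME, e.g.
#   _acme-challenge.redirecttest.unilever.com  CNAME  _acme-challenge.redirecttest.acme-auth.unilever.com.
#
# One-time setup (placeholders in angle brackets), by whoever owns the subscription:
#   az network dns zone create -g <rg> -n acme-auth.unilever.com
#   az role assignment create --assignee <sp-app-id> --role "DNS Zone Contributor" \
#     --scope /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/dnszones/acme-auth.unilever.com
#
# Issuance; `certbot renew` later re-runs the same hooks with new tokens:
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook    "/usr/local/bin/acme-azure-hook.sh auth" \
#     --manual-cleanup-hook "/usr/local/bin/acme-azure-hook.sh cleanup" \
#     -d redirecttest.unilever.com -d redirecttest1.unilever.com

PARENT=unilever.com                 # zone the real names live in (not ours to write)
AUTH_ZONE=acme-auth.unilever.com    # the only zone the service principal may write
RG=${ACME_AZURE_RG:-rg-acme-dns}    # resource group holding AUTH_ZONE (assumed name)

# delegated_record_name FQDN PARENT
# Map a validated name to its relative record set name inside AUTH_ZONE:
#   redirecttest.unilever.com -> _acme-challenge.redirecttest
# Fails if FQDN is not below PARENT, so a typo cannot create a stray record.
delegated_record_name() {
  fqdn=$1; parent=$2
  rel=${fqdn%".$parent"}
  if [ "$rel" = "$fqdn" ] || [ -z "$rel" ]; then
    echo "$fqdn is not below $parent" >&2
    return 1
  fi
  printf '_acme-challenge.%s\n' "$rel"
}

# expected_cname FQDN: the CNAME target the PARENT zone must carry for FQDN
# (with the trailing dot, as dig +short prints it).
expected_cname() {
  printf '%s.%s.\n' "$(delegated_record_name "$1" "$PARENT")" "$AUTH_ZONE"
}

# auth_hook: certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION.
auth_hook() {
  name=$(delegated_record_name "$CERTBOT_DOMAIN" "$PARENT") || exit 1
  want=$(expected_cname "$CERTBOT_DOMAIN")
  got=$(dig +short CNAME "_acme-challenge.$CERTBOT_DOMAIN")
  if [ "$got" != "$want" ]; then
    echo "CNAME for _acme-challenge.$CERTBOT_DOMAIN is '$got', expected '$want'" >&2
    exit 1
  fi
  az network dns record-set txt add-record -g "$RG" -z "$AUTH_ZONE" \
    -n "$name" -v "$CERTBOT_VALIDATION" >/dev/null
  sleep 30   # let Azure's authoritative servers publish it (assumed sufficient)
}

# cleanup_hook: remove exactly the value we added; Azure drops the empty set.
cleanup_hook() {
  name=$(delegated_record_name "$CERTBOT_DOMAIN" "$PARENT") || exit 1
  az network dns record-set txt remove-record -g "$RG" -z "$AUTH_ZONE" \
    -n "$name" -v "$CERTBOT_VALIDATION" >/dev/null
}

case ${1:-} in
  auth)    auth_hook ;;
  cleanup) cleanup_hook ;;
esac
```

Because the record set name is derived from CERTBOT_DOMAIN, a SAN certificate for several names writes one TXT per name and the cleanup hook removes only the value it published, so stale tokens from earlier renewals never accumulate in the zone.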