(Solved) Can't create cert for sub domain

Please fill out the fields below so we can help you better.

My domain is: unifi.fait-group.ru

I ran this command: certbot certonly --agree-tos --rsa-key-size 4096 -m ivoryblade@me.com -d unifi.fait-group.ru --renew-by-default

It produced this output: Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for unifi.fait-group.ru
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. unifi.fait-group.ru (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested f4befb1a715ae029e9b63eb6cc3d071a.1b8b63713a5367cfd829a4d4f2e703c6.acme.invalid from [2a03:6f00:1::2]:443. Received 3 certificate(s), first certificate had names “*.timeweb.ru, timeweb.ru

My web server is (include version): none. I request cert for unifi controller

The operating system my web server runs on is (include version): Ubuntu 14.04

My hosting provider, if applicable, is: timeweb.ru

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hi @ivoryblade,

Your machine consistently shows extremely different behavior when accessed via IPv4 and IPv6. This is probably the underlying reason for this failure. For example, it seems to drop HTTP connections in IPv4 but accept them in IPv6, and give two different kinds of certificate errors for HTTPS connections in IPv4 and IPv6.

Before trying to get a certificate, you should ensure that the configuration of this machine for IPv4 and IPv6 is correct and basically equivalent, or else remove the DNS AAAA record to stop advertising IPv6 connections.

Thank you! I cleaned the AAAA record and successfully received the certificate!
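
One way to run the check recommended in the reply above before requesting a certificate, as an added example that is not part of the original thread: it connects to port 443 over IPv4 and over IPv6 separately and compares the certificate each address family serves. The function names `probe` and `compare` and the verdict labels are assumptions made for this example.

```python
import hashlib
import socket
import ssl
import sys

FAMILIES = {"IPv4": socket.AF_INET, "IPv6": socket.AF_INET6}


def probe(host, family, port=443, timeout=5.0):
    """Return (address, outcome): outcome is the SHA-256 of the leaf
    certificate, "no-record", or "error: <exception name>"."""
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return None, "no-record"
    addr = infos[0][4][0]
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # diagnostic only: we want to see which
    ctx.verify_mode = ssl.CERT_NONE  # certificate is served, not to trust it
    try:
        with socket.create_connection((addr, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    except OSError as exc:           # refused, timed out, TLS alert, ...
        return addr, "error: " + type(exc).__name__
    return addr, hashlib.sha256(der).hexdigest()


def compare(results):
    """Classify {"IPv4": (addr, outcome), "IPv6": (addr, outcome)}."""
    v4, v6 = results["IPv4"][1], results["IPv6"][1]
    if v4 == v6 == "no-record":
        return "unresolvable"    # no A and no AAAA record
    if "no-record" in (v4, v6):
        return "single-stack"    # only one family is advertised in DNS
    if v4.startswith("error") and v6.startswith("error"):
        return "unreachable"     # port 443 fails on both families
    if v4 == v6:
        return "consistent"      # same certificate on both families
    return "inconsistent"        # the situation described in the reply


if __name__ == "__main__":
    host = sys.argv[1]
    results = {name: probe(host, fam) for name, fam in FAMILIES.items()}
    for name, (addr, outcome) in results.items():
        print(f"{name:5} {addr or '-':40} {outcome}")
    print("verdict:", compare(results))
```

Run it with the hostname as the only argument. A verdict of `inconsistent` means the two address families need to be aligned, or the AAAA record removed, before validation is attempted.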
