[Solved] Certificates from virtual machines?


#1

Please fill out the fields below so we can help you better.

My domain is:
inicio.taoapp.co

I ran this command:
./certbot-auto certonly --standalone --email aplicaciones2@osgroup.co -d inicio.taoapp.co

It produced this output:
Failed authorization procedure. inicio.taoapp.co (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 190.0.20.74:443 for TLS-SNI-01 challenge

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: inicio.taoapp.co
   Type:   connection
   Detail: Failed to connect to 190.0.20.74:443 for TLS-SNI-01
   challenge

My operating system is (include version):
Centos 6.7

My web server is (include version):
Not applicable, using standalone version.

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

I’m running the command from a VM. My theory is that since we’re using virtualization software to provide different apps in isolated envs and exposing them on different ports of the domain (say port 3000 as an example has app A and 4000 has app B), based on the output I think some app or service in the host has port 443 in use.


#2

Yes, the short answer is that externally you can’t reach 190.0.20.74:443 on your VM, which is required to use that method of proof of ownership. You either need to ensure all the port forwarding is in place to be able to reach port 443 on the VM, or possibly use the DNS-01 challenge.


#3

Those VMs are port forwarding to each VM with Fortigate, so I need to tell the Fortigate to expose ports 80 and 443 to that specific VM and then generate the certificate, right?

So I need to expose ports 80 and 443 of the VM to the outside world, or just bind ports 80 and 443 of the public domain to the VM’s random ports and tell certbot-auto to use those ports?


#4

certbot will only use port 80 or 443 (443 if using the tls-sni-01 challenge). So yes, you need to expose ports 80 and 443 of the VM to the outside world.

correct.
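A pre-flight check that turns the advice in posts #2 and #4 into something you can run before invoking certbot: it resolves the name and tests whether TCP ports 80 and 443 actually accept connections, which is exactly what the ACME server failed to do in the error above. This is an added example, not code from this thread or from certbot; the default hostname `example.com` is a placeholder.

```python
"""Pre-flight reachability check for `certbot --standalone`.

Added example (not from the thread or from certbot). certbot's standalone
mode only ever listens on port 80 (http-01) or 443 (tls-sni-01), so if the
ACME server cannot open a TCP connection to one of those ports on the
public address, the challenge fails before any certificate is issued.
Run this from OUTSIDE the network: from inside the VM a hairpin-NAT
firewall may answer even though the public side is not forwarded.
"""
import socket

DEFAULT_PORTS = (80, 443)   # the only ports certbot standalone will use


def resolve(hostname):
    """Return the set of addresses the name resolves to (empty on failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except socket.gaierror:
        return set()


def port_reachable(address, port, timeout=3.0):
    """True if a TCP handshake to address:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:   # refused, timed out, unreachable, ...
        return False


def preflight(hostname, ports=DEFAULT_PORTS, timeout=3.0):
    """Map each (address, port) pair to its reachability; {} if the name does not resolve."""
    return {(addr, port): port_reachable(addr, port, timeout)
            for addr in sorted(resolve(hostname)) for port in ports}


def report(hostname, ports=DEFAULT_PORTS):
    """Print one line per address/port and return True only if everything is open."""
    results = preflight(hostname, ports)
    if not results:
        print(f"{hostname}: does not resolve; fix DNS before running certbot")
        return False
    all_open = True
    for (addr, port), reachable in results.items():
        state = "open" if reachable else "CLOSED: forward this port to the VM"
        print(f"{hostname} -> {addr}:{port} {state}")
        all_open = all_open and reachable
    return all_open


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder
    sys.exit(0 if report(target) else 1)
```

If either port reports CLOSED, the same connection error certbot printed will recur until the forwarding rule on the firewall points that port at the VM.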


#5

If all VMs just serve their app on a random port of the public domain, and I want the domain itself to have the SSL certificate, basically serving up all apps over HTTPS, can I just generate 1 certificate and copy it over to each VM since the public domain is the same?


#6

If it’s the same domain name, then yes, you can copy the cert over to the various VMs.


#7

But they would have to be served on different ports. Are SSL certificates port agnostic? (Say I enable VM3 with port 3000 and provide it the cert, will it still work as HTTPS?)

I promise this is the last question :stuck_out_tongue:


#8

Yes, the certificate is for the domain not for specific ports, so it will work fine on other ports.


#9

@serverco Man, thanks, I’ll let you know if I succeed in the task.

:slight_smile: :thumbsup:


#10

It works, thanks. Last question: does it have to run from the server that is behind the domain?


#11

If you are using certbot - yes.

If you are using some of the alternative clients, then no (getssl, one of the bash clients, is designed to be run on a server remote to the domain itself).

