SOLVED: Tried to add a domain to existing certificate [docker run: forgot -p 443:443 -p 80:80 ]

I have a certificate already created:

Certificate Name: mail.sylvan.com
Domains: mail.sylvan.com,postfixadmin.sylvan.com,sylvan.com,webmail.sylvan.com,www.sylvan.com

I added spam.sylvan.com to my DNS, then went to add spam.sylvan.com:

certbot certonly --expand --standalone --agree-tos --rsa-key-size 4096 \
    -m postmaster@sylvan.com \
    -d mail.sylvan.com \
    -d postfixadmin.sylvan.com \
    -d sylvan.com \
    -d webmail.sylvan.com \
    -d www.sylvan.com \
     -d spam.sylvan.com

And I got this:

Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for mail.sylvan.com
tls-sni-01 challenge for postfixadmin.sylvan.com
tls-sni-01 challenge for sylvan.com
tls-sni-01 challenge for webmail.sylvan.com
tls-sni-01 challenge for www.sylvan.com
tls-sni-01 challenge for spam.sylvan.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. spam.sylvan.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to v
erify the domain :: Connection refused
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: spam.sylvan.com
   Type:   connection
   Detail: Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Tried again a couple of more times and then I see:

An unexpected error occurred:
There were too many requests of a given type :: Error creating new authz :: Too many invalid
authorizations recently.

I assume I’ve hit some rate limits. How do I add the one domain to this certificate?

Thanks!

Yes, but they tend to last only one hour.
So you can retry soon enough.

Just as you tried.

The problem is that port 443 was closed:

The --standalone method would normally start its own listener there, so perhaps there is a firewall blocking all such connections from the public, or you're not running this command directly on the 45.77.3.251 machine?

So --standalone was how I generated the certs to begin with.

I’m running the command directly on the machine. I stopped the running nginx and ran the command there.

I guess I will try again in an hour or two and report back if successful.

Thanks for the quick responses!

Did you leave nginx stopped? (ports 80 and 443 are still closed)
I see an active LE cert on port 25 (but it doesn't yet have the domain you wanted to add), so I can assume this is a mail server and maybe NOT also a webserver?
So does the nginx use ports 80 or 443?

It’s both a mailserver and web server. And yes, I left nginx stopped during the certbot run.

Have you tried again since then? Did you get the same kind of “Connection refused” failure? If so, could we see the log file from /var/log/letsencrypt?

Here is a gist with the log:

Anything else for me to try?

$ certbot --version
certbot 0.17.0

Solved. I’m an idiot.

Was using the letsencrypt docker container and did not include -p 80:80 and -p 443:443 in my arguments to docker run.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.