Starting point / example Apache VHOST configuration

fulldecent · June 1, 2017, 5:50pm

My operating system is (include version):

CentOS 7

I installed Certbot with (certbot-auto, OS package manager, pip, etc):

Using

yum -y install yum-utils
yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
sudo yum install python-certbot-apache

I ran this command and it produced this output:

certbot

No vhost exists with servername or alias of: lms.acls.net (or it's in a file with multiple vhosts, which Certbot can't parse yet). No vhost was selected. Please specify ServerName or ServerAlias in the Apache config, or split vhosts into separate files.
Falling back to default vhost *:443...

Certbot's behavior differed from what I expected because:

I had set up my Apache VHOSTs using http://justcurl.com/ because that's what Rackspace uses by default. Certbot does not like that format. I do not care about which format I use and I will set up my server differently if it makes certbot run easier.

Would the certbot project please provide a few example recommended VHOST configuration blocks?

Please note, Apache's official documentation includes all kinds of examples set ups at VirtualHost Examples - Apache HTTP Server Version 2.4 none of these have HTTPS. It is a joke.

Osiris · June 1, 2017, 7:11pm

I’m not familiar with justcurl.com, but I like the general idea!

I’m trying to quickly “parse” the output of the site without actually running the script itself… As far as I can tell, it generates just one virtualhost per file. It also puts it in the correct location.

Could you run certbot with the -v option and paste the entire output of it?

fulldecent · June 6, 2017, 4:14pm

Here it is. I hope this is not sensitive information.

[root@mts2016 ~]# certbot -v
Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot version: 0.12.0
Arguments: ['-v']
Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
Requested authenticator None and installer None
Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.configurator:ApacheConfigurator
Initialized: <certbot_apache.configurator.ApacheConfigurator object at 0x320e610>
Prep: True
Selected authenticator <certbot_apache.configurator.ApacheConfigurator object at 0x320e610> and installer <certbot_apache.configurator.ApacheConfigurator object at 0x320e610>
Picked account: <Account(1389021fddbd3fcb4f14f8fdad1eb030)>
Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
"GET /directory HTTP/1.1" 200 352
Received response:
HTTP 200
content-length: 352
expires: Tue, 06 Jun 2017 03:33:57 GMT
boulder-request-id: ZLnSOKdfjQESJ_sUMpSdaBpKPpOJ9BfMM4CcEZrkuFQ
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Tue, 06 Jun 2017 03:33:57 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: rp5roP1j8ZnsIfqA_1VEAY3bbOvC44bccSiK_EN19HU

{
  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel):acls.net
Obtaining a new certificate
Requesting fresh nonce
Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
"HEAD /acme/new-authz HTTP/1.1" 405 0
Received response:
HTTP 405
content-length: 91
pragma: no-cache
boulder-request-id: u5A_c1o4Cs7Hl4QIc5Ve07e2lzxgHqMIis7c0_8LdOo
expires: Tue, 06 Jun 2017 03:34:04 GMT
server: nginx
connection: keep-alive
allow: POST
cache-control: max-age=0, no-cache, no-store
date: Tue, 06 Jun 2017 03:34:04 GMT
content-type: application/problem+json
replay-nonce: oo0vD2fOdI0_pzXtlPYxhuRGyYs0ZwhaUveisv73l54


Storing nonce: oo0vD2fOdI0_pzXtlPYxhuRGyYs0ZwhaUveisv73l54
JWS payload:
{
  "identifier": {
    "type": "dns", 
    "value": "acls.net"
  }, 
  "resource": "new-authz"
}
Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
  "header": {
    "alg": "RS256", 
    "jwk": {
      "e": "AQAB", 
      "kty": "RSA", 
      "n": "1YPK2z1Nucx0_aG5u39L1zCoE9qSZ4lVp1rV92QzyCiWW2scOy4HyFCRSmSrRCfbwqqmuQ8BnXe1c13xT2zl3z2LqBnG33ZR9anPnVRzg_QNevY6ys26wAf-Wmo8Rx4LfktdWNrIxr5x5hs19nfhYNE4ZbXmXikoXkIBKHCL93CTL-wcaNz7c7tZQ6BYJ5JCxaTdqTPw4nG3_218gSk0wiSuYZOlrQ7eANc2A6oNUWbr5h9vZPVKzoVCnRMxjoAgRBpipEDxr-O9QTBmi-ppHINg7Za0bApQ8HMFlH844bwezB_41tcihcNcUOaGyRolkRKF45cWSIUKu7WB1dSrRQ"
    }
  }, 
  "protected": "eyJub25jZSI6ICJvbzB2RDJmT2RJMF9welh0bFBZeGh1Ukd5WXMwWndoYVV2ZWlzdjczbDU0In0", 
  "payload": "ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwgCiAgICAidmFsdWUiOiAiYWNscy5uZXQiCiAgfSwgCiAgInJlc291cmNlIjogIm5ldy1hdXRoeiIKfQ", 
  "signature": "I6Uws6ZfQV570Zbj7y89r0_4IorH_iWRp8Kv8lqoX0rsU_QWgkucAIhngdQHUPPw3_k3vuUVMyzJ4bzYOh46vQ6kuRH_3ff0_9ywABHssK46hZVC_VrC7Vxxrew2mpUmqWxEVlcMVP-wE_VOaVX4-bExjxRVhB9ie5mPD-56ii--CVdFwG0Muq-FwlrcnaYmewRtY5LVsK20uCPeICiAlwaUNkSgYIo5sF7XWvAvv5ipgSyPgcQ1cW-WBUVUf3yBh3Kef_NMeW3fMHdSVg5aU4rTkR1gAZMFV4ajVrDiDAScQb5bwokcd4949czaPQz2G0zxxLpxzXrl9H2p1QSnqQ"
}
"POST /acme/new-authz HTTP/1.1" 201 996
Received response:
HTTP 201
content-length: 996
expires: Tue, 06 Jun 2017 03:34:04 GMT
boulder-request-id: btv0Cmewj7-6USwKTfDyMV5SXindHx19Q_mfcje3KG8
strict-transport-security: max-age=604800
server: nginx
cache-control: max-age=0, no-cache, no-store
connection: keep-alive
link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
location: https://acme-v01.api.letsencrypt.org/acme/authz/jDXhTqt-qU3WvFUUV4516LSucw6ENv_Wv74T7GD04Gw
pragma: no-cache
boulder-requester: 6566502
date: Tue, 06 Jun 2017 03:34:04 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: stAoiLU2QYhK4Jj9pNe4oDlnxxACcrsBimMcHbj5oC8

{
  "identifier": {
    "type": "dns",
    "value": "acls.net"
  },
  "status": "pending",
  "expires": "2017-06-13T03:34:04.847267975Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/jDXhTqt-qU3WvFUUV4516LSucw6ENv_Wv74T7GD04Gw/1287436751",
      "token": "t0VpN4G55Xh-68uHqtwN9cA-PPom0UKZvpHjnQjOH0c"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/jDXhTqt-qU3WvFUUV4516LSucw6ENv_Wv74T7GD04Gw/1287436752",
      "token": "PbqbA_Ff1h4TF5S-5WkkmbBTJGecpzSOOgNBDIpUUgI"
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/jDXhTqt-qU3WvFUUV4516LSucw6ENv_Wv74T7GD04Gw/1287436754",
      "token": "3SVl7U8bkHNkyQywHDP2xEXrWcmq8tZoih4cWEYGo2Q"
    }
  ],
  "combinations": [
    [
      1
    ],
    [
      2
    ],
    [
      0
    ]
  ]
}
Storing nonce: stAoiLU2QYhK4Jj9pNe4oDlnxxACcrsBimMcHbj5oC8
Performing the following challenges:
tls-sni-01 challenge for acls.net
No vhost exists with servername or alias of: acls.net (or it's in a file with multiple vhosts, which Certbot can't parse yet). No vhost was selected. Please specify ServerName or ServerAlias in the Apache config, or split vhosts into separate files.
Falling back to default vhost *:443...
Adding Include /etc/httpd/conf.d/le_tls_sni_01_cert_challenge.conf to /files/etc/httpd/conf/httpd.conf
writing a config file with text:
 <IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName 48a771cebcbe908c38e52fe1afe343c9.dffbbaea32cf637545467e7af37940bb.acme.invalid
    UseCanonicalName on
    SSLStrictSNIVHostCheck on

    LimitRequestBody 1048576

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /var/lib/letsencrypt/3SVl7U8bkHNkyQywHDP2xEXrWcmq8tZoih4cWEYGo2Q.crt
    SSLCertificateKeyFile /var/lib/letsencrypt/3SVl7U8bkHNkyQywHDP2xEXrWcmq8tZoih4cWEYGo2Q.pem

    DocumentRoot /var/lib/letsencrypt/tls_sni_01_page/
</VirtualHost>

</IfModule>

Creating backup of /etc/httpd/conf/httpd.conf
Waiting for verification...
JWS payload:
{
  "keyAuthorization": "3SVl7U8bkHNkyQywHDP2xEXrWcmq8tZoih4cWEYGo2Q.u1UgyK2zkJJ6TWezNlOdiki4X1LDKbzXGk5YdQin1K0", 
  "type": "tls-sni-01", 
  "resource": "challenge"
}
Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/jDXhTqt-qU3WvFUUV4516LSucw6ENv_Wv74T7GD04Gw/1287436754:
{
  "header": {
    "alg": "RS256", 
    "jwk": {
      "e": "AQAB", 
      "kty": "RSA", 
      "n": "1YPK2z1Nucx0_aG5u39L1zCoE9qSZ4lVp1rV92QzyCiWW2scOy4HyFCRSmSrRCfbwqqmuQ8BnXe1c13xT2zl3z2LqBnG33ZR9anPnVRzg_QNevY6ys26wAf-Wmo8Rx4LfktdWNrIxr5x5hs19nfhYNE4ZbXmXikoXkIBKHCL93CTL-wcaNz7c7tZQ6BYJ5JCxaTdqTPw4nG3_218gSk0wiSuYZOlrQ7eANc2A6oNUWbr5h9vZPVKzoVCnRMxjoAgRBpipEDxr-O9QTBmi-ppHINg7Za0bApQ8HMFlH844bwezB_41tcihcNcUOaGyRolkRKF45cWSIUKu7WB1dSrRQ"
    }
  }, 
  "protected": "eyJub25jZSI6ICJzdEFvaUxVMlFZaEs0Smo5cE5lNG9EbG54eEFDY3JzQmltTWNIYmo1b0M4In0", 
  "payload": "ewogICJrZXlBdXRob3JpemF0aW9uIjogIjNTVmw3VThia0hOa3lReXdIRFAyeEVYcldjbXE4dFpvaWg0Y1dFWUdvMlEudTFVZ3lLMnprSko2VFdlek5sT2Rpa2k0WDFMREtielhHazVZZFFpbjFLMCIsIAogICJ0eXBlIjogInRscy1zbmktMDEiLCAKICAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIgp9", 
  "signature": "xNu0Qtfyit__t0ag9SUJYQaF5nE8BMUN_mI6IBRUkhutjG2QBuaCKttnzaxJEVkiq6uoqA5YFldkPjDsNGWs0NmCl3f-tz6CouKi2zylUGHPp4wdav1E7rMeyvAXhnH0_maZLs8FQJDWYC-HEk4SaVcV8NP97zABdjkZN0SDActuUW77EcqD07YbUlYfvHNtT3klC7BCJsAJ-c8CH8pBxNN6CaPVhDcGOOAOgFUEPcXDx4jR3Cjrqu70_UHaoT9V352hX9YnFbxUqzakvkn5KpdVNPw6ct3KUBDtX5XVjw2gizqcTkgOPHR_oVfN7heUtTXFVOUcsmYzHUMK8fjfYg"
}
"POST /acme/challenge/jDXhTqt-qU3WvFUUV4516LSucw6ENv_Wv74T7GD04Gw/1287436754 HTTP/1.1" 202 339
Received response:
HTTP 202
content-length: 339
boulder-request-id: bSYEkE_V1UbZ899P3OxMisDYMabU7sS1BVrbU5kVmIE
expires: Tue, 06 Jun 2017 03:34:08 GMT
server: nginx
cache-control: max-age=0, no-cache, no-store
connection: keep-alive
link: <https://acme-v01.api.letsencrypt.org/acme/authz/jDXhTqt-qU3WvFUUV4516LSucw6ENv_Wv74T7GD04Gw>;rel="up"
location: https://acme-v01.api.letsencrypt.org/acme/challenge/jDXhTqt-qU3WvFUUV4516LSucw6ENv_Wv74T7GD04Gw/1287436754
pragma: no-cache
boulder-requester: 6566502
date: Tue, 06 Jun 2017 03:34:08 GMT
content-type: application/json
replay-nonce: t-MzQqE1iFCbvHboXGvRRjL98sFZ6Tff40KF0XNeydo

{
  "type": "tls-sni-01",
  "status": "pending",
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/jDXhTqt-qU3WvFUUV4516LSucw6ENv_Wv74T7GD04Gw/1287436754",
  "token": "3SVl7U8bkHNkyQywHDP2xEXrWcmq8tZoih4cWEYGo2Q",
  "keyAuthorization": "3SVl7U8bkHNkyQywHDP2xEXrWcmq8tZoih4cWEYGo2Q.u1UgyK2zkJJ6TWezNlOdiki4X1LDKbzXGk5YdQin1K0"
}
Storing nonce: t-MzQqE1iFCbvHboXGvRRjL98sFZ6Tff40KF0XNeydo
Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/jDXhTqt-qU3WvFUUV4516LSucw6ENv_Wv74T7GD04Gw.
"GET /acme/authz/jDXhTqt-qU3WvFUUV4516LSucw6ENv_Wv74T7GD04Gw HTTP/1.1" 200 1103
Received response:
HTTP 200
content-length: 1103
expires: Tue, 06 Jun 2017 03:34:11 GMT
boulder-request-id: JY6c75Ou5g1LJxHQCU5oA_lWepLEGxVo5lalDt4aKiA
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Tue, 06 Jun 2017 03:34:11 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0xnF54E81EQ4V0HgCB63NcFXwBbN7gH85PzUqGkWMvI

{
  "identifier": {
    "type": "dns",
    "value": "acls.net"
  },
  "status": "pending",
  "expires": "2017-06-13T03:34:04Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/jDXhTqt-qU3WvFUUV4516LSucw6ENv_Wv74T7GD04Gw/1287436751",
      "token": "t0VpN4G55Xh-68uHqtwN9cA-PPom0UKZvpHjnQjOH0c"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/jDXhTqt-qU3WvFUUV4516LSucw6ENv_Wv74T7GD04Gw/1287436752",
      "token": "PbqbA_Ff1h4TF5S-5WkkmbBTJGecpzSOOgNBDIpUUgI"
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/jDXhTqt-qU3WvFUUV4516LSucw6ENv_Wv74T7GD04Gw/1287436754",
      "token": "3SVl7U8bkHNkyQywHDP2xEXrWcmq8tZoih4cWEYGo2Q",
      "keyAuthorization": "3SVl7U8bkHNkyQywHDP2xEXrWcmq8tZoih4cWEYGo2Q.u1UgyK2zkJJ6TWezNlOdiki4X1LDKbzXGk5YdQin1K0"
    }
  ],
  "combinations": [
    [
      1
    ],
    [
      2
    ],
    [
      0
    ]
  ]
}
Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/jDXhTqt-qU3WvFUUV4516LSucw6ENv_Wv74T7GD04Gw.
"GET /acme/authz/jDXhTqt-qU3WvFUUV4516LSucw6ENv_Wv74T7GD04Gw HTTP/1.1" 200 1739
Received response:
HTTP 200
content-length: 1739
expires: Tue, 06 Jun 2017 03:34:14 GMT
boulder-request-id: HD8fWE-nVKvrzquT_uhQAq4L2IHK9EXvzQNbdBmBi9s
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Tue, 06 Jun 2017 03:34:14 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: U2oPiCcbTQks5hyE5_IT08UiJipuKUZVT5vIY4CVZ1M

{
  "identifier": {
    "type": "dns",
    "value": "acls.net"
  },
  "status": "invalid",
  "expires": "2017-06-13T03:34:04Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/jDXhTqt-qU3WvFUUV4516LSucw6ENv_Wv74T7GD04Gw/1287436751",
      "token": "t0VpN4G55Xh-68uHqtwN9cA-PPom0UKZvpHjnQjOH0c"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/jDXhTqt-qU3WvFUUV4516LSucw6ENv_Wv74T7GD04Gw/1287436752",
      "token": "PbqbA_Ff1h4TF5S-5WkkmbBTJGecpzSOOgNBDIpUUgI"
    },
    {
      "type": "tls-sni-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:unauthorized",
        "detail": "Incorrect validation certificate for tls-sni-01 challenge. Requested 48a771cebcbe908c38e52fe1afe343c9.dffbbaea32cf637545467e7af37940bb.acme.invalid from 23.253.102.249:443. Received 2 certificate(s), first certificate had names \"acls.net, www.acls.net\"",
        "status": 403
      },
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/jDXhTqt-qU3WvFUUV4516LSucw6ENv_Wv74T7GD04Gw/1287436754",
      "token": "3SVl7U8bkHNkyQywHDP2xEXrWcmq8tZoih4cWEYGo2Q",
      "keyAuthorization": "3SVl7U8bkHNkyQywHDP2xEXrWcmq8tZoih4cWEYGo2Q.u1UgyK2zkJJ6TWezNlOdiki4X1LDKbzXGk5YdQin1K0",
      "validationRecord": [
        {
          "hostname": "acls.net",
          "port": "443",
          "addressesResolved": [
            "23.253.102.249"
          ],
          "addressUsed": "23.253.102.249",
          "addressesTried": []
        }
      ]
    }
  ],
  "combinations": [
    [
      1
    ],
    [
      2
    ],
    [
      0
    ]
  ]
}
Reporting to user: The following errors were reported by the server:

Domain: acls.net
Type:   unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge. Requested 48a771cebcbe908c38e52fe1afe343c9.dffbbaea32cf637545467e7af37940bb.acme.invalid from 23.253.102.249:443. Received 2 certificate(s), first certificate had names "acls.net, www.acls.net"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
Cleaning up challenges
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.12.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 896, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 607, in run
    certname, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 92, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 294, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 265, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 77, in get_authorizations
    self._respond(resp, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 134, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 198, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. acls.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 48a771cebcbe908c38e52fe1afe343c9.dffbbaea32cf637545467e7af37940bb.acme.invalid from 23.253.102.249:443. Received 2 certificate(s), first certificate had names "acls.net, www.acls.net"

Failed authorization procedure. acls.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 48a771cebcbe908c38e52fe1afe343c9.dffbbaea32cf637545467e7af37940bb.acme.invalid from 23.253.102.249:443. Received 2 certificate(s), first certificate had names "acls.net, www.acls.net"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: acls.net
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   48a771cebcbe908c38e52fe1afe343c9.dffbbaea32cf637545467e7af37940bb.acme.invalid
   from 23.253.102.249:443. Received 2 certificate(s), first
   certificate had names "acls.net, www.acls.net"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.
[root@mts2016 ~]#

system · July 6, 2017, 4:15pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Must vhost config files be separate for Certbot? Help	5	1156	July 30, 2018
Problem installing LE with Certbot on Centos7/Apache -> Vhosts issue? Help	2	1031	July 22, 2017
Certbot Apache Plugin Not Installing and Configuring VHOST files as Expected Help	11	2479	April 27, 2017
Missing certbot-auto Server	6	4602	March 18, 2017
Cerbot unable to find ServerNames on Apache Due to Multiple VHOSTS in Config File Help	3	6524	July 14, 2016

Starting point / example Apache VHOST configuration

My operating system is (include version):

I installed Certbot with (certbot-auto, OS package manager, pip, etc):

I ran this command and it produced this output:

Certbot's behavior differed from what I expected because:

Related topics