Subdomain and Domain Alias on different servers

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: kb.kastner.de

I ran this command: certbot --apache -d kb.kastner.de

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Requesting a certificate for kb.kastner.de
Performing the following challenges:
http-01 challenge for kb.kastner.de
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain kb.kastner.de
http-01 challenge for kb.kastner.de
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version): Apache 2.4.54

The operating system my web server runs on is (include version): Debian 11

My hosting provider, if applicable, is: Selfhosting

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

Servus Community,

I run a server here at one location that hosts only one website under a subdomain (kb.kastner.de). Other websites of the same domain are on other servers. Can the error in issuing the certificate be because the alias kastner.de is hosted on another server? Or do I have to look for the error somewhere else?

Thx & Bye Tom

If your server IP is:

then the problem is likely found within the Apache config.

To review that, start with the output of:
apachectl -t -D DUMP_VHOSTS

4 Likes

# apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80                   kb.kastner.de (/etc/apache2/sites-enabled/kb.kastner.de.conf:1)

Please note that the domain alias kastner.de is configured on another server. Isn't this the problem?

Thx & Bye Tom

1 Like

No, that name has nothing to do with a certificate authentication request for kb.kastner.de.

Was that the entire output?

If so, let's review this file:

3 Likes
# cat /etc/apache2/sites-enabled/kb.kastner.de.conf 
<VirtualHost *:80>
  ServerAdmin edv@kastner.de
  ServerName kb.kastner.de
  ServerAlias kb.kastner.de
  DocumentRoot /var/www/kb.kastner.de/wordpress
  ErrorLog ${APACHE_LOG_DIR}/kb.kastner.de_error.log
  CustomLog ${APACHE_LOG_DIR}/kb.kastner.de_access.log combined
</VirtualHost>

First I tried it without the line ServerAlias because there is no alternative hostname, but it ends with the same result.

Thx & Bye Tom

You described your server as above in your first post, but I see Apache 2.4.41 (Ubuntu) in a "not found" error page (also this version and Ubuntu in the server response header).

Can you double-check that your server IP matches the DNS? What value does this command show?

curl -4 http://ifconfig.co

3 Likes

I just found a misconfiguration there as well. The server is behind a NAT router and I have only mapped port 443 to the internal IP of the server. Port 80 from the same external IP points to another internal server, which I actually want to replace. I suspect the initial access for the server challenges is handled through port 80. I'm fixing this now and will get back to you in a minute...

Thx & Bye Tom

Yes, an HTTP challenge starts with a request to HTTP:// (port 80). You can redirect it but that's where it starts. The certbot apache plug-in relies on the http challenge (as opposed to a DNS challenge).

Fixing your NAT should resolve this.

4 Likes
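The three checks the thread walks through (does the A record match the public IP, does TCP/80 on that IP reach this Apache rather than another box behind the NAT, and is a file under /.well-known/acme-challenge/ served back) can be run as one preflight before invoking certbot. The script below is an added example, not Certbot's or the thread's own code; it uses only the Python standard library, assumes https://ifconfig.co/ip returns the caller's address as plain text (the thread uses `curl -4 http://ifconfig.co` for the same purpose), and takes the hostname and the vhost's DocumentRoot as arguments.

```python
"""ACME http-01 preflight: added example, not Certbot's or the thread's own code.

Before running `certbot --apache`, it checks the three things the thread
works through: the A record for the name matches this machine's public IPv4,
TCP/80 on that public IP reaches *this* Apache rather than another box behind
the NAT, and a file placed under /.well-known/acme-challenge/ is served back
unchanged. Standard library only.
"""
import os
import re
import secrets
import socket
import subprocess
import sys
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"   # path the CA fetches for http-01
VERSION_RE = re.compile(r"Apache/(\d+\.\d+\.\d+)")


def apache_version(text):
    """Pull '2.4.54' out of a Server header or `apachectl -v` output, else None."""
    m = VERSION_RE.search(text or "")
    return m.group(1) if m else None


def resolve_a(hostname):
    """All IPv4 addresses DNS currently returns for hostname (what the CA will use)."""
    infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def public_ipv4():
    """Outbound IPv4 as seen from the internet. Assumption: https://ifconfig.co/ip
    answers in plain text (the thread uses `curl -4 http://ifconfig.co` the same way)."""
    req = urllib.request.Request("https://ifconfig.co/ip", headers={"User-Agent": "curl/8.0"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode().strip()


def probe_challenge(hostname, ip, token, timeout=10):
    """GET http://<ip>/.well-known/acme-challenge/<token> with Host: <hostname>,
    as the validator does after resolving the name. Returns (status, server, body)."""
    url = f"http://{ip}/{CHALLENGE_DIR}/{token}"
    req = urllib.request.Request(url, headers={"Host": hostname})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Server", ""), resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:   # a 404 still tells us who answered
        return err.code, err.headers.get("Server", ""), err.read().decode(errors="replace")


def diagnose(dns_ips, public_ip, local_apache, probe, expected_body):
    """Pure decision logic over the collected facts. Returns a list of findings;
    an empty list means the http-01 path looks clear."""
    findings = []
    if public_ip not in dns_ips:
        findings.append(f"DNS A record(s) {sorted(dns_ips)} do not include this host's public IP {public_ip}")
    status, server, body = probe
    remote_ver, local_ver = apache_version(server), apache_version(local_apache)
    if remote_ver and local_ver and remote_ver != local_ver:
        findings.append(f"port 80 answered as Apache {remote_ver} but the local Apache is {local_ver}: "
                        "TCP/80 on the public IP reaches a different machine (check NAT/port forwarding)")
    if status != 200:
        findings.append(f"challenge URL returned HTTP {status} instead of 200")
    elif body.strip() != expected_body:
        findings.append("challenge URL returned 200 but the wrong content (other vhost or DocumentRoot?)")
    return findings


def run(hostname, webroot):
    """Drop a random token under the webroot, probe it the way the CA would, clean up."""
    token = secrets.token_urlsafe(16)
    expected = f"preflight-{token}"
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(expected)
    try:
        dns_ips = resolve_a(hostname)
        public_ip = public_ipv4()
        local_apache = subprocess.run(["apachectl", "-v"], capture_output=True, text=True).stdout
        probe = probe_challenge(hostname, public_ip, token)
    finally:
        os.remove(path)
    return diagnose(dns_ips, public_ip, local_apache, probe, expected)


if __name__ == "__main__":
    # usage: acme_preflight.py kb.kastner.de /var/www/kb.kastner.de/wordpress
    problems = run(sys.argv[1], sys.argv[2])
    for p in problems:
        print("FINDING:", p)
    print("http-01 path looks clear" if not problems else f"{len(problems)} finding(s)")
    sys.exit(1 if problems else 0)
```

In the situation from this thread the probe would have come back as a 404 from an Apache with a different version string, which is exactly the "different machine on port 80" finding. Two caveats: probing the public IP from inside the NAT only works if the router supports hairpin NAT, so if the probe times out from the LAN, run it from an outside host; and the webroot must be the DocumentRoot of the vhost that answers for the name, with the process able to write there.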

Fixing your NAT should resolve this

Yes, now it works. Thanks a lot and sorry for the noise :flushed:

Bye Tom

3 Likes
