The server offered 'http-01 dns-01' and available for this MD are: 'tls-sni-01'


#1

Hello all,

I am new to the community so perhaps I will have a noobish question.
Anyway, I am very interested in using the Let’s Encrypt CA to get a cert for my domain www.krumpac.net.

I am using PPA of Mr. Sury to get mod_md working with an Apache 2.4 (https://launchpad.net/~ondrej/+archive/ubuntu/apache2).

Here is a sample of the apache2 site config:
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
MDomain www.krumpac.net krumpac.net

<VirtualHost *:443>
DocumentRoot /var/www/html
ServerName www.krumpac.net
ServerAlias krumpac.net
Protocols h2 http/1.1
SSLEngine on
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

When I start the apache service, I get the following messages:
[Wed Jan 10 19:01:11.331333 2018] [ssl:warn] [pid 3025] AH: Init: www.krumpac.net:443 will respond with '503 Service Unavailable' for now. This host is part of a Managed Domain, but no SSL certificate is available (yet).
[Wed Jan 10 19:01:11.366155 2018] [md:info] [pid 3029] AH10071: mod_md (v1.1.1-git), initializing...
[Wed Jan 10 19:01:11.401844 2018] [ssl:warn] [pid 3029] AH: Init: www.krumpac.net:443 will respond with '503 Service Unavailable' for now. This host is part of a Managed Domain, but no SSL certificate is available (yet).
[Wed Jan 10 19:01:11.408081 2018] [mpm_prefork:notice] [pid 3029] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.0g configured -- resuming normal operations
[Wed Jan 10 19:01:11.408141 2018] [core:notice] [pid 3029] AH00094: Command line: '/usr/sbin/apache2'
[Wed Jan 10 19:01:11.934713 2018] [md:info] [pid 3051] krumpac.net: setup staging
[Wed Jan 10 19:01:11.935198 2018] [md:info] [pid 3051] krumpac.net: need certificate
[Wed Jan 10 19:01:14.081855 2018] [md:info] [pid 3051] registered new account https://acme-staging.api.letsencrypt.org/acme/reg/5369167
[Wed Jan 10 19:01:14.085141 2018] [md:info] [pid 3051] krumpac.net: check Terms-of-Service agreement
[Wed Jan 10 19:01:14.085172 2018] [md:info] [pid 3051] krumpac.net: setup new authorization
[Wed Jan 10 19:01:15.877048 2018] [md:info] [pid 3051] krumpac.net: setup new challenges
[Wed Jan 10 19:01:16.219308 2018] [md:warn] [pid 3051] (22)Invalid argument: krumpac.net: the server offers no ACME challenge that is configured for this MD. The server offered 'dns-01 http-01' and available for this MD are: 'tls-sni-01' (via https://acme-staging.api.letsencrypt.org/acme/authz/3xeiLqMq0cMLsdfqeT820TZ8-aT6BS1UgVlhhw_YbjI).
[Wed Jan 10 19:01:16.219462 2018] [md:error] [pid 3051] (22)Invalid argument: AH10056: processing krumpac.net
[Wed Jan 10 19:01:16.219553 2018] [md:info] [pid 3051] AH10057: krumpac.net: encountered error for the 19. time, next run in 1:00:00 hours

Is it because of a current security issue “tls-sni challenge disabled” and no one can get a new certificate?
Or do I have some mistake in the config?

Thanks a lot for some assistance!

P. S.: Sorry for my low English abilities…


#2

Hi @Rathanuviel,

MD only supports tls-sni-01 challenge but this challenge has been temporarily disabled due to a security issue that is being worked on… it should be available tomorrow or so.

Take a look at this post for more info: 2018.01.09 Issue with TLS-SNI-01 and Shared Hosting Infrastructure

Edit:

I didn’t see that you already pointed to the security issue, sorry. And yes, it is because of the security issue that you can’t get your certificate using MD.

Cheers,
sahsanu
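
Added example, not part of the original posts and not mod_md's own code: a Python log check that extracts the offered and configured challenge types from the mod_md warning quoted in post #1 and reports where they differ. The function names and the shortened sample lines are constructed for illustration; the authz URL is replaced by a placeholder.

```python
import re

# mod_md warning logged when the CA's offered challenge types and the
# Managed Domain's configured types do not overlap. Quote characters may be
# straight or typographic, because forum software often rewrites them.
MISMATCH_RE = re.compile(
    r"\[md:warn\].*?\s(?P<md>[\w.-]+): the server offers no ACME challenge "
    r"that is configured for this MD\. "
    r"The server offered ['\u2018](?P<offered>[^'\u2019]*)['\u2019] "
    r"and available for this MD are: ['\u2018](?P<available>[^'\u2019]*)['\u2019]"
)

# Constructed sample, shortened from the log in post #1 (authz URL omitted).
SAMPLE_LOG = [
    "[Wed Jan 10 19:01:15.877048 2018] [md:info] [pid 3051] krumpac.net: setup new challenges",
    "[Wed Jan 10 19:01:16.219308 2018] [md:warn] [pid 3051] (22)Invalid argument: "
    "krumpac.net: the server offers no ACME challenge that is configured for this MD. "
    "The server offered \u2018dns-01 http-01\u2019 and available for this MD are: "
    "\u2018tls-sni-01\u2019 (via <authz URL>).",
]


def parse_mismatch(line):
    """Return the challenge sets from one mismatch warning, or None."""
    m = MISMATCH_RE.search(line)
    if m is None:
        return None
    offered = set(m.group("offered").split())
    available = set(m.group("available").split())
    return {
        "md": m.group("md"),
        "offered": offered,
        "available": available,
        # Types the CA offers that this MD is not set up to answer.
        "missing": sorted(offered - available),
        # Types the MD is configured for that the CA did not offer.
        "withdrawn": sorted(available - offered),
    }


def scan(lines):
    """Collect every challenge mismatch found in an error log."""
    return [hit for hit in map(parse_mismatch, lines) if hit is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['md']}: CA offers {hit['missing']}, "
              f"MD only configured for {hit['withdrawn']}")
```
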


#3

Thanks a lot sahsanu! It’s good to know I am not such a noob as I thought before °,°

R.

