Try to get certificate for my mail server but failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: me-n-you.com

I ran this command: letsencrypt certonly --standalone -d me-n-you.com

It produced this output:
Failed authorization procedure. me-n-you.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://me-n-you.com/.well-known/acme-challenge/BHxBvvqTYJoYZQHCMAoAfQZ6JrWTT4AMvvTEyyIIkCs: "<meta name="viewport" content="width=device-width, initial-scale=1, s"

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: me-n-you.com
    Type: unauthorized
    Detail: Invalid response from http://me-n-you.com/.well-known/acme-
    challenge/BHxBvvqTYJoYZQHCMAoAfQZ6JrWTT4AMvvTEyyIIkCs: "<meta
    name="viewport" content="width=device-width, initial-scale=1, s"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

My web server is (include version):
www.me-n-you.com (node.js 8.11.1 on aws)

The operating system my web server runs on is (include version):
ubuntu 16.04 on aws

My hosting provider, if applicable, is:
AWS

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): AWS

More Info:
I am using aws. The DNS is AWS route 53.
My web application is on www.me-n-you.com. My mail server is on mail.me-n-you.com. They are on different hosts.

I am trying to get certificates for my mail server following https://www.upcloud.com/support/secure-postfix-using-lets-encrypt/.

Thanks for your help.
Richard Xu

It looks like you're running Certbot on your web server rather than on your mail server. But to obtain a certificate for your mail server, you should run Certbot directly on the mail server.

If you plan to always have Apache running on that system (as it currently is), you might want to try certbot --apache instead of certbot --standalone (the letsencrypt program was renamed to certbot two years ago). If you do want to use --standalone, you'll need to stop Apache whenever you obtain or renew the certificate (which can be automated with --pre-hook and --post-hook options), because a running Apache would conflict with --standalone.

A certificate obtained using --apache can still be used by Postfix.
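The reply above describes two ways to keep Apache and the ACME client from fighting over port 80, and notes that the resulting certificate can be handed to Postfix. The script below is an added example, not part of the original thread or of Certbot's documentation: it issues the certificate with --standalone, stops and restarts Apache around the challenge with --pre-hook/--post-hook, and uses a --deploy-hook that verifies the key matches the certificate before pointing Postfix at the files. It assumes (not stated in the thread) that Apache and Postfix are systemd units named apache2 and postfix, that the mail host's name is mail.me-n-you.com, and that openssl and postconf are installed. With --apache instead of --standalone the two hooks are unnecessary; the deploy hook is still useful.

```shell
#!/bin/sh
# Added example: Let's Encrypt on a mail host that also runs Apache.
# Usage:  sh le-mail.sh obtain     (first issuance; renewals reuse the hooks)
#         sh le-mail.sh deploy     (run by certbot via --deploy-hook)
# Assumptions: systemd units apache2 and postfix; openssl and postconf present.

MAIL_NAME=${MAIL_NAME:-mail.me-n-you.com}          # assumed name, as in the thread
LIVE_DIR="/etc/letsencrypt/live/$MAIL_NAME"        # certbot's stable symlink directory

# Compare the public key inside the certificate with the one derived from the
# private key. Postfix's smtpd silently refuses TLS if these do not match, so
# check before reloading. Returns 0 on match, 1 otherwise.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Deploy hook: certbot runs this once after each successful issuance or renewal,
# so Postfix only ever sees a consistent cert/key pair and gets reloaded, not restarted.
deploy_to_postfix() {
    if ! cert_matches_key "$LIVE_DIR/fullchain.pem" "$LIVE_DIR/privkey.pem"; then
        echo "certificate and key in $LIVE_DIR do not match; not touching Postfix" >&2
        return 1
    fi
    postconf -e "smtpd_tls_cert_file=$LIVE_DIR/fullchain.pem" \
               "smtpd_tls_key_file=$LIVE_DIR/privkey.pem" \
               "smtpd_tls_security_level=may"
    systemctl reload postfix
}

# --standalone binds port 80 itself, so a running Apache must be stopped first and
# started again afterwards; the hooks are stored in the renewal config and reused
# by 'certbot renew'. Run this on the host that mail.me-n-you.com resolves to.
obtain() {
    certbot certonly --standalone -d "$MAIL_NAME" \
        --pre-hook  'systemctl stop apache2' \
        --post-hook 'systemctl start apache2' \
        --deploy-hook "$(readlink -f "$0") deploy"
}

case "${1:-}" in
    obtain) obtain ;;
    deploy) deploy_to_postfix ;;
esac
```

The deploy hook is the part worth keeping even if you switch to --apache: a renewal that rotates the key (the default) but fails to reload Postfix leaves the old certificate in service until it expires, and a mismatched pair leaves TLS off entirely.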

Thanks for your reply.

My ubuntu version is 16.04. I tried to install certbot but failed:

$ sudo apt-get update
Hit:1 http://us-west-2.ec2.archive.ubuntu.com/ubuntu xenial InRelease
Get:2 http://us-west-2.ec2.archive.ubuntu.com/ubuntu xenial-updates InRelease [109 kB]
Get:3 http://us-west-2.ec2.archive.ubuntu.com/ubuntu xenial-backports InRelease [107 kB]
Get:4 http://security.ubuntu.com/ubuntu xenial-security InRelease [107 kB]
Fetched 323 kB in 0s (650 kB/s)
Reading package lists… Done

$ sudo apt-get install certbot python-certbot-apache
Reading package lists… Done
Building dependency tree
Reading state information… Done
E: Unable to locate package certbot
E: Unable to locate package python-certbot-apache

any suggestion? Thanks.

Richard Xu

So, your existing letsencrypt command will already support these options, and you might not need to upgrade it (although it may have some bugs or missing functionality compared to later versions). You could try using letsencrypt instead of certbot; I didn’t specifically mean to suggest that you had to upgrade to a new version of the client application.

If you do want to get a current version of Certbot on 16.04, we recommend using the PPA, as described in

Thank you very much.
I have removed letsencrypt since it doesn't have the certbot command,
and I have successfully installed certbot using the PPA.

However, when I tried to get certificates, it still failed.
certbot run --apache -d me-n-you.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for me-n-you.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. me-n-you.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://me-n-you.com/.well-known/acme-challenge/phgbCV47O9CZHLto_5EWuH_JkC0_5NVtEa-RmjSMvXo: "<meta name="viewport" content="width=device-width, initial-scale=1, s"

IMPORTANT NOTES:

Same when removing the -d me-n-you.com option. It asked me to enter my domain and failed too.

Richard

Which server are you running Certbot on for this request?

Ubuntu 16.04 on aws

cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.4 LTS"

Sorry, I don’t mean the OS version, I mean what’s the server name? The error you saw is characteristic of running Certbot on a server that doesn’t actually serve the site for which you’re requesting the certificate.

hostname

ip-172-31-29-250

This is an AWS EC2 instance. I have AWS Route 53 (DNS) pointing mail.me-n-you.com to this host.

The public ip address is 34.209.16.38

Richard Xu

But you’re most recently trying to get a certificate for me-n-you.com, not mail.me-n-you.com. The name me-n-you.com points to a different server, 54.245.151.14, which is presumably a different AWS instance.

In order to get a certificate for me-n-you.com, you should run Certbot on the 54.245.151.14 instance. In order to get a certificate for mail.me-n-you.com, you should run Certbot on the 34.209.16.38 instance. In each case, you would specify the name that the certificate should apply to with the -d option.
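The diagnosis in the reply above (the name in -d resolves to a different instance than the one Certbot runs on) can be checked before touching Certbot at all. The script below is an added example, not from the thread or from Certbot: it compares the A records of the requested name with the addresses this host owns and refuses to proceed on a mismatch. The two addresses used in the test are the ones quoted in the thread; the lookup helpers assume getent and the ip tool, and, because an EC2 instance only sees its private 172.31.x.x address, the public address is fetched from the instance metadata service (an assumption about the environment).

```shell
#!/bin/sh
# Added example: pre-flight check for an http-01 challenge.
# Usage: sh preflight.sh mail.me-n-you.com

# A records for NAME, one per line. getent comes with glibc, so no dig needed.
resolve_a() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Addresses this host answers on. On EC2 the public address is NATed and does not
# appear on any interface, so also ask the metadata service (assumed reachable).
local_addrs() {
    ip -4 -o addr show scope global 2>/dev/null | awk '{split($4, a, "/"); print a[1]}'
    curl -s --max-time 2 http://169.254.169.254/latest/meta-data/public-ipv4 2>/dev/null
    echo
}

# preflight NAME "RESOLVED_IPS" "LOCAL_IPS"
# Pure comparison, separated from the lookups so it can be exercised offline.
# Prints one line starting with ok:, mismatch: or nxdomain: and returns 0 only for ok.
preflight() {
    name=$1; resolved=$2; mine=$3
    if [ -z "$resolved" ]; then
        echo "nxdomain: $name has no A record; fix DNS before requesting a certificate"
        return 2
    fi
    for r in $resolved; do
        for l in $mine; do
            if [ "$r" = "$l" ]; then
                echo "ok: $name -> $r is this host"
                return 0
            fi
        done
    done
    echo "mismatch: $name -> $resolved but this host is $mine; run Certbot on the host that serves $name"
    return 1
}

# What the CA will see: fetch a made-up token from the challenge path. A 404 from
# a host you control is fine (Certbot serves the real token); an HTML page from
# somebody else's web server is the symptom in this thread.
probe_challenge() {
    curl -sS --max-time 5 -o /dev/stdout -w '\nHTTP %{http_code}\n' \
        "http://$1/.well-known/acme-challenge/preflight-probe-$$" 2>&1 | head -c 300
}

preflight_live() {
    preflight "$1" "$(resolve_a "$1" | tr '\n' ' ')" "$(local_addrs | tr '\n' ' ')" || return $?
    probe_challenge "$1"
}

[ $# -eq 1 ] && preflight_live "$1"
```

Run this on each instance with the name you intend to pass to -d; only when it prints ok: does an http-01 challenge issued from that instance have a chance of succeeding. It does not cover CAA records or a firewall blocking port 80, which produce different error texts.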

Yes, you are right.
I told you in my previous post that I have 2 AWS instances.
So the -d option is not for the domain, it is for the server name. Please correct me if I am wrong.

So the correct command I should run is:
certbot run -apache -d mail.me-n-you.com

Richard Xu

Sorry, we often use the term “domain name” informally to mean the complete DNS name that will be listed in the certificate. I realize that this isn’t necessarily the most precise use of terminology. (In PKI terminology it might better be described as a “subject name” and in DNS terminology as a “fully-qualified domain name”.)

But indeed, you should run on the mail server itself and provide -d mail.me-n-you.com.

The --apache option is a long option and so following the GNU getopt command line syntax it requires two dashes, --apache rather than -apache.

I hope this helps!

Thank you very much.

It works now. Please modify the documentation so other people can easily understand what they should do.

It took me two days because of this wrong documentation.

Richard Xu
