Trying to create a new Domain Cert with an existing Sub-Domain and non-existing Sub-Domain


#1

Purpose:

Trying to create a new Domain Cert with name "swiss7cloud.ch" with an existing Sub-Domain (www.swiss7cloud.ch) and a non-existing Sub-Domain (office.swiss7cloud.ch)

The web server is running in production mode & is serving data under the existing and running domain -->

My domain is: www.swiss7cloud.ch

(by the way … the "certbot renew" process runs regularly without any issues for the domain www.swiss7cloud.ch)

I ran this command:

certbot --apache --cert-name swiss7cloud.ch -d swiss7cloud.ch,www.swiss7cloud.ch,office.swiss7cloud.ch

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for office.swiss7cloud.ch
http-01 challenge for swiss7cloud.ch
http-01 challenge for www.swiss7cloud.ch
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. swiss7cloud.ch (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://swiss7cloud.ch/.well-known/acme-challenge/-w0xIeuwyXC4BnPauBEn7s4yVW5rupbZZRs2btkPYIY: "\n<html class="ng-csp" data-placeholder-focus="false" lang="en" data-locale="en" >\n\t<head data-requesttoken="C43Ji", www.swiss7cloud.ch (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.swiss7cloud.ch/.well-known/acme-challenge/JnN-n8M6JFNAprFhZFAkL0CPd93P9m9yyw1BX87lu58: "\n<html class="ng-csp" data-placeholder-focus="false" lang="en" data-locale="en" >\n\t<head data-requesttoken="e6VYS"

IMPORTANT NOTES:

My web server is (include version):

Server version: Apache/2.4.6 (CentOS)
Server built: Nov 5 2018 01:47:0

The operating system my web server runs on is (include version):

centos-release-7-6.1810.2.el7.centos.x86_64

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

Thx & Best regards
Mike


#2

Hi @Githopp192

Your main pages have redirects. But the important /.well-known/acme-challenge subdirectories produce timeouts (via https://check-your-website.server-daten.de/?q=swiss7cloud.ch ):

Domainname                    IP              Http-Status  redirect                      Sec.    G
http://swiss7cloud.ch/        88.151.146.103  301          https://www.swiss7cloud.ch/   0.086   E
http://www.swiss7cloud.ch/    88.151.146.103  301          https://www.swiss7cloud.ch/   0.076   A
https://swiss7cloud.ch/       88.151.146.103  302          https://swiss7cloud.ch/login  5.866   N
  Certificate error: RemoteCertificateNameMismatch
https://www.swiss7cloud.ch/   88.151.146.103  -14                                        10.027  T
  Timeout - The operation has timed out
https://swiss7cloud.ch/login                  -14                                        10.023  T
  Timeout - The operation has timed out
http://swiss7cloud.ch/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
                              88.151.146.103  -14                                        10.030  T
  Timeout - The operation has timed out
http://www.swiss7cloud.ch/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
                              88.151.146.103  -14                                        10.026  T
  Timeout - The operation has timed out

If you want to use http-01 validation, http://swiss7cloud.ch/.well-known/acme-challenge/1234 must work, same with www. There may be a redirect, but a timeout is bad.

Your office subdomain has timeouts.

Is there a firewall that blocks?

PS: Perhaps you have used tls-sni-01 validation. This is deprecated, support ends 2019-02-13. So you must switch to another validation method.
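A way to run the check described above from the server itself, as an added example that is not part of the thread: the script drops a throwaway token into the webroot, fetches it the way the Let's Encrypt validator does (plain HTTP, following redirects, with a timeout) and names the outcome. The webroot path and the token name are assumptions; only curl and a POSIX shell are needed.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce what the CA's validator does
# with an http-01 token and name the failure mode, so redirect and timeout
# problems can be seen before running certbot.
# Assumptions: curl is installed; the webroot passed to probe_challenge is
# whatever Apache serves for that hostname (made up here, not the poster's).

# classify_acme_probe CURL_EXIT HTTP_CODE BODY EXPECTED
# Prints one word for the outcome of fetching a challenge URL:
#   timeout       curl exit 28, the "-14 / timed out" rows in the table above
#   ok            HTTP 200 and the body is exactly the expected token
#   html_instead  HTTP 200 but an HTML document came back (a login page, for
#                 example); this is what certbot reports as "Invalid response"
#   wrong_body    HTTP 200 with some other content
#   status_NNN    any other final status code (404, 403, ...)
#   curl_error_N  any other curl failure (DNS, connection refused, ...)
classify_acme_probe() {
  curl_exit=$1; http_code=$2; body=$3; expected=$4
  if [ "$curl_exit" -eq 28 ]; then echo timeout; return 0; fi
  if [ "$curl_exit" -ne 0 ]; then echo "curl_error_$curl_exit"; return 0; fi
  case "$http_code" in
    200)
      if [ "$body" = "$expected" ]; then
        echo ok
      else
        case "$body" in
          *"<html"*|*"<HTML"*|*"<!DOCTYPE"*) echo html_instead ;;
          *) echo wrong_body ;;
        esac
      fi ;;
    *) echo "status_$http_code" ;;
  esac
}

# probe_challenge HOST WEBROOT
# Drops a throwaway token into WEBROOT/.well-known/acme-challenge/, fetches it
# over plain HTTP following redirects (the Let's Encrypt validator follows
# them too) with a 10 second cap, classifies the result and removes the token.
probe_challenge() {
  host=$1; webroot=$2
  token="probe-$(date +%s)-$$"
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 1
  rc=0
  out=$(curl -sS -L --max-time 10 -o - -w '\n%{http_code}' \
        "http://$host/.well-known/acme-challenge/$token") || rc=$?
  rm -f "$dir/$token"
  code=$(printf '%s\n' "$out" | tail -n 1)   # last line is the status code
  body=$(printf '%s\n' "$out" | sed '$d')    # everything before it is the body
  echo "$host: $(classify_acme_probe "$rc" "$code" "$body" "$token")"
}

# Usage: sh probe.sh --probe swiss7cloud.ch /var/www/html
if [ "${1:-}" = --probe ]; then
  probe_challenge "$2" "$3"
fi
```

Run it once per name that will go into the certificate. "timeout" points at something in front of Apache (the firewall or IDS/IPS), "html_instead" at a redirect that lands on the application instead of the token file, and "ok" means the http-01 challenge for that name will pass.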


#3

The only way to get a cert for a non-existing domain is with DNS validation.


#4

Thx a lot for your hints and idea. I do appreciate those very much :slight_smile:

I could evaluate the timeouts … they are coming from the Cloud IDS/IPS (Intrusion Prevention System) … good to know it works :slight_smile: … checked it briefly without this ->

I did check the validation http://swiss7cloud.ch/.well-known/acme-challenge/1234 manually (created the 1234 file … and I could read it from https://swiss7cloud.ch & http://www.swiss7cloud.ch)

Tried again with the "dry-run" option … (firewall and IDS/IPS down!) -->

certbot --dry-run certonly -a apache --cert-name swiss7cloud.ch -d swiss7cloud.ch,www.swiss7cloud.ch,office.swiss7cloud.ch --preferred http-01
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for office.swiss7cloud.ch
http-01 challenge for www.swiss7cloud.ch
http-01 challenge for swiss7cloud.ch
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. swiss7cloud.ch (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://swiss7cloud.ch/.well-known/acme-challenge/W923lHvrHHB28TCP0Zl6lYCnWjW2qVGvN9OD2iwHJFg: "\n<html class="ng-csp" data-placeholder-focus="false" lang="en" data-locale="en" >\n\t<head data-requesttoken="Jy3Ih"

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: swiss7cloud.ch
    Type: unauthorized
    Detail: Invalid response from
    http://swiss7cloud.ch/.well-known/acme-challenge/W923lHvrHHB28TCP0Zl6lYCnWjW2qVGvN9OD2iwHJFg:
    "\n<html class="ng-csp"
    data-placeholder-focus="false" lang="en" data-locale="en"

    \n\t<head data-requesttoken="Jy3Ih"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

Maybe what rg305 said … I would need the DNS validation? Only www.swiss7cloud.ch and swiss7cloud.ch are configured via httpd confs … office.swiss7cloud.ch is not configured in httpd (Apache) on the server … !?

Best Regards
Mike


#5

Maybe swiss7cloud.ch got an error … because … the Apache redirection in place redirects traffic to www.swiss7cloud.ch, and a response to http://swiss7cloud.ch/.well-known/acme-challenge/W923lHvrHHB28TCP0Zl6lYCnWjW2qVGvN9O is not possible because there is no web root for
https://swiss7cloud.ch ?!

==>

Invalid response from http://swiss7cloud.ch/.well-known/acme-challenge/W923lHvrHHB28TCP0Zl6lYCnWjW2qVGvN9O


#6

Now you have removed the timeout, this is good.

But there is the next problem.

A file under /.well-known/acme-challenge is redirected to your login page. That can’t work.

/.well-known/acme-challenge shouldn't have such a redirect. http -> https is ok, but your login page doesn't send the content of the file Let's Encrypt wants to see.
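An Apache configuration that keeps the http -> https redirect but exempts the challenge path, as an added example (not the poster's configuration). The hostnames are the ones from the thread; the challenge directory /var/www/letsencrypt, the DocumentRoot /var/www/html and the certificate paths are assumptions. With this layout the certificate is requested with the webroot plugin: certbot certonly --webroot -w /var/www/letsencrypt -d swiss7cloud.ch,www.swiss7cloud.ch,office.swiss7cloud.ch

```apache
# Added example, not the poster's configuration: serve the ACME challenge
# directory for every hostname before any redirect or application rule runs.
# Hostnames are the ones from the thread; the challenge webroot
# /var/www/letsencrypt, the DocumentRoot /var/www/html and the certificate
# paths are assumptions.

# Token directory: plain static files, no application involved. Alias maps the
# URL path to a directory outside the application's DocumentRoot, so any
# .htaccess rules of the application never see these requests.
<Directory /var/www/letsencrypt/.well-known/acme-challenge>
    Options None
    AllowOverride None
    Require all granted
    ForceType text/plain
</Directory>

<VirtualHost *:80>
    ServerName swiss7cloud.ch
    ServerAlias www.swiss7cloud.ch office.swiss7cloud.ch
    DocumentRoot /var/www/html

    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/

    RewriteEngine On
    # Everything except the challenge path goes to HTTPS on the www name.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://www.swiss7cloud.ch%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.swiss7cloud.ch
    ServerAlias swiss7cloud.ch office.swiss7cloud.ch
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/swiss7cloud.ch/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/swiss7cloud.ch/privkey.pem

    # If the http -> https redirect above is kept, the validator arrives here,
    # so the same Alias is needed. Any server-level RewriteRule that sends
    # visitors to /login needs the same RewriteCond exclusion as on port 80.
    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
</VirtualHost>
```

Two caveats. A plain mod_alias "Redirect / https://www.swiss7cloud.ch/" cannot be excepted this way: Redirect directives take precedence over Alias regardless of order, so such a redirect has to become the mod_rewrite pair above or a RedirectMatch with a negative lookahead, for example RedirectMatch 301 "^/(?!\.well-known/acme-challenge/)(.*)$" "https://www.swiss7cloud.ch/$1". And http-01 can only ever succeed for names whose DNS A/AAAA record points at this server; a name that does not resolve still needs dns-01, as rg305 says above.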


#7

Yes … that might be the reason, Jürgen … ok … so I think I know what I'd need to do next …
Disabling the http redirection … this would need a maintenance window & I'd need to pre-announce it … so … cannot do this now :slight_smile:


#8

Hi Jürgen … in the end I could successfully implement the cert -->

certbot certonly --cert-name Sub-Domain1 --webroot -w /var/www/html/xxxxxxx -d Domain,SubDomain1,SubDomain2


#9

Happy to read that.

Then you have to install the certificate manually.


#10

Yes … that's what I did … but I think … the automatic renewal process is working (of course the existing cron job is still running there) …


#11

The cron job should invoke a simple "renew".
The renewal.conf file should store all the necessary parameters needed for it to renew successfully.
[it will “remember” how that cert was last issued - like by having used: --webroot]


#12

Yes, right rg305 … just checked the .conf file in the path /etc/letsencrypt/renewal
All the accurate information is there
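An added example (not from the thread) of what to check in that renewal.conf: the functions read the [renewalparams] section and the [[webroot_map]] block and confirm that the certificate renews via webroot and that every name has a webroot that exists. The sample file written by sample_conf is constructed to look like what certbot writes after a --webroot issuance; its account id, version and paths are invented.

```shell
#!/bin/sh
# Added example, not from the thread: read the parameters that "certbot renew"
# will reuse from /etc/letsencrypt/renewal/<name>.conf and check that a
# webroot-issued certificate can actually be renewed that way.
# The file written by sample_conf is constructed for this example; the account
# id, version and paths in it are invented.

# sample_conf [WEBROOT]: prints a renewal.conf like the one certbot writes
# after "certbot certonly --webroot -w WEBROOT -d ..." (constructed sample).
sample_conf() {
  root=${1:-/var/www/html}
  cat <<EOF
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/swiss7cloud.ch
cert = /etc/letsencrypt/live/swiss7cloud.ch/cert.pem
privkey = /etc/letsencrypt/live/swiss7cloud.ch/privkey.pem
chain = /etc/letsencrypt/live/swiss7cloud.ch/chain.pem
fullchain = /etc/letsencrypt/live/swiss7cloud.ch/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
account = 0123456789abcdef0123456789abcdef
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
swiss7cloud.ch = $root
www.swiss7cloud.ch = $root
office.swiss7cloud.ch = $root
EOF
}

# renewal_value FILE KEY: the value of "KEY = value" inside [renewalparams]
renewal_value() {
  awk -v key="$2" '
    /^\[renewalparams\]/ { s = 1; next }
    /^\[/                { s = 0 }
    s && $1 == key && $2 == "=" { print $3; exit }
  ' "$1"
}

# webroot_for FILE DOMAIN: the directory mapped to DOMAIN in [[webroot_map]]
webroot_for() {
  awk -v d="$2" '
    /^\[\[webroot_map\]\]/ { m = 1; next }
    /^\[/                  { m = 0 }
    m && $1 == d && $2 == "=" { print $3; exit }
  ' "$1"
}

# renewal_check FILE DOMAIN...: prints "ok" and returns 0 when the conf renews
# via webroot and every DOMAIN has a webroot_map entry pointing at an existing
# directory; otherwise prints each problem and returns 1.
renewal_check() {
  f=$1; shift
  rc=0
  auth=$(renewal_value "$f" authenticator)
  if [ "$auth" != webroot ]; then
    echo "authenticator is '$auth', not webroot"; rc=1
  fi
  for d in "$@"; do
    w=$(webroot_for "$f" "$d")
    if [ -z "$w" ]; then
      echo "no webroot_map entry for $d"; rc=1
    elif [ ! -d "$w" ]; then
      echo "webroot for $d does not exist: $w"; rc=1
    fi
  done
  [ "$rc" -eq 0 ] && echo ok
  return "$rc"
}

# Usage on a real host (the names come from "certbot certificates"):
#   renewal_check /etc/letsencrypt/renewal/swiss7cloud.ch.conf \
#       swiss7cloud.ch www.swiss7cloud.ch office.swiss7cloud.ch
```

A name that is in the certificate but missing from webroot_map, or a webroot that was moved after issuance, is exactly what makes a later "certbot renew" fail while the cron job keeps reporting success for the other certificates, so this is worth running once after switching a certificate from --apache to --webroot.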


#13

Automation at work :slight_smile:
You are good to go!

