Trying to create a new Domain Cert with name "swiss7cloud.ch" with an existing Sub-Domain (www.swiss7cloud.ch) and non-existing Sub-Domain (office.swiss7cloud.ch)
Webserver is running in productive mode & is serving data under the existing and running domain
My domain is: www.swiss7cloud.ch
(by the way .. the "certbot renew" process runs regularly without any issues on domain: www.swiss7cloud.ch)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version):
Server version: Apache/2.4.6 (CentOS)
Server built: Nov 5 2018 01:47:0
The operating system my web server runs on is (include version):
centos-release-7-6.1810.2.el7.centos.x86_64
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
If you want to use http-01 validation, http://swiss7cloud.ch/.well-known/acme-challenge/1234 must work, same with www. There may be a redirect, but a timeout is bad.
Your office subdomain has timeouts.
Is there a firewall that blocks?
PS: Perhaps you have used tls-sni-01 validation. This is deprecated, support ends 2019-02-13. So you must switch to another validation method.
Thx a lot for your hints and idea. I do appreciate those very much.
I could evaluate the timeouts .. coming from the Cloud IDS/IPS (Intrusion Prevention System) .. good2know it works ... checked it shortly without this ->
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Maybe what rg305 said .. I would need the DNS validation? (Only www.swiss7cloud.ch and swiss7cloud.ch are configured via httpd-confs .. office.swiss7cloud.ch is not httpd (Apache) configured on the server .. !?)
A file under /.well-known/acme-challenge is redirected to your login page. That can't work.
/.well-known/acme-challenge shouldn't have such a redirect. http -> https is ok, but your login page doesn't send the content of the file Let's Encrypt wants to see.
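The three outcomes described in the replies above (challenge file served, redirect that ends on a login page, timeout) can be checked before requesting a certificate. This is an added example, not part of the original thread; the function names, the `example.test` hosts and the token value are constructed for illustration.

```python
import http.client
import socket
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}  # generic HTTP redirect codes

def live_fetch(url, timeout=10):
    """One GET without following redirects: (status, Location, body)."""
    p = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if p.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(p.netloc, timeout=timeout)
    try:
        conn.request("GET", (p.path or "/") + ("?" + p.query if p.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read(4096).decode("latin-1")
    finally:
        conn.close()

def check_http01(url, expected_body, fetch=live_fetch, max_redirects=10):
    """Follow redirects by hand and return (verdict, last_url)."""
    for _ in range(max_redirects + 1):
        try:
            status, location, body = fetch(url)
        except (TimeoutError, socket.timeout):
            return "timeout", url            # e.g. firewall or IPS dropping the request
        if status in REDIRECTS and location:
            url = urljoin(url, location)     # http -> https is fine, keep following
            continue
        if status == 200 and body.strip() == expected_body:
            return "ok", url
        return "content-mismatch", url       # e.g. a login page instead of the file
    return "too-many-redirects", url

# Constructed responses standing in for three differently configured hosts.
PATH = "/.well-known/acme-challenge/test-token"
SAMPLE = {
    "http://www.example.test" + PATH: (301, "https://www.example.test" + PATH, ""),
    "https://www.example.test" + PATH: (200, None, "test-token.constructed\n"),
    "http://app.example.test" + PATH: (302, "/login", ""),
    "http://app.example.test/login": (200, None, "<html>Login</html>"),
}

def sample_fetch(url):
    if url not in SAMPLE:                    # unknown host behaves like a timeout
        raise TimeoutError(url)
    return SAMPLE[url]
```

Against a real server, place a test file under the challenge directory and call `check_http01` with the default `live_fetch` and that file's content.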
Yes … that might be the reason for Jürgen … ok … so I think I know what I’d need to do furthermore …
Disabling the http redirection … for this I would need a maintenance window, and I’d need to pre-announce this … so … cannot do this now
The cron job should invoke a simple “renew”.
The renewal.conf file should store all the necessary parameters needed for it to renew successfully.
[it will “remember” how that cert was last issued - like by having used: --webroot]