Unable to Create Certificates for 2 Sites on Same IP


I am an experienced developer but have run into an issue setting up Let's Encrypt on an Ubuntu bionic virtual private server.

My domains are:

Now I had this working with just gordonbanderson.com. The command I ran was

certbot certonly -v --staging --no-eff-email --webroot --preferred-challenges http --email "gordon.b.anderson+gba@gmail.com" --agree-tos -d gordonbanderson.com -d www.gordonbanderson.com -w /var/www/gba/public/

When I added arbroathunited.cc as a domain on the same IP address, the above command fails: when I try to create a certificate for gordonbanderson.com it tries to authenticate against the other domain associated with the server, arbroathunited.cc:

Output from the above command after adding the second domain, https://pastebin.com/6ANANPDz

My web server is (include version):

nginx 1.17.4

The virtual hosts are responding correctly; I added the same filename to both servers with different text, and they responded as expected.

The operating system my web server runs on is (include version):
Alpine Linux 3.10 (note I am using docker with multiple containers). Certbot is running Debian stretch

My hosting provider, if applicable, is:
Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
NO, using SSH

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.28.0, certbot

The attempt to authorize gordonbanderson.com against the webroot of arbroathunited.cc, which is failing, is where I am confused.

Any pointers appreciated.



Your server is generating a redirect from the gordonbanderson.com to arbroathunited.cc:

$ curl -X GET -I gordonbanderson.com/.well-known/acme-challenge/test
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sat, 19 Oct 2019 23:32:34 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://arbroathunited.cc/.well-known/acme-challenge/test

Let’s Encrypt is just following the redirect, which produces the appearance of it trying to authenticate against the wrong domain.


Thanks for the heads up, I had not thought to look at the nginx config. The issue was that the server name gordonbanderson.com was missing from the redirect (I previously only had the www version):

server {
    listen 80;
    server_name gordonbanderson.com www.gordonbanderson.com;
    rewrite ^ https://gordonbanderson.com$uri permanent;
}

There was a second issue in that certbot uses IPv6 and IPv4 fallback appears to fail. Enabling IPv6 on the Digital Ocean interface, tweaking the network configuration via SSH, and adding IPv6 listening to the nginx config resolved the problem.
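For reference, a port-80 configuration for both sites that serves the HTTP-01 challenge path directly instead of relying on the HTTPS redirect, added here as an example rather than the poster's own config; the arbroathunited.cc webroot path is an assumption.

```nginx
# Added example, not the poster's configuration. Each site gets its own
# port-80 server block, and the ACME challenge prefix is answered from the
# webroot so certbot's validation request is never redirected to another host.

server {
    listen 80;
    listen [::]:80;   # answer over IPv6 too; Let's Encrypt prefers AAAA when one exists
    server_name gordonbanderson.com www.gordonbanderson.com;

    # ^~ makes this prefix win over the catch-all below, so the token file
    # written by "certbot --webroot -w /var/www/gba/public" is returned as-is.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/gba/public;
        default_type "text/plain";
        try_files $uri =404;
    }

    location / {
        return 301 https://gordonbanderson.com$request_uri;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name arbroathunited.cc;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/arbroath/public;   # assumed webroot; use the path passed to certbot -w
        default_type "text/plain";
        try_files $uri =404;
    }

    location / {
        return 301 https://arbroathunited.cc$request_uri;
    }
}
```

A request whose Host matches no server_name falls through to nginx's default server for that port (the first block listed unless one is marked default_server), which is how the missing gordonbanderson.com entry ended up in the arbroathunited.cc redirect. After `nginx -t` and a reload, `curl -I http://gordonbanderson.com/.well-known/acme-challenge/test` should return 404 from the webroot rather than 301.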
