My domain is: quarkstat.com, aws.jander.me
I ran this command:
docker run -it --rm -p 4343:443 -p 8080:80 --name certbot \
  -v "/etc/letsencrypt:/etc/letsencrypt" \
  -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
  quay.io/letsencrypt/letsencrypt:latest renew --dry-run
It produced this output:
- The following errors were reported by the server:

  Domain: quarkstat.com
  Type:   unauthorized
  Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
          Requested 9e7f5e778a7148b8856b9361985e61c1.fc52b1a533fc3e1afcb7e8367f8784df.acme.invalid
          from 35.160.186.36:443. Received certificate containing 'aws.jander.me, quarkstat.com'

  Domain: aws.jander.me
  Type:   unauthorized
  Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
          Requested cdd13f47fa7c9344470b9bef97804fc5.ee1068c90540b5516f818748f15fb0b2.acme.invalid
          from 35.160.186.36:443. Received certificate containing 'aws.jander.me, quarkstat.com'
My operating system is (include version): linux AWS AMI
My web server is (include version): nginx
My hosting provider, if applicable, is: AWS
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
First off, thanks for the great work you’re doing! I’ve just stumbled on your service in the past week and have been working to get it set up in a test environment. At this point I’m struggling with the renewal of a certificate created with multiple names.
Concern/Question: Since there is a single SAN certificate used for both domains here, shouldn’t this validation be considered successful? i.e. the SAN cert returned in both cases did include the domain name being validated.
My nginx conf is similar to that described in this article, with the following relevant sections from the configuration showing that requests to /.well-known are proxied through to the certbot docker container:
server {
    listen 80;
    server_name quarkstat.com aws.jander.me;

    # HTTP-01 challenge requests go to the certbot container's port 80,
    # published on the host as 8080. No trailing slash on proxy_pass: with
    # "http://127.0.0.1:8080/" nginx would replace the matched "/.well-known"
    # prefix with "/" and forward "//acme-challenge/<token>" instead of the
    # full path certbot serves.
    location /.well-known {
        proxy_pass http://127.0.0.1:8080;
    }

    # Redirect everything else to HTTPS. This lives in its own location block
    # because a bare "return" at server level runs before location matching
    # and would redirect the challenge requests as well. $host keeps the name
    # the client asked for; $server_name always expands to the first entry
    # of the server_name list (quarkstat.com), so aws.jander.me visitors
    # would be redirected to the wrong host.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name quarkstat.com aws.jander.me;

    # Production certificate covering both names. Because nginx terminates TLS
    # here, this is the certificate any client connecting to port 443 sees,
    # regardless of the SNI name it sends.
    ssl_certificate     /etc/letsencrypt/live/quarkstat.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/quarkstat.com/privkey.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # This only affects HTTP requests that arrive over HTTPS. A TLS-SNI-01
    # validation is decided during the TLS handshake itself, by the
    # certificate presented above, so it never reaches this location, and
    # the container's TLS listener on 4343 would receive plain HTTP here.
    location /.well-known {
        proxy_pass http://127.0.0.1:4343;
    }
}
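The check that produced the "Incorrect validation certificate" lines above can be reproduced offline. The following is an added example, not code from the original post, from certbot or from Let's Encrypt: it derives the `acme.invalid` name a CA requests for a TLS-SNI-01 challenge (from the ACME draft that defined the challenge type) and applies the CA's acceptance rule to the certificate that was actually received. The two requested names and the received SAN list are copied from the error output in the post; the token and account-key thumbprint are constructed placeholders. For reference, TLS-SNI-01 has since been retired by Let's Encrypt, so current renewals use HTTP-01 or DNS-01 instead.

```python
"""Model of the CA-side TLS-SNI-01 check behind the post's error output.

Added example, not code from the original post or from certbot/Let's Encrypt.
The two acme.invalid names and the SAN list are copied from the error output
in the post; the token and account-key thumbprint are constructed placeholders.
"""
import hashlib
import re

ACME_INVALID_SUFFIX = ".acme.invalid"
_HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Values quoted in the post's error output.
REQUESTED_QUARKSTAT = ("9e7f5e778a7148b8856b9361985e61c1."
                       "fc52b1a533fc3e1afcb7e8367f8784df.acme.invalid")
REQUESTED_AWS = ("cdd13f47fa7c9344470b9bef97804fc5."
                 "ee1068c90540b5516f818748f15fb0b2.acme.invalid")
RECEIVED_SANS = ["aws.jander.me", "quarkstat.com"]


def tls_sni01_san(token: str, account_thumbprint: str) -> str:
    """Derive the name the CA sends as SNI and expects back as a SAN.

    From the ACME draft that defined TLS-SNI-01:
      keyAuthorization = token + "." + base64url(JWK thumbprint of account key)
      Z = lowercase hex SHA-256(keyAuthorization)        (64 hex chars)
      name = Z[0:32] + "." + Z[32:64] + ".acme.invalid"
    The client must answer a ClientHello carrying this SNI with a self-signed
    certificate whose subjectAltName list contains exactly this name.
    """
    key_authz = f"{token}.{account_thumbprint}".encode("ascii")
    z = hashlib.sha256(key_authz).hexdigest()
    return f"{z[:32]}.{z[32:]}{ACME_INVALID_SUFFIX}"


def is_acme_invalid_name(name: str) -> bool:
    """Structural check: two 32-char lowercase-hex labels under .acme.invalid."""
    if not name.endswith(ACME_INVALID_SUFFIX):
        return False
    labels = name[: -len(ACME_INVALID_SUFFIX)].split(".")
    return len(labels) == 2 and all(_HEX32.match(label) for label in labels)


def validation_succeeds(requested_name: str, presented_sans: list[str]) -> bool:
    """The CA's decision after the handshake.

    Only the requested acme.invalid name counts. Whether the presented
    certificate also names the hostname being validated is irrelevant, so a
    production SAN certificate for the real hosts is rejected.
    """
    return is_acme_invalid_name(requested_name) and requested_name in presented_sans


def diagnose(requested_name: str, presented_sans: list[str]) -> str:
    """Human-readable verdict in the wording of the server's error message."""
    if validation_succeeds(requested_name, presented_sans):
        return f"ok: presented certificate contains {requested_name}"
    return (f"unauthorized: requested {requested_name}, received certificate "
            f"containing {', '.join(repr(s) for s in presented_sans)}")


if __name__ == "__main__":
    # What nginx in the post returned: the production cert for both SNI names.
    for name in (REQUESTED_QUARKSTAT, REQUESTED_AWS):
        print(diagnose(name, RECEIVED_SANS))
    # What a standalone certbot listener answers for a fresh challenge
    # (constructed token and thumbprint).
    expected = tls_sni01_san("tokenFromTheCA", "accountKeyThumbprint")
    print(diagnose(expected, [expected]))
```

To see the same thing against a live host, `openssl s_client -servername <the acme.invalid name> -connect <host>:443` shows which certificate is actually presented for that SNI; when nginx owns port 443 it will be the production certificate, not the challenge certificate from the container.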