Hi,
I am trying to create new certificates for my domains on my personal server rented at online.fr.
Online adds an automatic certificate at creation.
I need to install an HTTPS server on my own domain names.
Please, how can I add my domains or delete the original certificate built by Let's Encrypt for Online?
Thanks in advance.
This is the message given by letsencrypt-auto:
Failed authorization procedure. mattermost.ilibres.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 536b8b038c0181af7c4e757f86a52139.2efaa20ee4571b4e2b709baad8f67733.acme.invalid from 51.15.165.174:443. Received 1 certificate(s), first certificate had names “sd-125872.dedibox.fr”, ilibres.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested e969fbf43719fd35349276a078fb7479.459599439629fd4dc677fcee391282c1.acme.invalid from 51.15.165.174:443. Received 1 certificate(s), first certificate had names “sd-125872.dedibox.fr”, gitlab.ilibres.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested c12b66d104690393ebba6d1f0174fb51.1603ffebe3d0fbfeb1aead5152f49e74.acme.invalid from 51.15.165.174:443. Received 1 certificate(s), first certificate had names “sd-125872.dedibox.fr”
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: mattermost.ilibres.org
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
536b8b038c0181af7c4e757f86a52139.2efaa20ee4571b4e2b709baad8f67733.acme.invalid
from 51.15.165.174:443. Received 1 certificate(s), first
certificate had names “sd-125872.dedibox.fr”
Domain: ilibres.org
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
e969fbf43719fd35349276a078fb7479.459599439629fd4dc677fcee391282c1.acme.invalid
from 51.15.165.174:443. Received 1 certificate(s), first
certificate had names “sd-125872.dedibox.fr”
Domain: gitlab.ilibres.org
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
c12b66d104690393ebba6d1f0174fb51.1603ffebe3d0fbfeb1aead5152f49e74.acme.invalid
from 51.15.165.174:443. Received 1 certificate(s), first
certificate had names “sd-125872.dedibox.fr”
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
These errors mean that your letsencrypt-auto software tried to prove it controlled the machine by answering HTTPS connections as that machine. However, when Let’s Encrypt (the service) connected to check that, it found that HTTPS connections were answered by some other software.
Are you sure you're running the letsencrypt-auto software on the machines that answer to these names? If not, that's your problem: you must find a way to prove control over the names; Let's Encrypt mustn't issue you certificates unless you can prove control. If you are running it on the right machines, try to find out why other software is answering instead - do you need to stop an existing web server program to get this working? Do you have an unusual port mapping configuration, load balancer or other tricks?
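An added example (not code from anyone in this thread) that parses the certbot failure line quoted above into the check the validator performed: a tls-sni-01 validation passed only if the certificate presented on port 443 for the requested `.acme.invalid` SNI name carried that name itself, so a certificate naming `sd-125872.dedibox.fr` means another HTTPS server, not the ACME client, answered. Python standard library only; the sample input is the thread's own output, shortened to two entries.

```python
import re
from dataclasses import dataclass
from typing import List

# The first two entries of the certbot line quoted in the thread (the third has the same shape).
CERTBOT_OUTPUT = (
    "Failed authorization procedure. mattermost.ilibres.org (tls-sni-01): urn:acme:error:unauthorized "
    ":: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 "
    "challenge. Requested 536b8b038c0181af7c4e757f86a52139.2efaa20ee4571b4e2b709baad8f67733.acme.invalid "
    "from 51.15.165.174:443. Received 1 certificate(s), first certificate had names "
    "\u201csd-125872.dedibox.fr\u201d, ilibres.org (tls-sni-01): urn:acme:error:unauthorized :: The "
    "client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. "
    "Requested e969fbf43719fd35349276a078fb7479.459599439629fd4dc677fcee391282c1.acme.invalid "
    "from 51.15.165.174:443. Received 1 certificate(s), first certificate had names "
    "\u201csd-125872.dedibox.fr\u201d"
)

# One "<domain> (<challenge>): urn:acme:error:<type> :: ... Requested <sni> from <ip>:<port>.
# Received N certificate(s), first certificate had names <quoted names>" entry per failed domain.
FAILURE_RE = re.compile(
    r"(?P<domain>[A-Za-z0-9.-]+) \((?:[a-z0-9-]+)\): urn:acme:error:\w+ :: .*?"
    r"Requested (?P<requested>[0-9a-f]+\.[0-9a-f]+\.acme\.invalid) "
    r"from (?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+)\. "
    r"Received \d+ certificate\(s\), first certificate had names "
    "(?P<names>(?:[\u201c\"][^\u201d\"]*[\u201d\"](?:, )?)+)",  # certbot prints curly quotes
    re.DOTALL,
)
QUOTED_RE = re.compile("[\u201c\"]([^\u201d\"]*)[\u201d\"]")


@dataclass
class Failure:
    domain: str
    requested: str       # the <hash>.<hash>.acme.invalid SNI name the CA asked the server for
    ip: str
    port: int
    received: List[str]  # SAN names of the certificate the server actually presented

    def validation_cert_served(self) -> bool:
        return self.requested in self.received  # the only way a tls-sni-01 check can pass

    def diagnosis(self) -> str:
        if self.validation_cert_served():
            return f"{self.domain}: validation certificate was served; the fault lies elsewhere"
        return (f"{self.domain}: {self.ip}:{self.port} presented a certificate for "
                f"{', '.join(self.received)}; a web server other than the ACME client "
                "is answering HTTPS there")


def parse_failures(text: str) -> List[Failure]:
    return [Failure(m["domain"], m["requested"], m["ip"], int(m["port"]),
                    QUOTED_RE.findall(m["names"]))
            for m in FAILURE_RE.finditer(text)]
```

Call `parse_failures(CERTBOT_OUTPUT)` and print each entry's `diagnosis()`. Let's Encrypt has since retired the tls-sni-01 challenge type, so this is for reading logs like the one above rather than for running the challenge.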
LE doesn’t require proof of IP ownership, nor does it supply certs with IPs in them.
So you can exclude an actual IP from the conversation.
What LE does require proof of is the FQDN(s) in the cert request.
Proof can be by HTTP(S) and DNS challenge responses.
For HTTP(S) forward DNS is used to determine where the FQDN is presently.
LE prefers IPv6 addresses over any IPv4 addresses and will check the FQDN for CAA “compliance”.
That said, I can’t explain why the HTTPS challenge failed.
But you can still try HTTP and/or DNS challenges for authentication.
Thanks, rg305.
I'm not sure I understand clearly, but I will look into how to try HTTP and/or DNS challenges for authentication…
I just understood that online.net had reserved a certificate and how it interferes with my request to letsencrypt, and I supposed, like the online support technician said, that I have to ask letsencrypt to delete or append to the certificate list for this host.
Thanks for all !
I have added AAAA records to my DNS zone and I have requested my certificates from the host, not from the LXC…
My request succeeded; now I have to continue my configuration in my LXC to test real HTTPS access.
Best regards,
freg
It is possible that you could add some kind of forwarding which would also allow you to request your certificate from inside the container, in case that would be useful to you—but the kind of forwarding that's appropriate for that depends on what challenge type you use to prove control of the domain and why it fails when attempted from inside the container.
Hi @schoen
Thanks for your clarifications and the questions I have to think about.
I made too many tests at the same time and it's a little bit confusing between forwarding and application settings.
For now it's correct; I'm progressing to the upper layers.
Best regards,
freg