Hi,
Shortish summary: 90+ days ago we set up a Zimbra 8.7 OS Edition server on CentOS 7. All went well, except for the LetsEncrypt part (Installing a LetsEncrypt SSL Certificate - Zimbra :: Tech Center); certbot was not able to complete (sorry, I haven't got the full details right here).
We needed certs for this plus two additional domains. We were running late in the deployment, so eventually we made it work using pfSense to generate the certificates, then issuing the certs and copying the needed files to Zimbra and the other hosts, plus a cumbersome process to prepare the files, verify them and deploy... but it worked.
The time has come to renew, but no go so far. We aim to make it work as intended with certbot plus a cron job for auto-renewal, so how do we proceed from here?
I tried ./letsencrypt-auto certonly --standalone and certbot-auto certonly --standalone. Both return the following error(s):
[root@post letsencrypt]# ./letsencrypt-auto certonly --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel):FQDN-1 FQDN-2
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for FQDN-1
tls-sni-01 challenge for FQDN-2
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. FQDN-1 (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 07754eeda814862d64130f3ef145a362.6c0075519e38c40b4c047079e09afb65.acme.invalid from [our fw IP Addr]:443. Received 1 certificate(s), first certificate had names "FQDN-2, FQDN-1", FQDN-2 (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested db9e5f445aeff7ae51241124ec17ae16.3b856784a501ef54cfa860e73912df39.acme.invalid from [our fw IP Addr]:443. Received 1 certificate(s), first certificate had names "FQDN-2, FQDN-1"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: FQDN-1
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
07754eeda814862d64130f3ef145a362.6c0075519e38c40b4c047079e09afb65.acme.invalid
from [our fw IP Addr]:443. Received 1 certificate(s), first
certificate had names "FQDN-2, FQDN-1"
Domain: FQDN-2
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
db9e5f445aeff7ae51241124ec17ae16.3b856784a501ef54cfa860e73912df39.acme.invalid
from [our fw IP Addr]:443. Received 1 certificate(s), first
certificate had names "FQDN-2, FQDN-1"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
Obviously the real domain names and IP address have been hidden.
Thanks in advance - looking forward to a speedy reply
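Added example (editor's note, not part of the poster's message or of certbot): what the tls-sni-01 validator in the log above is actually checking, and a way to see from the outside what your public IP answers with on :443. The error text says it all: the CA asked [our fw IP Addr]:443 for a name ending in .acme.invalid via SNI and got back a certificate for "FQDN-2, FQDN-1", i.e. the production certificate, not the throwaway challenge certificate that --standalone serves. Assumptions: the name derivation follows the ACME drafts that defined tls-sni-01 (Z = hex SHA-256 of the key authorization, name = Z[0:32].Z[32:64].acme.invalid, key authorization = token.JWK-thumbprint); sha256sum and openssl are on the box; and the "X509v3 Subject Alternative Name:" layout of openssl x509 -text output is as usual. The key authorization "abc" used in the lead-in's tests is a constructed stand-in, not a real one.

```shell
#!/bin/sh
# Added example, not from the original post or from certbot/Boulder.
# Reproduces the tls-sni-01 decision the validator made in the log above
# and lets you probe what really answers on :443 at your public address.
#
# Assumed name derivation (per the ACME drafts that defined tls-sni-01):
#   Z    = hex(SHA-256(key authorization))   # key authorization = token "." JWK thumbprint
#   name = Z[0:32] "." Z[32:64] ".acme.invalid"
# The validator connects to the domain's IP on 443 with that name as SNI and
# expects a certificate whose dNSName SANs include it. A production cert with
# the real FQDNs is "Incorrect validation certificate", as in the log.

# Derive the SNI name the validator will ask for from a key authorization.
tlssni01_name() {
  z=$(printf '%s' "$1" | sha256sum | cut -c1-64)
  printf '%s.%s.acme.invalid\n' \
    "$(printf '%s' "$z" | cut -c1-32)" \
    "$(printf '%s' "$z" | cut -c33-64)"
}

# Decide as the validator does: the requested name ($1) must appear among the
# presented dNSName SANs (stdin, one per line). Exit 0 means "would pass".
sni_cert_matches() {
  grep -Fxq -- "$1"
}

# Connect to $1:443 with SNI $2 and print the dNSName SANs the server answers
# with, one per line. Uses `x509 -text` rather than `-ext` so it also works
# with the OpenSSL 1.0.2 that CentOS 7 ships (assumption: standard -text layout).
probe_sans() {
  openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Usage: check_tls_sni01 <public IP or FQDN> <key authorization>
# Reports whether whatever answers on :443 there would satisfy the challenge.
check_tls_sni01() {
  name=$(tlssni01_name "$2")
  sans=$(probe_sans "$1" "$name")
  if printf '%s\n' "$sans" | sni_cert_matches "$name"; then
    echo "OK: $1:443 presented $name"
  else
    echo "FAIL: $1:443 did not present $name; it answered with: ${sans:-(no certificate / no SAN)}"
    return 1
  fi
}
```

Run check_tls_sni01 against the firewall's public address while certbot's standalone listener is up (certbot prints the token and you can read the thumbprint from its account key; any string will do if you only want to see which certificate the firewall hands out). If the SANs come back as your Zimbra FQDNs, the connection on :443 is being terminated by pfSense or forwarded to Zimbra's own listener rather than to the host where certbot is listening, which is exactly what the "Received 1 certificate(s), first certificate had names ..." line records. Caveat for anyone reading this later: Let's Encrypt has since retired tls-sni-01 entirely, so a current certbot will use http-01 or dns-01 instead, but the same diagnostic applies: whatever answers at the public IP on the challenge port has to be the challenge responder, not the production service.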