Verify error when adding a SAN to an existing server

Host gms is to be replaced by mobile, but gms (SLES11) is still running with its self-minted cert.
Host mobility (SLES12) is to take over from gms. For now we don't want to touch gms if we can at all do so, and be ready for a smooth switch over by just changing the DNS A record to match mobility's.
The command that fails:
./acme.sh --issue -d mobile.petroff.com --standalone -d gms.petroff.com --debug --force

with the trip point appearing to be
[Fri Sep 15 13:21:04 EDT 2017] gms.petroff.com:Verify error:Fetching http://gms.petroff.com/.well-known/acme-challenge/jpvCdNIg9WFQDGSKC2gUcWzgNmaBnxtQTdUwiDlrmt8: Connection refused

Is there a way to get that first Let's Encrypt cert without gms pointing to the new host? Am trying to avoid an outage while swapping in a new and updated server.

Hi @KonecnyA,

If you want to have 1 certificate valid for both domains then you could mix the challenges, standalone for mobile.petroff.com and dns for gms.petroff.com

Something like this:

acme.sh --issue -d mobile.petroff.com --standalone -d gms.petroff.com --dns

In this case, the command is being executed on the mobile.petroff.com host machine and will use the standalone mode for this domain and the manual DNS challenge for domain gms.petroff.com. As I said, the DNS challenge in this case is a manual step: when you execute the command you will see instructions to create a TXT record on your DNS servers for domain _acme-challenge.gms.petroff.com with a random string.

Example output:

# acme.sh --issue -d mobile.petroff.com --standalone -d gms.petroff.com --dns
[Sat Sep 16 00:55:00 CEST 2017] Standalone mode.
[Sat Sep 16 00:55:00 CEST 2017] Creating domain key
[Sat Sep 16 00:55:00 CEST 2017] The domain key is here: /root/.acme.sh/mobile.petroff.com/mobile.petroff.com.key
[Sat Sep 16 00:55:00 CEST 2017] Multi domain='DNS:gms.petroff.com'
[Sat Sep 16 00:55:00 CEST 2017] Getting domain auth token for each domain
[Sat Sep 16 00:55:00 CEST 2017] Getting webroot for domain='mobile.petroff.com'
[Sat Sep 16 00:55:00 CEST 2017] Getting new-authz for domain='mobile.petroff.com'
[Sat Sep 16 00:55:02 CEST 2017] The new-authz request is ok.
[Sat Sep 16 00:55:02 CEST 2017] Getting webroot for domain='gms.petroff.com'
[Sat Sep 16 00:55:02 CEST 2017] Getting new-authz for domain='gms.petroff.com'
[Sat Sep 16 00:55:03 CEST 2017] The new-authz request is ok.
[Sat Sep 16 00:55:03 CEST 2017] Add the following TXT record:
[Sat Sep 16 00:55:03 CEST 2017] Domain: '_acme-challenge.gms.petroff.com'
[Sat Sep 16 00:55:03 CEST 2017] TXT value: '43tr8hiyzsr2oJaHjl9xL8pIhaMjLEHIJyolE_NDyzS'
[Sat Sep 16 00:55:03 CEST 2017] Please be aware that you prepend _acme-challenge. before your domain
[Sat Sep 16 00:55:03 CEST 2017] so the resulting subdomain will be: _acme-challenge.gms.petroff.com
[Sat Sep 16 00:55:03 CEST 2017] Please add the TXT records to the domains, and retry again.
[Sat Sep 16 00:55:03 CEST 2017] Please add '--debug' or '--log' to check more details.
[Sat Sep 16 00:55:03 CEST 2017] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh

In this example, you would need to create a TXT record for domain _acme-challenge.gms.petroff.com with the content 43tr8hiyzsr2oJaHjl9xL8pIhaMjLEHIJyolE_NDyzS (this content will change for you).

Once the record has been added, make sure ALL your DNS servers answer with the same content; in your case you can check your 3 NS servers and all of them should return the same content.

dig @dns1.datacentres.rogers.com _acme-challenge.gms.petroff.com txt +short
dig @dns2.datacentres.rogers.com _acme-challenge.gms.petroff.com txt +short
dig @dns3.datacentres.rogers.com _acme-challenge.gms.petroff.com txt +short

Now, execute acme.sh with the renew command:

acme.sh --renew -d mobile.petroff.com -d gms.petroff.com

The command could give an error but don't worry; in this step you could receive your certificate, but if you receive some error like this…

# acme.sh --renew -d mobile.petroff.com -d gms.petroff.com
[Sat Sep 16 01:01:10 CEST 2017] Renew: 'mobile.petroff.com'
[Sat Sep 16 01:01:10 CEST 2017] Standalone mode.
[Sat Sep 16 01:01:10 CEST 2017] Multi domain='DNS:gms.petroff.com'
[Sat Sep 16 01:01:10 CEST 2017] Getting domain auth token for each domain
[Sat Sep 16 01:01:10 CEST 2017] Verifying:mobile.petroff.com
[Sat Sep 16 01:01:10 CEST 2017] Standalone mode server
[Sat Sep 16 01:01:15 CEST 2017] mobile.petroff.com:Verify error:Fetching http://mobile.petroff.com/.well-known/acme-challenge/hz2zHRIJImLTmlq4ZK--l7ctCQctC8vI7Dz4yskfiJK: Error getting validation data
[Sat Sep 16 01:01:15 CEST 2017] Please add '--debug' or '--log' to check more details.
[Sat Sep 16 01:01:15 CEST 2017] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Sat Sep 16 01:01:17 CEST 2017] The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.

…execute again the first command and you will get your certificate:

acme.sh --issue -d mobile.petroff.com --standalone -d gms.petroff.com --dns

Example output:

acme.sh --issue -d mobile.petroff.com --standalone -d gms.petroff.com --dns
[Sat Sep 16 01:01:24 CEST 2017] Standalone mode.
[Sat Sep 16 01:01:24 CEST 2017] Multi domain='DNS:gms.petroff.com'
[Sat Sep 16 01:01:24 CEST 2017] Getting domain auth token for each domain
[Sat Sep 16 01:01:24 CEST 2017] Getting webroot for domain='mobile.petroff.com'
[Sat Sep 16 01:01:24 CEST 2017] Getting new-authz for domain='mobile.petroff.com'
[Sat Sep 16 01:01:25 CEST 2017] The new-authz request is ok.
[Sat Sep 16 01:01:25 CEST 2017] Getting webroot for domain='gms.petroff.com'
[Sat Sep 16 01:01:25 CEST 2017] Getting new-authz for domain='gms.petroff.com'
[Sat Sep 16 01:01:26 CEST 2017] The new-authz request is ok.
[Sat Sep 16 01:01:26 CEST 2017] Verifying:mobile.petroff.com
[Sat Sep 16 01:01:26 CEST 2017] Standalone mode server
[Sat Sep 16 01:01:30 CEST 2017] Success
[Sat Sep 16 01:01:30 CEST 2017] gms.petroff.com is already verified, skip dns-01.
[Sat Sep 16 01:01:30 CEST 2017] Verify finished, start to sign.
[Sat Sep 16 01:01:32 CEST 2017] Cert success.
[Sat Sep 16 01:01:32 CEST 2017] Your cert is in  /root/.acme.sh/mobile.petroff.com/mobile.petroff.com.cer
[Sat Sep 16 01:01:32 CEST 2017] Your cert key is in  /root/.acme.sh/mobile.petroff.com/mobile.petroff.com.key
[Sat Sep 16 01:01:32 CEST 2017] The intermediate CA cert is in  /root/.acme.sh/mobile.petroff.com/ca.cer
[Sat Sep 16 01:01:32 CEST 2017] And the full chain certs is there:  /root/.acme.sh/mobile.petroff.com/fullchain.cer

With these steps you have got a cert containing both domains, but maybe you prefer one certificate for each domain, so you could execute acme.sh in standalone mode to get a cert for mobile and execute the dns mode to get just a cert for gms (the acme.sh command could be executed on the gms machine instead of the mobile machine).

Keep in mind that this DNS mode requires a manual step and you can't renew the cert automatically; you could use dns api mode if your DNS servers provide some kind of API to add/modify/delete records. For more info take a look at the acme.sh doc https://github.com/Neilpang/acme.sh/blob/master/README.md

Anyway, you can use the dns manual mode now and once you have moved the site you could issue a new cert using the standalone mode…

I hope this helps.

Cheers,
sahsanu
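The "check your 3 NS servers" step above, generalized into a small script: it discovers the zone's authoritative nameservers and requires every one of them to return the exact TXT value acme.sh printed before you re-run the issue command. This is an added example, not code from the thread or from acme.sh; it assumes dig is installed and takes the zone, the host name and the TXT value as arguments.

```shell
#!/bin/sh
# Added example (not from the thread or from acme.sh): confirm that every
# authoritative nameserver of a zone already serves the _acme-challenge TXT
# value printed by acme.sh, before retrying "acme.sh --issue ... --dns".

# dig +short prints TXT data quoted and splits strings longer than 255
# bytes into "part1" "part2"; join the parts and drop the quotes.
normalize_txt() {
    printf '%s' "$1" | sed 's/" "//g; s/^"//; s/"$//'
}

# Read one answer per line on stdin; succeed only if there is at least one
# answer and every answer equals the expected value.
all_match() {
    expected="$1"
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        [ "$(normalize_txt "$line")" = "$expected" ] || return 1
    done
    [ "$n" -gt 0 ]
}

# Query each authoritative NS of $zone directly (bypassing resolver caches)
# for the TXT record of $name and require all of them to agree on $expected.
check_txt_on_all_ns() {
    zone="$1"; name="$2"; expected="$3"
    servers=$(dig +short NS "$zone")
    [ -n "$servers" ] || { echo "no NS records found for $zone" >&2; return 1; }
    rc=0
    for ns in $servers; do
        answer=$(dig @"$ns" "$name" TXT +short)
        if printf '%s\n' "$answer" | all_match "$expected"; then
            echo "OK   $ns"
        else
            [ -n "$answer" ] || answer='(no answer)'
            echo "FAIL $ns -> $answer"; rc=1
        fi
    done
    return $rc
}

# Usage: sh check_acme_txt.sh petroff.com gms.petroff.com <TXT value from acme.sh>
if [ "$#" -eq 3 ]; then
    check_txt_on_all_ns "$1" "_acme-challenge.$2" "$3"
fi
```

A non-zero exit means at least one nameserver is still serving stale or missing data, so wait for propagation instead of retrying acme.sh.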

Hi sahsanu
This does help along on this pre-flip of the dns of gms from the old host to the new one.
Once gms is pointing to the new host (the same one that is currently only mobile and will retain mobile), will I be able to just renew/reissue with both being in standalone? Or does the renew function no longer do the validation (this would be worrisome)?
I think you missed the bit where
OldHost with gms as a public name and NewHost with mobile as a public name will become one as NewHost with both mobile and gms as their public name, with OldHost retiring off to /dev/null for bit recycling
Long term will be renewing every 60 days, but now I’m uncertain whether it should be with acme.sh --renew … or acme.sh --issue …
Recommendation on that bit as I know those can be very loaded commands where the loads aren’t necessarily obvious?

Thank you very much
Andy in Toronto.

Hi @KonecnyA,

Yes, it does, at least I hope it does :wink:

With the current configuration, no, but you can change it easily.

The validation has a lifetime of 30 days, once it expires, Let's Encrypt will perform again the validation of your domains.

On the NewHost, where we executed our acme.sh commands, you just need to change a parameter in the saved conf for the primary domain, which in this case is mobile.petroff.com, so edit its conf file:

/root/.acme.sh/mobile.petroff.com/mobile.petroff.com.conf

and you will see this directive:

Le_Webroot='no,dns'

remove the dns part:

Le_Webroot='no'

and save the file.

Now, when you renew your cert, it will use standalone for both domains.

acme.sh --renew -d mobile.petroff.com

Note: In the renew command there is no need to specify all the domains, just the name of your cert, which in your case would be mobile.petroff.com, but this cert covers both domains (mobile.petroff.com & gms.petroff.com).

Cheers,
sahsanu
