Webroot: Multiple Domain-Request, but two of them report errors


#1

Hey there!

Successfully requested 3 domains with LE, but the 4th reports some errors.

Output from LE-client:

ex40 letsencrypt # ./letsencrypt-auto certonly -a webroot -w /srv/www/one.ambiente.www/ -d ambiente.one -d www.ambiente.one -d mail.ambiente.one -d my.ambiente.one --rsa-key-size 4096 --server https://acme-v01.api.letsencrypt.org/directory
Updating letsencrypt and virtual environment dependencies…
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly -a webroot -w /srv/www/one.ambiente.www/ -d ambiente.one -d www.ambiente.one -d mail.ambiente.one -d my.ambiente.one --rsa-key-size 4096 --server https://acme-v01.api.letsencrypt.org/directory
Failed authorization procedure. my.ambiente.one (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Error parsing key authorization file: Invalid key authorization: 178 parts, mail.ambiente.one (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Error parsing key authorization file: Invalid key authorization: 178 parts

IMPORTANT NOTES:

  • The following ‘urn:acme:error:unauthorized’ errors were reported by
    the server:

Domains: mail.ambiente.one, my.ambiente.one
Error: The client lacks sufficient authorization

How can I authorize these 2 subdomains as well?

Kind regards from Germany
Alex


#2

Hello,

You seem to have a redirect with mail.ambiente.one and my.ambiente.one.
As a consequence, the letsencrypt server couldn’t find the file it needed to check that you do have ownership of this domain.

You’ll have to configure your web server to deactivate the redirection on /.well-known/acme-challenge.

For apache configuration check this post [Webroot] Only performs http-01 challenge which doesn't follow HTTP redirects to HTTPS site
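The failure in the first post, "Invalid key authorization: 178 parts", is what the validator reports when the body it fetched from /.well-known/acme-challenge/<token> is not a key authorization but something else, typically the HTML page a redirect landed on. The script below is an added example (not from this thread and not part of the Let's Encrypt client): it checks a challenge response the way the ACME server does, splitting the body on "." and requiring exactly two base64url parts, token and account-key thumbprint (RFC 8555, section 8.1), and reports a redirect or a wrong status separately. The token, thumbprint and HTML page are constructed sample values; `fetch_challenge` is a helper for checking a live host and is not exercised by the samples.

```python
"""Diagnose an http-01 challenge response the way an ACME validator reads it.

Added example, not code from the thread or from the Let's Encrypt client.
It reproduces the "Invalid key authorization: N parts" error from the post:
the validator splits the fetched body on "." and expects exactly two
base64url parts, token and account-key thumbprint (RFC 8555, section 8.1).
A redirect that lands on the site's HTML page yields many parts instead.
"""
import re
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
_B64URL = re.compile(r"^[A-Za-z0-9_-]+$")  # unpadded base64url, as used for token and thumbprint

# Constructed sample values; a real token and thumbprint come from the ACME order and account key.
SAMPLE_TOKEN = "aGVsbG8tdG9rZW4tc2FtcGxl"
SAMPLE_THUMBPRINT = "c2FtcGxlLWFjY291bnQta2V5LXRodW1icHJpbnQ"
GOOD_BODY = f"{SAMPLE_TOKEN}.{SAMPLE_THUMBPRINT}\n"
# Constructed stand-in for what the validator sees when the challenge path redirects to the front page.
REDIRECTED_HTML = (
    "<!DOCTYPE html><html><head><title>ambiente.one</title></head>\n"
    "<body><p>Welcome to www.ambiente.one.</p></body></html>\n"
)


def parse_key_authorization(body, expected_token=None):
    """Return (token, thumbprint) or raise ValueError with the server's diagnostic."""
    parts = body.strip().split(".")
    if len(parts) != 2:
        raise ValueError(f"Invalid key authorization: {len(parts)} parts")
    token, thumbprint = parts
    for name, value in (("token", token), ("thumbprint", thumbprint)):
        if not _B64URL.match(value):
            raise ValueError(f"Invalid key authorization: {name} is not base64url")
    if expected_token is not None and token != expected_token:
        raise ValueError("Invalid key authorization: token mismatch")
    return token, thumbprint


def diagnose_http01(status, headers, body, token):
    """Classify a response to GET http://<domain>/.well-known/acme-challenge/<token>."""
    if 300 <= status < 400:
        target = headers.get("Location", "<no Location header>")
        return (f"redirect to {target}: exempt {CHALLENGE_PREFIX} from the redirect "
                "rule or make the challenge file reachable at the target")
    if status != 200:
        return f"HTTP {status}: challenge file not served from the webroot"
    try:
        parse_key_authorization(body, token)
    except ValueError as err:
        return f"unauthorized: {err}"
    return "ok"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface the 3xx itself instead of following it, so redirects are visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_challenge(domain, token, timeout=10):
    """Fetch the challenge URL over plain HTTP and return (status, headers, body).

    Needs network access; the samples below do not call it.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    url = f"http://{domain}{CHALLENGE_PREFIX}{token}"
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.getcode(), dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx (unfollowed), 4xx and 5xx arrive here
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Three constructed situations: a correct file, a redirect, and the HTML page a redirect served.
    print(diagnose_http01(200, {}, GOOD_BODY, SAMPLE_TOKEN))
    print(diagnose_http01(301, {"Location": "https://ambiente.one/"}, "", SAMPLE_TOKEN))
    print(diagnose_http01(200, {}, REDIRECTED_HTML, SAMPLE_TOKEN))
```

Before re-running the client, put a test file under the webroot's .well-known/acme-challenge/ directory and feed the real host to `fetch_challenge`: a "redirect to ..." result means the redirect rule still catches the challenge path, and a "parts" count other than 2 means something other than the challenge file is being served.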


#3

Okay, I turned off the redirect - my fail, sorry. :smile:
Works now!

Anyway, while adding this certificate to courier (mailserver) it won’t work - but why?

Maybe because the CN is just ambiente.one?
Doesn’t matter if mail.ambiente.one is listed below in DNS list?


#4

Well, when I checked your mail server with cipherscan I found the cert issued by Comodo.

If nothing has gone wrong when requesting your certificate, the CN is the first -d ambiente.one supplied, and the subjectAltName field in your certificate must have all the names you supplied.

If the DNS name mail.ambiente.one is correctly set up in the certificate, check other issues like:

When you install your certificate in your mail server, don’t forget the chain certificate (either chain.pem or fullchain.pem). Refer to the documentation of your mail server.

As a fallback you can just request a certificate for mail.ambiente.one and try with that.


#5

It isn’t fixed right now, but it isn’t topic-related either.

So I’ll start a new topic about it. See you there - maybe :wink: