Which method can I get Let’s Encrypt certificate on server A (the certificate use for Server B)

I am new to certbot.
if commands is “./certbot-auto certonly --standalone” and in the domain(mgfurniture.cn),get the response is:

IMPORTANT NOTES:
- The following errors were reported by the server:
  Domain: mgfurniture.cn
  Type:   unauthorized
  Detail: Incorrect validation certificate for tls-sni-01 challenge.
  Requested
  9fd48623454fd32c7d7f7a7dcca950a4.0c8755aa373bc030bdbb5ec096290931.acme.invalid
  from 47.88.9.55:443. Received 4 certificate(s), first certificate
  had names "*.ly200.com, ly200.com"

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address.

if the commands is :./certbot-auto certonly --standalone --preferred-challenges tls-sni -d www.mgfurniture.cn -d mgfurniture.cn
no response anything

note : the domain(mgfurniture.cn) in server A ,this server’s port 80/443 must free ?

certbot-auto in server B
server B some info:
1,ip6 is disable;
2,network is ok
3, the post 80/443 is free.

how can I do? what can i do ? pls help.

The “server B” probably explains why you are using “–standalone”.

If I’m correct, you are trying to get a cert for domain “mgfurniture.cn” from a system that is not at the IP resolved by that name (47.88.9.55). Because IP 47.88.9.55 already responds on port 443 with a cert for “ly200.com” and certbot would not be able to run another standalone server on port 443 - but that wasn’t the error.

If so, you won’t be able to get the cert in this manner (directly).
The simplest indirect method would be with DNS challenge authentication.

No both are currently being used by NGINX if your domain is mgfurniture.cn

image

Standalone and certonly are commands which you need to review (so you understand what they do): https://certbot.eff.org/docs/using.html#standalone

I believe a better approach for you would be to use the --nginx command which you can review here: https://certbot.eff.org/docs/using.html#nginx

The NGINX plugin will find the right domains (from your configuration file) , configure NGINX to pass the challenge and install the certificates for you all in one go

Andrei

I’m sorry for the long reply
thank you so much
@rg305 @ahaw021

Let me try

server A(ip is:116.196.112.157 centos 6.7) : http://www.soft169.xyz:8080/index.html
server B(install certbot),

I want to get a cert for domain ‘www.soft169.xyz’ in server B, how can i do?

in B, the cammands is : ./certbot-auto certonly --standalone --email 646524284@qq.com -d soft169.xyz
when Firewall off
response :

when firewall on
response:

National Day holiday

Hi @linger,

The method of requesting a certificate that you’re using requires the server to be able to accept inbound connections on port 443, and requires you to run Certbot on the computer that the domain name is pointed to. You can’t use a different port number or run Certbot on a separate computer with this method.

Can you run Certbot on server A instead? If not, you might be able to use a different method to get the certificate.

Hi @schoen

Which other method can I get Let’s Encrypt certificate?

my server A have some Service limit,I cannot run Certbot on server A instead.

Which other method can i get,authenticate and renewal a Let’s Encrypt certificate in server B?

If you can create an HTTP 301 redirect on server A from http://www.soft169.xyz/.well-known/acme-challenge/ to server B, that is one approach. It does not have to affect any other directories. This indicates to the certificate authority that server B is allowed to answer ACME HTTP-01 challenges on behalf of server A.

The other alternative is if your DNS provider has an API which would let you automatically create DNS TXT records in your DNS zone. If so, you can run an ACME client on any machine and use the DNS provider API from there to create TXT records specified by the certificate authority to satisfy the ACME DNS-01 challenge method.

There are also other alternatives if you can create files (at specified locations) on server A, either manually or via a protocol like SCP or SFTP.

thanks,schoen.
let me try

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.