Which method can I use to get a Let's Encrypt certificate on server A (the certificate is used for server B)?

I am new to certbot.
If the command is "./certbot-auto certonly --standalone" for the domain (mgfurniture.cn), the response is:

IMPORTANT NOTES:
- The following errors were reported by the server:
  Domain: mgfurniture.cn
  Type:   unauthorized
  Detail: Incorrect validation certificate for tls-sni-01 challenge.
  Requested
  9fd48623454fd32c7d7f7a7dcca950a4.0c8755aa373bc030bdbb5ec096290931.acme.invalid
  from 47.88.9.55:443. Received 4 certificate(s), first certificate
  had names "*.ly200.com, ly200.com"

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address.

If the command is: ./certbot-auto certonly --standalone --preferred-challenges tls-sni -d www.mgfurniture.cn -d mgfurniture.cn
there is no response at all.

Note: the domain (mgfurniture.cn) is on server A; must this server's ports 80/443 be free?

certbot-auto is on server B.
Some info about server B:
1. IPv6 is disabled;
2. the network is OK;
3. ports 80/443 are free.

What can I do? Please help.

The "server B" probably explains why you are using "--standalone".

If I’m correct, you are trying to get a cert for domain “mgfurniture.cn” from a system that is not at the IP resolved by that name (47.88.9.55). Because IP 47.88.9.55 already responds on port 443 with a cert for “ly200.com” and certbot would not be able to run another standalone server on port 443 - but that wasn’t the error.

If so, you won’t be able to get the cert in this manner (directly).
The simplest indirect method would be with DNS challenge authentication.

No, both are currently being used by NGINX if your domain is mgfurniture.cn.

Standalone and certonly are commands which you need to review (so you understand what they do): User Guide — Certbot 2.7.0.dev0 documentation

I believe a better approach for you would be to use the --nginx command which you can review here: User Guide — Certbot 2.7.0.dev0 documentation

The NGINX plugin will find the right domains (from your configuration file), configure NGINX to pass the challenge and install the certificates for you, all in one go.

Andrei

I’m sorry for the long reply
thank you so much
@rg305 @ahaw021

Let me try

server A (IP: 116.196.112.157, CentOS 6.7): http://www.soft169.xyz:8080/index.html
server B (certbot installed),

I want to get a cert for the domain 'www.soft169.xyz' on server B. How can I do it?

On B, the command is: ./certbot-auto certonly --standalone --email 646524284@qq.com -d soft169.xyz
When the firewall is off,
response:

When the firewall is on,
response:

National Day holiday

Hi @linger,

The method of requesting a certificate that you’re using requires the server to be able to accept inbound connections on port 443, and requires you to run Certbot on the computer that the domain name is pointed to. You can’t use a different port number or run Certbot on a separate computer with this method.

Can you run Certbot on server A instead? If not, you might be able to use a different method to get the certificate.

Hi @schoen

Which other method can I use to get a Let's Encrypt certificate?

My server A has some service limits; I cannot run Certbot on server A instead.

Which other method can I use to get, authenticate and renew a Let's Encrypt certificate on server B?

If you can create an HTTP 301 redirect on server A from http://www.soft169.xyz/.well-known/acme-challenge/ to server B, that is one approach. It does not have to affect any other directories. This indicates to the certificate authority that server B is allowed to answer ACME HTTP-01 challenges on behalf of server A.

The other alternative is if your DNS provider has an API which would let you automatically create DNS TXT records in your DNS zone. If so, you can run an ACME client on any machine and use the DNS provider API from there to create TXT records specified by the certificate authority to satisfy the ACME DNS-01 challenge method.

There are also other alternatives if you can create files (at specified locations) on server A, either manually or via a protocol like SCP or SFTP.
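The two alternatives above (redirecting the /.well-known/acme-challenge/ path from server A to server B for HTTP-01, and publishing a TXT record for DNS-01) both come down to the same value: the key authorization derived from the challenge token and the ACME account key's thumbprint. The added example below is not from the thread or from Certbot; it computes those values and emulates the CA's redirect-following HTTP-01 check against a constructed stand-in for the two servers (server-b.example, the account key and the token are hypothetical sample data).

```python
import base64, hashlib, json
from urllib.parse import urlsplit

def b64url(data: bytes) -> str:
    """Base64url without padding, as JWK and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required RSA members only."""
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """Body served at /.well-known/acme-challenge/<token> for HTTP-01 (RFC 8555 8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def dns01_txt_value(token: str, jwk: dict) -> str:
    """Value of the _acme-challenge.<domain> TXT record for DNS-01 (RFC 8555 8.4)."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())

def http01_passes(domain: str, token: str, jwk: dict, fetch, max_redirects: int = 10) -> bool:
    """Emulate the CA's HTTP-01 check: start at the name's IP (server A) and follow
    3xx redirects, so a redirect of only the challenge path to server B is accepted."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    for _ in range(max_redirects + 1):
        status, location, body = fetch(url)
        if status in (301, 302, 307, 308) and location:
            if urlsplit(location).scheme not in ("http", "https"):
                return False  # only http/https redirects are followed
            url = location
            continue
        return status == 200 and body.strip() == key_authorization(token, jwk)
    return False  # redirect loop: give up after max_redirects hops

# Constructed sample data (hypothetical account key, token and server B host).
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw"}
TOKEN = "constructed-token-4kJc1ep9yA"
SERVER_B = "server-b.example"

def demo_fetch(url: str):
    """Stand-in for the network: server A redirects the challenge path, server B serves it."""
    parts = urlsplit(url)
    if parts.netloc == "www.soft169.xyz" and parts.path.startswith("/.well-known/acme-challenge/"):
        return 301, f"http://{SERVER_B}{parts.path}", ""      # only this path is redirected
    if parts.netloc == SERVER_B and parts.path == f"/.well-known/acme-challenge/{TOKEN}":
        return 200, None, key_authorization(TOKEN, ACCOUNT_JWK) + "\n"
    return 404, None, ""
```

With a real client the token and account key come from the CA and the client's account file; the DNS-01 value is what the client would write into the TXT record via the provider API.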

Thanks, schoen.
let me try
