Incorrect validation certificate for TLS-SNI-01 challenge

Discussion in 'Installation/Configuration' started by raspdroid, Feb 19, 2017.

  1. raspdroid

    raspdroid Member


    I use ISPConfig 3.1.2 + LetsEncrypt and I want to install a certificate for the mail1 server (ISPConfig multiserver installation). From that server I ran this command, taken from this post:

    certbot auth --text --agree-tos --standalone --email postmaster@`hostname -d` -d `hostname -f` -d mail.`hostname -f`
    I get this error:
    Is it possible to add if I am already using a certificate on the web1 server for websites and for the ISPConfig interface?

    I have these records too:
    A mail1
    CNAME mail
    MX @ (Priority: 10)
    TXT @ "v=spf1 mx ip4: -all"

    Best regards
  2. raspdroid

    raspdroid Member

    On the mail server I do not have ports 80 or 443 open; I also have no web server, only Postfix and Dovecot.
    Should I do it from the web server (web1) and then use it on the mail server?
  3. sjau

    sjau Local Meanie Moderator

    Please provide real domain.
  4. till

    till Super Moderator Staff Member ISPConfig Developer

  5. raspdroid

    raspdroid Member

  6. sjau

    sjau Local Meanie Moderator

    what does hostname -f return?
  7. raspdroid

    raspdroid Member

    and short (-s)

    and domain (-d)
  8. sjau

    sjau Local Meanie Moderator


    -d mail.`hostname -f`
    would be
  9. raspdroid

    raspdroid Member

    Yes, I guess. But I don't want that. I want something like this. In the last attempt I deleted -d mail.`hostname -f`
  10. sjau

    sjau Local Meanie Moderator

    Then please post the exact command you used and the log.
  11. raspdroid

    raspdroid Member

    ./certbot-auto auth --text --agree-tos --standalone --email [email protected] -d 
  12. raspdroid

    raspdroid Member

    From the mail server, dns-api does not work for me, even with a GoDaddy production key.

    Last edited: Feb 20, 2017
  13. sjau

    sjau Local Meanie Moderator

    do you host the DNS with GoDaddy or do you host it on your ISPConfig installation?

    It seems your authentication with GoDaddy isn't right:
    [Mon 20 Feb 12:07:38 UTC 2017] {"code":"UNABLE_TO_AUTHENTICATE","message":"Unable to authenticate","name":"ApiError"}
  14. sjau

    sjau Local Meanie Moderator

    also, don't know why certbot fails :(
  15. raspdroid

    raspdroid Member

    Still with GoDaddy, because I have not yet been able to configure my DNS with ISPConfig.
  16. sjau

    sjau Local Meanie Moderator

  17. raspdroid

    raspdroid Member

    Yes. I have checked with echo $GD_Key and $GD_Secret.

    I am doing it from the mail server, which has no http or https port enabled, in case that is the reason.

    I will now create another GoDaddy production key for the web server and try from there. I think it will be better to start from scratch, but now using the acme client with the dns plugin or dns-api plugin, and creating different certificates for the ISPConfig web interface and for the websites.
    Last edited: Feb 20, 2017
  18. raspdroid

    raspdroid Member

    From the web server all is success.

    ./ --issue --dns dns_gd -d -d -d --debug

    In the GoDaddy panel I can see three TXT records.

    dns-api-plugin work like a charm.

    By the way, although it is not specified here, it works fine on ARM hard float (Raspbian Jessie/Stretch).
    Last edited: Feb 20, 2017
  19. sjau

    sjau Local Meanie Moderator

    Raspbian is basically Debian :)

    You also know about the
    Code: --installcert -d --certpath /path/to/cert --keypath /path/to/key --fullchainpath /path/to/fullchain --reloadcmd "systemctl restart dovecot; systemctl reload postfix"

    If you have adjusted your postfix/dovecot configs to use the certs that were directly downloaded, then you can omit the keypath, certpath and fullchainpath options and just use the reloadcmd one to restart/reload the services.

    And DNS-01 auth is really nice because it easily allows getting certs also for machines that are behind NAT and such.
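As an added illustration (not code from this thread, acme.sh or certbot): how the DNS-01 TXT value that appears in the GoDaddy panel is derived from the challenge token and the ACME account key (RFC 8555 section 8.4, RFC 7638 thumbprint), and a check of a resolver's answer against the expected value. The account JWK, token and resolver answer below are constructed sample data.

```python
"""DNS-01 challenge value: derive it and check what the DNS actually serves."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over canonical JSON of the required public members
    only (RSA: e, kty, n), sorted keys, no whitespace; extra members ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT value = base64url(SHA-256(token "." account-key-thumbprint))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_record_name(fqdn: str) -> str:
    """DNS-01 is validated at _acme-challenge.<fqdn>; whether the host itself
    answers on ports 80/443 (unlike TLS-SNI-01 / HTTP-01) does not matter."""
    return f"_acme-challenge.{fqdn.rstrip('.')}"


def check_published(token: str, jwk: dict, published) -> bool:
    """True if any TXT string the resolver returned for the challenge name
    equals the expected value; stale records from earlier runs are harmless."""
    expected = dns01_txt_value(token, jwk_thumbprint(jwk))
    return expected in published


# Constructed sample account key (not a real key) and sample token.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-not-a-real-key",
              "alg": "RS256"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    name = challenge_record_name("mail1.example.com")
    value = dns01_txt_value(SAMPLE_TOKEN, jwk_thumbprint(SAMPLE_JWK))
    print(f'{name}. IN TXT "{value}"')
    # Simulated resolver answer: one stale record plus the current one.
    print(check_published(SAMPLE_TOKEN, SAMPLE_JWK, ["stale-old-value", value]))
```

With a real run, compare the printed value against `dig TXT _acme-challenge.<fqdn>` from an outside resolver before the CA is asked to validate; a mismatch or a missing record explains a failed DNS-01 attempt without touching the mail host at all.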
  20. raspdroid

    raspdroid Member

    No, I did not know about it. Thanks.

    At this point I'm lost.

    Now the certificate is on web server in /home/user/.acme/
    To use it on the mail server (which is separate), do I copy the folder containing the certificate to the mail server?

    Something like that?

    scp -r -P port /home/user/.acme-sh/ [email protected]:/home/user/.acme-sh/
    And then install it with --installcert from mail server?

    These are the TLS parameters for Postfix:
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_use_tls = yes

    listen = *,[::]
    protocols = imap pop3
    ssl_cert = </etc/postfix/smtpd.cert
    ssl_key = </etc/postfix/smtpd.key
    ssl_protocols = !SSLv2 !SSLv3

    ## SSL settings
    ssl = no
    #ssl_cert = </etc/dovecot/dovecot.pem
    #ssl_key = </etc/dovecot/private/dovecot.pem
    Last edited: Feb 20, 2017