Corin
October 17, 2017, 2:40pm
1
Hey,
I have a problem. I wanted to get a cert for my domain c-corp.org, but I get an error. I use the domain @ univention and @ bought official domain.
log:
Di 17. Okt 16:36:20 CEST 2017
Refreshing certificate for following domains:
c-corp.org
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying c-corp.org...
Traceback (most recent call last):
File "/usr/share/univention-letsencrypt/acme_tiny.py", line 198, in <module>
main(sys.argv[1:])
File "/usr/share/univention-letsencrypt/acme_tiny.py", line 194, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
File "/usr/share/univention-letsencrypt/acme_tiny.py", line 149, in get_crt
domain, challenge_status))
ValueError: c-corp.org challenge did not pass: {u'status': u'invalid', u'validationRecord': [{u'addressesResolved': [u'89.31.143.1'], u'url': u'http://c-corp.org/.well-known/acme-challenge/uKLAtj-ulb5zaGMqUcciB2jwGzmCZh3ZdjM6P8QsFqA', u'hostname': u'c-corp.org', u'addressesTried': [], u'addressUsed': u'89.31.143.1', u'port': u'80'}], u'keyAuthorization': u'uKLAtj-ulb5zaGMqUcciB2jwGzmCZh3ZdjM6P8QsFqA.ujbfj-dWNnEvDBsKSX0W6uH1UG2jowDu9XhM75_ugwo', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/uRucso-yLfMsAU0TT79HsWAVFgewpip6Bz9s4e25Mmc/2230547646', u'token': u'uKLAtj-ulb5zaGMqUcciB2jwGzmCZh3ZdjM6P8QsFqA', u'error': {u'status': 403, u'type': u'urn:acme:error:unauthorized', u'detail': u'Invalid response from http://c-corp.org/.well-known/acme-challenge/uKLAtj-ulb5zaGMqUcciB2jwGzmCZh3ZdjM6P8QsFqA: "<html>\n<head>\n<meta name="keywords" content=">">\n<meta name="description" content="Domain registriert bei united-domains.de">\n<m"'}, u'type': u'http-01'}
How may I solve it?
Hi Corin,
I guess there is already an SSL encryption activated for that domain.
cheers
Sebastian
It seems that the DNS entry for the domain does not point to your system, so the Let's Encrypt client could not verify the request.
To solve this, change the corresponding DNS records (A/CNAME) to your UCS system's IP address and make sure that port 80 is reachable.
Then you could try again with the certificate request.
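As an added example (not code from the thread or from Univention), the script below pulls the facts that decide this diagnosis out of an acme_tiny "challenge did not pass" line: which address the CA actually connected to, on which port, and what HTTP status it got back. The sample line is a constructed, shortened copy of the error from the first post (the token is replaced by the placeholder TOKEN); the optional live_check function assumes getent and curl are available and is meant to be run from a host outside your own network.

```shell
#!/bin/sh
# Added example, not from the thread or Univention: read the CA's validation
# record out of an acme_tiny failure line. Assumes POSIX sh with sed/awk;
# getent and curl only for the optional live check.

# Constructed sample, cut down from the error line in this thread; the real
# challenge token is replaced by the placeholder TOKEN.
SAMPLE_LOG=$(cat <<'EOF'
ValueError: c-corp.org challenge did not pass: {u'status': u'invalid', u'validationRecord': [{u'addressesResolved': [u'89.31.143.1'], u'url': u'http://c-corp.org/.well-known/acme-challenge/TOKEN', u'hostname': u'c-corp.org', u'addressesTried': [], u'addressUsed': u'89.31.143.1', u'port': u'80'}], u'error': {u'status': 403, u'type': u'urn:acme:error:unauthorized', u'detail': u'Invalid response from http://c-corp.org/.well-known/acme-challenge/TOKEN: "<html><meta name="description" content="Domain registriert bei united-domains.de">"'}, u'type': u'http-01'}
EOF
)

# field KEY LINE: value of the u'KEY': u'VALUE' pair in the dict dump.
# Only for keys whose value is a quoted string; the match stops at the next quote.
field() {
    printf '%s\n' "$2" | sed -n "s/.*u'$1': u'\([^']*\)'.*/\1/p"
}

# http_status LINE: the numeric status inside the error object
# (the other u'status' key holds a quoted word, so the digit class skips it).
http_status() {
    printf '%s\n' "$1" | sed -n "s/.*u'status': \([0-9][0-9]*\).*/\1/p"
}

# diagnose LINE: one-line verdict on what the CA saw. Returns 1 when the CA
# reports that whatever answered did not serve this host's challenge response.
diagnose() {
    host=$(field hostname "$1"); ip=$(field addressUsed "$1"); port=$(field port "$1")
    printf 'CA connected to %s:%s for %s and got HTTP %s\n' \
        "$ip" "$port" "$host" "$(http_status "$1")"
    case "$1" in
        *"urn:acme:error:unauthorized"*)
            printf 'Something other than the UCS web server answered on %s:%s (body is in the detail field):\n' "$ip" "$port"
            printf '  check the A/CNAME record of %s and the forwarding of port %s to the UCS system\n' "$host" "$port"
            return 1 ;;
    esac
    return 0
}

# live_check DOMAIN EXPECTED_IP: repeat the CA's view from outside your network.
# A 404 from the UCS web server is fine (the probe file does not exist); a
# registrar page, a 200 with foreign HTML, or a timeout means DNS or the
# port-80 forwarding is not pointing at the UCS system.
live_check() {
    resolved=$(getent ahostsv4 "$1" | awk 'NR==1{print $1}')
    [ "$resolved" = "$2" ] || printf 'DNS: %s resolves to %s, expected %s\n' "$1" "$resolved" "$2"
    curl -sS -m 10 -o /dev/null -w 'port 80 answered HTTP %{http_code}\n' \
        "http://$1/.well-known/acme-challenge/probe" || printf 'port 80 not reachable\n'
}

# Exit status 1 from diagnose is the verdict for this sample, not a crash.
diagnose "$SAMPLE_LOG" || true
```

Running it prints that the CA connected to 89.31.143.1:80 and got HTTP 403; the thread's own outcome (port 80 was not forwarded, only 443 was) is the usual reason for exactly that record.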
Corin
October 20, 2017, 11:12am
4
The problem was port 80… Port 80 was not going to my Univention server. Only port 443 was going to my Univention.
Corin
October 23, 2017, 2:38pm
5
So, unfortunately I now have a critical error in the system diagnosis.
The Let's Encrypt certificate is running on the server, and 443 and 80 are routed to the server.
This is the error (critical, and it appears twice):
Ungültiges Zertifikat ‘/etc/univention/letsencrypt/signed.crt’ gefunden: /etc/univention/letsencrypt/signed.crt: CN = central.domain.org error 20 at 0 depth lookup:unable to get local issuer certificate
Ungültiges Zertifikat ‘/etc/univention/letsencrypt/signed.crt’ gefunden: /etc/univention/letsencrypt/signed.crt: CN = central.domain.org error 20 at 0 depth lookup:unable to get local issuer certificate
If the Let's Encrypt certificate is requested and works in your browser, everything is fine. You could check it with https://www.ssllabs.com
That means that the signing intermediate certificate is unknown to your system. For more about the chain of trust see Chains of Trust - Let's Encrypt
To fix this: add the intermediate Let's Encrypt certificate to the trusted certificates on your system:
ln -s /etc/univention/letsencrypt/intermediate.pem /usr/local/share/ca-certificates/lets-encrypt.crt
update-ca-certificates
Your server will now accept all certificates issued by "Let's Encrypt Authority X3", and the above error is gone.
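As an added example (not code from the thread or from Univention), the script below reproduces the depth-0 "unable to get local issuer certificate" result with a throwaway root, intermediate and leaf chain generated locally, and then shows that a trust bundle which also contains the intermediate, which is what the two commands above achieve on UCS, verifies the leaf. It assumes the openssl command-line tool is installed; all subjects, file names and the temporary directory are assumptions, and the leaf CN only reuses the label from the diagnostic message.

```shell
#!/bin/sh
# Added example, not from the thread or UCS: show OpenSSL's
# "error 20 at 0 depth lookup: unable to get local issuer certificate" with a
# constructed root -> intermediate -> leaf chain, then clear it by trusting
# the intermediate. Assumes the openssl CLI; everything here is throwaway.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway three-level chain.
make_chain() {
    # self-signed root (the trust anchor)
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" \
        -subj "/CN=Example Root" >/dev/null 2>&1
    # intermediate: needs basicConstraints CA:TRUE, or OpenSSL refuses it as issuer
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" \
        -subj "/CN=Example Intermediate" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/int.ext"
    openssl x509 -req -days 2 -in "$WORK/int.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/int.ext" -out "$WORK/intermediate.pem" >/dev/null 2>&1
    # leaf signed by the intermediate: the role signed.crt plays on UCS
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
        -subj "/CN=central.domain.org" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$WORK/leaf.csr" \
        -CA "$WORK/intermediate.pem" -CAkey "$WORK/int.key" -CAcreateserial \
        -out "$WORK/signed.crt" >/dev/null 2>&1
}

# Trust store that knows only the root: the leaf's issuer cannot be found,
# which is exactly the depth-0 lookup error from the UCS diagnostic.
verify_root_only() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/signed.crt" 2>&1 || true
}

# Trust store that also contains the intermediate, the effect of dropping
# intermediate.pem into the ca-certificates directory: the chain closes at the root.
verify_with_intermediate() {
    cat "$WORK/root.pem" "$WORK/intermediate.pem" > "$WORK/bundle.pem"
    openssl verify -CAfile "$WORK/bundle.pem" "$WORK/signed.crt" 2>&1 || true
}

make_chain
echo "--- trust store with root only:"
verify_root_only
echo "--- trust store with root and intermediate:"
verify_with_intermediate
```

The first verify prints the error 20 line (newer OpenSSL versions write "lookup: unable" with a space, the UCS message shows the older spacing); the second ends in ": OK". A server that sends the full chain in the TLS handshake makes browsers happy either way, which is why the browser check above passes while the local file check fails until the intermediate is trusted.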