Incorrect validation certificate for TLS-SNI-01 challenge

Discussion in 'Installation/Configuration' started by raspdroid, Feb 19, 2017.

  1. raspdroid

    raspdroid Member

    This seems to work.

    On web server:
    ./ --issue --dns dns_gd -d -d -d -d  -d -d --debug
    [Mon 20 Feb 23:57:02 UTC 2017] _on_issue_success

    $ scp -r to mail server.

    On mail server:
    Code: --installcert -d --certpath /etc/postfix/smtpd.cert --keypath /etc/postfix/smtpd.key --reloadcmd "systemctl restart dovecot; systemctl reload postfix"
    [Tue 21 Feb 00:12:28 UTC 2017] Installing cert to:/etc/postfix/smtpd.cert
    [Tue 21 Feb 00:12:28 UTC 2017] Installing key to:/etc/postfix/smtpd.key
    [Tue 21 Feb 00:12:28 UTC 2017] Run reload cmd: systemctl restart dovecot; systemctl reload postfix
    [Tue 21 Feb 00:12:29 UTC 2017] Reload success
    Then in Mozilla Thunderbird:
    File --> New --> Existing e-mail account:
    Your name --> HowToForge
    E-mail --> [email protected]
    Password --> howtoforge
    Click on Continue button.
    Wait a little.
    And magic! Everything is set up by itself.
    Click on the Done button and you're ready.
  2. raspdroid

    raspdroid Member

    I added the DKIM record to the DNS zone generated by ISPConfig3 and everything works fine. It is possible to send and receive, and the mails arrive in the inbox of Gmail, not in the Spam folder.

    Thanks for your help guys.

    Best regards.
  3. sjau

    sjau Local Meanie Moderator

    Now you have to wait 60 days to see if auto-renewal works. Best mark April 25 or so as a date in your calendar to recheck the certs and see if all is fine :)
  4. raspdroid

    raspdroid Member

    I doubt very much that the certificate is renewed because it did not add anything to cron, neither on the web server nor on the mail server :(. I do not know how to do it either. It is a bit lousy to have to issue the certificate from the web server, then copy it to the mail server and install it from there, and also have to renew it. I guess the procedure is to renew it on the web server and then copy and install it on the mail server.

    All this would be great if ISPConfig3 did it.

    Best Regards
  5. sjau

    sjau Local Meanie Moderator

    What you could do is run this reloadcmd:

    cat "/home/user/.acme-sh/" "/home/user/" > "/tmp/smtpd.cert"; scp "/tmp/smtpd.cert" "[email protected]:/etc/postfix/smtpd.cert"; scp "/home/user/" "[email protected]:/etc/postfix/smtpd.key"; ssh "[email protected]" "systemctl restart postfix; systemctl restart dovecot"
    Basically this will concatenate the cert and the full chain into one file,
    then copy that over to your mail server,
    also copy over the key to your mail server,
    and tell the mail server through ssh to restart postfix and dovecot.

    You should be able to put that into the reload command. You can edit the /home/user/.acme-sh/ file and add it there. Very likely you'll have to replace the double quotes (") with single quotes (')

    But why don't you run the script on the mail server?
  6. raspdroid

    raspdroid Member

    I had problems with the renewal and the services stopped working. I deleted all the certificates and requested them again.

    Code: --issue --dns dns_gd -d -d -d -d  -d -d --debug
    In /var/www/ I deleted all files and copied the fullchain.cer, the .crt and the .key files, then:
    systemctl restart apache2.service
    But it doesn't work for me:

    Line 227:
    IncludeOptional sites-enabled/

    Any idea how to solve this?

  7. sjau

    sjau Local Meanie Moderator

    I have no idea what you did.... but there's an install cert routine for You should use that. has two main routines: (a) obtaining a cert [and storing it in the ~/ path if not indicated otherwise]; and (b) installing the cert to its actual location on the system.

    E.g. I use this:

    domain="domain.tld"; --installcert -d ${domain} --ecc --certpath /var/www/${domain}/ssl/${domain}.crt --keypath /var/www/${domain}/ssl/${domain}.key --fullchainpath /var/www/${domain}/ssl/${domain}.bundle --reloadcmd "systemctl reload apache2"
    Omit the --ecc option if you don't use an elliptic curve though. Maybe I should make an interactive script out of it that will do both... first get the cert and then install it.
  8. raspdroid

    raspdroid Member

    I have not been able to resolve this yet for a while. I'm going to try it now. Did you finally create a script?
    Best regards
  9. sjau

    sjau Local Meanie Moderator

    not sure what you mean... DNS-01 plugin for ISPC has been integrated into for a long time now. It works fine. No idea what you mean by script.
  10. raspdroid

    raspdroid Member

    to this:
    Omit the --ecc option if you don't use an elliptic curve though. Maybe I should make an interactive script out of it that will do both... first get the cert and then install it.
  11. sjau

    sjau Local Meanie Moderator

    never written the script... haven't seen a need... you have all the necessary info already...
  12. raspdroid

    raspdroid Member

    Ok, thank you!
  13. sjau

    sjau Local Meanie Moderator

    btw, did you get it to run?
  14. Tech::LevOr

    Tech::LevOr New Member

    I got "Incorrect validation certificate for tls-sni-01 challenge" while trying to renew certificates for my sites (all sharing the same IP). Running CentOS 7.2 + Apache. Here's how I corrected this:
    1. installed the updated certbot (yum install python2-certbot-apache)
    2. stopped apache and called certbot, like this:
    apachectl stop
    certbot renew --standalone

    Turns out certbot starts apache after a successful renew, so I had to "apachectl stop ; certbot renew --standalone" over and over again until all certificates were renewed.
    Then started apache:
    apachectl start
    Hope this helps, Tech::LevOr
  15. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    A manual job for renewing is bad. There is a hook for certbot which you can set when requesting LE certs. That hook will be kept inside its renewal conf file and called automatically during the renewal process, so you don't have to do it manually.

    So you either edit the renewal conf file, or delete your current certs and request new ones with hooks.
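A hook script, added here as an example (not code from this thread, from acme.sh or from certbot), that covers both sjau's reloadcmd in post 5 and the certbot hook ahrasis describes in post 15: it concatenates the cert and chain, installs the key with private permissions, optionally pushes both to the mail server over ssh, and only then reloads the services, refusing to touch the installed files if any input is missing or not PEM. The DEST directory, the smtpd.cert/smtpd.key names, MAIL_HOST and the reload command are assumptions; RENEWED_LINEAGE is the variable certbot itself exports to a --deploy-hook.

```shell
#!/bin/sh
# Added example, not code from this thread or from acme.sh/certbot: a single
# hook script that does what sjau's reloadcmd does (concatenate cert + chain,
# push key and cert to the mail server, restart services) and that can also be
# wired in as the certbot hook ahrasis mentions, so renewal needs no manual step.
# Assumptions (hypothetical): files are named smtpd.cert / smtpd.key under DEST
# as in the thread; MAIL_HOST, if set, is an ssh target like root@mail.example.
set -eu

# install_mail_cert DEST RELOADCMD KEY CERT [CHAIN...]
# Validates inputs first and returns 1 without touching DEST on any problem,
# so a failed renewal can never replace a working certificate with garbage.
install_mail_cert() {
    dest="$1"; reload="$2"; key="$3"; shift 3
    [ -s "$key" ] && grep -q 'PRIVATE KEY' "$key" \
        || { echo "bad or missing key: $key" >&2; return 1; }
    for f in "$@"; do
        [ -s "$f" ] && grep -q 'BEGIN CERTIFICATE' "$f" \
            || { echo "bad or missing cert: $f" >&2; return 1; }
    done
    tmp="$(mktemp -d)"
    cat "$@" > "$tmp/smtpd.cert"                 # leaf first, then intermediates
    cp "$key" "$tmp/smtpd.key"
    chmod 0644 "$tmp/smtpd.cert"; chmod 0600 "$tmp/smtpd.key"   # key stays private
    if [ -n "${MAIL_HOST:-}" ]; then
        # Cert issued on the web host, pushed to the mail host (sjau's variant).
        scp -pq "$tmp/smtpd.cert" "$tmp/smtpd.key" "$MAIL_HOST:$dest/"
        rm -rf "$tmp"
        ssh "$MAIL_HOST" "$reload"
    else
        # Local install: rename is atomic, so Postfix never reads a half-written file.
        mv -f "$tmp/smtpd.cert" "$dest/smtpd.cert"
        mv -f "$tmp/smtpd.key" "$dest/smtpd.key"
        rmdir "$tmp"
        sh -c "$reload"
    fi
}

# certbot's --deploy-hook exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<name>);
# fullchain.pem there already contains leaf + intermediates, so it is the only cert arg.
# acme.sh exports nothing to --reloadcmd, so call this script with explicit paths
# (the --keypath/--fullchainpath files from --installcert) in the reloadcmd string.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_mail_cert /etc/postfix "systemctl reload postfix; systemctl restart dovecot" \
        "$RENEWED_LINEAGE/privkey.pem" "$RENEWED_LINEAGE/fullchain.pem"
fi
```

For acme.sh, point --reloadcmd at this script with the installed key and fullchain paths as arguments; for certbot, pass it as --deploy-hook and it picks the paths up from RENEWED_LINEAGE.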
