[linux-l] letsencrypt - certbot - Hetzner non-root SSL certificate

Stephan Hesse stephan.hesse at belug.de
Sun Dec 31 11:18:24 CET 2017


Hey folks,

does anyone have experience with letsencrypt - certbot?
I have installed the letsencrypt.deb package on my Debian buster.
As I understand it, I can generate locally on my PC an SSL cert, valid for
90 days at a time, for my small Contao website at Hetzner, which I can
then enter via copy-paste through my Hetzner console.

Is that possible at all? The way I read the technology, it should work.
After six hours of unsuccessful tests, here is a cry for help to you.

How would you generate importable certificates for a Hetzner
website without having root access on the machine and without
spending any euros?

The error is below at '***'.

I had already created an IPv6 DNS record at Hetzner for my IP. That did not help either.

THANKS in advance for any tips!

Code:

certbot certonly --standalone --email info at dimmpimmdo.de \
-d dimmpimmdo.de -d www.dimmpimmdo.de

The following output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for dimmpimmdo.de
tls-sni-01 challenge for www.dimmpimmdo.de
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. dimmpimmdo.de (tls-sni-01):
urn:acme:error:unauthorized :: The client lacks sufficient
authorization :: Incorrect validation certificate for tls-sni-01
challenge. Requested
9d0996868df8355f20bf9591ec10c327.6892ff54dfb25d32031497f82f244a5a.acme.invalid
from 78.46.139.4:443. Received 2 certificate(s), first certificate had
names "*.your-server.de, your-server.de", www.dimmpimmdo.de
(tls-sni-01): urn:acme:error:unauthorized :: The client lacks
sufficient authorization :: Incorrect validation certificate for
tls-sni-01 challenge. Requested
a01f31e77d5427f925e65d7ed3597bde.c3c91b4995fa2a3b9484da6efd527933.acme.invalid
from 78.46.139.4:443. Received 2 certificate(s), first certificate had
names "*.your-server.de, your-server.de"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: dimmpimmdo.de
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   9d0996868df8355f20bf9591ec10c327.6892ff54dfb25d32031497f82f244a5a.acme.invalid
   from 78.46.139.4:443. Received 2 certificate(s), first certificate
   had names "*.your-server.de, your-server.de"

   Domain: www.dimmpimmdo.de
   Type:   unauthorized
  *** Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   a01f31e77d5427f925e65d7ed3597bde.c3c91b4995fa2a3b9484da6efd527933.acme.invalid
   from 78.46.139.4:443. Received 2 certificate(s), first certificate
   had names "*.your-server.de, your-server.de"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

#########
/var/log/letsencrypt/letsencrypt.log yields:

2017-12-27 11:43:15,196:DEBUG:certbot.main:certbot version: 0.19.0
2017-12-27 11:43:15,196:DEBUG:certbot.main:Arguments: ['--standalone',
'--email', 'info at dimmpimmdo.de', '-d', 'dimmpimmdo.de', '-d',
'www.dimmpimmdo.de']
2017-12-27 11:43:15,196:DEBUG:certbot.main:Discovered plugins:
PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2017-12-27 11:43:15,207:DEBUG:certbot.log:Root logging level set at 20
2017-12-27 11:43:15,207:INFO:certbot.log:Saving debug log
to /var/log/letsencrypt/letsencrypt.log
2017-12-27 11:43:15,208:DEBUG:certbot.plugins.selection:Requested
authenticator standalone and installer None
2017-12-27 11:43:15,365:DEBUG:certbot.plugins.selection:Single
candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at
0x7f7fdcde72d0>
Prep: True
2017-12-27 11:43:15,366:DEBUG:certbot.plugins.selection:Selected
authenticator <certbot.plugins.standalone.Authenticator object at
0x7f7fdcde72d0> and installer None
2017-12-27 11:43:15,366:INFO:certbot.plugins.selection:Plugins
selected: Authenticator standalone, Installer None
2017-12-27 11:43:15,371:DEBUG:certbot.main:Picked account:
<Account(RegistrationResource(body=Registration(status=None,
contact=(u'mailto:info at dimmpimmdo.de',), agreement=u'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f7fdcddce90>)>)), uri=u'https://acme-v01.api.letsencrypt.org/acme/reg/26518905', new_authzr_uri=u'https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service=u'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'), ad0b0552f85d3c5d44e396024baf59a8, Meta(creation_host=u'zett77.czemi.dada', creation_dt=datetime.datetime(2017, 12, 26, 18, 17, 36, tzinfo=<UTC>)))>
2017-12-27 11:43:15,372:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-12-27 11:43:15,373:DEBUG:urllib3.connectionpool:Starting new HTTPS
connection (1): acme-v01.api.letsencrypt.org
2017-12-27 11:43:16,607:DEBUG:urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443
"GET /directory HTTP/1.1" 200 562
2017-12-27 11:43:16,608:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 562
Replay-Nonce: kgs7Tl4Q4dJnO_nOG8VOopumvz3u8WCMc5d9GvJR5jM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 27 Dec 2017 11:43:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 27 Dec 2017 11:43:16 GMT
Connection: keep-alive

{
  "GXU3KsYkY5c":
"https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
  "meta": {
    "terms-of-service":
"https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
  },
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}
2017-12-27 11:43:16,609:INFO:certbot.main:Obtaining a new certificate
2017-12-27 11:43:16,609:DEBUG:acme.client:Requesting fresh nonce
2017-12-27 11:43:16,609:DEBUG:acme.client:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
2017-12-27 11:43:16,838:DEBUG:urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443
"HEAD /acme/new-authz HTTP/1.1" 405 0
2017-12-27 11:43:16,840:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Replay-Nonce: 5jPBP3EZwrNWVjeAmDTzM6pf-VQpZPBv5c7ly6u4f_k
Expires: Wed, 27 Dec 2017 11:43:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 27 Dec 2017 11:43:16 GMT
Connection: keep-alive


2017-12-27 11:43:16,840:DEBUG:acme.client:Storing nonce: 5jPBP3EZwrNWVjeAmDTzM6pf-VQpZPBv5c7ly6u4f_k
2017-12-27 11:43:16,841:DEBUG:acme.client:JWS payload:
{
  "identifier": {
    "type": "dns",
    "value": "dimmpimmdo.de"
  },
  "resource": "new-authz"
}
2017-12-27 11:43:16,846:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
2017-12-27 11:43:17,084:DEBUG:urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443
"POST /acme/new-authz HTTP/1.1" 201 1000
2017-12-27 11:43:17,085:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1000
Boulder-Requester: 26518905
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/KAb1O-8N6mSwWdkZDE6A70RQLWiiMbQT9j5dDefc3vQ
Replay-Nonce: d5s4JVOZp_YMNVFW5sqS1_nlATBaYI2yBFTHs1xWhAs
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 27 Dec 2017 11:43:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 27 Dec 2017 11:43:17 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "dimmpimmdo.de"
  },
  "status": "pending",
  "expires": "2018-01-03T11:43:16.955588118Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "uri":
"https://acme-v01.api.letsencrypt.org/acme/challenge/KAb1O-8N6mSwWdkZDE6A70RQLWiiMbQT9j5dDefc3vQ/2889762993",
      "token": "IVG_R7gPukVZcvz9R-gvEWk4ZZiy4NFDjfTvl7sVhUE"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri":
"https://acme-v01.api.letsencrypt.org/acme/challenge/KAb1O-8N6mSwWdkZDE6A70RQLWiiMbQT9j5dDefc3vQ/2889762994",
      "token": "N7_MskgMifH3axvHjfrGYL3dd8IUGVZnJ746LKvccpk"
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri":
"https://acme-v01.api.letsencrypt.org/acme/challenge/KAb1O-8N6mSwWdkZDE6A70RQLWiiMbQT9j5dDefc3vQ/2889762996",
      "token": "Yxd9oB6WBc4PYkSGJlyGVblpAvMvk94fuoOXzw4j8Mg"
    }
  ],
  "combinations": [
    [
      1
    ],
    [
      0
    ],
    [
      2
    ]
  ]
}
2017-12-27 11:43:17,086:DEBUG:acme.client:Storing nonce: d5s4JVOZp_YMNVFW5sqS1_nlATBaYI2yBFTHs1xWhAs
2017-12-27 11:43:17,087:DEBUG:acme.client:JWS payload:
{
  "identifier": {
    "type": "dns",
    "value": "www.dimmpimmdo.de"
  },
  "resource": "new-authz"
}
2017-12-27 11:43:17,095:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
2017-12-27 11:43:17,568:DEBUG:urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443
"POST /acme/new-authz HTTP/1.1" 201 1004
2017-12-27 11:43:17,569:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1004
Boulder-Requester: 26518905
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/4ZOlrzqCox58VBvyMKO-3glx-2k4mf5wovH0hlXy_rI
Replay-Nonce: iqks1zczIkoXIkv8Z7kkC9YIQsTo4IognoofvvVYYq4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 27 Dec 2017 11:43:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 27 Dec 2017 11:43:17 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "www.dimmpimmdo.de"
  },
  "status": "pending",
  "expires": "2018-01-03T11:43:17.340827956Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "uri":
"https://acme-v01.api.letsencrypt.org/acme/challenge/4ZOlrzqCox58VBvyMKO-3glx-2k4mf5wovH0hlXy_rI/2889763031",
      "token": "oNwjfXcFHcw4VQdMUVhrYGXSszU5YqcWn5fOhWYUcy4"
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri":
"https://acme-v01.api.letsencrypt.org/acme/challenge/4ZOlrzqCox58VBvyMKO-3glx-2k4mf5wovH0hlXy_rI/2889763033",
      "token": "3VRwANG2fPcSqSCrwryKkamRciIy7hjgG5X_9MD79kU"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri":
"https://acme-v01.api.letsencrypt.org/acme/challenge/4ZOlrzqCox58VBvyMKO-3glx-2k4mf5wovH0hlXy_rI/2889763037",
      "token": "x-CL7dLrhOoKTGjV_zksChAwh9DmIyDPraGN9KuB3SE"
    }
  ],
  "combinations": [
    [
      2
    ],
    [
      0
    ],
    [
      1
    ]
  ]
}
2017-12-27 11:43:17,569:DEBUG:acme.client:Storing nonce: iqks1zczIkoXIkv8Z7kkC9YIQsTo4IognoofvvVYYq4
2017-12-27 11:43:17,569:INFO:certbot.auth_handler:Performing the
following challenges:
2017-12-27 11:43:17,570:INFO:certbot.auth_handler:tls-sni-01 challenge
for dimmpimmdo.de
2017-12-27 11:43:17,570:INFO:certbot.auth_handler:tls-sni-01 challenge
for www.dimmpimmdo.de
2017-12-27 11:43:17,570:DEBUG:acme.standalone:Failed to bind to :443
using IPv4
2017-12-27 11:43:17,583:INFO:certbot.auth_handler:Waiting for
verification...
2017-12-27 11:43:17,583:DEBUG:acme.client:JWS payload:
{
  "keyAuthorization":
"Yxd9oB6WBc4PYkSGJlyGVblpAvMvk94fuoOXzw4j8Mg.ueV8l8MJc8T4sejN9egot358W7Pl0MJxNsch0fpVGQU",
  "type": "tls-sni-01",
  "resource": "challenge"
}
2017-12-27 11:43:17,586:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/KAb1O-8N6mSwWdkZDE6A70RQLWiiMbQT9j5dDefc3vQ/2889762996:
2017-12-27 11:43:17,855:DEBUG:urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443
"POST /acme/challenge/KAb1O-8N6mSwWdkZDE6A70RQLWiiMbQT9j5dDefc3vQ/2889762996 HTTP/1.1" 202 339
2017-12-27 11:43:17,856:DEBUG:acme.client:Received response:
HTTP 202
Server: nginx
Content-Type: application/json
Content-Length: 339
Boulder-Requester: 26518905
Link: <https://acme-v01.api.letsencrypt.org/acme/authz/KAb1O-8N6mSwWdkZDE6A70RQLWiiMbQT9j5dDefc3vQ>;rel="up"
Location: https://acme-v01.api.letsencrypt.org/acme/challenge/KAb1O-8N6mSwWdkZDE6A70RQLWiiMbQT9j5dDefc3vQ/2889762996
Replay-Nonce: OTzzlfv2JEsYTNz5b58La_G2vafahN9NCgBF2EFQRQA
Expires: Wed, 27 Dec 2017 11:43:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 27 Dec 2017 11:43:17 GMT
Connection: keep-alive

{
  "type": "tls-sni-01",
  "status": "pending",
  "uri":
"https://acme-v01.api.letsencrypt.org/acme/challenge/KAb1O-8N6mSwWdkZDE6A70RQLWiiMbQT9j5dDefc3vQ/2889762996",
  "token": "Yxd9oB6WBc4PYkSGJlyGVblpAvMvk94fuoOXzw4j8Mg",
  "keyAuthorization":
"Yxd9oB6WBc4PYkSGJlyGVblpAvMvk94fuoOXzw4j8Mg.ueV8l8MJc8T4sejN9egot358W7Pl0MJxNsch0fpVGQU"
}
2017-12-27 11:43:17,857:DEBUG:acme.client:Storing nonce: OTzzlfv2JEsYTNz5b58La_G2vafahN9NCgBF2EFQRQA
2017-12-27 11:43:17,857:DEBUG:acme.client:JWS payload:
{
  "keyAuthorization":
"3VRwANG2fPcSqSCrwryKkamRciIy7hjgG5X_9MD79kU.ueV8l8MJc8T4sejN9egot358W7Pl0MJxNsch0fpVGQU",
  "type": "tls-sni-01",
  "resource": "challenge"
}
2017-12-27 11:43:17,862:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/4ZOlrzqCox58VBvyMKO-3glx-2k4mf5wovH0hlXy_rI/2889763033:
2017-12-27 11:43:18,175:DEBUG:urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443
"POST /acme/challenge/4ZOlrzqCox58VBvyMKO-3glx-2k4mf5wovH0hlXy_rI/2889763033 HTTP/1.1" 202 339
2017-12-27 11:43:18,175:DEBUG:acme.client:Received response:
HTTP 202
Server: nginx
Content-Type: application/json
Content-Length: 339
Boulder-Requester: 26518905
Link: <https://acme-v01.api.letsencrypt.org/acme/authz/4ZOlrzqCox58VBvyMKO-3glx-2k4mf5wovH0hlXy_rI>;rel="up"
Location: https://acme-v01.api.letsencrypt.org/acme/challenge/4ZOlrzqCox58VBvyMKO-3glx-2k4mf5wovH0hlXy_rI/2889763033
Replay-Nonce: 7h3-PCnRVGDF7lfjY04HsddWydcKxC50OPKQ5djxQt4
Expires: Wed, 27 Dec 2017 11:43:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 27 Dec 2017 11:43:18 GMT
Connection: keep-alive

{
  "type": "tls-sni-01",
  "status": "pending",
  "uri":
"https://acme-v01.api.letsencrypt.org/acme/challenge/4ZOlrzqCox58VBvyMKO-3glx-2k4mf5wovH0hlXy_rI/2889763033",
  "token": "3VRwANG2fPcSqSCrwryKkamRciIy7hjgG5X_9MD79kU",
  "keyAuthorization":
"3VRwANG2fPcSqSCrwryKkamRciIy7hjgG5X_9MD79kU.ueV8l8MJc8T4sejN9egot358W7Pl0MJxNsch0fpVGQU"
}
2017-12-27 11:43:18,176:DEBUG:acme.client:Storing nonce: 7h3-PCnRVGDF7lfjY04HsddWydcKxC50OPKQ5djxQt4
2017-12-27 11:43:21,179:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/KAb1O-8N6mSwWdkZDE6A70RQLWiiMbQT9j5dDefc3vQ.
2017-12-27 11:43:21,414:DEBUG:urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443
"GET /acme/authz/KAb1O-8N6mSwWdkZDE6A70RQLWiiMbQT9j5dDefc3vQ HTTP/1.1" 200 1748
2017-12-27 11:43:21,415:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1748
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Replay-Nonce: EFkOmxIc-891vQ68kjYzZY7llyIDDRIm7GsezXRZqms
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 27 Dec 2017 11:43:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 27 Dec 2017 11:43:21 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "dimmpimmdo.de"
  },
  "status": "invalid",
  "expires": "2018-01-03T11:43:16Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "uri":
"https://acme-v01.api.letsencrypt.org/acme/challenge/KAb1O-8N6mSwWdkZDE6A70RQLWiiMbQT9j5dDefc3vQ/2889762993",
      "token": "IVG_R7gPukVZcvz9R-gvEWk4ZZiy4NFDjfTvl7sVhUE"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri":
"https://acme-v01.api.letsencrypt.org/acme/challenge/KAb1O-8N6mSwWdkZDE6A70RQLWiiMbQT9j5dDefc3vQ/2889762994",
      "token": "N7_MskgMifH3axvHjfrGYL3dd8IUGVZnJ746LKvccpk"
    },
    {
      "type": "tls-sni-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:unauthorized",
        "detail": "Incorrect validation certificate for tls-sni-01
challenge. Requested
9d0996868df8355f20bf9591ec10c327.6892ff54dfb25d32031497f82f244a5a.acme.invalid from 78.46.139.4:443. Received 2 certificate(s), first certificate had names \"*.your-server.de, your-server.de\"",
        "status": 403
      },
      "uri":
"https://acme-v01.api.letsencrypt.org/acme/challenge/KAb1O-8N6mSwWdkZDE6A70RQLWiiMbQT9j5dDefc3vQ/2889762996",
      "token": "Yxd9oB6WBc4PYkSGJlyGVblpAvMvk94fuoOXzw4j8Mg",
      "keyAuthorization":
"Yxd9oB6WBc4PYkSGJlyGVblpAvMvk94fuoOXzw4j8Mg.ueV8l8MJc8T4sejN9egot358W7Pl0MJxNsch0fpVGQU",
      "validationRecord": [
        {
          "hostname": "dimmpimmdo.de",
          "port": "443",
          "addressesResolved": [
            "78.46.139.4"
          ],
          "addressUsed": "78.46.139.4",
          "addressesTried": []
        }
      ]
    }
  ],
  "combinations": [
    [
      1
    ],
    [
      0
    ],
    [
      2
    ]
  ]
}
2017-12-27 11:43:21,416:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/4ZOlrzqCox58VBvyMKO-3glx-2k4mf5wovH0hlXy_rI.
2017-12-27 11:43:21,634:DEBUG:urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443
"GET /acme/authz/4ZOlrzqCox58VBvyMKO-3glx-2k4mf5wovH0hlXy_rI HTTP/1.1" 200 1756
2017-12-27 11:43:21,635:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1756
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Replay-Nonce: w23SWHx6r9WCjt1nnUsaOWQ2ApgEeETboOypmAR2rrY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 27 Dec 2017 11:43:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 27 Dec 2017 11:43:21 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "www.dimmpimmdo.de"
  },
  "status": "invalid",
  "expires": "2018-01-03T11:43:17Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "uri":
"https://acme-v01.api.letsencrypt.org/acme/challenge/4ZOlrzqCox58VBvyMKO-3glx-2k4mf5wovH0hlXy_rI/2889763031",
      "token": "oNwjfXcFHcw4VQdMUVhrYGXSszU5YqcWn5fOhWYUcy4"
    },
    {
      "type": "tls-sni-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:unauthorized",
        "detail": "Incorrect validation certificate for tls-sni-01
challenge. Requested
a01f31e77d5427f925e65d7ed3597bde.c3c91b4995fa2a3b9484da6efd527933.acme.invalid from 78.46.139.4:443. Received 2 certificate(s), first certificate had names \"*.your-server.de, your-server.de\"",
        "status": 403
      },
      "uri":
"https://acme-v01.api.letsencrypt.org/acme/challenge/4ZOlrzqCox58VBvyMKO-3glx-2k4mf5wovH0hlXy_rI/2889763033",
      "token": "3VRwANG2fPcSqSCrwryKkamRciIy7hjgG5X_9MD79kU",
      "keyAuthorization":
"3VRwANG2fPcSqSCrwryKkamRciIy7hjgG5X_9MD79kU.ueV8l8MJc8T4sejN9egot358W7Pl0MJxNsch0fpVGQU",
      "validationRecord": [
        {
          "hostname": "www.dimmpimmdo.de",
          "port": "443",
          "addressesResolved": [
            "78.46.139.4"
          ],
          "addressUsed": "78.46.139.4",
          "addressesTried": []
        }
      ]
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri":
"https://acme-v01.api.letsencrypt.org/acme/challenge/4ZOlrzqCox58VBvyMKO-3glx-2k4mf5wovH0hlXy_rI/2889763037",
      "token": "x-CL7dLrhOoKTGjV_zksChAwh9DmIyDPraGN9KuB3SE"
    }
  ],
  "combinations": [
    [
      2
    ],
    [
      0
    ],
    [
      1
    ]
  ]
}
2017-12-27 11:43:21,636:DEBUG:certbot.reporter:Reporting to user: The
following errors were reported by the server:

Domain: dimmpimmdo.de
Type:   unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
9d0996868df8355f20bf9591ec10c327.6892ff54dfb25d32031497f82f244a5a.acme.invalid
from 78.46.139.4:443. Received 2 certificate(s), first certificate had
names "*.your-server.de, your-server.de"

Domain: www.dimmpimmdo.de
Type:   unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
a01f31e77d5427f925e65d7ed3597bde.c3c91b4995fa2a3b9484da6efd527933.acme.invalid
from 78.46.139.4:443. Received 2 certificate(s), first certificate had
names "*.your-server.de, your-server.de"

To fix these errors, please make sure that your domain name was entered
correctly and the DNS A/AAAA record(s) for that domain contain(s) the
right IP address.
2017-12-27 11:43:21,636:INFO:certbot.auth_handler:Cleaning up challenges
2017-12-27 11:43:21,636:DEBUG:certbot.plugins.standalone:Stopping
server at :::443...
2017-12-27 11:43:22,076:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.19.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 861, in
main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 786, in
certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname,
lineage)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 85, in
_get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 357,
in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 318,
in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line
81, in get_authorizations
    self._respond(resp, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line
138, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line
202, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. dimmpimmdo.de
(tls-sni-01): urn:acme:error:unauthorized :: The client lacks
sufficient authorization :: Incorrect validation certificate for
tls-sni-01 challenge. Requested
9d0996868df8355f20bf9591ec10c327.6892ff54dfb25d32031497f82f244a5a.acme.invalid
from 78.46.139.4:443. Received 2 certificate(s), first certificate had
names "*.your-server.de, your-server.de", www.dimmpimmdo.de
(tls-sni-01): urn:acme:error:unauthorized :: The client lacks
sufficient authorization :: Incorrect validation certificate for
tls-sni-01 challenge. Requested
a01f31e77d5427f925e65d7ed3597bde.c3c91b4995fa2a3b9484da6efd527933.acme.invalid
from 78.46.139.4:443. Received 2 certificate(s), first certificate had
names "*.your-server.de, your-server.de"
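
An added example (not part of the original post, and not certbot's own code): a small Python check that reads the failed tls-sni-01 challenge from the log above and reports which address the validator contacted and whether the certificate served there carried the expected challenge name. The function names, the trimmed sample JSON and the listener address 192.0.2.10 are assumptions made for illustration.

```python
import hashlib
import json
import re

# Constructed sample: the failed tls-sni-01 challenge from the authz response
# in the log above, trimmed to the fields used here (detail joined on one line).
CHALLENGE_JSON = r'''
{
  "type": "tls-sni-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:unauthorized",
    "detail": "Incorrect validation certificate for tls-sni-01 challenge. Requested 9d0996868df8355f20bf9591ec10c327.6892ff54dfb25d32031497f82f244a5a.acme.invalid from 78.46.139.4:443. Received 2 certificate(s), first certificate had names \"*.your-server.de, your-server.de\""
  },
  "keyAuthorization": "Yxd9oB6WBc4PYkSGJlyGVblpAvMvk94fuoOXzw4j8Mg.ueV8l8MJc8T4sejN9egot358W7Pl0MJxNsch0fpVGQU",
  "validationRecord": [
    {"hostname": "dimmpimmdo.de", "port": "443",
     "addressesResolved": ["78.46.139.4"], "addressUsed": "78.46.139.4"}
  ]
}
'''

DETAIL_RE = re.compile(
    r'Requested (?P<sni>\S+) from (?P<addr>\S+):(?P<port>\d+)\. '
    r'Received (?P<count>\d+) certificate\(s\), '
    r'first certificate had names "(?P<names>[^"]*)"')


def tls_sni_01_name(key_authorization):
    """SAN the validator expects for tls-sni-01: hex SHA-256 of the key
    authorization, split into two 32-character labels under .acme.invalid."""
    z = hashlib.sha256(key_authorization.encode("ascii")).hexdigest()
    return "{}.{}.acme.invalid".format(z[:32], z[32:])


def diagnose(challenge, listener_addresses):
    """Explain a failed tls-sni-01 challenge.

    listener_addresses: public addresses of the machine on which
    `certbot --standalone` was listening (supplied by the caller).
    """
    m = DETAIL_RE.search(challenge["error"]["detail"])
    if m is None:
        raise ValueError("not an 'Incorrect validation certificate' error")
    served = [name.strip() for name in m.group("names").split(",")]
    record = challenge["validationRecord"][0]
    used = record["addressUsed"]
    expected = tls_sni_01_name(challenge["keyAuthorization"])
    result = {
        "hostname": record["hostname"],
        "validated_address": used,
        "requested_sni": m.group("sni"),
        "served_names": served,
        "challenge_cert_served": expected in served,
        "listener_reached": used in listener_addresses,
    }
    if result["challenge_cert_served"]:
        result["finding"] = "challenge certificate was served; look elsewhere"
    elif not result["listener_reached"]:
        result["finding"] = (
            "validator connected to {0} (the address in DNS), not to the "
            "standalone listener; {0} answered with its own certificate"
            .format(used))
    else:
        result["finding"] = ("listener address was reached, but another "
                             "service answered on port 443")
    return result


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address standing in for the local PC
    # (an assumption; the post does not give the PC's address).
    report = diagnose(json.loads(CHALLENGE_JSON), {"192.0.2.10"})
    for key, value in report.items():
        print("{}: {}".format(key, value))
```
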



