Can't get ACME certs signed for new domains


Im having issues to get ACME certs signed for new domains. I have my primary domain running on an Let´s encrypt cert. This domain i use for logging in. But now i have a nextcloud instance on my on a subdomain where i want a signed cert but i get some error when trying to issue one.

I have port 80, 443 and 5222 open and reachable from the internet. I have no warning in the diagnosis related to the DNS

force: false
no_checks: false
staging: false
ended_at: 2021-08-11 21:02:44.387445
error: 'Certificate installation for nc.domain2.tld failed !

Exception: Could not sign the new certificate’
interface: api
operation: letsencrypt_cert_install
parent: null

    • domain
    • nc.domain2.tld
      started_at: 2021-08-11 21:02:33.484088
      success: false
      yunohost_version: 4.2.7


2021-08-11 23:02:33,501: DEBUG - Making sure tmp folders exists…
2021-08-11 23:02:33,506: DEBUG - Reusing IPv4 from cache: xx.xx.xx.xx
2021-08-11 23:02:33,507: DEBUG - Reusing IPv6 from cache: None
2021-08-11 23:02:33,509: DEBUG - Prepare key and certificate signing request (CSR) for nc.domain2.tld…
2021-08-11 23:02:39,146: DEBUG - Saving to /tmp/acme-challenge-private/nc.domain2.tld.csr.
2021-08-11 23:02:39,147: DEBUG - Now using ACME Tiny to sign the certificate…
2021-08-11 23:02:39,147: INFO - Parsing account key…
2021-08-11 23:02:39,170: INFO - Parsing CSR…
2021-08-11 23:02:39,191: INFO - Found domains: nc.domain2.tld
2021-08-11 23:02:39,193: INFO - Getting directory…
2021-08-11 23:02:39,848: INFO - Directory found!
2021-08-11 23:02:39,849: INFO - Registering account…
2021-08-11 23:02:41,315: INFO - Already registered!
2021-08-11 23:02:41,317: INFO - Creating new order…
2021-08-11 23:02:42,837: INFO - Order created!
2021-08-11 23:02:44,310: INFO - Verifying nc.domain2.tld…
2021-08-11 23:02:44,384: ERROR - Wrote file to /tmp/acme-challenge-public/AP_DCRyKVNfpZ03CXeZkZPPQAslYNPfzCnsx3-LOSbY, but couldn’t download http://nc.domain2.tld/.well-known/acme-challenge/AP_DCRyKVNfpZ03CXeZkZPPQAslYNPfzCnsx3-LOSbY: Error:
Url: http://nc.domain2.tld/.well-known/acme-challenge/AP_DCRyKVNfpZ03CXeZkZPPQAslYNPfzCnsx3-LOSbY
Data: None
Response Code: None
Response: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1056)>
2021-08-11 23:02:44,386: ERROR - Certificate installation for nc.domain2.tld failed !
Exception: Could not sign the new certificate

< Blockquote

Can you tell if maybe the diagnosis is complaining about a custom /etc/resolv.conf ?

This may do the trick to solve the issue:

(N.B. : you have to be logged as root. If you’re logged as admin, you can become root with sudo -i)

echo 'nc.domain2.tld' > /etc/resolv.conf

(replace nc.domain2.tld by the actual domain name)

no sorry, but the problem remains. Also noticed that i cant renew the ACME cert for the domain that worked (yh1.domain.tld)
The setup is as follows:
*- I use a DNS at my ISP to point .domain.tld to my firewall
- My firewall portforwards all 80/443 traffic to my YH server whitch is on a separate DMZ LAN
- when i do a dig domain.tld (or nc.domain.tld) from my YH server it point to the public IP of the router

Is this correct?

When i look at the acme- challange folder it looks like this:

root@yh1:/tmp/acme-challenge-public# ls -l
total 20
-rw-r–r-- 1 root root 87 Aug 11 23:12 582YWCiOOnLbZasiSZY-PWYwyuuLnjf8PXoqEVjCV U4
-rw-r–r-- 1 root root 87 Aug 12 09:24 AP_DCRyKVNfpZ03CXeZkZPPQAslYNPfzCnsx3-LOS bY
-rw-r–r-- 1 root root 87 Aug 12 09:10 mWA-rWaPnTIGKOch-mtMX1S-QNCKPgFBDc1D_mtqF Sc
-rw-r–r-- 1 root root 87 Aug 12 08:09 NdIaFcu9AtLxWHNb1sCFQwIZKAUdSOrioVphp3nDC wg
-rw-r–r-- 1 root root 87 Aug 12 08:09 zglDumItyJlTZq9qayc2tw3BPkxbq-Gj-pA8671x6 cM

When i look in my resolf.conf it looks like this:
cat /etc/resolv.conf
Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
search domain.tld

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.