No Let's Encrypt certificate for folatt.duniter.nohost.me

My certificate is self-signed at the moment.

admin@Xroklaus:~ $ sudo yunohost domain cert-status
certificates: 
  folatt.duniter.nohost.me: 
    CA_type: Self-signed
    summary: WARNING
    validity: 3649

This is what happens when I try to install a certificate:

admin@YunoHost:~ $ sudo yunohost domain cert-install --no-checks
Success! The SSOwat configuration has been generated
Success! The configuration has been updated for service 'dnsmasq'
Error: folatt.duniter.nohost.me challenge did not pass: {u'status': u'invalid', 
u'validationRecord': [{u'addressesResolved': [], u'url': 
u'http://folatt.duniter.nohost.me/.well-known/acme-challenge
/uHngdG3L86UxjldvHA7B5hQJ3dXbtgfX7wVB4RuFOmM', 
u'hostname': u'folatt.duniter.nohost.me', u'addressesTried': [], u'addressUsed': 
u'', u'port': u'80'}], u'keyAuthorization': 
u'uHngdG3L86UxjldvHA7B5hQJ3dXbtgfX7wVB4RuFOmM.iBWx87ks4TIxVSQ84s1Jac-
NFcHfA7CJFZ9rhx7UlJA', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge
/eseIJ0nFOeiPoIRyAa0kSb4hO2ewNTGP3kHyXBRlh0E/2289458023', u'token': 
u'uHngdG3L86UxjldvHA7B5hQJ3dXbtgfX7wVB4RuFOmM', u'error': {u'status': 400, u'type': 
u'urn:acme:error:connection', u'detail': u'DNS problem: NXDOMAIN looking up A for 
folatt.duniter.nohost.me'}, u'type': u'http-01'}
Error: Certificate installation for folatt.duniter.nohost.me failed !
Exception: [Errno 22] Signing the new certificate failed

/etc/hosts

127.0.0.1       localhost folatt.duniter.nohost.me
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

127.0.1.1       Xroklaus

/etc/hostname

Xroklaus

Also, how do I get the certificate to sign for https again? I recall that with my other server I had to specifically demand the certificate to sign it for https.

Hi there,

well, with nohost.me unfortunately you do not have ‘full control’ of the domain name. You may be able to have foo.nohost.me with proper DNS records for a YunoHost server (A record, stuff for XMPP and mail) but for now you cannot have control over bar.foo.nohost.me :confused:

Not sure I get your question … A certificate is a standard format and can be used in any SSL context, in particular, HTTPS. I don’t know any context for which you need to ask to sign a certificate specifically for HTTPS

I did a retry, this time with the address duniter-folatt.nohost.me.

This time I get a different error:

admin@duniter-folatt:~ $ sudo yunohost domain cert-install --no-checks
Success! The SSOwat configuration has been generated
Success! The configuration has been updated for service 'dnsmasq'
Error: duniter-folatt.nohost.me challenge did not pass: {u'status': u'invalid', u'validationRecord': 
[{u'addressesResolved': [u'83.163.103.119', u'2001:983:8610:1:15e7:898b:aac8:6eff'], u'url': 
u'https://duniter-folatt.nohost.me/yunohost/admin', u'hostname': u'duniter-folatt.nohost.me', 
u'addressesTried': [], u'addressUsed': u'83.163.103.119', u'port': u'443'}, {u'addressesResolved': 
[u'83.163.103.119', u'2001:983:8610:1:15e7:898b:aac8:6eff'], u'url': u'https://duniter-folatt.nohost.me
/yunohost/admin/', u'hostname': u'duniter-folatt.nohost.me', u'addressesTried': [], u'addressUsed': 
u'83.163.103.119', u'port': u'443'}, {u'addressesResolved': [u'83.163.103.119', 
u'2001:983:8610:1:15e7:898b:aac8:6eff'], u'url': u'http://duniter-folatt.nohost.me/.well-known/acme-
challenge/pOWATBoqeWxxK1Ug4Ox-Zv-JrwHZGL0_ZqzxIhowI98', u'hostname': u'duniter-folatt.nohost.me', 
u'addressesTried': [u'2001:983:8610:1:15e7:898b:aac8:6eff'], u'addressUsed': u'83.163.103.119', u'port': 
u'80'}], u'keyAuthorization': u'pOWATBoqeWxxK1Ug4Ox-Zv-
JrwHZGL0_ZqzxIhowI98.iBWx87ks4TIxVSQ84s1Jac-NFcHfA7CJFZ9rhx7UlJA', u'uri': u'https://acme-
v01.api.letsencrypt.org/acme/challenge/YhCt06owcAtin1e_5sSMHjs255GdkQ7TpVtXGLseVAg/2295369157', 
u'token': u'pOWATBoqeWxxK1Ug4Ox-Zv-JrwHZGL0_ZqzxIhowI98', u'error': {u'status': 403, u'type': 
u'urn:acme:error:unauthorized', u'detail': u'Invalid response from http://duniter-folatt.nohost.me/.well-
known/acme-challenge/pOWATBoqeWxxK1Ug4Ox-Zv-JrwHZGL0_ZqzxIhowI98: "<!DOCTYPE html>\n<html 
lang="en">\n<head>\n    <meta charset="utf-8">\n    <title>YunoHost admin</title>\n    <meta http-
equiv="cache"'}, u'type': u'http-01'}
Error: Certificate installation for duniter-folatt.nohost.me failed !
Exception: [Errno 22] Signing the new certificate failed

Well, is there a reason why you did --no-checks? What happens if you don’t add this option? Sounds like for some reason going to http://duniter-folatt.nohost.me/.well-known/acme-challenge/ redirects to the web admin…

The only reason was that it didn’t work before. Not using the option fixed the problem.

And since I have two domains pointing to the same ipv4 address, it’s a bit of a problem.
I’m not sure how to solve that issue other than to hope ipv4 will become redundant one day and in the meantime use a different https port for my private server.
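
To tell the two challenge failures in this thread apart, the following added example (not part of the original posts and not YunoHost code) parses the challenge dict printed in the error and labels what went wrong. The sample records are constructed and abridged from the outputs above; `triage`, the finding labels and `TOKEN` are hypothetical names.

```python
import ast

CHALLENGE_PATH = "/.well-known/acme-challenge/"

# Constructed, abridged records modelled on the two failures in this thread.
# TOKEN is a placeholder, not a real challenge token.
SAMPLE_DNS = r"""{u'status': u'invalid', u'type': u'http-01',
 u'validationRecord': [{u'addressesResolved': [], u'addressesTried': [],
   u'url': u'http://folatt.duniter.nohost.me/.well-known/acme-challenge/TOKEN',
   u'hostname': u'folatt.duniter.nohost.me', u'port': u'80'}],
 u'error': {u'status': 400, u'type': u'urn:acme:error:connection',
   u'detail': u'DNS problem: NXDOMAIN looking up A for folatt.duniter.nohost.me'}}"""

SAMPLE_REDIRECT = r"""{u'status': u'invalid', u'type': u'http-01',
 u'validationRecord': [
  {u'addressesResolved': [u'83.163.103.119'], u'port': u'443',
   u'url': u'https://duniter-folatt.nohost.me/yunohost/admin'},
  {u'addressesResolved': [u'83.163.103.119'], u'port': u'443',
   u'url': u'https://duniter-folatt.nohost.me/yunohost/admin/'},
  {u'addressesResolved': [u'83.163.103.119'], u'port': u'80',
   u'url': u'http://duniter-folatt.nohost.me/.well-known/acme-challenge/TOKEN'}],
 u'error': {u'status': 403, u'type': u'urn:acme:error:unauthorized',
   u'detail': u'Invalid response from http://duniter-folatt.nohost.me/.well-known/acme-challenge/TOKEN: "<!DOCTYPE html>\n<html lang="en">"'}}"""

def triage(challenge_repr):
    """Return (findings, off_path_urls) for a failed http-01 challenge dict."""
    chal = ast.literal_eval(challenge_repr)  # literal-only parse; u'' is valid
    err = chal.get("error", {})
    detail = err.get("detail", "")
    records = chal.get("validationRecord", [])
    findings = []
    # The CA resolves the name in public DNS; /etc/hosts entries do not count.
    if err.get("type") == "urn:acme:error:connection" and "NXDOMAIN" in detail:
        findings.append("dns-nxdomain")
    if records and not any(r.get("addressesResolved") for r in records):
        findings.append("no-address-resolved")
    # A fetched URL outside the challenge path means the validator was redirected.
    urls = [r.get("url", "") for r in records]
    off_path = [u for u in urls if CHALLENGE_PATH not in u]
    if off_path:
        findings.append("redirected-off-challenge-path")
    if err.get("type") == "urn:acme:error:unauthorized" and "<html" in detail.lower():
        findings.append("html-served-instead-of-token")
    return findings, off_path

if __name__ == "__main__":
    for sample in (SAMPLE_DNS, SAMPLE_REDIRECT):
        print(triage(sample))
```
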