folaht
October 24, 2017, 5:25am
1
My certificate is self-signed at the moment.
admin@Xroklaus:~ $ sudo yunohost domain cert-status
certificates:
  folatt.duniter.nohost.me:
    CA_type: Self-signed
    summary: WARNING
    validity: 3649
This is what happens when I try to install a certificate:
admin@YunoHost:~ $ sudo yunohost domain cert-install --no-checks
Success! The SSOwat configuration has been generated
Success! The configuration has been updated for service 'dnsmasq'
Error: folatt.duniter.nohost.me challenge did not pass: {u'status': u'invalid',
u'validationRecord': [{u'addressesResolved': [], u'url':
u'http://folatt.duniter.nohost.me/.well-known/acme-challenge
/uHngdG3L86UxjldvHA7B5hQJ3dXbtgfX7wVB4RuFOmM',
u'hostname': u'folatt.duniter.nohost.me', u'addressesTried': [], u'addressUsed':
u'', u'port': u'80'}], u'keyAuthorization':
u'uHngdG3L86UxjldvHA7B5hQJ3dXbtgfX7wVB4RuFOmM.iBWx87ks4TIxVSQ84s1Jac-
NFcHfA7CJFZ9rhx7UlJA', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge
/eseIJ0nFOeiPoIRyAa0kSb4hO2ewNTGP3kHyXBRlh0E/2289458023', u'token':
u'uHngdG3L86UxjldvHA7B5hQJ3dXbtgfX7wVB4RuFOmM', u'error': {u'status': 400, u'type':
u'urn:acme:error:connection', u'detail': u'DNS problem: NXDOMAIN looking up A for
folatt.duniter.nohost.me'}, u'type': u'http-01'}
Error: Certificate installation for folatt.duniter.nohost.me failed !
Exception: [Errno 22] Signing the new certificate failed
/etc/hosts
127.0.0.1 localhost folatt.duniter.nohost.me
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.1.1 Xroklaus
/etc/hostname
Xroklaus
Also, how do I get the certificate to sign for https again? I recall that with my other server I had to specifically demand the certificate to sign it for https.
Aleks
October 24, 2017, 7:19am
2
Hi there,
Well, with nohost.me unfortunately you do not have ‘full control’ of the domain name. You may be able to have foo.nohost.me with proper DNS records for a YunoHost server (A record, stuff for XMPP and mail) but for now you cannot have control over bar.foo.nohost.me.
Not sure I get your question … A certificate is a standard format and can be used in any SSL context, in particular, HTTPS. I don’t know any context for which you need to ask to sign a certificate specifically for HTTPS
1 Like
folaht
October 24, 2017, 7:25pm
3
I did a retry, this time with the address duniter-folatt.nohost.me.
This time I get a different error:
admin@duniter-folatt:~ $ sudo yunohost domain cert-install --no-checks
Success! The SSOwat configuration has been generated
Success! The configuration has been updated for service 'dnsmasq'
Error: duniter-folatt.nohost.me challenge did not pass: {u'status': u'invalid', u'validationRecord':
[{u'addressesResolved': [u'83.163.103.119', u'2001:983:8610:1:15e7:898b:aac8:6eff'], u'url':
u'https://duniter-folatt.nohost.me/yunohost/admin', u'hostname': u'duniter-folatt.nohost.me',
u'addressesTried': [], u'addressUsed': u'83.163.103.119', u'port': u'443'}, {u'addressesResolved':
[u'83.163.103.119', u'2001:983:8610:1:15e7:898b:aac8:6eff'], u'url': u'https://duniter-folatt.nohost.me
/yunohost/admin/', u'hostname': u'duniter-folatt.nohost.me', u'addressesTried': [], u'addressUsed':
u'83.163.103.119', u'port': u'443'}, {u'addressesResolved': [u'83.163.103.119',
u'2001:983:8610:1:15e7:898b:aac8:6eff'], u'url': u'http://duniter-folatt.nohost.me/.well-known/acme-
challenge/pOWATBoqeWxxK1Ug4Ox-Zv-JrwHZGL0_ZqzxIhowI98', u'hostname': u'duniter-folatt.nohost.me',
u'addressesTried': [u'2001:983:8610:1:15e7:898b:aac8:6eff'], u'addressUsed': u'83.163.103.119', u'port':
u'80'}], u'keyAuthorization': u'pOWATBoqeWxxK1Ug4Ox-Zv-
JrwHZGL0_ZqzxIhowI98.iBWx87ks4TIxVSQ84s1Jac-NFcHfA7CJFZ9rhx7UlJA', u'uri': u'https://acme-
v01.api.letsencrypt.org/acme/challenge/YhCt06owcAtin1e_5sSMHjs255GdkQ7TpVtXGLseVAg/2295369157',
u'token': u'pOWATBoqeWxxK1Ug4Ox-Zv-JrwHZGL0_ZqzxIhowI98', u'error': {u'status': 403, u'type':
u'urn:acme:error:unauthorized', u'detail': u'Invalid response from http://duniter-folatt.nohost.me/.well-
known/acme-challenge/pOWATBoqeWxxK1Ug4Ox-Zv-JrwHZGL0_ZqzxIhowI98: "<!DOCTYPE html>\n<html
lang="en">\n<head>\n <meta charset="utf-8">\n <title>YunoHost admin</title>\n <meta http-
equiv="cache"'}, u'type': u'http-01'}
Error: Certificate installation for duniter-folatt.nohost.me failed !
Exception: [Errno 22] Signing the new certificate failed
Aleks
October 24, 2017, 8:28pm
4
Well, is there a reason why you did --no-checks? What happens if you don’t add this option? Sounds like for some reason going to http://duniter-folatt.nohost.me/.well-known/acme-challenge/ redirects to the web admin…
1 Like
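The two failures quoted in this thread can be told apart from the fields of the ACME error itself: the error type, the URLs in validationRecord, and addressesTried. The following is an added example, not part of any post and not YunoHost code; the function name `diagnose` and the sample dicts (placeholder token, documentation-range addresses and hostnames) are constructed for illustration.

```python
import ast

CHALLENGE_PATH = "/.well-known/acme-challenge/"

# Constructed samples modelled on the two error dicts quoted in the thread
# (Python 2 repr, shortened; token, hostnames and addresses are placeholders).
NXDOMAIN_REPR = """{u'status': u'invalid', u'type': u'http-01',
 u'validationRecord': [{u'url': u'http://sub.example.nohost.me/.well-known/acme-challenge/TOKEN',
   u'addressesResolved': [], u'addressesTried': [], u'addressUsed': u'', u'port': u'80'}],
 u'error': {u'status': 400, u'type': u'urn:acme:error:connection',
   u'detail': u'DNS problem: NXDOMAIN looking up A for sub.example.nohost.me'}}"""

REDIRECT_REPR = """{u'status': u'invalid', u'type': u'http-01',
 u'validationRecord': [
  {u'url': u'https://example.nohost.me/yunohost/admin', u'addressesTried': [],
   u'addressUsed': u'192.0.2.10', u'port': u'443'},
  {u'url': u'http://example.nohost.me/.well-known/acme-challenge/TOKEN',
   u'addressesTried': [u'2001:db8::1'], u'addressUsed': u'192.0.2.10', u'port': u'80'}],
 u'error': {u'status': 403, u'type': u'urn:acme:error:unauthorized',
   u'detail': u'Invalid response from http://example.nohost.me/.well-known/acme-challenge/TOKEN: "<!DOCTYPE html>"'}}"""


def diagnose(challenge_repr):
    """Return a list of (code, explanation) findings for a failed http-01 challenge."""
    ch = ast.literal_eval(challenge_repr)  # u'' literals parse on Python 3; no eval()
    err = ch.get("error", {})
    detail = err.get("detail", "")
    low = detail.lower()
    findings = []
    if err.get("type", "").endswith(":connection") and "NXDOMAIN" in detail:
        findings.append(("dns", "CA could not resolve the name: no public A record"))
    if err.get("type", "").endswith(":unauthorized"):
        kind = "an HTML page" if "<html" in low or "<!doctype" in low else "unexpected content"
        findings.append(("wrong-body", "challenge URL returned %s, not the key authorization" % kind))
    for rec in ch.get("validationRecord", []):
        if CHALLENGE_PATH not in rec.get("url", ""):
            # A record for a non-challenge URL means the CA followed a redirect.
            findings.append(("redirect", "CA also fetched " + rec["url"]))
        if rec.get("addressesTried"):
            findings.append(("fallback", "%s failed before %s was used"
                             % (", ".join(rec["addressesTried"]), rec["addressUsed"])))
    return findings


if __name__ == "__main__":
    for sample in (NXDOMAIN_REPR, REDIRECT_REPR):
        for code, text in diagnose(sample):
            print(code, "-", text)
```

A "fallback" finding means an address the CA tried first did not answer on port 80, which is worth checking when an AAAA record is published alongside the A record.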
folaht
October 25, 2017, 5:40am
5
The only reason was that it didn’t work before. Not using the option fixed the problem.
And since I have two domains pointing to the same ipv4 address, it’s a bit of a problem.
I’m not sure how to solve that issue other than to hope ipv4 will become redundant one day and, in the meantime, use a different https port for my private server.