Some context: I have two servers, one with an app and one with a marketing website. Domains psisix.com and www.psisix.com are on the web server, and domain app.psisix.com is on the app server (Apache + Tomcat). Both servers have letsencrypt certificates. Now I need to update the certificates for the web server and it seems to read stuff associated with the app server. Not sure how to proceed in this scenario. Please see the command’s output.
My domain is: psisix.com
I ran this command: letsencrypt-auto renew
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/psisix.com.conf
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.psisix.com
tls-sni-01 challenge for psisix.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (psisix.com) from /etc/letsencrypt/renewal/psisix.com.conf produced an unexpected error: Failed authorization procedure. www.psisix.com (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 5cec245098bed796c474c1cf5e8eebf7.2096e385ca0fb469de1fe3783bd96dcd.acme.invalid from [2600:3c03::f03c:91ff:fe59:8841]:443. Received 2 certificate(s), first certificate had names “app.psisix.com”, psisix.com (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 6a88cf4e5f67d053a9df959ba233e537.4728b8fc514b9ee369f18b0217dde687.acme.invalid from [2600:3c03::f03c:91ff:fe59:8841]:443. Received 2 certificate(s), first certificate had names “app.psisix.com”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/psisix.com/fullchain.pem (failure)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/psisix.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.psisix.com
   Type: unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   5cec245098bed796c474c1cf5e8eebf7.2096e385ca0fb469de1fe3783bd96dcd.acme.invalid
   from [2600:3c03::f03c:91ff:fe59:8841]:443. Received 2
   certificate(s), first certificate had names “app.psisix.com”

   Domain: psisix.com
   Type: unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   6a88cf4e5f67d053a9df959ba233e537.4728b8fc514b9ee369f18b0217dde687.acme.invalid
   from [2600:3c03::f03c:91ff:fe59:8841]:443. Received 2
   certificate(s), first certificate had names “app.psisix.com”

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
My web server is (include version): Apache 2.4.29
The operating system my web server runs on is (include version): Ubuntu 18.04
I can login to a root shell on my machine (yes or no, or I don’t know): yep
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
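
Added example (not part of the original post, and not certbot's own code): a small Python parser over the two failure details in the output above, extracting which address the validation server connected to and which names were on the certificate it received. The function and field names are chosen here for illustration, and the sample text is copied from the post.

```python
import ipaddress
import re

# Sample input: the two failure details copied from the renewal output in the post.
SAMPLE = (
    "www.psisix.com (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: "
    "The client lacks sufficient authorization :: Incorrect validation certificate "
    "for tls-sni-01 challenge. Requested "
    "5cec245098bed796c474c1cf5e8eebf7.2096e385ca0fb469de1fe3783bd96dcd.acme.invalid "
    "from [2600:3c03::f03c:91ff:fe59:8841]:443. Received 2 certificate(s), first "
    "certificate had names “app.psisix.com”, psisix.com (tls-sni-01): "
    "urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient "
    "authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested "
    "6a88cf4e5f67d053a9df959ba233e537.4728b8fc514b9ee369f18b0217dde687.acme.invalid "
    "from [2600:3c03::f03c:91ff:fe59:8841]:443. Received 2 certificate(s), first "
    "certificate had names “app.psisix.com”. Skipping."
)

# One match per failed challenge: domain, contacted address, names on the served cert.
FAILURE = re.compile(
    r"(?P<domain>[\w.-]+) \((?P<challenge>[\w-]+)\): .*?"
    r"Requested (?P<requested>\S+) from "
    r"(?P<addr>\[[0-9A-Fa-f:]+\]|\d+(?:\.\d+){3}):(?P<port>\d+)\. "
    r"Received \d+ certificate\(s\), first certificate had names "
    r"[“\"](?P<names>[^”\"]+)[”\"]"
)

def parse_failures(text):
    """Return one dict per failed challenge found in the error text."""
    out = []
    for m in FAILURE.finditer(text):
        ip = ipaddress.ip_address(m["addr"].strip("[]"))
        out.append({
            "domain": m["domain"],
            "address": str(ip),
            "ip_version": ip.version,  # 6 means the lookup used the AAAA record
            "served_names": [n.strip() for n in m["names"].split(",")],
        })
    return out

def wrong_host(failures):
    """Map each domain to (address, names) when the served cert names another host."""
    return {f["domain"]: (f["address"], f["served_names"])
            for f in failures if f["domain"] not in f["served_names"]}

if __name__ == "__main__":
    for domain, (addr, names) in wrong_host(parse_failures(SAMPLE)).items():
        print(f"{domain}: validated via {addr}, which served a cert for {names}")
```

On the output above it reports that both names were validated over the same IPv6 address, and that address answered with a certificate for app.psisix.com.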