All renewal attempts failed, have 2 certs on different servers


#1

Some context: I have two servers, one with an app and one with a marketing website. Domains psisix.com and www.psisix.com are on the web server, and domain app.psisix.com is on the app server (Apache + Tomcat). Both servers have letsencrypt certificates. Now I need to update the certificates for the web server and it seems to read stuff associated with the app server. Not sure how to proceed in this scenario. Please see the command’s output.

My domain is: psisix.com

I ran this command: letsencrypt-auto renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/psisix.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.psisix.com
tls-sni-01 challenge for psisix.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (psisix.com) from /etc/letsencrypt/renewal/psisix.com.conf produced an unexpected error: Failed authorization procedure. www.psisix.com (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 5cec245098bed796c474c1cf5e8eebf7.2096e385ca0fb469de1fe3783bd96dcd.acme.invalid from [2600:3c03::f03c:91ff:fe59:8841]:443. Received 2 certificate(s), first certificate had names “app.psisix.com”, psisix.com (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 6a88cf4e5f67d053a9df959ba233e537.4728b8fc514b9ee369f18b0217dde687.acme.invalid from [2600:3c03::f03c:91ff:fe59:8841]:443. Received 2 certificate(s), first certificate had names “app.psisix.com”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/psisix.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/psisix.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.psisix.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    5cec245098bed796c474c1cf5e8eebf7.2096e385ca0fb469de1fe3783bd96dcd.acme.invalid
    from [2600:3c03::f03c:91ff:fe59:8841]:443. Received 2
    certificate(s), first certificate had names “app.psisix.com

    Domain: psisix.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    6a88cf4e5f67d053a9df959ba233e537.4728b8fc514b9ee369f18b0217dde687.acme.invalid
    from [2600:3c03::f03c:91ff:fe59:8841]:443. Received 2
    certificate(s), first certificate had names “app.psisix.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): Apache 2.4.29

The operating system my web server runs on is (include version): Ubuntu 18.04

I can login to a root shell on my machine (yes or no, or I don’t know): yep

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi,

Can you please check your IPV6 record?

You might have accidentally set the main domain’s IPv6 to the app server… (Correct your IPv6 record & try again)

When I visit the website http://psisix.com/ on my network, it simply returns 404… And I’m not able to check the IPv4 version… (since my home & mobile networks are all v6), but I guess it’s not going to be a 404 on IPv4…

This test proves my idea…https://letsdebug.net/psisix.com/3173

Thank you


#3

Thanks,

Checked the records in the DNS:

For the empty and www hostnames I have: 162.216.16.46 and 2600:3c03::f03c:91ff:fe59:8841

For the app hostname I only have IPv4 45.79.162.241 (the IP of the app server)

I’ve been receiving attacks, so some IP ranges might be blocked; are you in Russia, China or India? For me it works OK, I can see both https://psisix.com/ and https://www.psisix.com/ produce the same result. The website is locale dependent, so for different locations it might return the site in English or Spanish.

Will dig more about the letsdebug issue.


#4

Hi,

I’m actually located in U.S…

The IPv4 version of your www site seems to work correctly… However, the IPv6 one is definitely pointed to the app server (instead of the www server).
More detail: the IPv6 address 2600:3c03::f03c:91ff:fe59:8841 responds with the same software version as the IPv4 address of your app site…

If you could, try to remove the IPv6 address for a few minutes and run certbot; the result will change. (Then you could choose to add IPv6 back, but I guess it will start to produce the same failure since the IPv6 address is assigned to the app server…)

Thank you
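As an added diagnostic (not part of the thread), the Python check below resolves every A and AAAA record for a hostname, connects to each address with that hostname as SNI, and reports any address whose served certificate does not cover the name; that is the mismatch the tls-sni-01 validator reported in the first post. The sample addresses and certificate names used for the offline test are constructed from the thread; the live lookup uses only the standard library.

```python
import socket
import ssl
from typing import Callable, Dict, Iterable, List


def resolve_all(hostname: str) -> List[str]:
    """Every A and AAAA address published for hostname (live DNS lookup)."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def cert_names_at(address: str, hostname: str, timeout: float = 5.0) -> List[str]:
    """Connect to address:443 with SNI=hostname and return the DNS SANs presented.
    check_hostname is off on purpose: we want to see whatever cert the host serves,
    while chain validation stays on so a forged or self-signed cert is reported."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with socket.create_connection((address, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except (OSError, ssl.SSLError) as exc:
        return [f"<no usable certificate: {exc}>"]
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(san: str, hostname: str) -> bool:
    """Exact match, or a wildcard SAN covering exactly one leftmost label."""
    san, hostname = san.lower(), hostname.lower()
    if san.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == san[2:]
    return san == hostname


def find_misrouted_addresses(hostname: str, addresses: Iterable[str],
                             names_at: Callable[[str, str], List[str]] = cert_names_at
                             ) -> Dict[str, List[str]]:
    """Map each address whose served certificate does not cover hostname to the
    names it served instead. Empty result: every A/AAAA record reaches a host
    that can answer for hostname, which is what the ACME validator needs."""
    return {addr: names for addr in addresses
            for names in [names_at(addr, hostname)]
            if not any(name_matches(n, hostname) for n in names)}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.psisix.com"
    for addr, names in find_misrouted_addresses(host, resolve_all(host)).items():
        print(f"{host} -> {addr} serves {names}, not a certificate for {host}")
```

Run it against each name in the certificate before retrying the renewal; any address it lists is one the validator may be sent to.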


#5

Checking the ifconfig on both servers, it seems that is the issue; I saw almost the same IP, but the last digits are different. Let me try changing that.


#6

DNS updated the change on the AAAA record, and it worked!!!

Thanks now I got my certificate for the next 3 months :slight_smile:


#7

BTW, can you check if you can see the site now?

Also can you provide me your public IP to double check the blocked IPs?

Thanks!

