Having used Let’s Encrypt for quite some time now, I’m suddenly getting authorization errors when trying to renew my certificate. I think this may be related to my adding an additional hostname, rehash.altmode.net, to my certificate (although this worked the first time, apparently).
Authorization fails because it is expecting a certificate for (for example)
c954623697823548af59563dd1c37ae9.1cf61a4662aad873049ed8fe2d763bb4.acme.invalid
and getting a certificate for
d0a523b0300eb48035b680c5132880b0.e74f2b5ce0f3595d184567d06f633244.acme.invalid
The expected certificate name is different every time I try, but the received certificate (d0a523…) is the same every time. Furthermore, this is apparently the certificate name used for the rehash.altmode.net challenge.
In reading through other cases, it sounded like there was some doubt about whether this works correctly with IPv6, and as you can see (below) I am using IPv6.
Console output below; can also provide verbose output if needed.
root@altmode:/var/log/letsencrypt# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/altmode.net.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for altmode.net
tls-sni-01 challenge for rehash.altmode.net
/usr/lib/python2.7/dist-packages/OpenSSL/rand.py:58: UserWarning: implicit cast from 'char *' to a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct)
result_code = _lib.RAND_bytes(result_buffer, num_bytes)
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/altmode.net.conf produced an unexpected error: Failed authorization procedure. altmode.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested e5f1b203fb9015eb8807021676e9b589.16d972a4ecbb96e8d26747b27825d05e.acme.invalid from [2607:f2f8:a994::32ca]:443. Received 1 certificate(s), first certificate had names "d0a523b0300eb48035b680c5132880b0.e74f2b5ce0f3595d184567d06f633244.acme.invalid, dummy". Skipping.
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/altmode.net/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: altmode.net
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
e5f1b203fb9015eb8807021676e9b589.16d972a4ecbb96e8d26747b27825d05e.acme.invalid
from [2607:f2f8:a994::32ca]:443. Received 1 certificate(s), first
certificate had names
"d0a523b0300eb48035b680c5132880b0.e74f2b5ce0f3595d184567d06f633244.acme.invalid,
dummy"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
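An added diagnostic helper, written here as an example and not part of the post above or of certbot. It does two things a practitioner debugging this error wants to check: it derives the SAN name a tls-sni-01 validator expects from a key authorization (the ACME draft that defined the challenge computes Z = hex(SHA-256(keyAuthorization)) and builds Z[0:32] "." Z[32:64] ".acme.invalid", which is why the requested name changes with every new token), and it parses the "Incorrect validation certificate" detail line quoted above to classify what the server actually presented. The sample detail line is the one from the post; the key authorization value and the classification labels are my own constructed assumptions.

```python
import hashlib
import re
from typing import Dict, List

# Suffix and layout of a tls-sni-01 validation name per the ACME draft:
# Z = hex(SHA-256(keyAuthorization)); name = Z[0:32] "." Z[32:64] ".acme.invalid"
ACME_INVALID_SUFFIX = ".acme.invalid"

# Detail line as certbot printed it in the post above (wrapped here for width only).
SAMPLE_DETAIL = (
    "Incorrect validation certificate for tls-sni-01 challenge. Requested "
    "e5f1b203fb9015eb8807021676e9b589.16d972a4ecbb96e8d26747b27825d05e.acme.invalid "
    "from [2607:f2f8:a994::32ca]:443. Received 1 certificate(s), first certificate "
    'had names "d0a523b0300eb48035b680c5132880b0.e74f2b5ce0f3595d184567d06f633244'
    '.acme.invalid, dummy".'
)

_DETAIL_RE = re.compile(
    r"Requested (?P<requested>\S+) from \[?(?P<addr>[^\]\s]+)\]?:(?P<port>\d+)\. "
    r"Received (?P<count>\d+) certificate\(s\), first certificate had names "
    r'"(?P<names>[^"]*)"'
)


def tls_sni_01_name(key_authorization: str) -> str:
    """Derive the SAN a validator will request for one tls-sni-01 challenge."""
    z = hashlib.sha256(key_authorization.encode("ascii")).hexdigest()
    return f"{z[:32]}.{z[32:]}{ACME_INVALID_SUFFIX}"


def looks_like_tls_sni_name(name: str) -> bool:
    """Structural check: two 32-character lowercase-hex labels under .acme.invalid."""
    if not name.endswith(ACME_INVALID_SUFFIX):
        return False
    labels = name[: -len(ACME_INVALID_SUFFIX)].split(".")
    hexchars = set("0123456789abcdef")
    return len(labels) == 2 and all(
        len(label) == 32 and set(label) <= hexchars for label in labels
    )


def parse_detail(detail: str) -> Dict[str, object]:
    """Pull the requested name, probed address and presented SANs out of the error text."""
    m = _DETAIL_RE.search(detail)
    if m is None:
        raise ValueError("detail line does not match the certbot/Boulder format")
    names: List[str] = [n.strip() for n in m.group("names").split(",") if n.strip()]
    return {
        "requested": m.group("requested"),
        "address": m.group("addr"),
        "port": int(m.group("port")),
        "cert_count": int(m.group("count")),
        "names": names,
    }


def diagnose(requested: str, received_names: List[str]) -> str:
    """Classify the mismatch (labels are this example's own, not certbot's):
    match                  - the challenge cert for this token was served
    other-challenge-cert   - a tls-sni-01 cert was served, but for a different token
    not-a-challenge-cert   - the server answered with an ordinary certificate
    """
    if requested in received_names:
        return "match"
    if any(looks_like_tls_sni_name(n) for n in received_names):
        return "other-challenge-cert"
    return "not-a-challenge-cert"


def diagnose_detail(detail: str) -> str:
    parsed = parse_detail(detail)
    return diagnose(parsed["requested"], parsed["names"])  # type: ignore[arg-type]


if __name__ == "__main__":
    info = parse_detail(SAMPLE_DETAIL)
    print(f"validator probed [{info['address']}]:{info['port']} with SNI {info['requested']}")
    print(f"server presented: {info['names']}")
    print("verdict:", diagnose_detail(SAMPLE_DETAIL))
```

On the line from the post the verdict is other-challenge-cert: the presented name has the tls-sni-01 shape but belongs to a different token than the one the validator asked for, which matches the observation that the requested name changes on every attempt while the received one does not.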