Another "Failed authorization procedure"

Help
1

My domain is: perchpatrol.com

I ran this command: /usr/bin/certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/perchpatrol.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for perchpatrol.com
tls-sni-01 challenge for test.perchpatrol.com
tls-sni-01 challenge for www.perchpatrol.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (perchpatrol.com) from /etc/letsencrypt/renewal/perchpatrol.com.conf produced an unexpected error: Failed authorization procedure. perchpatrol.com (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 90c567358c51582ed3ca5093e465e1a0.9c298c343b0407944d3b6510f065373f.acme.invalid from 66.163.129.157:443. Received 1 certificate(s), first certificate had names “perchpatrol.com, test.perchpatrol.com, www.perchpatrol.com”, test.perchpatrol.com (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 1778bb6d7b167a6bd251fd78f99f1f76.2c378b3b7c84b30a0b05d9a2a6ad8716.acme.invalid from 66.163.129.157:443. Received 1 certificate(s), first certificate had names “perchpatrol.com, test.perchpatrol.com, www.perchpatrol.com”, www.perchpatrol.com (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 3c1f204585654a29d0e8170d96635ffd.7c18c0af908afc7b6780520d049b8527.acme.invalid from 66.163.129.157:443. Received 1 certificate(s), first certificate had names “perchpatrol.com, test.perchpatrol.com, www.perchpatrol.com”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/perchpatrol.com/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/perchpatrol.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: perchpatrol.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    90c567358c51582ed3ca5093e465e1a0.9c298c343b0407944d3b6510f065373f.acme.invalid
    from 66.163.129.157:443. Received 1 certificate(s), first
    certificate had names “perchpatrol.com, test.perchpatrol.com,
    www.perchpatrol.com

    Domain: test.perchpatrol.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    1778bb6d7b167a6bd251fd78f99f1f76.2c378b3b7c84b30a0b05d9a2a6ad8716.acme.invalid
    from 66.163.129.157:443. Received 1 certificate(s), first
    certificate had names “perchpatrol.com, test.perchpatrol.com,
    www.perchpatrol.com

    Domain: www.perchpatrol.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    3c1f204585654a29d0e8170d96635ffd.7c18c0af908afc7b6780520d049b8527.acme.invalid
    from 66.163.129.157:443. Received 1 certificate(s), first
    certificate had names “perchpatrol.com, test.perchpatrol.com,
    www.perchpatrol.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): Apache/2.4.6 (CentOS)

The operating system my web server runs on is (include version): CentOS Linux release 7.5.1804 (Core)

My hosting provider, if applicable, is: Myself

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Webserver has always been behind a NAT firewall. This is, I believe, the first time a renewal process has been attempted.

I have googled for this, and have found a few posts indicating that the TLS-SNI process is being done away with, but should still be valid for renewals. BTW, certbot 0.26.1.

Currently have 26 days to renew.

2

Hi @alexmoen

the best solution: Ignore the tls-sni-validation, start new. Use the

preferred-challenges=http - option:

https://certbot.eff.org/docs/using.html#certbot-commands

Something like

Certbot --apache preferred-challenges=http -d yourdomains

Or (if there is already a webserver): Use the webroot-option.

3

Thanks for that, it worked with a little syntax fixing - command should be:
certbot --apache --preferred-challenges=http -d yourdomains
Put it here for future reference, and for others.

When I perform a force-renewal command (because I want to ensure renewal will work later), it still uses tls-sni-01, but now it works. I guess I'll wait for another 60 days, when it attempts automated renewal again. I have another 50+ sites that will update before that, so we'll see how widespread this issue is, or if it's simply this one web server that had a problem.

Thanks again for the quick reply!

Alex

1 Like
4

Haha, had scrolled right, so -- was missing :wink:

5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.