Cannot Create Certificate for 1 Domain


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: kingdomorganicseeds.com

I ran this command: certbot-auto --apache

It produced this output:

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 5 6
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for kingdomorganicseeds.com
tls-sni-01 challenge for www.kingdomorganicseeds.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.kingdomorganicseeds.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested ca33dc6aef1f2e2172ae6e04fc0e2267.0b5430db61ff93336776d2c888124057.acme.invalid from 198.71.56.71:443. Received 2 certificate(s), first certificate had names " (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested d650d69e6b06edfe792f1f210e387801.f2d55813daeaec48e619262995df1537.acme.invalid from 198.71.56.71:443. Received 2 certificate(s), first certificate had names
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.kingdomorganicseeds.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    ca33dc6aef1f2e2172ae6e04fc0e2267.0b5430db61ff93336776d2c888124057.acme.invalid
    from 198.71.56.71:443. Received 2 certificate(s), first certificate
    had names

    Domain: kingdomorganicseeds.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    d650d69e6b06edfe792f1f210e387801.f2d55813daeaec48e619262995df1537.acme.invalid
    from 198.71.56.71:443. Received 2 certificate(s), first certificate
    had names
    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version):

Apache 2.2.15

The operating system my web server runs on is (include version):

CentOS 6.9

My hosting provider, if applicable, is:

1and1 VPS

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes, I can log in as root

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

I'm using Webmin/Virtualmin to manage basic processes but didn't realize it had a built-in Let's Encrypt option until after I used certbot. Now it forces me to use certbot.

My Log File Looks Like:

HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1885
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel="next"
Replay-Nonce: NJQ9Owi8Em4hvvcZJm3zqFd-59-V7gvyJ34mCUv2KRs
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 12 Mar 2018 20:20:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 12 Mar 2018 20:20:33 GMT
Connection: keep-alive

b'{\n "identifier": {\n "type": "dns",\n "value": "www.kingdomorganicseeds.com"\n },\n "status": "invalid",\n "expires": "2018-03-19T20:20:23Z",\n "challenges": [\n {\n "type": "dns-01",\n "status": "pending",\n $
2018-03-12 20:20:32,161:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: www.kingdomorganicseeds.com
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge. Requested ca33dc6aef1f2e2172ae6e04fc0e2267.0b5430db61ff93336776d2c888124057.acme.invalid from 198.71.56.71:443. Received 2 certificate(s), first certificate had names "s$

Domain: kingdomorganicseeds.com
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge. Requested d650d69e6b06edfe792f1f210e387801.f2d55813daeaec48e619262995df1537.acme.invalid from 198.71.56.71:443. Received 2 certificate(s), first certificate had names "s$

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2018-03-12 20:20:32,161:INFO:certbot.auth_handler:Cleaning up challenges
2018-03-12 20:20:32,616:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in
    load_entry_point('letsencrypt==0.7.0', 'console_scripts', 'letsencrypt')()
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/main.py", line 1266, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/main.py", line 1031, in run
    certname, lineage)
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/main.py", line 118, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/client.py", line 350, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/client.py", line 294, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/client.py", line 330, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(resp, best_effort)
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/auth_handler.py", line 157, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/auth_handler.py", line 220, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. www.kingdomorganicseeds.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 chall$

I am using root to do this. All 7 of my other domains on this server were successfully used by certbot to create their new certificates. The first time I tried to do these domains I hadn't updated the DNS records, but I have since done this and checked with DNS Stuff and other DNS web tools to ensure everyone has the right IP address and settings.

When I create a file in the .well-known/acme-challenge/ folder I can view the text file, but the file certbot is supposed to be creating and inserting into this folder is not being created.


#2

Hi @dansperfect,

In this case, Certbot is not creating a file in /.well-known/acme-challenge; it’s using an older alternative method called TLS-SNI-01 (which involves creating a temporary self-signed certificate instead). TLS-SNI-01 is no longer available for new certificates, but it’s still available for renewals. What’s failing here is the TLS-SNI-01 validation method.

The availability of this method for renewals is meant to be a convenience to existing users so they don’t have to change their validation methods, but it looks like for some reason it’s not working for you, and so it’s ended up acting as more of a nuisance for you.

The situation is described further in

If you want to change this particular certificate to behave like the other ones (proving control by creating a file in /.well-known/acme-challenge), you can either reissue the certificate with -a webroot -i apache, or you can be sure that you've upgraded to Certbot 0.21 or later and then reissue the certificate with --apache --preferred-challenges http. In both cases, the creating-a-file method, called HTTP-01, will be used (although there are differences between my two suggestions in terms of exactly how and where the file gets created).

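The following is an added example, not certbot's or Let's Encrypt's code and not part of either post above. It shows, from one challenge token and one account-key thumbprint, what the CA looks for under TLS-SNI-01 (the `<hex>.<hex>.acme.invalid` name requested in the errors in #1, served as a certificate on port 443, with no file involved) versus HTTP-01 (the `/.well-known/acme-challenge/<token>` file that #2 says the other certificates used), and it parses certbot's failure text to pull out the requested name and the IP the CA actually probed. `SAMPLE_TOKEN` and `SAMPLE_THUMBPRINT` are constructed placeholders; the sample error text is built from the lines in #1, with a placeholder where the post's SAN list is truncated. The validator check mirrors the behaviour implied by the error message (one dNSName equal to the requested name), as I understand it, not a copy of the CA's code.

```python
"""Added example (not certbot's or Let's Encrypt's code): what the CA checks for the
TLS-SNI-01 and HTTP-01 challenges, derived from one token and one account-key
thumbprint, plus a parser for certbot's TLS-SNI-01 failure text.
"""
import hashlib
import re

# Constructed placeholders. In a real run the token comes from the ACME server and
# the thumbprint is the RFC 7638 thumbprint of your account key.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_THUMBPRINT = "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs"

# Shape of the name the CA requests via SNI: two 32-hex-char labels + .acme.invalid
ACME_INVALID_NAME = re.compile(r"^[0-9a-f]{32}\.[0-9a-f]{32}\.acme\.invalid$")


def key_authorization(token, thumbprint):
    """ACME keyAuthorization = token || "." || base64url(JWK thumbprint)."""
    return f"{token}.{thumbprint}"


def http01_expected(token, thumbprint):
    """HTTP-01: the CA GETs this path on port 80 and expects this exact body.
    This is the file the poster in #1 was looking for; it only exists under HTTP-01."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, thumbprint)


def tls_sni01_expected_san(token, thumbprint):
    """TLS-SNI-01 (ACME draft-ietf-acme-acme-01): Z = hex(SHA-256(keyAuthorization));
    the CA opens TLS to port 443 with SNI = Z[0:32].Z[32:64].acme.invalid and expects
    a (self-signed) certificate carrying exactly that dNSName. Nothing is written to
    the webroot, which is why no file appears in .well-known/acme-challenge."""
    z = hashlib.sha256(key_authorization(token, thumbprint).encode("ascii")).hexdigest()
    return f"{z[:32]}.{z[32:]}.acme.invalid"


def tls_sni01_would_validate(leaf_dns_names, expected_san):
    """Check as implied by the error in #1: the first certificate the server presents
    must have a single dNSName equal to the requested name (case-insensitive).
    A default vhost answering with the site's real names fails this."""
    return len(leaf_dns_names) == 1 and leaf_dns_names[0].lower() == expected_san.lower()


FAILURE_RE = re.compile(
    r"(?P<domain>[A-Za-z0-9.-]+) \(tls-sni-01\):.*?Requested "
    r"(?P<name>[0-9a-f]{32}\.[0-9a-f]{32}\.acme\.invalid) from "
    r"(?P<addr>[0-9.]+:[0-9]+)",
    re.S,
)


def parse_tls_sni01_failures(text):
    """Pull (domain, requested SNI name, IP:port the CA probed) out of certbot's
    'Failed authorization procedure' text, one tuple per failed identifier.
    First compare the probed IP with the A record; if it matches (as in this thread),
    the wrong vhost answered the SNI rather than the plugin's temporary one."""
    return [(m["domain"], m["name"], m["addr"]) for m in FAILURE_RE.finditer(text)]


# Constructed from the error in #1; the SAN list after "had names" is truncated in
# the post, so "placeholder.example" stands in for it here.
SAMPLE_CERTBOT_ERROR = (
    "Failed authorization procedure. www.kingdomorganicseeds.com (tls-sni-01): "
    "urn:acme:error:unauthorized :: The client lacks sufficient authorization :: "
    "Incorrect validation certificate for tls-sni-01 challenge. Requested "
    "ca33dc6aef1f2e2172ae6e04fc0e2267.0b5430db61ff93336776d2c888124057.acme.invalid "
    "from 198.71.56.71:443. Received 2 certificate(s), first certificate had names "
    '"placeholder.example", kingdomorganicseeds.com (tls-sni-01): '
    "urn:acme:error:unauthorized :: The client lacks sufficient authorization :: "
    "Incorrect validation certificate for tls-sni-01 challenge. Requested "
    "d650d69e6b06edfe792f1f210e387801.f2d55813daeaec48e619262995df1537.acme.invalid "
    "from 198.71.56.71:443. Received 2 certificate(s), first certificate had names "
    '"placeholder.example"'
)

# To see exactly what the CA saw, from any host (real command, needs network,
# not run here):
#   openssl s_client -connect 198.71.56.71:443 -servername <requested name> </dev/null \
#     | openssl x509 -noout -text | grep -A1 'Subject Alternative Name'

if __name__ == "__main__":
    path, body = http01_expected(SAMPLE_TOKEN, SAMPLE_THUMBPRINT)
    print("HTTP-01 serves", path, "with body", body)
    san = tls_sni01_expected_san(SAMPLE_TOKEN, SAMPLE_THUMBPRINT)
    print("TLS-SNI-01 expects SNI/SAN", san)
    print("default vhost cert passes?",
          tls_sni01_would_validate(["kingdomorganicseeds.com",
                                    "www.kingdomorganicseeds.com"], san))
    for domain, name, addr in parse_tls_sni01_failures(SAMPLE_CERTBOT_ERROR):
        print(domain, "-> CA asked", addr, "for", name)
```

The parser is the quick triage step: if the address it reports is not your server's A record, fix DNS (certbot's own hint); if it is, the server answered the `acme.invalid` SNI with its ordinary vhost certificate, and switching that certificate to HTTP-01 as described in #2 sidesteps the problem entirely.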

#3

Thank you so much. This was beginning to hurt my brain.


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.