Cannot renew certificate


#1

My web server is using network address translation and I am getting an error when trying to renew.

It appears that the local address does not match the DNS entry.

How do I renew this cert?


#2

Can you provide a few more details?

If it’s for an “internal” domain, you could potentially use the DNS challenge

Using http / https it should be fine as long as the DNS is set to the correct IP and it's routed (through NAT) to your server.


#3

"Correct zName not found for TLS SNI challenge." <-- this is the error.

It looks like the IP address of the server and the DNS IP are not the same, causing the "Correct zName not found for TLS SNI challenge." error?

How do I get around this?


#4

Is https correctly forwarded?

Why are the IP addresses of the DNS and the server different? As long as the DNS IP routes https traffic to your server IP then you should be OK.

What’s the domain name ?


#5

My server is on the AWS cloud. AWS assigns a local IP and NATs the public one.

The domain is

65shelbycobra.com


#6

Your current certificate has expired.

I’m guessing that an invalid cert ( including expired) probably gives the same error of “Correct zName not found”. You could try a temporary self signed cert.


#7

Yes, expired, that is why I am trying to renew it :stuck_out_tongue_winking_eye:


#8

Failed authorization procedure. 65shelbycobra.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found ‘65shelbycobra.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: 65shelbycobra.com
    Type: unauthorized
    Detail: Correct zName not found for TLS SNI challenge. Found
    65shelbycobra.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.


#9

What web server are you using? How are you running the client (flags and configuration)?


#10

Apache

/home/ubuntu/Downloads/letsencrypt/letsencrypt-auto -vv --apache --renew-by-default --email hackerace@gmail.com --agree-tos -d 65shelbycobra.com


#11

Could you provide your VHost configuration? That’s usually located in /etc/apache2/sites-enabled/.


#12

# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

SSLCertificateFile /etc/letsencrypt/live/65shelbycobra.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/65shelbycobra.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/65shelbycobra.com/chain.pem


#13

Missing the top two lines above


#14

<IfModule mod_ssl.c>
<VirtualHost *:443>


#15

If I read that correctly, that VHost doesn’t set ServerName anywhere. This might interfere with the temporary VHost Let’s Encrypt adds for tls-sni-01. Could you try setting ServerName 65shelbycobra.com and see if renewal works after that? (Note: If you’re using other subdomains too, make sure to add appropriate ServerAlias directives.)


#16

Set ServerName 65ShelbyCobra.com in sites-enabled and got the same

Failed authorization procedure. 65shelbycobra.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found ‘65shelbycobra.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: 65shelbycobra.com
    Type: unauthorized
    Detail: Correct zName not found for TLS SNI challenge. Found
    65shelbycobra.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.


#17

If there are no other VHosts that are interfering, I’m not sure what’s causing this.

Let’s Encrypt also supports http-01 challenges, which are a bit less finicky.
You can try the following:

./letsencrypt-auto --authenticator webroot --installer apache -w /var/www/html -d 65shelbycobra.com -d subdomain1.65shelbycobra.com -d subdomain2.65shelbycobra.com

Where /var/www/html is the DocumentRoot of your apache.


#18

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: 65shelbycobra.com
    Type: unauthorized
    Detail: Invalid response from http://65shelbycobra.com/.well-known
    /acme-challenge/CC4ipdeQyRdpKofP7F7D1Dk13c-hyuPEFyQ20Sn11u0
    [54.69.159.101]: 404

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

  • The following errors were reported by the server:

    Domain: subdomain2.65shelbycobra.com
    Type: connection
    Detail: DNS problem: NXDOMAIN looking up A for
    subdomain2.65shelbycobra.com

    Domain: subdomain1.65shelbycobra.com
    Type: connection
    Detail: DNS problem: NXDOMAIN looking up A for
    subdomain1.65shelbycobra.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.


#19

Ran the command without the subdomains and got this output

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: 65shelbycobra.com
    Type: unauthorized
    Detail: Invalid response from http://65shelbycobra.com/.well-known
    /acme-challenge/uGy9mdfrWWe-OD4epPdWxa-dPdV7VPWcDwVW6_SBUN8
    [54.69.159.101]: 404

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.


#20

Try running the following command:

mkdir /var/www/html/.well-known ; mkdir /var/www/html/.well-known/acme-challenge ; echo "12345" > /var/www/html/.well-known/acme-challenge/test

Then request http://65shelbycobra.com/.well-known/acme-challenge/test in your browser and see if it returns 12345. If that doesn’t work, I suspect some rewrite rules (maybe in /var/www/html/.htaccess) might be interfering with the request.
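As an added example (not code from this thread, from Let's Encrypt, or from the client), the Python below shows what the CA's validator is actually looking for in the two challenges discussed above: the `.acme.invalid` SAN behind the "Correct zName not found" error in #8/#16, and the `/.well-known/acme-challenge/<token>` file behind the 404 in #18/#19 that the test in #20 probes. It also checks a webroot offline the way the validator would, minus the network, so you can confirm the file is served before re-running the client. The account key, the certificate SAN lists and the temporary webroot are constructed values; the token is the one printed in #19. The key-authorization and thumbprint construction follow the ACME http-01 challenge and RFC 7638; the zName construction follows the (since retired) tls-sni-01 draft.

```python
"""Added example: what an ACME validator expects for http-01 and tls-sni-01,
plus an offline check of a webroot. Account key and SAN lists are constructed."""
import base64
import hashlib
import json
import os
import re
import tempfile


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses for tokens and JWK members."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over canonical JSON of the required public members
    only (RSA: e, kty, n), keys sorted, no whitespace. Extra members such as
    alg/kid must NOT change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """keyAuthorization = token '.' thumbprint(accountKey)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def safe_token(token: str) -> str:
    """ACME tokens are base64url; reject anything else so a token can never
    become a path component like '../' when written under the webroot."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", token):
        raise ValueError("token is not base64url")
    return token


def tls_sni01_zname(key_auth: str) -> str:
    """tls-sni-01 draft: Z = hex(SHA-256(keyAuthorization)); the validator
    connects with SNI Z[0:32].Z[32:64].acme.invalid and expects a cert whose
    dNSName SANs contain exactly that name."""
    z = hashlib.sha256(key_auth.encode("ascii")).hexdigest()
    return f"{z[:32]}.{z[32:]}.acme.invalid"


def write_http01(webroot: str, token: str, jwk: dict) -> str:
    """Place the challenge file where the webroot plugin would put it."""
    path = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(path, exist_ok=True)
    full = os.path.join(path, safe_token(token))
    with open(full, "w") as f:
        f.write(key_authorization(token, jwk))
    return full


def check_http01(webroot: str, token: str, jwk: dict) -> bool:
    """The validator's GET, without the network: the body served for
    /.well-known/acme-challenge/<token> must equal the key authorization.
    A missing file here is the 404 seen in the thread."""
    full = os.path.join(webroot, ".well-known", "acme-challenge", safe_token(token))
    if not os.path.isfile(full):
        return False
    with open(full) as f:
        return f.read().strip() == key_authorization(token, jwk)


def check_tls_sni01(presented_sans: list, key_auth: str) -> bool:
    """Boulder says 'Correct zName not found ... Found <sans>' when the cert
    served for the acme.invalid SNI lacks the expected name (e.g. the default
    vhost answered with the site's own, here expired, certificate)."""
    return tls_sni01_zname(key_auth) in presented_sans


# Constructed account key (not a real RSA key); extra members are deliberate.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(b"\x01" * 32),
               "alg": "RS256", "kid": "constructed"}
TOKEN = "uGy9mdfrWWe-OD4epPdWxa-dPdV7VPWcDwVW6_SBUN8"  # token from post #19


def run_demo() -> dict:
    """Reproduce both failure modes from the thread and their fixed states."""
    key_auth = key_authorization(TOKEN, ACCOUNT_JWK)
    results = {}
    with tempfile.TemporaryDirectory() as webroot:
        results["http01_missing"] = check_http01(webroot, TOKEN, ACCOUNT_JWK)
        write_http01(webroot, TOKEN, ACCOUNT_JWK)
        results["http01_served"] = check_http01(webroot, TOKEN, ACCOUNT_JWK)
    # Expired site cert only carries the hostname; certbot's temporary vhost
    # cert carries the acme.invalid name.
    results["tls_sni_site_cert"] = check_tls_sni01(["65shelbycobra.com"], key_auth)
    results["tls_sni_temp_cert"] = check_tls_sni01([tls_sni01_zname(key_auth)], key_auth)
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

The `safe_token` check is the part worth keeping even if you only ever copy the rest: anything that writes CA-supplied tokens under a DocumentRoot should refuse tokens containing `/` or `..`. For the thread's actual problem, `check_http01` returning `False` after the client wrote the file means the validator would get a 404 too; the thing to look at is then the vhost or `.htaccess` rewrite rules in front of `/.well-known/acme-challenge/`, not DNS.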