My web server is using network address translation and I am getting an error when trying to renew.
It appears that the local address does not match the DNS entry.
How do I renew this cert?
Can you provide a few more details?
If it’s for an “internal” domain, you could potentially use the DNS challenge.
Using HTTP/HTTPS it should be fine as long as the DNS is set to the correct IP and it’s routed (through NAT) to your server.
Correct zName not found for TLS SNI challenge. <-- this is the error.
It looks like the IP address of the server and the DNS IP are not the same, causing the “Correct zName not found for TLS SNI challenge.” error?
How do I get around this?
Is HTTPS correctly forwarded?
Why are the IP addresses of the DNS and the server different? As long as the DNS IP routes HTTPS traffic to your server IP then you should be OK.
What’s the domain name?
My server is on the AWS cloud. AWS assigns a local IP and NATs the public one.
The domain is
Your current certificate has expired.
I’m guessing that an invalid cert (including expired) probably gives the same error of “Correct zName not found”. You could try a temporary self-signed cert.
Yes, expired, that is why I am trying to renew it
Failed authorization procedure. 65shelbycobra.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found ‘65shelbycobra.com’
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: 65shelbycobra.com
Type: unauthorized
Detail: Correct zName not found for TLS SNI challenge. Found
’65shelbycobra.com’
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
What web server are you using? How are you running the client (flags and configuration)?
Apache
/home/ubuntu/Downloads/letsencrypt/letsencrypt-auto -vv --apache --renew-by-default --email hackerace@gmail.com --agree-tos -d 65shelbycobra.com
Could you provide your VHost configuration? That’s usually located in /etc/apache2/sites-enabled/
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
SSLCertificateFile /etc/letsencrypt/live/65shelbycobra.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/65shelbycobra.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/65shelbycobra.com/chain.pem
Missing the top two lines above:
<IfModule mod_ssl.c>
<VirtualHost *:443>
If I read that correctly, that VHost doesn’t set ServerName anywhere. This might interfere with the temporary VHost Let’s Encrypt adds for tls-sni-01. Could you try setting ServerName 65shelbycobra.com and see if renewal works after that? (Note: If you’re using other subdomains too, make sure to add appropriate ServerAlias directives.)
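As an added illustration of the ServerName/ServerAlias suggestion above (example configuration, not the original poster’s file): the *:443 VirtualHost from the posted config with the two wrapper lines the poster said were missing and an explicit ServerName. The ServerAlias entry is a placeholder for whatever additional names are on the certificate; the certificate paths are the ones from the posted config.

```apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
    # The reply above suggests that a VHost without ServerName can interfere
    # with the temporary VHost the client adds for the tls-sni-01 challenge,
    # so name this VHost explicitly.
    ServerName 65shelbycobra.com
    # One ServerAlias per extra name on the certificate (placeholder value).
    ServerAlias www.65shelbycobra.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLCertificateFile /etc/letsencrypt/live/65shelbycobra.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/65shelbycobra.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/65shelbycobra.com/chain.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
```

After editing, `apachectl configtest` checks the syntax and `apachectl -S` lists which VHost each name is bound to, which is the quickest way to confirm that 65shelbycobra.com now lands on this *:443 VHost rather than on a default one.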
Set ServerName 65ShelbyCobra.com in sites-enabled and got the same
Failed authorization procedure. 65shelbycobra.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found ‘65shelbycobra.com’
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: 65shelbycobra.com
Type: unauthorized
Detail: Correct zName not found for TLS SNI challenge. Found
’65shelbycobra.com’
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
If there are no other VHosts that are interfering, I’m not sure what’s causing this.
Let’s Encrypt also supports http-01 challenges, which are a bit less finicky.
You can try the following:
./letsencrypt-auto --authenticator webroot --installer apache -w /var/www/html -d 65shelbycobra.com -d subdomain1.65shelbycobra.com -d subdomain2.65shelbycobra.com
Where /var/www/html is the DocumentRoot of your Apache.
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: 65shelbycobra.com
Type: unauthorized
Detail: Invalid response from http://65shelbycobra.com/.well-known
/acme-challenge/CC4ipdeQyRdpKofP7F7D1Dk13c-hyuPEFyQ20Sn11u0
[54.69.159.101]: 404
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
The following errors were reported by the server:
Domain: subdomain2.65shelbycobra.com
Type: connection
Detail: DNS problem: NXDOMAIN looking up A for
subdomain2.65shelbycobra.com
Domain: subdomain1.65shelbycobra.com
Type: connection
Detail: DNS problem: NXDOMAIN looking up A for
subdomain1.65shelbycobra.com
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
Ran the command without the subdomains and got this output
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: 65shelbycobra.com
Type: unauthorized
Detail: Invalid response from http://65shelbycobra.com/.well-known
/acme-challenge/uGy9mdfrWWe-OD4epPdWxa-dPdV7VPWcDwVW6_SBUN8
[54.69.159.101]: 404
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
Try running the following command:
mkdir /var/www/html/.well-known ; mkdir /var/www/html/.well-known/acme-challenge ; echo "12345" > /var/www/html/.well-known/acme-challenge/test
Then request http://65shelbycobra.com/.well-known/acme-challenge/test in your browser and see if it returns 12345. If that doesn’t work, I suspect some rewrite rules (maybe in /var/www/html/.htaccess) might be interfering with the request.