Cannot renew certs on Nginx


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is (-> there is a handful):
mail.dalsgaard-data.dk
blog.dalsgaard-data.dk
dalsgaard-data.dk
dalsgaard-data.eu
www.dalsgaard-data.eu
inotes.dalsgaard-data.dk
www.dalsgaard-data.dk
traveler.dalsgaard-data.dk
fangst.dalsgaard-data.dk
mobile.dalsgaard-data.dk
wc.dalsgaard-data.dk
test.dalsgaard-data.dk

I ran this command:
certbot renew
I have set up a cron job as well - but to keep things simple I logged in as root and tried to run the command manually

It produced this output:
For each domain something similar to this:


Processing /etc/letsencrypt/renewal/wc.dalsgaard-data.dk.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for wc.dalsgaard-data.dk
nginx: [warn] “ssl_stapling” ignored, issuer certificate not found for certificate “/var/lib/letsencrypt/J-qM95yrAA-B9nttyktwxTbxfC3Pxmk2e85VDcsrSyI.crt”
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (wc.dalsgaard-data.dk) from /etc/letsencrypt/renewal/wc.dalsgaard-data.dk.conf produced an unexpected error: Failed authorization procedure. wc.dalsgaard-data.dk (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested e395249512cab3384fc9aba5a0d05725.cdf05aa98367a3488d1a318f2f5aa65d.acme.invalid from 80.162.92.162:443. Received 2 certificate(s), first certificate had names “blog.dalsgaard-data.dk”. Skipping.

And then concludes with this resume:


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.dalsgaard-data.dk/fullchain.pem (failure)
/etc/letsencrypt/live/blog.dalsgaard-data.dk/fullchain.pem (failure)
/etc/letsencrypt/live/dalsgaard-data.dk/fullchain.pem (failure)
/etc/letsencrypt/live/dalsgaard-data.eu/fullchain.pem (failure)
/etc/letsencrypt/live/www.dalsgaard-data.eu/fullchain.pem (failure)
/etc/letsencrypt/live/inotes.dalsgaard-data.dk/fullchain.pem (failure)
/etc/letsencrypt/live/www.dalsgaard-data.dk/fullchain.pem (failure)
/etc/letsencrypt/live/traveler.dalsgaard-data.dk/fullchain.pem (failure)
/etc/letsencrypt/live/fangst.dalsgaard-data.dk/fullchain.pem (failure)
/etc/letsencrypt/live/mobile.dalsgaard-data.dk/fullchain.pem (failure)
/etc/letsencrypt/live/wc.dalsgaard-data.dk/fullchain.pem (failure)
/etc/letsencrypt/live/test.dalsgaard-data.dk/fullchain.pem (failure)

12 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: blog.dalsgaard-data.dk
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    7de418c09703b324696d3222f8b1e335.23b489c717873338b7262b1def3948c2.acme.invalid
    from 80.162.92.162:443. Received 2 certificate(s), first
    certificate had names “blog.dalsgaard-data.dk”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • The following errors were reported by the server:

    Domain: dalsgaard-data.dk
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    8b265fb3a5b34ac235ff8e7455a623a6.11417616a610e921814c06e0e274cc22.acme.invalid
    from 80.162.92.162:443. Received 2 certificate(s), first
    certificate had names “blog.dalsgaard-data.dk”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • The following errors were reported by the server:

    Domain: dalsgaard-data.eu
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    1df083657988ed5a6d3469651016c41b.7ceae8ddddd65fa16e816eccf378bf98.acme.invalid
    from 80.162.92.162:443. Received 2 certificate(s), first
    certificate had names “blog.dalsgaard-data.dk”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • The following errors were reported by the server:

    Domain: fangst.dalsgaard-data.dk
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    272f28316c30a1e79aef1c65cf745c2f.e89f16a03611d22318630088ed76490c.acme.invalid
    from 80.162.92.162:443. Received 2 certificate(s), first
    certificate had names “blog.dalsgaard-data.dk”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • The following errors were reported by the server:

    Domain: inotes.dalsgaard-data.dk
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    15686ad4bb2490f423e9714556e25d57.1099c7ba8758571fac314520837c6398.acme.invalid
    from 80.162.92.162:443. Received 2 certificate(s), first
    certificate had names “blog.dalsgaard-data.dk”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • The following errors were reported by the server:

    Domain: mail.dalsgaard-data.dk
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    581000eebcd6390f0aae1bd2914375ab.885e35c3dc41bd57e86d55aa2e552bda.acme.invalid
    from 80.162.92.162:443. Received 2 certificate(s), first
    certificate had names “blog.dalsgaard-data.dk”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • The following errors were reported by the server:

    Domain: mobile.dalsgaard-data.dk
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    74b3ba19717ff70bd49a1c876aabbd74.eb8c827691fd543d8b1ac938d091359a.acme.invalid
    from 80.162.92.162:443. Received 2 certificate(s), first
    certificate had names “blog.dalsgaard-data.dk”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • The following errors were reported by the server:

    Domain: test.dalsgaard-data.dk
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    ea355f9fc8c2e82498dbac7ee008c57e.9f49674ed8c1a3ecb56195099d76495e.acme.invalid
    from 80.162.92.162:443. Received 2 certificate(s), first
    certificate had names “blog.dalsgaard-data.dk”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • The following errors were reported by the server:

    Domain: traveler.dalsgaard-data.dk
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    059603e8394aa0468815647c710c73a9.cf726a14db67c2921e14adbbdc476664.acme.invalid
    from 80.162.92.162:443. Received 2 certificate(s), first
    certificate had names “blog.dalsgaard-data.dk”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • The following errors were reported by the server:

    Domain: wc.dalsgaard-data.dk
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    e395249512cab3384fc9aba5a0d05725.cdf05aa98367a3488d1a318f2f5aa65d.acme.invalid
    from 80.162.92.162:443. Received 2 certificate(s), first
    certificate had names “blog.dalsgaard-data.dk”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • The following errors were reported by the server:

    Domain: www.dalsgaard-data.dk
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    d7b699b9ecaea44270dd406f66e05ce1.a386f079ab490a62aab3f140d69f8015.acme.invalid
    from 80.162.92.162:443. Received 2 certificate(s), first
    certificate had names “blog.dalsgaard-data.dk”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • The following errors were reported by the server:

    Domain: www.dalsgaard-data.eu
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    62a7542e07e74c0fc70120834022f374.36f88a62c4a71b8f88c5d3daf2622655.acme.invalid
    from 80.162.92.162:443. Received 2 certificate(s), first
    certificate had names “blog.dalsgaard-data.dk”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version):
Nginx 1.14.0
The server is set up as a proxy in front of the websites (that reside on various other servers). I use the proxy to “lift off” the SSL.

The operating system my web server runs on is (include version):
CentOS Linux 7.5.1804

My hosting provider, if applicable, is:
… own servers

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Further notes:
I am using certbot version 0.24.0.
The renewal worked last time (3 months ago).
I have disabled SSL for webmin on the proxy-server and disabled a the generic website in Nginx (*.dalsgaard-data.dk).


#2

Try

certbot renew --preferred-challenges http --dry-run

#3

Dear AZ

You were right!

That did the trick - although I am not entirely sure why?

I first ran the dry-run - and that gave no errors so then I updated my cron job and ran it :wink:

Thank you for your help!

/John


#4

You can read through here for the (very long) story of TLS-SNI: IMPORTANT: What you need to know about TLS-SNI validation issues

As for why it stopped renewing for you, it’s not clear, but if you made any changes with how you terminate SSL, it’s possible that it affected Certbot’s ability to perform the validation

Using --preferred-challenges http switches Certbot to HTTP validation, which works a bit better and is the default these days.


#5

Great - thanks!

Should I set Using --preferred-challenges http as a default somewhere in the configuration files instead of appending it to the renew command? I have put it in my cron job so it is not a big deal, but as you mention it is the default these days I guess there might be a config. option :wink:


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.