Can't renew certificate - probably error at initial certificate creation

I assume the problem is that I didn't know what I was doing when I set up the certificates. I'm mainly running WordPress on my server. When I installed the certificate, I assumed I had to enter subdomains. Apparently this causes confusion upon renewal.

Assuming there's some clash between certificates, I removed the certificate using

certbot delete. It was deleted, but I can't create a new certificate. I enclose what happened just before I messed things up.

My domain is:

I ran this command:
certbot renew

It produced this output:

Processing /etc/letsencrypt/renewal/

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for
Waiting for verification…
Cleaning up challenges
Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 08252ab848ea986bceda578e98f0b6ae.cf4bda6dc8f0b2dec74b68258fdfbbce.acme.invalid from Received 2 certificate(s), first certificate had names “blog.,,,,,”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

My web server is (include version):
Server version: Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 16.04.3 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Certbot tried to modify your apache configuration to create a temporary VirtualHost with a special certificate to respond to the TLS-SNI challenge from Let’s Encrypt, but for some reason it didn’t work and your existing VirtualHost with your normal certificate was returned instead.

Could you please post the output of the following command?

sudo apachectl -S

Thanks for helping! I’m a total newbie here, unfortunately.

~ 2014>sudo apachectl -S
AH00548: NameVirtualHost has no effect and will be removed in the next release    /etc/apache2/ports.conf:4
AH00112: Warning: DocumentRoot [/home/vds/www/] does not exist
VirtualHost configuration:      is a NameVirtualHost
         default server (/etc/apache2/sites-enabled/
         port 443 namevhost (/etc/apache2/sites-enabled/
         port 443 namevhost (/etc/apache2/sites-enabled/
         port 443 namevhost (/etc/apache2/sites-enabled/
         port 443 namevhost (/etc/apache2/sites-enabled/       is a NameVirtualHost
         default server (/etc/apache2/sites-enabled/
         port 80 namevhost (/etc/apache2/sites-enabled/
         port 80 namevhost (/etc/apache2/sites-enabled/
         port 80 namevhost (/etc/apache2/sites-enabled/
         port 80 namevhost (/etc/apache2/sites-enabled/
         port 80 namevhost (/etc/apache2/sites-enabled/
         port 80 namevhost (/etc/apache2/sites-enabled/
         port 80 namevhost (/etc/apache2/sites-enabled/
*:443         (/etc/apache2/sites-enabled/default-ssl.conf:2)
*:*                    ptsd-boken.grendelno (/etc/apache2/sites-enabled/
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ldap-cache: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl 
Mutex mpm-accept: using_defaults
Mutex cache-socache: using_defaults
PidFile: "/var/run/apache2/"
User: name="www-data" id=33
Group: name="www-data" id=33

I suspect that the <VirtualHost *:443> in /etc/apache2/sites-enabled/default-ssl.conf may be the problem. The other VirtualHosts that have an explicit IP address listed take precedence over it; however it may be confusing certbot into trying to use it as a basis for its temporary configuration, over which they would also then take precedence. (I don’t think that should happen in this case… but I don’t have a better explanation)

If you’re not actively using that virtual host, it might be worth a try to disable it (sudo a2dissite default-ssl) and run certbot again.
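The diagnosis above (a catch-all *:443 VirtualHost sitting beside address-specific ones) can be checked mechanically before touching the configuration. The POSIX shell script below is an added example, not code from this thread or from Certbot: it parses apachectl -S style output, lists the config file behind every wildcard *:443 VirtualHost, and reports whether such a vhost coexists with explicit IP:443 vhosts. The sample output, hostnames and addresses embedded in it are constructed placeholders modelled on the output posted above, not the poster's real values. Note that Let's Encrypt retired the TLS-SNI-01 challenge in 2019 and current Certbot releases use HTTP-01 or DNS-01 instead, but the vhost layout still decides which configuration Certbot's apache plugin edits, so the same check remains useful.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed sample of `apachectl -S`
# output; hostnames, IPs and file paths are placeholders.
SAMPLE_VHOSTS='VirtualHost configuration:
192.0.2.10:443         is a NameVirtualHost
         default server example.invalid (/etc/apache2/sites-enabled/example.conf:1)
         port 443 namevhost example.invalid (/etc/apache2/sites-enabled/example.conf:1)
         port 443 namevhost blog.example.invalid (/etc/apache2/sites-enabled/blog.conf:1)
192.0.2.10:80          is a NameVirtualHost
         default server example.invalid (/etc/apache2/sites-enabled/example.conf:12)
         port 80 namevhost example.invalid (/etc/apache2/sites-enabled/example.conf:12)
         port 80 namevhost blog.example.invalid (/etc/apache2/sites-enabled/blog.conf:12)
*:443                  localhost (/etc/apache2/sites-enabled/default-ssl.conf:2)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"'

# Print the config file behind each catch-all *:443 VirtualHost.
# Reads apachectl -S output on stdin. Handles both the one-line form
# ("*:443  name (file:line)") and the NameVirtualHost block form, where
# the member vhosts follow on indented "port 443 namevhost" lines.
catchall_443_files() {
    awk '
        # Extract the path inside "(path:line)" and print it.
        function print_path(line,   s) {
            if (match(line, /\([^:)]*:/)) {
                s = substr(line, RSTART + 1, RLENGTH - 2)
                print s
            }
        }
        /^\*:443[[:space:]]/ {
            if ($0 ~ /is a NameVirtualHost/) { inblock = 1; next }
            print_path($0); next
        }
        /^[^[:space:]]/ { inblock = 0 }          # any other address ends the block
        inblock && /^[[:space:]]/ { print_path($0) }
    ' | sort -u
}

# Exit 0 when a wildcard *:443 vhost coexists with an address-specific
# :443 vhost, i.e. the layout the reply above suspects; exit 1 otherwise.
has_mixed_443() {
    awk '
        /^\*:443[[:space:]]/                          { wild = 1 }
        /^[^*[:space:]][^[:space:]]*:443[[:space:]]/  { explicit = 1 }
        END { exit (wild && explicit) ? 0 : 1 }
    '
}

# Stand-alone demo on the constructed sample. On a real host, feed live
# output instead:  apachectl -S 2>&1 | catchall_443_files
printf '%s\n' "$SAMPLE_VHOSTS" | catchall_443_files
if printf '%s\n' "$SAMPLE_VHOSTS" | has_mixed_443; then
    echo "catch-all *:443 vhost found next to address-specific :443 vhosts"
fi
```

On the sample this prints /etc/apache2/sites-enabled/default-ssl.conf followed by the warning line; the file it names is the one to review (or disable with a2dissite, as suggested above) before rerunning Certbot.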


Thanks! This time Certbot did its stuff.

Everything seems to work now.

Thank you so much :slight_smile:
