Can't renew Certificate

Hello,

I am trying to renew one of my SSL Certificates.

However the client fails and gives the following output:

[Development-Server] [root] [/home/bleedobsidian/letsencrypt]: letsencrypt-auto certonly -d www.nebla.co.uk -d client.nebla.co.uk -d nebla.co.uk
Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly -d www.nebla.co.uk -d client.nebla.co.uk -d nebla.co.uk
Failed authorization procedure. client.nebla.co.uk (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found '*.registrar-servers.com, registrar-servers.com', www.nebla.co.uk (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found '*.registrar-servers.com, registrar-servers.com', nebla.co.uk (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found '*.registrar-servers.com, registrar-servers.com'

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: client.nebla.co.uk
Type: unauthorized
Detail: Correct zName not found for TLS SNI challenge. Found
'*.registrar-servers.com, registrar-servers.com'

Domain: www.nebla.co.uk
Type: unauthorized
Detail: Correct zName not found for TLS SNI challenge. Found
'*.registrar-servers.com, registrar-servers.com'

Domain: nebla.co.uk
Type: unauthorized
Detail: Correct zName not found for TLS SNI challenge. Found
'*.registrar-servers.com, registrar-servers.com'

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.

The website is hosted with another hosting company (which is why the output is on about '*.registrar-servers.com, registrar-servers.com').

What am I doing wrong? I assume the client is failing to challenge the domain because the certificates don't match up, but how can I fix this? The A records for the domain go to the IP address 37.61.237.49, which is the holder of these different SSL certificates. But how can I get the ACME client to allow the certificate to be renewed?

I've had a good look around for other topics on the forum; however, most of them are for people running a local web server. Creating a self-signed certificate would not solve anything here.

Thank you for any help.

Hi @BleedObsidian, are you running the client on the actual server that the DNS record points at? (I was confused when you said “hosted with another hosting company” and “the IP address … which is the holder of these different SSL certificates” and “for people running a local web server”. That makes it sound like you’re running on a different machine from the actual web server that the DNS record refers to.)

The default behavior of the client is totally oriented toward running the client on the same machine that the name refers to. In the future it will be possible to use a variant of webroot with a remote server (but that’s not possible yet); it’s currently possible to use manual this way; and you can use third-party clients with the DNS challenge type (where you prove control of the name by changing DNS records).

@schoen

Ah that would explain why I’m finding it hard to find any documentation about this.

I am indeed running the Let’s Encrypt client on another machine (my virtual CentOS server). The website (www.nebla.co.uk) is hosted with a web hosting company. I issued the certificate using certonly and then installed the certificate onto the website with cPanel.

The DNS A records of nebla.co.uk point towards the IP address 37.61.237.49 (which is the web hosting company). I’m running the Let’s Encrypt client on a completely separate machine.

So how would I go about proving control of the domain via DNS records?

Thank you for your reply.

Well, how did you do it the first time when it worked? Did you originally have the DNS records pointing at your CentOS server?

I did not, I used an ACME challenge and placed the file under “/.well-known/acme-challenge” on the website.

You can get it the same way again (that sounds like manual to me), or try the DNS method.

The only client I’m aware of that supports the DNS challenge is letsencrypt.sh

Thank you, I didn’t realise I could use the acme-challenge again. I just wasn’t sure how renewing worked.

Thanks for your help.
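For anyone in the same situation (client on one machine, site hosted elsewhere), the values you have to publish for the manual http-01 and dns-01 challenges are derived from the challenge token and your account key's JWK thumbprint (RFC 7638 / RFC 8555). The script below is an added illustration, not from this thread or the client; the account JWK and token in it are constructed placeholders, not real key material.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> bytes:
    """RFC 7638 canonical form: required members only, lexicographic order, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    subset = {k: jwk[k] for k in required}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk)).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token || '.' || base64url(thumbprint) (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """(URL the CA fetches, exact file body). The CA connects to whatever the A
    record resolves to, so this file must live on the hosting company's server
    (e.g. uploaded via cPanel), not on the machine running the ACME client."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, jwk)


def dns01_response(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """(TXT record name, TXT value) = base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


# Constructed placeholders for the demo: NOT a real key, NOT a real token.
ACCOUNT_JWK = {"kty": "RSA", "n": "constructed-modulus-not-a-real-key", "e": "AQAB"}
TOKEN = "constructedTokenFromTheCA"

if __name__ == "__main__":
    print(http01_response("nebla.co.uk", TOKEN, ACCOUNT_JWK))
    print(dns01_response("nebla.co.uk", TOKEN, ACCOUNT_JWK))
```

Swap in the JWK of your real account key and the token the client prints in manual mode; the file body and TXT value are what the CA checks, and it checks them at the host the DNS record points to.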