Can't renew Certificate


#1

Hello,

I am trying to renew one of my SSL Certificates.

However the client fails and gives the following output:

[Development-Server] [root] [/home/bleedobsidian/letsencrypt]: letsencrypt-auto certonly -d www.nebla.co.uk -d client.nebla.co.uk -d nebla.co.uk
Updating letsencrypt and virtual environment dependencies…
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly -d www.nebla.co.uk -d client.nebla.co.uk -d nebla.co.uk
Failed authorization procedure. client.nebla.co.uk (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found ‘.registrar-servers.com, registrar-servers.com’, www.nebla.co.uk (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found '.registrar-servers.com, registrar-servers.com’, nebla.co.uk (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found ‘*.registrar-servers.com, registrar-servers.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: client.nebla.co.uk
Type: unauthorized
Detail: Correct zName not found for TLS SNI challenge. Found
’*.registrar-servers.com, registrar-servers.com

Domain: www.nebla.co.uk
Type: unauthorized
Detail: Correct zName not found for TLS SNI challenge. Found
’*.registrar-servers.com, registrar-servers.com

Domain: nebla.co.uk
Type: unauthorized
Detail: Correct zName not found for TLS SNI challenge. Found
’*.registrar-servers.com, registrar-servers.com

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.

The website is hosted with another hosting company (Which is why the output is on about ‘*.registrar-servers.com, registrar-servers.com’).

What am I doing wrong? I assume the client is failing to challenge the domain because the certificates don’t match up, but how can I fix this? The A records for the domain go to the IP address 37.61.237.49 which is the holder of these different SSL certificates. But how can I get the ACME client to allow the certificate to be renewed.

I’ve had a good look around for other topics on the forum however most of them are for people running a local web server. Creating a self-signed certificate would not solve anything here.

Thank you for any help.


#2

Hi @BleedObsidian, are you running the client on the actual server that the DNS record points at? (I was confused when you said “hosted with another hosting company” and “the IP address … which is the holder of these different SSL certificates” and “for people running a local web server”. That makes it sound like you’re running on a different machine from the actual web server that the DNS record refers to.

The default behavior of the client is totally oriented toward running the client on the same machine that the name refers to. In the future it will be possible to use a variant of webroot with a remote server (but that’s not possible yet); it’s currently possible to use manual this way; and you can use third-party clients with the DNS challenge type (where you prove control of the name by changing DNS records).


#3

@schoen

Ah that would explain why I’m finding it hard to find any documentation about this.

I am indeed running the let’s encrypt client on another machine (My virtual CentOS server). The website (www.nebla.co.uk) is hosted with a Web Hosting company. I issued the certificate using certonly and then installed the certificate onto the website with cPanel.

The DNS A records of nebla.co.uk point towards the IP Address 37.61.237.49 (Which is the Web Hosting Company). I’m running the Let’s Encrypt Client on a completely separate machine.

So how would I go about proving control of the domain via DNS records?

Thank you for your reply.


#4

Well, how did you do it the first time when it worked? Did you originally have the DNS records pointing at your CentOS server?


#5

I did not, I used an ACME challenge and placed the file under “/.well-known/acme-challenge” on the website.


#6

You can get it the same way again (that sounds like manual to me), or try the DNS method.

The only client I’m aware of that supports the DNS challenge is letsencrypt.sh


#7

Thank you, I didn’t realise I could use the acme-challenge again. I just wasn’t sure how renewing worked.

Thanks for your help