Can't renew my certificates - Incorrect validation certificate for tls-sni-01 challenge

Hello everyone,
I have been using the Let’s Encrypt certificates for the past 3 months but I’m having trouble renewing the old certificates.
The certificates are all working perfectly fine but Certbot gives me error messages when trying to renew.
I am using Apache as a webserver but I am configuring it through Froxlor.
When I’m trying to renew using ‘certbot renew --apache’, I’m getting the following error message:

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mydomain.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.acme.invalid
    from xxx.xxx.xxx.xx:443. Received 2 certificate(s), first
    certificate had names “aseconddomain.de, mail.aseconddomain.de,
    www.aseconddomain.de

I replaced my IP and the digits before ‘.acme.invalid’ with x’s.
mydomain.com is the domain I’m trying to obtain new certificates for and aseconddomain.de is a second domain of mine.
For aseconddomain.de I have one certificate that also contains www.aseconddomain.de and mail.aseconddomain.de.
How do I just renew the certificates as they are? I don’t want one certificate with all my 10 domains in it, I want one certificate for every single domain, just as it is now.

Btw: I have been searching a lot and found that mydomain.com/.well-known/acme-challenge/ has to be accessible.
The .well-known folder isn’t present in the root directories of my domain but when I create them and issue a random file in it, I can access it from the browser. I’m absolutely clueless right now because I have no idea what’s not working.

Thanks in advance for useful tips.

Regards,

Unfortunately, it’s very difficult to debug this without the real domain. :frowning:

Does a plain certbot renew without the --apache fare any better? I’m not sure of the effect of specifying a plugin like --apache to renew. Certbot typically figures out the plugin you used before. It’s possible you’re overriding the previous successful method you used with one that isn’t working.

Did you add a CDN or reverse proxy, such as CloudFlare, since the last time you renewed? This is typically the cause of tls-sni-01 issues, but given your output this seems unlikely.

Otherwise, we’d probably need to see your debug log from /var/log/letsencrypt in order to figure out where things are going south.

Hello,
thanks for the reply.
I tried to do it without --apache, no difference.
I also don’t use a CDN or reverse proxy.
I did a SSL Check with ssllabs.com, all good.
I will copy the debug log and paste it here…

Greeting,

Found the solution:
Since Froxlor doesn’t support more than one domain per IP address, I had to improvise.
There is an input field called ‘own vhost configs’ in Froxlor. I put my own vhost configs in there and it all worked fine.
But certbot issues an error when multiple vhosts are in one config file. That’s what has thrown the error.
Seems to be a certbot issue and would be nice to bugfix this.

Regards,

Ugh, it’s very disappointing that your control panel still limits one domain per IP address in 2017. :cry:

Unfortunately IIRC certbot doesn’t support multiple virtual hosts in one file at this time. I think it’s on their radar to fix but you probably don’t want to wait for your certificate to expire.

You could avoid using the automatic Apache installer and instead issue your certificates using webroot authentication, e.g.

sudo certbot certonly --webroot -w /var/www/html -d example.com,www.example.com,mail.example.com

If you already have working certificates installed from certbot, this will replace your existing certificates as long as you’re careful to group your domains the same way as before and specify them in the same order.

If you add new certificates this way you would need to manually specify the location of the certificate/private key in /etc/letsencrypt/live in your virtual hosts.

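One way to check a setup like this before the next renewal, as an added example that is not code from the thread, from certbot or from Froxlor: scan the Apache vhost files for the condition described above (more than one `<VirtualHost>` block in a single file) and list the hostnames of each block, so the webroot command can be built with the same grouping and order as the existing certificates. The config directory, the `*.conf` naming and the sample config text are assumptions and constructed sample data; adjust the path to your own layout.

```python
"""Audit Apache vhost files for more than one <VirtualHost> per file and
print a webroot issuance command per block (added example, not certbot's
or Froxlor's own code; paths and sample config are assumptions)."""
import re
import sys
from pathlib import Path

# Assumed location of the enabled vhost files (Debian/Ubuntu layout).
DEFAULT_CONF_DIR = "/etc/apache2/sites-enabled"

VHOST_OPEN = re.compile(r"^<VirtualHost\b", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^</VirtualHost\b", re.IGNORECASE)
NAME_DIRECTIVE = re.compile(r"^(ServerName|ServerAlias)\s+(.+)$", re.IGNORECASE)

# Constructed sample of an 'own vhost configs' file holding two hosts.
SAMPLE_CONF = """\
# constructed example: two vhosts in one file
<VirtualHost *:443>
    ServerName aseconddomain.de
    ServerAlias mail.aseconddomain.de www.aseconddomain.de
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName mydomain.com:443
    ServerAlias www.mydomain.com
</VirtualHost>
"""


def _hostname(token):
    """Strip an optional scheme:// prefix and :port suffix from a ServerName token."""
    return token.split("://", 1)[-1].split(":", 1)[0]


def parse_vhosts(text):
    """Return one hostname list per <VirtualHost> block, in file order:
    the ServerName first, then ServerAlias entries, without duplicates.
    Only whole-line comments are skipped; Apache does not allow a trailing
    comment on a directive line, so no mid-line '#' handling is needed."""
    vhosts = []
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if VHOST_OPEN.match(line):
            block = {"servername": None, "aliases": []}
        elif VHOST_CLOSE.match(line):
            if block is not None:
                names = [block["servername"]] if block["servername"] else []
                names += [a for a in block["aliases"] if a not in names]
                vhosts.append(names)
            block = None
        elif block is not None:
            m = NAME_DIRECTIVE.match(line)
            if m:
                tokens = [_hostname(t) for t in m.group(2).split()]
                if m.group(1).lower() == "servername":
                    block["servername"] = tokens[0]
                else:
                    block["aliases"].extend(t for t in tokens if t not in block["aliases"])
    return vhosts


def audit_config_dir(conf_dir=DEFAULT_CONF_DIR):
    """Map every *.conf file under conf_dir to its parsed vhost blocks."""
    return {p.name: parse_vhosts(p.read_text(errors="replace"))
            for p in sorted(Path(conf_dir).glob("*.conf"))}


def files_with_multiple_vhosts(report):
    """Files holding more than one <VirtualHost> block: the case the thread hit."""
    return sorted(f for f, blocks in report.items() if len(blocks) > 1)


def webroot_command(names, webroot="/var/www/html"):
    """Webroot issuance command keeping the domain grouping and order as given."""
    return "certbot certonly --webroot -w {} -d {}".format(webroot, ",".join(names))


if __name__ == "__main__":
    conf_dir = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_CONF_DIR
    if Path(conf_dir).is_dir():
        report = audit_config_dir(conf_dir)
    else:  # no Apache here: fall back to the constructed sample
        report = {"sample.conf": parse_vhosts(SAMPLE_CONF)}
    for fname, blocks in report.items():
        print(f"{fname}: {len(blocks)} vhost(s)")
        for names in blocks:
            print("    " + webroot_command(names))
    bad = files_with_multiple_vhosts(report)
    if bad:
        print("split these before relying on the Apache plugin: " + ", ".join(bad))
```

Run it with the vhost directory as the only argument; with no Apache on the machine it falls back to the constructed sample and shows the two blocks that would trip the Apache plugin, together with one webroot command per block.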

Thanks for your answer, I will try that!
What I did for now is create a second virtual host file for each domain with the needed SSL configuration stuff in it. This file is deleted after the next restart but it lasts for the cert update. Not very nice but it works. I’ll take a look at your solution for the future renewals.

Best regards,

