Certbot-Auto Renewing Not Working on Apache Due to VHOST Configs


#1

Hi Guys,

I have several vhosts set up on my server and can no longer renew my certificates.

The command I use is:

certbot-auto renew

The error I get is (for any expired site on my server):

   Domain: subdomain.example.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
   Requested
   a884504975f0418fd32e307be081963a.0ceb829771d5211f1384cf49522c1d3e.acme.invalid
   from 0.0.0.0.0:443. Received 2 certificate(s), first certificate
   had names "example.com, www.example.com'

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

I have substituted my host with example.com and my IP with 0.0.0.0.

I think the cert validation check is failing because it’s requesting the certificate via the IP address and not hostname?

Thanks in advance for your help!


#2

Do you have multiple vhosts defined within the same configuration file? This confuses Certbot, but it doesn’t display a useful error message in this situation.


#3

Hi,

Thanks for your response. Yes, I do but I haven’t had a problem with that on other servers I have.

Does the error point towards a different certificate being served when requesting via IP address?

Thanks


#4

The error is actually from the CA, complaining that the challenge it posed to you hasn’t been satisfied correctly, even when the client (Certbot) claimed it had.

The error indicates that the Certbot apache plugin failed to successfully reconfigure the web server’s Apache config files in order to pass the challenge from the CA (yet, unfortunately, thought it had succeeded). There are various reasons that you could fail to reconfigure Apache, but the most common one is multiple vhosts defined in a single configuration file; the current version of the parser doesn’t understand this correctly, but often fails to give a useful error about its confusion.

I’m not sure why so many people manage to get their certificates correctly under these conditions but fail to renew them, but @bmw said it could be due to slightly different behavior in different versions of Certbot over time. There might also be another explanation that we haven’t found yet that makes renewal more sensitive to this problem somehow.
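The condition described above (more than one <VirtualHost> block in a single Apache configuration file) is easy to check for before running a renewal. The following script is an added example for this thread, not Certbot's own parser: it walks the vhost blocks in a file, reports any file that defines more than one, and produces the one-vhost-per-file split that this thread ends up using. It assumes plain, unquoted ServerName/ServerAlias arguments and does not follow Include directives or Define macros; the sample configuration is constructed for the example.

```python
"""Detect Apache config files that hold more than one <VirtualHost> block and
propose a one-block-per-file split. Added example, not Certbot code."""
import re
from typing import Dict, List

# Constructed sample: three vhosts (two names, ports 80 and 443) in ONE file,
# which is the layout the thread identifies as confusing Certbot's Apache plugin.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    SSLEngine on
</VirtualHost>

<VirtualHost *:443>
    ServerName subdomain.example.com   # comment after a directive
    SSLEngine on
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost\s*>", re.IGNORECASE)
NAME_DIRECTIVE = re.compile(r"^\s*(ServerName|ServerAlias)\s+(.+?)\s*$", re.IGNORECASE)


def parse_vhosts(text: str) -> List[dict]:
    """Return one dict per <VirtualHost> block: address spec, names served,
    and the 1-based start/end line numbers of the block."""
    vhosts: List[dict] = []
    current = None
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.split("#", 1)[0]  # drop trailing comments (simplified)
        m = VHOST_OPEN.match(stripped)
        if m:
            if current is not None:
                raise ValueError(f"line {lineno}: <VirtualHost> blocks cannot be nested")
            current = {"addr": m.group(1).strip(), "names": [], "start": lineno}
            continue
        if VHOST_CLOSE.match(stripped):
            if current is None:
                raise ValueError(f"line {lineno}: </VirtualHost> without an opening tag")
            current["end"] = lineno
            vhosts.append(current)
            current = None
            continue
        if current is not None:
            m = NAME_DIRECTIVE.match(stripped)
            if m:
                current["names"].extend(m.group(2).split())
    if current is not None:
        raise ValueError(f"<VirtualHost> opened at line {current['start']} is never closed")
    return vhosts


def files_with_multiple_vhosts(configs: Dict[str, str]) -> List[str]:
    """Given {path: file contents}, return the paths defining more than one vhost."""
    return sorted(path for path, text in configs.items() if len(parse_vhosts(text)) > 1)


def split_into_files(text: str) -> Dict[str, str]:
    """The remediation the thread arrives at: one <VirtualHost> per file.
    Returns {suggested filename: block text}; filenames are derived from the
    first ServerName/ServerAlias and the listening port (hypothetical naming)."""
    lines = text.splitlines()
    out: Dict[str, str] = {}
    for vh in parse_vhosts(text):
        primary = vh["names"][0] if vh["names"] else "default"
        port = vh["addr"].rsplit(":", 1)[-1] if ":" in vh["addr"] else "80"
        base = f"{primary}-{port}"
        name, n = f"{base}.conf", 1
        while name in out:  # avoid clobbering a block with the same name and port
            n += 1
            name = f"{base}-{n}.conf"
        out[name] = "\n".join(lines[vh["start"] - 1 : vh["end"]]) + "\n"
    return out


if __name__ == "__main__":
    configs = {"sites-enabled/example.conf": SAMPLE_CONF}
    for path in files_with_multiple_vhosts(configs):
        print(f"{path}: {len(parse_vhosts(configs[path]))} vhosts in one file; suggested split:")
        for fname in split_into_files(configs[path]):
            print("   ", fname)
```

Run it against the contents of your sites-enabled directory (read each file into the `configs` dict) before `certbot-auto renew`; any file it lists is a candidate for the split shown in the thread.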


#5

Ok thanks, I will try putting vhosts in individual files.
Why would certbot need to modify the file to reconfigure them? Location of cert?

Thanks again


#6

The Apache plugin works by configuring your server to serve a temporary self-signed certificate containing information requested by the CA, in order to prove that you really control the site. In order to do that, it has to modify your Apache configuration.


#7

It worked, thanks!

Purely out of interest, what modifications does it make to the vhost file?


#8

@rob1,

They are those made by this code:


#9

Thank you, I will research this further.

