Certbot renewal failure

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: hiconv.com

I ran this command: certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/docs.hiconv.com.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/admin.hiconv.com.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/hiconv.com.conf

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for hiconv.com
nginx: [warn] conflicting server name "hiconv.com" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "hiconv.com" on 0.0.0.0:443, ignored
Waiting for verification…
Cleaning up challenges
nginx: [warn] conflicting server name "hiconv.com" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "hiconv.com" on 0.0.0.0:443, ignored
Attempting to renew cert (hiconv.com) from /etc/letsencrypt/renewal/hiconv.com.conf produced an unexpected error: Failed authorization procedure. hiconv.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 9860c77fc499d68357f14c6a72770bd6.c82c209c5b0012f63f3c3209ced0a9e6.acme.invalid from 95.85.40.77:443. Received 2 certificate(s), first certificate had names "admin.hiconv.com". Skipping.

The following certs are not due for renewal yet:
/etc/letsencrypt/live/docs.hiconv.com/fullchain.pem (skipped)
/etc/letsencrypt/live/becausejavascript.com/fullchain.pem (skipped)
/etc/letsencrypt/live/admin.hiconv.com/fullchain.pem (skipped)
/etc/letsencrypt/live/wiki.hiconv.com/fullchain.pem (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/hiconv.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: hiconv.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    9860c77fc499d68357f14c6a72770bd6.c82c209c5b0012f63f3c3209ced0a9e6.acme.invalid
    from 95.85.40.77:443. Received 2 certificate(s), first certificate
    had names "admin.hiconv.com"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): nginx/1.6.2

The operating system my web server runs on is (include version): Ubuntu 14.04.5 LTS

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Just a couple of things that should be dealt with (even if they are not part of this problem):

  1. "overlapping" server names:
  2. IPv6 assigned address:
    Name: hiconv.com
    Addresses: 2a03:b0c0:0:1010::91:a001
    95.85.40.77
    Aliases: admin.hiconv.com

@rg305

I have 3 CNAMEs: admin.hiconv.com, docs.hiconv.com and www.hiconv.com all aliases for hiconv.com (95.85.40.77) and issued letsencrypt certs for all of them. Is that irregular?

And hiconv.com should respond to both http and https? Is that what you mean by “overlapping” server names?

Br,
Thalis K.

Something is creating a "conflict", presumably using the same server name in different vhost blocks.

What is irregular is the DNS resolution for the names, which shows IPv4 and IPv6 addresses and may not have been accounted for:
Addresses: 2a03:b0c0:0:1010::91:a001
95.85.40.77

I added IPv6 addresses today but was already getting the reported renewal errors from certbot before, when I only had IPv4.

Although this does show some detail and may explain why this is failing:

Perhaps running with -debug --verbose may show more detail and make this clear:
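Added example (editor's, not from the thread, certbot or nginx): a small Python model of the two things rg305 points at. It reads an nginx config the way the "conflicting server name" warning does (on one listen address a name belongs to the first block that claims it; later repeats are ignored) and then works out which server block would answer the TLS handshake for the requested .acme.invalid SNI name. The config, the shape of certbot's temporary block and the simplified selection rule (exact match, else default_server, else the first block on that socket; wildcard and regex names are not modelled) are assumptions for illustration. Against this constructed config the validator lands on the default :443 block, which is exactly the "first certificate had names admin.hiconv.com" symptom in the output above.

```python
import re

# Constructed nginx config reproducing the symptom in the thread: "hiconv.com"
# is claimed by two server blocks on 0.0.0.0:80 and 0.0.0.0:443. Not the real one.
SAMPLE_CONF = """
server { listen 80; server_name admin.hiconv.com;
         location / { return 301 https://$host$request_uri; } }
server { listen 443 ssl; server_name admin.hiconv.com; }
server { listen 80; listen 443 ssl; server_name hiconv.com www.hiconv.com; }
server { listen 80; listen 443 ssl; server_name hiconv.com; }  # duplicate name
"""

# The tls-sni-01 SNI name the validation server requested (from the output above).
CHALLENGE_NAME = ("9860c77fc499d68357f14c6a72770bd6."
                  "c82c209c5b0012f63f3c3209ced0a9e6.acme.invalid")

# Assumed shape of the temporary block certbot's nginx plugin must get loaded
# for the challenge; an illustration, not certbot's literal output.
CERTBOT_TEMP_BLOCK = "server { listen 443 ssl; server_name %s; }\n" % CHALLENGE_NAME


def normalize_listen(arg):
    """Render a `listen` argument as nginx prints it: a bare port means every
    IPv4 address (0.0.0.0:PORT); a bare address means port 80."""
    if arg.startswith("["):                       # [::]:443 or [::]
        return arg if ":" in arg.split("]")[1] else arg + ":80"
    if ":" in arg:                                # 1.2.3.4:443
        return arg
    return "0.0.0.0:" + arg if arg.isdigit() else arg + ":80"


def parse_server_blocks(conf):
    """Collect listen / server_name / default_server from each top-level
    `server` block. Nested blocks are skipped by brace depth; include, map
    and upstream are ignored. Enough for the conflict check, not a full parser."""
    tokens = re.findall(r"\{|\}|;|[^\s{};]+", re.sub(r"#.*", "", conf))
    blocks, i = [], 0
    while i < len(tokens):
        if tokens[i] != "server" or tokens[i + 1:i + 2] != ["{"]:
            i += 1
            continue
        block = {"listen": [], "server_name": [], "default": set()}
        depth, stmt, i = 1, [], i + 2
        while depth and i < len(tokens):
            tok = tokens[i]
            if tok == "{":
                depth += 1
            elif tok == "}":
                depth -= 1
            elif tok == ";" and depth == 1 and stmt:
                if stmt[0] == "listen":
                    addr = normalize_listen(stmt[1])
                    block["listen"].append(addr)
                    if "default_server" in stmt[2:] or "default" in stmt[2:]:
                        block["default"].add(addr)
                elif stmt[0] == "server_name":
                    block["server_name"] += [s.lower() for s in stmt[1:]]
            stmt = [] if tok in ("{", "}", ";") else stmt + [tok]
            i += 1
        blocks.append(block)
    return blocks


def find_conflicts(blocks):
    """The check behind `nginx: [warn] conflicting server name ...`: per listen
    address a name belongs to the first block that claims it; repeats are ignored."""
    owner, warnings = {}, []
    for blk in blocks:
        for addr in blk["listen"]:
            for name in blk["server_name"]:
                if (addr, name) in owner:
                    msg = 'nginx: [warn] conflicting server name "%s" on %s, ignored'
                    warnings.append(msg % (name, addr))
                else:
                    owner[(addr, name)] = blk
    return warnings


def select_server(blocks, addr, sni_name):
    """Block that answers a TLS handshake for sni_name on addr. Simplified nginx
    rule: exact server_name match, else the default_server for that address,
    else the first block listening there. Wildcard/regex names not modelled."""
    candidates = [b for b in blocks if addr in b["listen"]]
    if not candidates:
        return None
    name = sni_name.lower()
    for b in candidates:
        if name in b["server_name"]:
            return b
    for b in candidates:
        if addr in b["default"]:
            return b
    return candidates[0]


def challenge_responder(conf, addr="0.0.0.0:443"):
    """Names on the certificate the validator would get for CHALLENGE_NAME,
    before and after certbot's temporary block is part of the loaded config."""
    before = select_server(parse_server_blocks(conf), addr, CHALLENGE_NAME)
    after = select_server(parse_server_blocks(conf + CERTBOT_TEMP_BLOCK), addr, CHALLENGE_NAME)
    return before["server_name"], after["server_name"]


if __name__ == "__main__":
    for w in find_conflicts(parse_server_blocks(SAMPLE_CONF)):
        print(w)
    before, after = challenge_responder(SAMPLE_CONF)
    print("validator would receive", before, "-> with certbot's block loaded:", after)
```

On the real host `nginx -t` reproduces the two warnings (the `-T` switch that dumps the merged config only exists from nginx 1.9.2, so on 1.6.2 the included vhost files have to be grepped for the second `server_name hiconv.com` by hand). The duplicate block needs to be removed or merged before certbot's temporary block can reliably be the one answering for the .acme.invalid name on 0.0.0.0:443.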
