Cert renewal failure, but DNS appears to be fine


#1

My domain is:
grantwu.me

I ran this command, and it produced this output:

root@vultr:~# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/grantwu.me.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for grantwu.me
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (grantwu.me) from /etc/letsencrypt/renewal/grantwu.me.conf produced an unexpected error: Failed authorization procedure. grantwu.me (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested c123404c40b971f7c9f73cb2862f0b9b.255b068ad6624c3d0e76644234d8660f.acme.invalid from 45.77.148.48:443. Received 2 certificate(s), first certificate had names "grantwu.me". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/grantwu.me/fullchain.pem (failure)

-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/grantwu.me/fullchain.pem (failure)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: grantwu.me
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   c123404c40b971f7c9f73cb2862f0b9b.255b068ad6624c3d0e76644234d8660f.acme.invalid
   from 45.77.148.48:443. Received 2 certificate(s), first certificate
   had names "grantwu.me"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):

root@vultr:~# nginx -v
nginx version: nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version):

root@vultr:~# lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.3 LTS
Release:	16.04
Codename:	xenial

My hosting provider, if applicable, is: Vultr, but I don’t think it’s applicable

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Files in /etc/nginx/sites-enabled/ are:
https://grantwu.me/default.txt
https://grantwu.me/weechat.txt

Here’s my /etc/letsencrypt/options-ssl-nginx.conf
https://grantwu.me/options-ssl-nginx.conf.txt

I’m running certbot 0.19.0, for what it’s worth.


#2

Hmm, I think you might be running into a bug in certbot’s nginx plugin - perhaps this one? The second server block with the same server_name on a different port might be confusing it.

I wonder if changing the order of the config files would help, as a workaround? eg by renaming weechat to a_weechat or something like that?

Or you could switch to using --webroot, I guess.


#3

If I’m reading this correctly, if choose_vhost returns anything, that address alone is used; and there’s nothing I can see restricting choose_vhost to the tls-sni-01 port. I might be reading it wrong though as my python is rusty…


#4

Holy shit! It worked by renaming it to a_weechat! Thanks a ton!

Is the second server block with the same server_name an error on my end? I’m an nginx noob.


#5

I think it’s a bug in certbot rather than an error on your part. I’m not sure of the exact nature of the bug (if indeed it is a bug) but I suggested a theory above; and I think that the fact that renaming the file fixed the problem for you, seems to support the theory that certbot’s nginx plugin is picking the wrong vhost to complete the challenge.

In general I believe it should be fine to have two server blocks with the same server_name as long as they are on different ports; I’m also an nginx noob but I know this would be perfectly fine with apache so I see no reason it should be different with nginx.
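
A quick way to check for the condition posts #2 and #5 point at (the same server_name appearing in more than one server block, on different ports, across files that nginx's wildcard include reads in sorted order) is to parse the files in sites-enabled and list every duplicated name together with the file and listen directive of each block. The script below is an added example, not certbot's or nginx's own code; the two config files in it are constructed stand-ins for the poster's default and weechat files (whose real contents are only linked from the post), and the port 9001 for the weechat block is an assumption. It also shows what renaming weechat to a_weechat does to the include order.

```python
"""Lint nginx vhosts for server_name values that appear in more than one
server block (the set-up this thread identifies as confusing certbot's
nginx plugin), listed in the order nginx's wildcard include reads them.

Added example; not certbot's or nginx's own code.  The configs below are
constructed stand-ins for the poster's files, not copies of them.
"""
import re
from collections import defaultdict

# Constructed sample of /etc/nginx/sites-enabled/*, keyed by filename.
# Assumption: the weechat proxy listens on 9001; the real port is not on the page.
SAMPLE_SITES = {
    "default": """
server {
    listen 80 default_server;
    server_name grantwu.me;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name grantwu.me;
    ssl_certificate /etc/letsencrypt/live/grantwu.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/grantwu.me/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
}
""",
    "weechat": """
server {
    listen 9001 ssl;   # assumed port for the weechat relay
    server_name grantwu.me;
    ssl_certificate /etc/letsencrypt/live/grantwu.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/grantwu.me/privkey.pem;
    location / { proxy_pass http://127.0.0.1:9000; }
}
""",
}

SERVER_RE = re.compile(r"\bserver\s*\{")


def server_blocks(text):
    """Yield the body of each top-level 'server { ... }' block in a config file."""
    text = re.sub(r"#[^\n]*", "", text)  # drop comments before brace counting
    pos = 0
    while True:
        m = SERVER_RE.search(text, pos)
        if not m:
            return
        depth, i = 1, m.end()
        while i < len(text) and depth:
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
            i += 1
        yield text[m.end():i - 1]
        pos = i


def top_level_directives(body):
    """Return (name, args) for directives in a block, skipping nested blocks
    such as 'location { ... }'."""
    out, depth, buf = [], 0, []
    for ch in body:
        if ch == "{":
            if depth == 0:
                buf = []          # discard the 'location /' prefix of a nested block
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 0:
            if ch == ";":
                parts = "".join(buf).split()
                if parts:
                    out.append((parts[0], parts[1:]))
                buf = []
            else:
                buf.append(ch)
    return out


def include_order(sites):
    """Filenames in the order 'include sites-enabled/*' reads them (glob sorts)."""
    return sorted(sites)


def vhosts(sites):
    """Flatten every server block into (file, listen directives, server_names)."""
    rows = []
    for fname in include_order(sites):
        for body in server_blocks(sites[fname]):
            listen, names = [], []
            for name, args in top_level_directives(body):
                if name == "listen":
                    listen.append(" ".join(args))
                elif name == "server_name":
                    names.extend(args)
            rows.append((fname, tuple(listen), names))
    return rows


def duplicate_names(sites):
    """Map each server_name used by more than one block to [(file, listen), ...]."""
    seen = defaultdict(list)
    for fname, listen, names in vhosts(sites):
        for n in names:
            seen[n].append((fname, listen))
    return {n: blocks for n, blocks in seen.items() if len(blocks) > 1}


if __name__ == "__main__":
    for name, blocks in duplicate_names(SAMPLE_SITES).items():
        print(f"server_name {name} appears in {len(blocks)} blocks:")
        for fname, listen in blocks:
            print(f"  {fname}: listen {'; '.join(listen)}")
```

Run against a real box by replacing SAMPLE_SITES with the contents of each file in /etc/nginx/sites-enabled/ (the dict key is the filename, so the rename workaround from post #2 is visible as a change in include_order). A duplicated name on a non-443 port is the case to split into its own server_name or move to --webroot, as post #2 suggests.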


#6

Right.

I don’t know what’s happening in this case, though. :confused:

