Certbot --apache "Incorrect validation certificate"

sudo certbot --apache
[sudo] password for super:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?

1: fulton.geek.nz

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel):
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for fulton.geek.nz
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. fulton.geek.nz (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 36478a67d933bcd8893d9d02f58e8e83.36e3785c115aa2756dbd2396aca13887.acme.invalid from 114.23.222.208:443. Received 1 certificate(s), first certificate had names “fulton.geek.nz”

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: fulton.geek.nz
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    36478a67d933bcd8893d9d02f58e8e83.36e3785c115aa2756dbd2396aca13887.acme.invalid
    from 114.23.222.208:443. Received 1 certificate(s), first
    certificate had names “fulton.geek.nz”

I have reviewed the contents of the log file but I can’t figure out what might be wrong.

For the record, the server is behind a NATting firewall and the connection is being forwarded to the server.

When you say the connection is being forwarded to the server, is something performing TLS termination? The way the tls-sni-01 challenge works is by setting up a fake certificate on an invalid SNI name to present to Let’s Encrypt. If something is terminating TLS before it gets to your server, it will not be aware of this fake certificate and just present the default.

Usually the best way around this is to use -i apache -a webroot so that you’re presenting a webroot (http-01) challenge, but using the apache plugin to actually install the certificate.
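As an added illustration (not code from this thread, from certbot, or from Let's Encrypt), here is a small Python model of the tls-sni-01 validation just described. It derives the `.acme.invalid` SNI name the way the tls-sni-01 draft specified (lowercase hex SHA-256 of the key authorization, split into two 32-character labels) and then runs the CA-side check against two simulated listeners: one where certbot's temporary vhost answers the handshake, and one where whatever answers port 443 ignores the SNI name and returns its default certificate, which reproduces the error in the post above. The key authorization, hostnames and certificate names are hypothetical. Let's Encrypt has since retired tls-sni-01 (current certbot uses http-01 or dns-01), but the model still explains this error.

```python
# Added example: a model of tls-sni-01 validation. Not certbot's or
# Let's Encrypt's code; key authorization and hostnames are hypothetical.
import hashlib
from dataclasses import dataclass, field

ACME_SUFFIX = ".acme.invalid"


def tls_sni_01_name(key_authorization: str) -> str:
    """Derive the SNI name the ACME server requests for tls-sni-01.

    Z = lowercase hex SHA-256 of the key authorization (token.thumbprint);
    the name is Z[0:32] + "." + Z[32:64] + ".acme.invalid", which is the
    shape of the "Requested ..." name in the error message above.
    """
    z = hashlib.sha256(key_authorization.encode("ascii")).hexdigest()
    return f"{z[:32]}.{z[32:]}{ACME_SUFFIX}"


@dataclass
class TlsListener:
    """Stand-in for whatever answers on port 443.

    sni_certs maps an SNI name to the subjectAltNames of the certificate
    served for it; default_names is the certificate served for any unknown
    SNI name (the Debian 'snakeoil' cert in the thread above).
    """
    default_names: tuple
    sni_certs: dict = field(default_factory=dict)

    def handshake(self, sni: str) -> tuple:
        return self.sni_certs.get(sni, self.default_names)


def validate_tls_sni_01(listener: TlsListener, key_authorization: str):
    """Do what the CA's validation server does: connect with the derived SNI
    name and accept only if the presented certificate carries that name."""
    expected = tls_sni_01_name(key_authorization)
    names = listener.handshake(expected)
    if expected in names:
        return True, f"OK: {expected} found in presented certificate"
    return False, (
        "Incorrect validation certificate for tls-sni-01 challenge. "
        f"Requested {expected}. Received 1 certificate(s), "
        f"first certificate had names {', '.join(names)}"
    )


# Hypothetical key authorization (token.thumbprint); a real one comes from the CA.
KEY_AUTH = "hypothetical-token-value.hypothetical-account-key-thumbprint"
CHALLENGE_NAME = tls_sni_01_name(KEY_AUTH)

# Case 1: certbot's temporary vhost is what actually answers the handshake.
apache_with_certbot_vhost = TlsListener(
    default_names=("fulton.geek.nz",),
    sni_certs={CHALLENGE_NAME: (CHALLENGE_NAME,)},
)

# Case 2: a default/snakeoil certificate answers every SNI name. A TLS
# terminator in front of Apache, or a different Apache instance owning
# port 443, both produce exactly this symptom.
snakeoil_listener = TlsListener(default_names=("fulton.geek.nz",))


def demo() -> dict:
    """Run both cases; returns {case: (passed, detail)}."""
    return {
        "certbot_vhost": validate_tls_sni_01(apache_with_certbot_vhost, KEY_AUTH),
        "snakeoil": validate_tls_sni_01(snakeoil_listener, KEY_AUTH),
    }


if __name__ == "__main__":
    for case, (ok, detail) in demo().items():
        print(f"{case}: {'valid' if ok else 'unauthorized'} - {detail}")
```

Against a live host the equivalent check is `openssl s_client -connect HOST:443 -servername NAME`, which shows which certificate is actually presented for a given SNI name; if the `.acme.invalid` name comes back with the site's default certificate, the process answering port 443 is not the one certbot configured.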

The firewall is just passing the traffic. No SSL termination. I wondered how it actually worked; what is actually happening (I am pretty sure) is that Letsencrypt is getting back the default ‘snakeoil’ cert. I know this because I replaced it with one with a different name and the name in the error message changed. I notice that certbot was starting apache even if it was shut down.

I tried stopping apache on the box and running certbot with standalone, which stopped it doing anything with apache, and this worked. For some reason the snakeoil cert was being served rather than the specially crafted one LetsEncrypt expected. Before trying this I also tried --apache certonly but had the same problem.

You seem to have solved the problem.

Andrei
