Certbot fails for subdomain - TLS-SNI-01 challenge receives wrong certificate

I have three security certificates for my website, one of them is for backend.ultimaterehabestimator.com and I am having trouble renewing it, here is my error message:

Failed authorization procedure. backend.ultimaterehabestimator.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested ae9a991ae61e815e2630db3baccbc2f9.93c0afcde5d1141e6b5d5223553efcaf.acme.invalid from 50.63.166.163:443. Received 2 certificate(s), first certificate had names “www.ultimaterehabestimator.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: backend.ultimaterehabestimator.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    ae9a991ae61e815e2630db3baccbc2f9.93c0afcde5d1141e6b5d5223553efcaf.acme.invalid
    from 50.63.166.163:443. Received 2 certificate(s), first
    certificate had names “www.ultimaterehabestimator.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

I’m also confused about how my certificates are working, it appears that some of them cover multiple domains:

Here’s what I get when I do certbot certificates

Found the following certs:
  Certificate Name: ultimaterehabestimator.com
    Domains: ultimaterehabestimator.com,backend.ultimaterehabestimator.com,www.ultimaterehabestimator.com
    Expiry Date: 2018-02-07 14:30:59+00:00 (VALID: 53 days)
    Certificate Path: /etc/letsencrypt/live/ultimaterehabestimator.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ultimaterehabestimator.com/privkey.pem
  Certificate Name: ultimaterehabestimator.com-0001
    Domains: ultimaterehabestimator.com
    Expiry Date: 2018-03-04 14:48:27+00:00 (VALID: 78 days)
    Certificate Path: /etc/letsencrypt/live/ultimaterehabestimator.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ultimaterehabestimator.com-0001/privkey.pem
  Certificate Name: www.ultimaterehabestimator.com
    Domains: www.ultimaterehabestimator.com
    Expiry Date: 2018-03-04 14:48:49+00:00 (VALID: 78 days)
    Certificate Path: /etc/letsencrypt/live/www.ultimaterehabestimator.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.ultimaterehabestimator.com/privkey.pem
  Certificate Name: backend.ultimaterehabestimator.com
    Domains: backend.ultimaterehabestimator.com
    Expiry Date: 2018-01-09 21:06:04+00:00 (VALID: 25 days)
    Certificate Path: /etc/letsencrypt/live/backend.ultimaterehabestimator.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/backend.ultimaterehabestimator.com/privkey.pem

If you request multiple domains in a single run of certbot, you’ll get them all on a single certificate; if you run certbot once per domain you’ll get a separate cert for each. I guess you must have done a mix of both, because you now have four certificates; one of them is valid for all three domains, while the other three are only valid for one domain each. They overlap, so if you wanted you could configure nginx (I’m assuming it’s nginx based on your server headers) to use the combined cert for all three domains, and delete the other three certs. Or you could point it at the individual certs for each domain and delete the combined one.

That being said, I don’t know why it would fail to renew. Perhaps it’s a bug in the --nginx plugin. What version of certbot are you using?

I’m using 0.17. I don’t see a straightforward way to update. I don’t understand whether my domain (backend.ultimaterehabestimator.com) will expire in four days, because that’s the day the last certificate expires, or whether the first certificate will cover the domain.

Certificates exist separately from each other.

There are 3 currently valid certificates for that name:

https://crt.sh/?Identity=backend.ultimaterehabestimator.com&exclude=expired

Two of them expire January 9. One of them expires February 7.

You should ensure that your software is configured to use the newest one. Or use one of the other ones but ensure that renewing works (and renew it immediately).

How do I ensure the software uses the newest one? How do I delete the ones that aren’t renewing?

Your web server configuration determines which certificate file is in use. You can use certbot delete to remove other certificates.
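The two answers above make the same point: several lineages can cover one name, and only the web server config decides which file is actually served. The script below is an added example, not code from the thread or from certbot. It parses a `certbot certificates` listing (a constructed copy of the one posted above, embedded inline), reports which lineages cover each name and which one expires last, and prints the `ssl_certificate` / `ssl_certificate_key` directives nginx would need to use that newest file. The `served_cert_names` function (only run with `--live`, since it needs network access) shows what the server really returns for a given SNI name; for `backend.ultimaterehabestimator.com` it is the same check the TLS-SNI-01 validator performed when it got back the `www` certificate instead of the expected one.

```shell
#!/bin/sh
# Added example: map names to lineages from a `certbot certificates` listing.
# CERTBOT_LISTING is a constructed copy of the output posted in the thread.
CERTBOT_LISTING='Found the following certs:
  Certificate Name: ultimaterehabestimator.com
    Domains: ultimaterehabestimator.com,backend.ultimaterehabestimator.com,www.ultimaterehabestimator.com
    Expiry Date: 2018-02-07 14:30:59+00:00 (VALID: 53 days)
    Certificate Path: /etc/letsencrypt/live/ultimaterehabestimator.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ultimaterehabestimator.com/privkey.pem
  Certificate Name: ultimaterehabestimator.com-0001
    Domains: ultimaterehabestimator.com
    Expiry Date: 2018-03-04 14:48:27+00:00 (VALID: 78 days)
    Certificate Path: /etc/letsencrypt/live/ultimaterehabestimator.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ultimaterehabestimator.com-0001/privkey.pem
  Certificate Name: www.ultimaterehabestimator.com
    Domains: www.ultimaterehabestimator.com
    Expiry Date: 2018-03-04 14:48:49+00:00 (VALID: 78 days)
    Certificate Path: /etc/letsencrypt/live/www.ultimaterehabestimator.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.ultimaterehabestimator.com/privkey.pem
  Certificate Name: backend.ultimaterehabestimator.com
    Domains: backend.ultimaterehabestimator.com
    Expiry Date: 2018-01-09 21:06:04+00:00 (VALID: 25 days)
    Certificate Path: /etc/letsencrypt/live/backend.ultimaterehabestimator.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/backend.ultimaterehabestimator.com/privkey.pem'

# One record per lineage: name|domains|expiry|fullchain|privkey
flatten_listing() {
    printf '%s\n' "$CERTBOT_LISTING" | awk '
        /Certificate Name:/ { name = $3 }
        /Domains:/          { domains = $2 }
        /Expiry Date:/      { expiry = $3 " " $4 }
        /Certificate Path:/ { chain = $3 }
        /Private Key Path:/ { print name "|" domains "|" expiry "|" chain "|" $4 }
    '
}

# Records whose SAN list contains exactly the given name (no wildcard logic).
certs_covering() {
    flatten_listing | awk -F'|' -v want="$1" '
        { n = split($2, d, ","); for (i = 1; i <= n; i++) if (d[i] == want) { print; break } }
    '
}

# The covering record that expires last; the UTC timestamps sort as plain text.
newest_record_for() {
    certs_covering "$1" | sort -t'|' -k3,3 | tail -n 1
}

newest_cert_for() {
    newest_record_for "$1" | cut -d'|' -f4
}

# nginx directives that pin a server block to the newest covering lineage.
nginx_ssl_directives() {
    rec=$(newest_record_for "$1")
    printf 'ssl_certificate     %s;\n' "$(printf '%s\n' "$rec" | cut -d'|' -f4)"
    printf 'ssl_certificate_key %s;\n' "$(printf '%s\n' "$rec" | cut -d'|' -f5)"
}

# Live check (needs network): which names the server presents for this SNI value.
served_cert_names() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -text | grep -A1 'Subject Alternative Name'
}

for host in ultimaterehabestimator.com www.ultimaterehabestimator.com backend.ultimaterehabestimator.com; do
    printf '%s is covered by %s lineage(s); newest: %s\n' \
        "$host" "$(certs_covering "$host" | grep -c '')" "$(newest_cert_for "$host")"
    nginx_ssl_directives "$host"
    [ "${1:-}" = "--live" ] && served_cert_names "$host"
done
```

Once a server block points at the newest covering file and `nginx -t` plus a reload succeed, the lineages nobody references can be dropped with `certbot delete --cert-name <name>`; until then, an unused lineage that fails to renew is noise, not an outage.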
