I was able to get a cert for my blog.mydomain.com which is working fine in Apache2 on Debian stretch/sid.
I then added two additional CNAMES to my dns (blog itself is a CNAME of sa-001, which is the A record), verified the changes had propagated, then tried getting additional certs for these virtual hosts.
I got a warning asking if I wanted to expand the existing cert. I was unsure, so I cancelled. I read the manpage, and tried again with this commandline:
I get this error:
Failed authorization procedure. www.mydomain.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested dac2894f913df59e76b15ae76495b634.2023233a42af0f969b11c5f80fb26956.acme.invalid from 102.219.201.40:443. Received certificate containing ‘blog.mydomain.com’
Actually, it can reach port 443, but apparently something isn't right with the temporary tls-sni-01 certificate install in Apache for the authentication. Usually, this is because some sort of proxy is in between the Apache certbot is trying to use and the actual connection end-point (not the Apache certbot is using..)
Another issue could be that domain X is pointing to IP Y as where Apache is only listening on IP Z, not Y.
blog.symbiaudix.com is the active site, which is working. dev. and www. are the ones that fail when attempting to add them to the cert. Perhaps you can see if you can connect to blog. I can without any problem.
I’m guessing something got confused/partially done when I cancelled the first attempt to read more about it, but that’s just a guess. What’s the best way to jiggle the handle?
It probably has something to do with your Apache configuration. The way the tls-sni-01 challenge works, is by generating a temporary configuration file for Apache with a special <VirtualHost> section. If your Apache somehow doesn’t use this temporary file, for example, it doesn’t work properly with SNI or something, it fails.
You can run your certbot client with the -vvv option so you’d get a lot of debugging information. Somewhere in this pile of info, you’ll see something like this:
Performing the following challenges:
tls-sni-01 challenge for dev.symbiaudix.com
tls-sni-01 challenge for www.symbiaudix.com
Adding Include /etc/apache2/vhosts.d/le_tls_sni_01_cert_challenge.conf to /files/etc/apache2/httpd.conf
writing a config file with text:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName 93dfe4cba4c26721f0fd5020475a5e9e.f2b6431cdf1d78e21c129a1f2eae60ab.acme.invalid
UseCanonicalName on
SSLStrictSNIVHostCheck on
LimitRequestBody 1048576
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /var/lib/letsencrypt/MXABej7ih3byF2Uyb5xaP1_vhoto0CXdUjeVGvxiPCc.crt
SSLCertificateKeyFile /var/lib/letsencrypt/MXABej7ih3byF2Uyb5xaP1_vhoto0CXdUjeVGvxiPCc.pem
DocumentRoot /var/lib/letsencrypt/tls_sni_01_page/
</VirtualHost>
<VirtualHost *:443>
ServerName f68d5d9410abecab87dba792f431bfc4.768e7d67c788a81dcc4c154183d267d0.acme.invalid
UseCanonicalName on
SSLStrictSNIVHostCheck on
LimitRequestBody 1048576
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /var/lib/letsencrypt/Z8Bbdcuh1r36xaK1mAhPg69xpBg1OcUv0j24TnJSGdM.crt
SSLCertificateKeyFile /var/lib/letsencrypt/Z8Bbdcuh1r36xaK1mAhPg69xpBg1OcUv0j24TnJSGdM.pem
DocumentRoot /var/lib/letsencrypt/tls_sni_01_page/
</VirtualHost>
</IfModule>
Creating backup of /etc/apache2/httpd.conf
Waiting for verification...
You could check if the include is handled properly, i.e., it’s the right httpd.conf your Apache is using et cetera.