Certbot: getting one cert worked, adding more fails


I was able to get a cert for my blog.mydomain.com which is working fine in Apache2 on Debian stretch/sid.

I then added two additional CNAMES to my dns (blog itself is a CNAME of sa-001, which is the A record), verified the changes had propagated, then tried getting additional certs for these virtual hosts.

I got a warning asking if I wanted to expand the existing cert. I was unsure, so I cancelled. I read the manpage, and tried again with this commandline:

certbot --expand --apache --redirect --hsts -d blog.mydomain.com,dev.mydomain.com,www.mydomain.com

I get this error:
Failed authorization procedure. www.mydomain.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested dac2894f913df59e76b15ae76495b634.2023233a42af0f969b11c5f80fb26956.acme.invalid from Received certificate containing ‘blog.mydomain.com

What to do?

names/ips sanitized.


I could be mistaken, but I believe you have to give each domain a “-d” flag, you can’t use commas.

That is, I’d try something like:
certbot --expand --apache --redirect --hsts -d blog.mydomain.com -d dev.mydomain.com -d www.mydomain.com

Again, my information may be wrong or out of date, but I think the commas only worked in your cli.ini configuration file.

Hope that helps!


tried it with -d on all first - same issue


wondering if I must revoke first?


You don’t need to revoke, no.

The error is that it can’t reach port 443 on www.mydomain.com
Without your domain name though, I can’t check to see if I can reach it.


Actually, it can reach port 443, but apparently something isn’t right with the temporary tls-sni-01 certificate install in Apache for the authentication. Usually, this is because some sort of proxy is in between the Apache certbot is trying to use and the actual connection end-point (not the Apache certbot is using…)
Another issue could be that domain X is pointing to IP Y as where Apache is only listening on IP Z, not Y.


Thanks all for helping.

blog.symbiaudix.com is the active site, which is working. dev. and www. are the ones that fail when attempting to add them to the cert. Perhaps you can see if you can connect to blog. I can without any problem.

I’m guessing something got confused/partially done when I cancelled the first attempt to read more about it, but that’s just a guess. What’s the best way to jiggle the handle?


It probably has something to do with your Apache configuration. The way the tls-sni-01 challenge works, is by generating a temporary configuration file for Apache with a special <VirtualHost> section. If your Apache somehow doesn’t use this temporary file, for example, it doesn’t work properly with SNI or something, it fails.

You can run your certbot client with the -vvv option so you’d get a lot of debugging information. Somewhere in this pile of info, you’ll see something like this:

Performing the following challenges:
tls-sni-01 challenge for dev.symbiaudix.com
tls-sni-01 challenge for www.symbiaudix.com
Adding Include /etc/apache2/vhosts.d/le_tls_sni_01_cert_challenge.conf to /files/etc/apache2/httpd.conf
writing a config file with text:
 <IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName 93dfe4cba4c26721f0fd5020475a5e9e.f2b6431cdf1d78e21c129a1f2eae60ab.acme.invalid
    UseCanonicalName on
    SSLStrictSNIVHostCheck on

    LimitRequestBody 1048576

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /var/lib/letsencrypt/MXABej7ih3byF2Uyb5xaP1_vhoto0CXdUjeVGvxiPCc.crt
    SSLCertificateKeyFile /var/lib/letsencrypt/MXABej7ih3byF2Uyb5xaP1_vhoto0CXdUjeVGvxiPCc.pem

    DocumentRoot /var/lib/letsencrypt/tls_sni_01_page/

<VirtualHost *:443>
    ServerName f68d5d9410abecab87dba792f431bfc4.768e7d67c788a81dcc4c154183d267d0.acme.invalid
    UseCanonicalName on
    SSLStrictSNIVHostCheck on

    LimitRequestBody 1048576

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /var/lib/letsencrypt/Z8Bbdcuh1r36xaK1mAhPg69xpBg1OcUv0j24TnJSGdM.crt
    SSLCertificateKeyFile /var/lib/letsencrypt/Z8Bbdcuh1r36xaK1mAhPg69xpBg1OcUv0j24TnJSGdM.pem

    DocumentRoot /var/lib/letsencrypt/tls_sni_01_page/


Creating backup of /etc/apache2/httpd.conf
Waiting for verification...

You could check if the include is handled properly, i.e., it’s the right httpd.conf your Apache is using et cetera.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.