Certbot renew command fails

Please fill out the fields below so we can help you better.

My domain is: www.actechltda.com.br

I ran this command: certbot renew

It produced this output: Attempting to renew cert from /etc/letsencrypt/renewal/mywebsite.com.conf produced an unexpected error: Failed authorization procedure. mywebsite.com (tls-sni-01) urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested XXXXXXX.acme.invalid from 191.252.109.109:443.

My web server is (include version): Apache 2.4.6

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is: Locaweb

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Good morning @tmybr11,

Is it possible that there was more error output from Certbot following the line that you pasted here? Normally the error urn:acme:error:unauthorized includes more information like “Received 2 certificates” with information about the certificates that were received in place of the specified one.

Do you know what command you originally used to obtain the certificate that you’re now trying to renew? If so, could you let us know what it was? If not, could you post the contents of /etc/letsencrypt/renewal/www.actechltda.com.br.conf?

Hi Schoen!

Well, I also received the following message: “Received 1 certificate(s), first certificate had names “XXXXXXX.acme.invalid, dummy”. To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.”

Apparently, something is misconfigured, but this is the second time I have to renew my certificate. The first time, everything worked just fine. Now it just won’t work. I didn’t make any changes to my VPS since the last time I renewed the certificate. No changes were made to the VirtualHosts or to the server conf.

I don’t remember how I obtained the current certificates (I have two domains pointing to the same IP). I ran grep | history to check on my last commands, and maybe the command I used was certbot --apache. But maybe I’m wrong, so here is my www.actechltda.com.br.conf:

# renew_before_expiry = 30 days
version = 0.9.3
cert = /etc/letsencrypt/live/www.actechltda.com.br/cert.pem
privkey = /etc/letsencrypt/live/www.actechltda.com.br/privkey.pem
chain = /etc/letsencrypt/live/www.actechltda.com.br/chain.pem
fullchain = /etc/letsencrypt/live/www.actechltda.com.br/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = dd322a9fa70ad00da911ab30a31fe0e3

That’s actually a very unusual failure case.

@cpu, do you think you could confirm that the self-signed certificate returned by the server in this case was an ACME challenge certificate yet not for the correct challenge? And can you confirm whether it would have been the correct response to a previous challenge?

@tmybr11, do you think you could try running the renewal process one more time and then, if it fails for the same reason, posting the log from /var/log/letsencrypt?

Sure! I don’t know if you need the entire log, but the character limit only allows me to post a part of it. These are the last lines… if you need more let me know.

Domain: www.actechltda.com.br
Type:   unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge. Requested d7677d712463bd7297b33ad6c753e3b4.1911997aab85fa266f92a4ba58486eb9.acme.invalid from 191.252.109.109:443. Received 1 certificate(s), first certificate had names "5c965c454b18b505384e2b8762d7d25a.f484ac2a373df5acf1c8a1a5b6cdb5cc.acme.invalid, dummy"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
2017-08-16 17:51:52,738:INFO:certbot.auth_handler:Cleaning up challenges
2017-08-16 17:51:53,148:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/www.actechltda.com.br.conf produced an unexpected error: Failed authorization procedure. www.actechltda.com.br (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested d7677d712463bd7297b33ad6c753e3b4.1911997aab85fa266f92a4ba58486eb9.acme.invalid from 191.252.109.109:443. Received 1 certificate(s), first certificate had names "5c965c454b18b505384e2b8762d7d25a.f484ac2a373df5acf1c8a1a5b6cdb5cc.acme.invalid, dummy". Skipping.
2017-08-16 17:51:53,168:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 348, in renew_all_lineages
    main.obtain_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 563, in obtain_cert
    action, _ = _auth_from_domains(le_client, config, domains, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 96, in _auth_from_domains
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 238, in renew_cert
    new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 253, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 78, in get_authorizations
    self._respond(resp, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 135, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 199, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. www.actechltda.com.br (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested d7677d712463bd7297b33ad6c753e3b4.1911997aab85fa266f92a4ba58486eb9.acme.invalid from 191.252.109.109:443. Received 1 certificate(s), first certificate had names "5c965c454b18b505384e2b8762d7d25a.f484ac2a373df5acf1c8a1a5b6cdb5cc.acme.invalid, dummy"

2017-08-16 17:51:53,169:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.9.3', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 776, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 592, in renew
    renewal.renew_all_lineages(config)
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 365, in renew_all_lineages
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

Thank you!

That is quite odd! I can confirm that the certificate was an ACME TLS-SNI-01 challenge response certificate but it wasn't the expected challenge response certificate. I believe, like you suspected, the certificate returned was intended to be used as the challenge response for a different identifier's challenge: www.actech-instruments.com.

@tmybr11, I think we’ll want to see the whole log. As a new user you might not be allowed to upload it, in which case you can send it to my forum username at eff.org.

@bmw, could you take a look at this too? I don’t think I’ve seen the “challenge verification for one domain returned the acme.invalid certificate for a different domain” phenomenon before.

By the way, what version of Certbot are you using, @tmybr11?

Hello Schoen.

Sorry for the delay. I just sent you an email with a copy of my letsencrypt.log to your email. I’m using certbot v0.9.3.

Thank you guys!

Yes, it was correct. Thanks! I edited your forum post to remove my e-mail address. The reason that I didn’t state my e-mail address on the forum was in the hope of not getting it added to more spam lists.

Sure, sorry for revealing it here!

Hello guys, any updates on this issue?

Hi @tmybr11,

I’m sorry for being slow to reply on this.

What I notice here is that Certbot is trying to satisfy two TLS-SNI-01 challenges at once (which is appropriate in this case), but it creates two temporary VirtualHosts which look different: one of them says

<VirtualHost 191.252.109.109:443>

while the other one says

<VirtualHost *:443>

The *:443 one somehow seems to take priority and get used for both requests, which results in an invalid response to one of the challenges.

I don’t understand Apache’s rules about VirtualHost routing well enough to understand the exact reason for the failure (and maybe @bmw can help here), but it seems to me that maybe Certbot is basing the first temporary VirtualHost on part of the configuration that you already have and that this is a problem for some reason.

Maybe you could search with

grep -r 191.252.109.109 /etc/apache2

and find cases where existing VirtualHosts were defined by IP address, and, if you don’t have a specific reason that they need to be that way, change them to *:443 instead?

The other thing is that older versions of Certbot had serious problems (which could produce this symptom) if more than one VirtualHost was defined inside the same Apache configuration file, that is, if you didn’t follow the convention of putting each individual VirtualHost definition in its own separate file in /etc/apache2/sites-available. This could often produce results similar to what you’re seeing here, with successful initial issuance of the certificate but a failed renewal with an error similar to this. Do you know if you have any Apache configuration files that combine more than one VirtualHost definition within the same file? I didn’t check whether your Certbot is old enough to have this problem.


I did take another look at the log and I think your Certbot is old enough to have this problem (also per discussion with @bmw).

Another option to mention is that, if you're willing to go outside of your operating system package manager, you can use certbot-auto, a self-updater for Certbot, which always downloads the latest released version (which you then run as certbot-auto instead of certbot). That version might well not have the same problems with renewal that your older OS-packaged version does.

If you're interested in trying certbot-auto, you can find out about it here:

https://certbot.eff.org/docs/install.html#certbot-auto

Thank you for the reply schoen.

I tried using certbot-auto instead of certbot. The same error occurred. So then I went to check my VirtualHosts, as you said.

And you were correct, the VirtualHost was defined using IP address instead of *, and that was causing the error. But the one causing the error wasn’t the port 443 VirtualHost, but the port 80 one, which redirects to the HTTPS:

All I did was change

<VirtualHost 191.252.109.109:80>

To…

<VirtualHost *:80>

And voila.

Thank you very much guys!

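The root cause in this thread was a VirtualHost bound to a literal IP address (191.252.109.109:80) that took precedence over the wildcard vhost Certbot creates for its temporary challenge response, so the validator was served the challenge certificate for the other domain. The script below is an example added to this thread, not Certbot's or Apache's own code; it mechanises the `grep -r 191.252.109.109 /etc/apache2` check suggested earlier but matches any IPv4 or IPv6 literal on any port (so it would also have flagged the port 80 vhost that turned out to be the real culprit), and can emit the `*:port` form that fixed it. The sample configuration embedded in it is constructed for the demonstration; the config root `/etc/httpd/conf.d` used when it is run as a script is the CentOS default and is only an assumption about your layout.

```python
"""Find Apache <VirtualHost> directives bound to a literal IP instead of '*'.

Added example for this thread (not Certbot code).  Run it as
    python vhost_ip_check.py [config_root]
to list every VirtualHost whose address is an IP literal, with the
wildcard form to replace it with.
"""
import ipaddress
import os
import re
import sys

# Constructed sample modelled on the thread: an IP-bound port 80 redirect
# vhost (the pattern that shadowed Certbot's temporary vhost) plus a wildcard
# port 443 vhost that is fine as it is.
SAMPLE_CONFIG = """\
<VirtualHost 191.252.109.109:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
</VirtualHost>
"""

# Opening tag: "<VirtualHost addr[:port] [addr[:port] ...]>" (case-insensitive).
VHOST_RE = re.compile(r"^(\s*<VirtualHost\s+)([^>]+)(>.*)$", re.IGNORECASE)


def split_addr_port(token):
    """Split one Apache address token into (addr, port or None).

    Handles '*', '_default_', 'host', '1.2.3.4', '1.2.3.4:443',
    '[2001:db8::1]' and '[2001:db8::1]:443'.
    """
    if token.startswith("["):                      # bracketed IPv6 literal
        end = token.find("]")
        rest = token[end + 1:]
        return token[1:end], (rest[1:] if rest.startswith(":") else None)
    addr, sep, port = token.rpartition(":")
    return (token, None) if not sep else (addr, port)


def is_ip_literal(addr):
    """True for any IPv4/IPv6 literal; False for '*', '_default_', hostnames."""
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


def find_ip_bound_vhosts(config_text):
    """Return one finding dict per IP-literal address in a VirtualHost tag."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = VHOST_RE.match(line)
        if not m:
            continue
        for token in m.group(2).split():
            addr, port = split_addr_port(token)
            if is_ip_literal(addr):
                suggested = "*" + (":" + port if port else "")
                findings.append({"line": lineno, "addr": addr,
                                 "port": port, "suggested": suggested})
    return findings


def rewrite_to_wildcard(config_text):
    """Return the config with every IP-literal VirtualHost address set to '*'.

    Only the address part of the opening tag is touched; ports, hostnames,
    '*' and '_default_' entries and all other lines are left unchanged.
    """
    out = []
    for line in config_text.splitlines(keepends=True):
        m = VHOST_RE.match(line)
        if m:
            tokens = []
            for token in m.group(2).split():
                addr, port = split_addr_port(token)
                if is_ip_literal(addr):
                    token = "*" + (":" + port if port else "")
                tokens.append(token)
            nl = "\n" if line.endswith("\n") else ""
            line = m.group(1) + " ".join(tokens) + m.group(3) + nl
        out.append(line)
    return "".join(out)


def scan_directory(root):
    """Walk a config tree (like grep -r) and yield (path, findings) for hits."""
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".conf"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = find_ip_bound_vhosts(fh.read())
            if findings:
                yield path, findings


if __name__ == "__main__":
    # Assumed CentOS default; pass your own root (e.g. /etc/apache2) instead.
    root = sys.argv[1] if len(sys.argv) > 1 else "/etc/httpd/conf.d"
    for path, findings in scan_directory(root):
        for f in findings:
            print(f"{path}:{f['line']}: <VirtualHost {f['addr']}"
                  f"{':' + f['port'] if f['port'] else ''}> -> use {f['suggested']}")
```

The check reports rather than edits in place, so you can review each hit (some IP-bound vhosts are deliberate on multi-homed hosts) before applying `rewrite_to_wildcard` to a file and reloading Apache. Let's Encrypt has since retired the TLS-SNI-01 challenge, but the same vhost-precedence problem applies whenever a tool inserts a temporary wildcard vhost next to IP-bound ones.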
