Certbot renew --dry-run failed with authentication failure [SOLVED]


#1

Please fill out the fields below so we can help you better.

My domain is:

I ran this command:

certbot renew --dry-run

It produced this output:

certbot renew --dry-run


Processing /etc/letsencrypt/renewal/*****.conf

2017-03-09 05:01:04,167:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/.conf produced an unexpected error: Failed authorization procedure. ****** (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested xxx.xxx.acme.invalid from 45.32.5.224:443. Received 2 certificate(s), first certificate had names "*". Skipping.
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/******/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: *****
    Type: unauthorized
    Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
    Requested
    xxx.acme.invalid
    from 45.32.5.224:443. Received 2 certificate(s), first certificate
    had names “******”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

My operating system is (include version):

Ubuntu 16.10

My web server is (include version):

n/a (running a custom express-based node.js server)

My hosting provider, if applicable, is:

n/a

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

No


#2

Are you running the certbot renew --dry-run command on the same server as the one where your existing certificate is installed, or on a different server?

Is your express-based node.js server itself listening directly on port 443, or do you have a reverse proxy or similar?

Can you post the contents of the file /etc/letsencrypt/renewal/*****.conf please?


#3

Thanks for the reply.

The command is running on the same server. The node server listens on port 443 directly. I do not have a reverse proxy.

# renew_before_expiry = 30 days
version = 0.8.1
cert = /etc/letsencrypt/live/schedule.greenwood.space/cert.pem
privkey = /etc/letsencrypt/live/schedule.greenwood.space/privkey.pem
chain = /etc/letsencrypt/live/schedule.greenwood.space/chain.pem
fullchain = /etc/letsencrypt/live/schedule.greenwood.space/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = None
account = ****
webroot_path = /home/greenwood/greenwood-scheduler,
[[webroot_map]]

I did some more sleuthing, and it looks like the back and forth dies when the eff site is unable to directly connect to the IP address, port 443 to the standalone server. I would be fine with enabling dns verification, but there is quite literally no documentation on how to do that other than “it will tell you if you try.” Well, I tried, and it just said it wouldn’t do it, no further information.

I’m now 9 days from expiry on the site. Should I give up on renewal and just generate a new one? Will it even let me?


#4

Hi,

I may have found the issue. I have had 443 redirected to a user port to avoid having to run my express server as root (to get access to 443). I’m going to try disabling that redirect and then re-run.
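The cause described in this post (a port redirect in front of the standalone authenticator) can be checked for before running a renewal. The script below is an added example and is not code from the thread or from certbot; it assumes the redirect was set up as an iptables nat-table REDIRECT rule (the post does not say how it was done), and the rule listing it parses offline is a constructed sample, not output captured from the poster's machine.

```shell
#!/bin/sh
# Pre-flight check before "certbot renew" with authenticator = standalone.
# The standalone plugin opens its own temporary listener on the challenge
# port (443 for tls-sni-01), so the Let's Encrypt validator must reach
# certbot there, not the application. A NAT rule such as "443 -> 8443"
# (used so the app need not run as root) hands the validator to the app,
# which answers with its normal certificate; that is what the
# "Incorrect validation certificate for TLS-SNI-01 challenge" error reports.
#
# ASSUMPTION: the redirect is an iptables nat-table rule; the thread above
# does not say how the redirect was configured.

# find_port_redirects PORT
# Reads iptables-save style rules on stdin and prints nat rules that
# REDIRECT or DNAT TCP traffic for PORT. Exit status 0 = at least one found.
find_port_redirects() {
    port="$1"
    grep -E -- "^-A (PREROUTING|OUTPUT) .*-p tcp .*--dport ${port}( |$).*-j (REDIRECT|DNAT)"
}

# check_live_redirects [PORT]
# Same check against the running kernel; needs root for iptables-save.
check_live_redirects() {
    iptables-save -t nat 2>/dev/null | find_port_redirects "${1:-443}"
}

# port_listener PORT
# Shows which process already holds the listening socket (ss from iproute2);
# standalone cannot bind the port while the node server is still on it.
port_listener() {
    ss -ltnp 2>/dev/null | grep -E ":${1}[[:space:]]"
}

# Constructed sample of an iptables-save nat table for offline use: the
# first rule is the kind of redirect that breaks standalone validation.
SAMPLE_NAT_RULES='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT'

# sample_redirects PORT: run the parser over the constructed sample.
sample_redirects() {
    printf '%s\n' "$SAMPLE_NAT_RULES" | find_port_redirects "$1"
}

# With --live, inspect this host before running "certbot renew --dry-run".
if [ "${1:-}" = "--live" ]; then
    if check_live_redirects 443; then
        echo "port 443 is redirected; remove the rule (or use an authenticator that does not need the port) before renewing" >&2
        exit 2
    fi
    if port_listener 443; then
        echo "port 443 is in use; stop that service while standalone runs (certbot's --pre-hook/--post-hook can do this)" >&2
        exit 2
    fi
    echo "port 443 is free for the standalone authenticator"
fi
```

Run it as `sh check-443.sh --live` (as root, so iptables-save can read the nat table) before the dry run; without `--live` it only defines the functions and the constructed sample, so it is safe to source. The parser is kept separate from the live wrapper so the matching logic can be exercised on saved rule dumps from other hosts.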


#5

Yep, that fixed it! Closing this.


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.