Certbot renew: Failed authorization procedure

Please fill out the fields below so we can help you better.

My domain is: deichspiel.spdns.de

I ran this command: sudo certbot renew -vvvv

It produced this output:

...
2017-05-08 14:07:54,362:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.configurator:ApacheConfigurator
Initialized: 
Prep: True
...
2017-05-08 14:08:19,235:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: deichspiel.spdns.de
Type:   unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge. Requested 5c81589bca36d1bee2d7dae9e2208735.93cbb9c844d4a20b03f367a6562ef5fe.acme.invalid from 79.246.12.212:443. Received 2 certificate(s), first certificate had names "deichspiel.spdns.de"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
...

In /var/log/apache2/error.log:

AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
[Mon May 08 16:08:12.588751 2017] [ssl:warn] [pid 6651] AH01906: 5c81589bca36d1bee2d7dae9e2208735.93cbb9c844d4a20b03f367a6562ef5fe.acme.invalid:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

My operating system is (include version): Debian 8.8

My web server is (include version): apache 2.4.10-10+deb8u8

My hosting provider, if applicable, is: -

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

How can I solve the problem?
Many Thanks!

Hi @TomB,

Do you have multiple virtual hosts defined in a single configuration file in /etc/apache2/sites-available?

Hi schoen,

Because of the http->https redirect, I defined the following virtual hosts:

000-redirect.conf:

ServerName deichspiel.spdns.de

  ServerSignature Off
  RewriteEngine On
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

and 001-ssl.conf:


...

Now I changed the configuration:

ServerName deichspiel.spdns.de

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
DocumentRoot /var/www/html
... (ssl, logging, ...)

Now I get this error message:
Attempting to renew cert from /etc/letsencrypt/renewal/deichspiel.spdns.de.conf produced an unexpected error: Failed authorization procedure. deichspiel.spdns.de (tls-sni-01): urn:acme:error:malformed :: The request message was malformed :: Failed to connect to 79.246.12.212:443 for tls-sni-01 challenge: Server only speaks HTTP, not TLS. Skipping.

Again I changed the conf:

ServerName deichspiel.spdns.de

...

The result is:
Attempting to renew cert from /etc/letsencrypt/renewal/deichspiel.spdns.de.conf produced an unexpected error: Failed authorization procedure. deichspiel.spdns.de (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested cca2111de520f90193f0235bf12ec8c4.77468acb6090a92af4c16b5bc28d8e85.acme.invalid from 79.246.12.212:443. Received 2 certificate(s), first certificate had names “deichspiel.spdns.de”. Skipping.

What shall I do?

Could you post your log from /var/log/letsencrypt?

Hi,
As a new user in this forum I cannot upload the log. Therefore:

2017-05-09 21:10:34,162:DEBUG:certbot.main:Root logging level set at -20
2017-05-09 21:10:34,169:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-05-09 21:10:34,176:DEBUG:certbot.main:certbot version: 0.10.2
2017-05-09 21:10:34,177:DEBUG:certbot.main:Arguments: ['-vvvv']
2017-05-09 21:10:34,183:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2017-05-09 21:10:34,249:DEBUG:parsedatetime:parse (top of loop): [30 days][]
2017-05-09 21:10:34,285:DEBUG:parsedatetime:CRE_UNITS matched
2017-05-09 21:10:34,291:DEBUG:parsedatetime:parse (bottom) [][30 days][][]
2017-05-09 21:10:34,293:DEBUG:parsedatetime:weekday False, dateStd False, dateStr False, time False, timeStr False, meridian False
2017-05-09 21:10:34,295:DEBUG:parsedatetime:dayStr False, modifier False, modifier2 False, units True, qunits False
2017-05-09 21:10:34,297:DEBUG:parsedatetime:_evalString(30 days, time.struct_time(tm_year=2017, tm_mon=5, tm_mday=9, tm_hour=21, tm_min=10, tm_sec=34, tm_wday=1, tm_yday=129, tm_isdst=0))
2017-05-09 21:10:34,300:DEBUG:parsedatetime:_buildTime: [30 ][][days]
2017-05-09 21:10:34,302:DEBUG:parsedatetime:units days --> realunit days
2017-05-09 21:10:34,304:DEBUG:parsedatetime:return
2017-05-09 21:10:34,306:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2017-05-08 23:42:00 UTC.
2017-05-09 21:10:34,308:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2017-05-09 21:10:34,515:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2017-05-09 21:10:40,733:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.configurator:ApacheConfigurator
Initialized: 
Prep: True
2017-05-09 21:10:40,755:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.configurator:ApacheConfigurator
Initialized: 
Prep: True
2017-05-09 21:10:40,758:DEBUG:certbot.plugins.selection:Selected authenticator  and installer 
2017-05-09 21:10:42,781:DEBUG:certbot.main:Picked account: 
2017-05-09 21:10:42,795:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-05-09 21:10:42,816:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-05-09 21:10:43,226:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 352
2017-05-09 21:10:43,233:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 352
Boulder-Request-Id: boGHVL2JficFtqE6SFLjAS0dSX0IJczYImLtty2YUsQ
Replay-Nonce: 3dsPO2rrOMhGPG-GI95Y9zHOA_GUe4E64TVpjJbHUpc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 09 May 2017 21:10:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 09 May 2017 21:10:43 GMT
Connection: keep-alive

{
  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}
2017-05-09 21:10:43,237:INFO:certbot.main:Renewing an existing certificate
2017-05-09 21:10:43,241:DEBUG:root:Requesting fresh nonce
2017-05-09 21:10:43,243:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
2017-05-09 21:10:43,456:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
2017-05-09 21:10:43,464:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Boulder-Request-Id: TPZRmq_vGNJeO5U-e2650Xt4t2b8paw38innjaNlSGU
Replay-Nonce: UafgSHHt2GJsMceugQUXkyXUA8IF0Xhndkx-VnrUhfM
Expires: Tue, 09 May 2017 21:10:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 09 May 2017 21:10:43 GMT
Connection: keep-alive


2017-05-09 21:10:43,468:DEBUG:acme.client:Storing nonce: UafgSHHt2GJsMceugQUXkyXUA8IF0Xhndkx-VnrUhfM
2017-05-09 21:10:43,480:DEBUG:acme.client:JWS payload:
{
  "identifier": {
    "type": "dns", 
    "value": "deichspiel.spdns.de"
  }, 
  "resource": "new-authz"
}
2017-05-09 21:10:43,591:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
2017-05-09 21:10:43,840:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 201 1007
2017-05-09 21:10:43,850:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1007
Boulder-Request-Id: DkZGRmX_AZCRoTUNFkTRK1MSVg87mkDzIpj7RnSkKeI
Boulder-Requester: 9312764
Link: ;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/wtTgQMHgGiHbCt2QQ3nR31Tu7mOvQtpGAjhWlcnOCmc
Replay-Nonce: DUrk5LIZbTZb5QoIHVe-ScozUT6xmaTE32bfZQTSuXY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 09 May 2017 21:10:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 09 May 2017 21:10:43 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "deichspiel.spdns.de"
  },
  "status": "pending",
  "expires": "2017-05-16T21:10:43.719662435Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/wtTgQMHgGiHbCt2QQ3nR31Tu7mOvQtpGAjhWlcnOCmc/1149885938",
      "token": "gApzWfJWDVyA7UoILBhQE6Bnh4V6jaqja-YaBhbaQaw"
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/wtTgQMHgGiHbCt2QQ3nR31Tu7mOvQtpGAjhWlcnOCmc/1149885940",
      "token": "NW7uUbKosteeMRRwnhiSsKAB_lgoi_IeTF3xk3uqVTk"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/wtTgQMHgGiHbCt2QQ3nR31Tu7mOvQtpGAjhWlcnOCmc/1149885942",
      "token": "aMwr7WhY4CR-GxCk4QV_iBaWHE08nqcQl7KsjAYGFeI"
    }
  ],
  "combinations": [
    [
      2
    ],
    [
      0
    ],
    [
      1
    ]
  ]
}
2017-05-09 21:10:43,854:DEBUG:acme.client:Storing nonce: DUrk5LIZbTZb5QoIHVe-ScozUT6xmaTE32bfZQTSuXY
2017-05-09 21:10:43,864:INFO:certbot.auth_handler:Performing the following challenges:
2017-05-09 21:10:43,867:INFO:certbot.auth_handler:tls-sni-01 challenge for deichspiel.spdns.de
2017-05-09 21:10:52,349:DEBUG:certbot_apache.tls_sni_01:Adding Include /etc/apache2/le_tls_sni_01_cert_challenge.conf to /files/etc/apache2/apache2.conf
2017-05-09 21:10:52,353:DEBUG:certbot_apache.tls_sni_01:writing a config file with text:
 

    ServerName c0b5cb8f5e24209bc382ca7d3258a763.3167574323b220c466a83d0fb59f4766.acme.invalid
    UseCanonicalName on
    SSLStrictSNIVHostCheck on

    LimitRequestBody 1048576

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /var/lib/letsencrypt/NW7uUbKosteeMRRwnhiSsKAB_lgoi_IeTF3xk3uqVTk.crt
    SSLCertificateKeyFile /var/lib/letsencrypt/NW7uUbKosteeMRRwnhiSsKAB_lgoi_IeTF3xk3uqVTk.pem

    DocumentRoot /var/lib/letsencrypt/tls_sni_01_page/




2017-05-09 21:10:52,488:DEBUG:certbot.reverter:Creating backup of /etc/apache2/apache2.conf
2017-05-09 21:10:57,054:INFO:certbot.auth_handler:Waiting for verification...
2017-05-09 21:10:57,058:DEBUG:acme.client:JWS payload:
{
  "keyAuthorization": "NW7uUbKosteeMRRwnhiSsKAB_lgoi_IeTF3xk3uqVTk.LLFygypIhwlKpcm51QiH4lYmkNJbwkaLa28z3q4B7sM", 
  "type": "tls-sni-01", 
  "resource": "challenge"
}
2017-05-09 21:10:57,170:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/wtTgQMHgGiHbCt2QQ3nR31Tu7mOvQtpGAjhWlcnOCmc/1149885940:
2017-05-09 21:10:57,410:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/challenge/wtTgQMHgGiHbCt2QQ3nR31Tu7mOvQtpGAjhWlcnOCmc/1149885940 HTTP/1.1" 202 339
2017-05-09 21:10:57,419:DEBUG:acme.client:Received response:
HTTP 202
Server: nginx
Content-Type: application/json
Content-Length: 339
Boulder-Request-Id: e9QOUZmf9b4Rnzvv3XG4dm-FBad0nxb7EQqZ60ckSUs
Boulder-Requester: 9312764
Link: ;rel="up"
Location: https://acme-v01.api.letsencrypt.org/acme/challenge/wtTgQMHgGiHbCt2QQ3nR31Tu7mOvQtpGAjhWlcnOCmc/1149885940
Replay-Nonce: 9CfdqOAdujYw5VxoU_rgROKqVX_Q8JCVnbA03bNU4IY
Expires: Tue, 09 May 2017 21:10:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 09 May 2017 21:10:57 GMT
Connection: keep-alive

{
  "type": "tls-sni-01",
  "status": "pending",
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/wtTgQMHgGiHbCt2QQ3nR31Tu7mOvQtpGAjhWlcnOCmc/1149885940",
  "token": "NW7uUbKosteeMRRwnhiSsKAB_lgoi_IeTF3xk3uqVTk",
  "keyAuthorization": "NW7uUbKosteeMRRwnhiSsKAB_lgoi_IeTF3xk3uqVTk.LLFygypIhwlKpcm51QiH4lYmkNJbwkaLa28z3q4B7sM"
}
2017-05-09 21:10:57,423:DEBUG:acme.client:Storing nonce: 9CfdqOAdujYw5VxoU_rgROKqVX_Q8JCVnbA03bNU4IY
2017-05-09 21:11:00,432:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/wtTgQMHgGiHbCt2QQ3nR31Tu7mOvQtpGAjhWlcnOCmc.
2017-05-09 21:11:00,649:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/wtTgQMHgGiHbCt2QQ3nR31Tu7mOvQtpGAjhWlcnOCmc HTTP/1.1" 200 1776
2017-05-09 21:11:00,659:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1776
Boulder-Request-Id: aGje3Kyb9lmm_vCElkG_OBpxoPxYd_BXKYBNHOSRCvA
Link: ;rel="next"
Replay-Nonce: lfQM6igoTx_cj1bKKvnKoIV-W-Os53zDeS0GQStV9bw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 09 May 2017 21:11:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 09 May 2017 21:11:00 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "deichspiel.spdns.de"
  },
  "status": "invalid",
  "expires": "2017-05-16T21:10:43Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/wtTgQMHgGiHbCt2QQ3nR31Tu7mOvQtpGAjhWlcnOCmc/1149885938",
      "token": "gApzWfJWDVyA7UoILBhQE6Bnh4V6jaqja-YaBhbaQaw"
    },
    {
      "type": "tls-sni-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:unauthorized",
        "detail": "Incorrect validation certificate for tls-sni-01 challenge. Requested c0b5cb8f5e24209bc382ca7d3258a763.3167574323b220c466a83d0fb59f4766.acme.invalid from 79.246.26.100:443. Received 2 certificate(s), first certificate had names \"deichspiel.spdns.de\"",
        "status": 403
      },
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/wtTgQMHgGiHbCt2QQ3nR31Tu7mOvQtpGAjhWlcnOCmc/1149885940",
      "token": "NW7uUbKosteeMRRwnhiSsKAB_lgoi_IeTF3xk3uqVTk",
      "keyAuthorization": "NW7uUbKosteeMRRwnhiSsKAB_lgoi_IeTF3xk3uqVTk.LLFygypIhwlKpcm51QiH4lYmkNJbwkaLa28z3q4B7sM",
      "validationRecord": [
        {
          "hostname": "deichspiel.spdns.de",
          "port": "443",
          "addressesResolved": [
            "79.246.26.100",
            "2003:89:ce7f:c141:3a10:d5ff:fe32:853d"
          ],
          "addressUsed": "79.246.26.100"
        }
      ]
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/wtTgQMHgGiHbCt2QQ3nR31Tu7mOvQtpGAjhWlcnOCmc/1149885942",
      "token": "aMwr7WhY4CR-GxCk4QV_iBaWHE08nqcQl7KsjAYGFeI"
    }
  ],
  "combinations": [
    [
      2
    ],
    [
      0
    ],
    [
      1
    ]
  ]
}
2017-05-09 21:11:00,673:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: deichspiel.spdns.de
Type:   unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge. Requested c0b5cb8f5e24209bc382ca7d3258a763.3167574323b220c466a83d0fb59f4766.acme.invalid from 79.246.26.100:443. Received 2 certificate(s), first certificate had names "deichspiel.spdns.de"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
2017-05-09 21:11:00,679:INFO:certbot.auth_handler:Cleaning up challenges
2017-05-09 21:11:03,236:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/deichspiel.spdns.de.conf produced an unexpected error: Failed authorization procedure. deichspiel.spdns.de (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested c0b5cb8f5e24209bc382ca7d3258a763.3167574323b220c466a83d0fb59f4766.acme.invalid from 79.246.26.100:443. Received 2 certificate(s), first certificate had names "deichspiel.spdns.de". Skipping.
2017-05-09 21:11:03,249:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 413, in handle_renewal_request
    main.obtain_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 626, in obtain_cert
    action, _ = _auth_from_available(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 103, in _auth_from_available
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 296, in renew_cert
    new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 262, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 77, in get_authorizations
    self._respond(resp, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 134, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 198, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. deichspiel.spdns.de (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested c0b5cb8f5e24209bc382ca7d3258a763.3167574323b220c466a83d0fb59f4766.acme.invalid from 79.246.26.100:443. Received 2 certificate(s), first certificate had names "deichspiel.spdns.de"

2017-05-09 21:11:03,253:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in 
    load_entry_point('certbot==0.10.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 849, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 655, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 430, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

I have no more ideas. Can anybody help?
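
The following is an added example, not code from any poster in this thread or from Certbot: it parses the three tls-sni-01 failure details quoted above and reports what each one shows about the listener that answered on port 443. The function names and regular expressions are assumptions written for this example, matched only against the message wording seen in this thread (IPv4 addresses only).

```python
import re

# Failure details copied from the error reports quoted in this thread.
THREAD_DETAILS = [
    'Incorrect validation certificate for tls-sni-01 challenge. Requested '
    '5c81589bca36d1bee2d7dae9e2208735.93cbb9c844d4a20b03f367a6562ef5fe.acme.invalid '
    'from 79.246.12.212:443. Received 2 certificate(s), first certificate had '
    'names "deichspiel.spdns.de"',
    'Failed to connect to 79.246.12.212:443 for tls-sni-01 challenge: '
    'Server only speaks HTTP, not TLS',
    'Incorrect validation certificate for tls-sni-01 challenge. Requested '
    'c0b5cb8f5e24209bc382ca7d3258a763.3167574323b220c466a83d0fb59f4766.acme.invalid '
    'from 79.246.26.100:443. Received 2 certificate(s), first certificate had '
    'names "deichspiel.spdns.de"',
]

IPV4 = r'(?P<ip>\d+(?:\.\d+){3}):(?P<port>\d+)'
# Straight or typographic quotes may surround the name list.
WRONG_CERT = re.compile(
    r'Requested (?P<sni>[0-9a-f]{32}\.[0-9a-f]{32}\.acme\.invalid) from ' + IPV4 +
    r'\. Received \d+ certificate\(s\), first certificate had names '
    r'["\u201c](?P<names>[^"\u201d]*)["\u201d]')
PLAIN_HTTP = re.compile(
    r'Failed to connect to ' + IPV4 +
    r' for tls-sni-01 challenge: Server only speaks HTTP, not TLS')


def parse_detail(detail):
    """Classify one tls-sni-01 failure detail string from the ACME server."""
    m = WRONG_CERT.search(detail)
    if m:
        names = [n.strip() for n in m.group('names').split(',') if n.strip()]
        return {'kind': 'wrong_certificate', 'ip': m.group('ip'),
                'port': int(m.group('port')), 'requested_sni': m.group('sni'),
                'served_names': names,
                # True only if the challenge name is on the certificate served.
                'challenge_cert_served': m.group('sni') in names}
    m = PLAIN_HTTP.search(detail)
    if m:
        return {'kind': 'plain_http_on_tls_port', 'ip': m.group('ip'),
                'port': int(m.group('port'))}
    return {'kind': 'unrecognised'}


def triage(details):
    """Return one finding per recognised failure, plus a note on address drift."""
    findings, seen_ips = [], []
    for d in map(parse_detail, details):
        if d['kind'] == 'wrong_certificate' and not d['challenge_cert_served']:
            findings.append('%s:%d answered SNI %s with a certificate for %s, '
                            'not the challenge certificate'
                            % (d['ip'], d['port'], d['requested_sni'],
                               ', '.join(d['served_names'])))
        elif d['kind'] == 'plain_http_on_tls_port':
            findings.append('%s:%d answered in cleartext HTTP; the listener on '
                            'that port is not doing TLS' % (d['ip'], d['port']))
        if d.get('ip') and d['ip'] not in seen_ips:
            seen_ips.append(d['ip'])
    if len(seen_ips) > 1:
        findings.append('validation reached different addresses across attempts: '
                        + ', '.join(seen_ips))
    return findings


if __name__ == '__main__':
    for finding in triage(THREAD_DETAILS):
        print(finding)
```
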
