Certbot run - Incorrect validation certificate for tls-sni-01 challenge

I have tried to add a new domain to my server (Debian VPS); the authentication said it failed, but I have a working certificate that works when configured in Apache manually.
I ran certbot run initially and then have run certbot renew --dry-run to test.

Attempting to renew cert from /etc/letsencrypt/renewal/www.preopmadesimple.com.conf produced an unexpected error: Failed authorization procedure. www.preopmadesimple.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested a27ab1e6961312aa824a0a45ab361b5c.583edf775d3952b6f0fdb292c207901d.acme.invalid from 130.255.76.83:443. Received 2 certificate(s), first certificate had names "legendshockeycamps.co.uk, www.legendshockeycamps.co.uk", preopmadesimple.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 7d68f3edf53e247305edd3b6ec9c97ac.1adbed780d3e52bcb28f789a7cf0f424.acme.invalid from 130.255.76.83:443. Received 2 certificate(s), first certificate had names "legendshockeycamps.co.uk, www.legendshockeycamps.co.uk". Skipping.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.preopmadesimple.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    a27ab1e6961312aa824a0a45ab361b5c.583edf775d3952b6f0fdb292c207901d.acme.invalid
    from 130.255.76.83:443. Received 2 certificate(s), first
    certificate had names "legendshockeycamps.co.uk,
    www.legendshockeycamps.co.uk"

    Domain: preopmadesimple.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    7d68f3edf53e247305edd3b6ec9c97ac.1adbed780d3e52bcb28f789a7cf0f424.acme.invalid
    from 130.255.76.83:443. Received 2 certificate(s), first
    certificate had names "legendshockeycamps.co.uk,
    www.legendshockeycamps.co.uk"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

I would like to continue with auto certbot as it is very useful!

This is most likely an IPv4/IPv6 issue.
But without the domain name there is no way to be sure.

My best guess is…

Try resolving your domain with global DNS system.
If they return IPv6 addresses, then you must either:

  1. ensure IPv6 is supported on your system
    or
  2. remove the IPv6 IP from DNS.

I have a post about the most common reasons for this problem at

@rg305, even though IPv6 issues have been quite an epidemic recently, I don’t think they’re likely to blame here because the resolved IP address was 130.255.76.83—a working IPv4 address.

@rg305 , @schoen
The domains are preopmadesimple.com and legendshockeycamps.com (with www equivalents).

Preopmadesimple.com was set up first, I was trying to add the other. But now, when I try to add domains it says first certificate had names legendshockeycamps.co.uk

The DNS is all okay I am mostly sure.


legendshockeycamps.com: Non-existent domain
www.legendshockeycamps.com: Non-existent domain

Can you elaborate on this (quoting danclayton above)?

    But now, when I try to add domains it says first certificate had names legendshockeycamps.co.uk

Both sites (preopmadesimple.com & legendshockeycamps.co.uk) are up and appear to be serving their own certificates correctly.

@rg305

Many apologies, I meant legendshockeycamps.co.uk

The certificates are functioning currently, however, the error trace above shows the result of: certbot renew --dry-run

Not sure why but the request on that IP using SNI returns the correct cert:
subject=/CN=www.preopmadesimple.com
issuer=/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3

However, without SNI it does return the cert shown in the error message above:
subject=/CN=www.legendshockeycamps.co.uk
issuer=/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3

So, it would seem that the TLS-SNI challenge is failing to correctly request the SNI.
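The check described in the reply above (which certificate the server presents with and without SNI) and the rule the CA applied to produce the "Incorrect validation certificate" error, as an added script that is not part of the original thread. The host, port and names in the usage comment are assumptions taken from the error text; the `-noservername` detection assumes OpenSSL 1.1.1 or later (older `s_client` builds send no SNI unless `-servername` is given).

```shell
#!/bin/sh
# Added example (not from the thread). Reproduces the SNI/no-SNI probe and
# the tls-sni-01 name check. Only the live probe needs network access.

# Fetch what the server presents. A non-empty third argument is sent as the
# SNI name; an empty one means "send no SNI at all".
probe_cert() {
  host=$1 port=$2 sni=$3
  if [ -n "$sni" ]; then
    printf '' | openssl s_client -connect "$host:$port" -servername "$sni" 2>/dev/null
  else
    # -noservername exists from OpenSSL 1.1.1 on (assumption); older
    # s_client versions omit SNI when -servername is absent.
    if openssl s_client -help 2>&1 | grep -q -- '-noservername'; then
      nosni=-noservername
    else
      nosni=
    fi
    printf '' | openssl s_client -connect "$host:$port" $nosni 2>/dev/null
  fi
}

# Extract the CN from the "subject=" line of s_client output on stdin.
# Handles both the old slash form (subject=/CN=x) and the newer comma form
# (subject=C = US, O = ..., CN = x).
subject_cn() {
  sed -n 's|^subject=.*CN *= *\([^,/]*\).*|\1|p' | head -n 1 | sed 's/[[:space:]]*$//'
}

# The rule the CA applies for tls-sni-01: the requested
# <hex32>.<hex32>.acme.invalid name must be among the names of the presented
# certificate. $1 = requested name, $2 = comma-separated presented names.
# Returns 0 when the validation would pass, 1 when it would fail.
validation_ok() {
  requested=$1 names=$2
  printf '%s\n' "$names" | tr ',' '\n' \
    | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
    | grep -qixF -- "$requested"
}

# Usage (values are assumptions): sh sni-check.sh 130.255.76.83 443 www.preopmadesimple.com
main() {
  host=$1 port=${2:-443} sni=$3
  echo "with SNI ($sni): $(probe_cert "$host" "$port" "$sni" | subject_cn)"
  echo "without SNI:     $(probe_cert "$host" "$port" "" | subject_cn)"
}

# Run the live probe only when invoked with arguments, so the functions can
# be sourced and exercised offline.
if [ $# -ge 1 ]; then
  main "$@"
fi
```

If the two lines printed by `main` differ, the server is choosing the virtual host from SNI. Apache answers a request with no SNI (or with an unknown SNI name) using the first virtual host defined for that address and port, which is why the no-SNI probe shows the legendshockeycamps.co.uk certificate; the CA's validator, however, connects with the `*.acme.invalid` name as SNI and only passes when the certificate it receives carries that exact name, which `validation_ok` checks.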
