Certbot run - Incorrect validation certificate for tls-sni-01 challenge

danclayton · June 9, 2017, 9:56am

I have tried to add a new domain to my server (Debian VPS), the authentification said it failed, but I have a working certificate that works when configured in Apache manually.
I ran Certbot run initially and then have run certbot renew --dry-run to test.

Attempting to renew cert from /etc/letsencrypt/renewal/www.preopmadesimple.com.conf produced an unexpected error: Failed authorization procedure. www.preopmadesimple.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested a27ab1e6961312aa824a0a45ab361b5c.583edf775d3952b6f0fdb292c207901d.acme.invalid from 130.255.76.83:443. Received 2 certificate(s), first certificate had names “legendshockeycamps.co.uk, www.legendshockeycamps.co.uk.co.uk”,preopmadesimple.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 7d68f3edf53e247305edd3b6ec9c97ac.1adbed780d3e52bcb28f789a7cf0f424.acme.invalid from 130.255.76.83:443. Received 2 certificate(s), first certificate had names “legendshockeycamps.co.uk, www.legendshockeycamps.co.uk”. Skipping.

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: www.preopmadesimple.com
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
a27ab1e6961312aa824a0a45ab361b5c.583edf775d3952b6f0fdb292c207901d.acme.invalid
from 130.255.76.83:443. Received 2 certificate(s), first
certificate had names “legendshockeycamps.co.uk,
www.legendshockeycamps.co.uk”

Domain: preopmadesimple.com
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
7d68f3edf53e247305edd3b6ec9c97ac.1adbed780d3e52bcb28f789a7cf0f424.acme.invalid
from 130.255.76.83:443. Received 2 certificate(s), first
certificate had names “legendshockeycamps.co.uk.co.uk,
www.legendshockeycamps.co.uk”

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.

I would like to continue with auto certbot as it is very useful!

rg305 · June 9, 2017, 2:37pm

This is most likely an IPv4/IPv6 issue.
But without the domain name there is now way to be sure.

My best guess is…

Try resolving your domain with global DNS system.
If they return IPv6 addresses, then you must either:

ensure IPv6 is supported on your system
or
remove the IPv6 IP form DNS.

schoen · June 9, 2017, 6:31pm

I have a post about the most common reasons for this problem at

schoen · June 9, 2017, 6:33pm

@rg305, even though IPv6 issues have been quite an epidemic recently, I don’t think they’re likely to blame here because the resolved IP address was 130.255.76.83—a working IPv4 address.

danclayton · June 11, 2017, 5:15pm

@rg305 , @schoen
The domains are preopmadesimple.com and legendshockeycamps.com (with www equivalents).

Preopmadesimple.com was set up first, I was trying to add the other. But now, when I try to add domains it says first certificate had names legendshockeycamps.co.uk …

The DNS is all okay I am mostly sure.

rg305 · June 11, 2017, 11:29pm

legendshockeycamps.com: Non-existent domain
www.legendshockeycamps.com: Non-existent domain

Can you elaborate on [quote="danclayton, post:5, topic:35821"]
But now, when I try to add domains it says first certificate had names legendshockeycamps.co.uk ...
[/quote]

Both sites (preopmadesimple.com & legendshockeycamps.co.uk) are up and appear to be serving their own certificates correctly.

danclayton · June 12, 2017, 9:01am

@rg305

Many apologies, I meant legendshockeycamps.co.uk

The certificates are functioning currently, however, the error trace above shows the result of: certbot renew --dry-run

rg305 · June 12, 2017, 9:14am

Not sure why but the request on that IP using SNI returns the correct cert:
subject=/CN=www.preopmadesimple.com
issuer=/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3

However, without SNI it does return the cert shown in the error message above:
subject=/CN=www.legendshockeycamps.co.uk
issuer=/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3

So, it would seem that the TLS-SNI challenge is failing to correctly request the SNI.

system · July 12, 2017, 9:15am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Incorrect validation certificate for tls-sni-01 challenge again and again Help	14	3199	September 2, 2017
Certbot - TLS-SNI Apache Challenge Doesn't Pass - Alternatives Help	14	2929	June 29, 2017
Certbot fails for subdomain - TLS-SNI-01 challenge receives wrong certificate Help	7	1919	February 5, 2018
Incorrect validation certificate for tls-sni-01 challenge. certbox --apache -d Help	6	1619	September 19, 2017
Certbot - Expected Certificate different from what presented - TLS-SNI challenge Help	4	1212	July 12, 2017

Certbot run - Incorrect validation certificate for tls-sni-01 challenge

Related topics