Certbot TLS-SNI-01 : Not able to renew certificates

We receive the following error when trying to renew our certificate: Failed authorization procedure. www.chosting.dk (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested c65ca024f0e479656d0c24eb2a0d3a45.d5ef27b213f8c18a17270810a745afee.acme.invalid from 109.237.26.164:443. Received 2 certificate(s), first certificate had names “chosting.dk, www.chosting.dk

The renewal of our certificates has been running as a cron job for more than a year now, and this is the first time it’s causing issues.

Does anybody know why it stopped working?

Hi @DennisHermannsen,

It looks to me like you ACME client is initiating a TLS-SNI-01 challenge but when the CA performs the challenge request the response server on your end is giving back the wrong certificate (a normal cert for your website instead of the special TLS-SNI-01 challenge response certificate).

Can you please fill out the questions that are part of the Help area’s new topic template? It won’t be possible to help you without knowing more about your setup:

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

My domain is: chosting.dk

I ran this command: /root/certbot/certbot-auto renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/dev.chosting.dk-0001.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/chosting.dk-0001.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/chosting.dk.conf

Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for chosting.dk
tls-sni-01 challenge for www.chosting.dk
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/chosting.dk.conf produced an unexpected error: Failed authorization procedure. www.chosting.dk (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested e042136ee4070c133cb2d251d6a33a7d.1bb6e1ac807cf182c846a7a41f1bd657.acme.invalid from 109.237.26.164:443. Received 2 certificate(s), first certificate had names "chosting.dk, www.chosting.dk". Skipping.


Processing /etc/letsencrypt/renewal/dev.chosting.dk.conf

Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/dev.chosting.dk-0001/fullchain.pem (skipped)
/etc/letsencrypt/live/chosting.dk-0001/fullchain.pem (skipped)
/etc/letsencrypt/live/dev.chosting.dk/fullchain.pem (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/chosting.dk/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: www.chosting.dk
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
e042136ee4070c133cb2d251d6a33a7d.1bb6e1ac807cf182c846a7a41f1bd657.acme.invalid
from 109.237.26.164:443. Received 2 certificate(s), first
certificate had names "chosting.dk, www.chosting.dk"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version): Apache/2.2.22

The operating system my web server runs on is (include version): Debian 7

My hosting provider, if applicable, is: Hosted on a VPS from Linode

I can login to a root shell on my machine: Yes

I'm using a control panel to manage my site: No

Hi @DennisHermannsen,

Could you post the associated log file from /var/log/letsencrypt?

Sure, see here: https://pastebin.com/hR9UCCEg

Thanks for sharing the log file.

So, you were running Certbot directly on the web server at 109.237.26.164 that hosts your site?

@bmw, any idea why Certbot was unable to configure Apache to serve the challenge certificate? It looks like it did something relatively reasonable and then I think Apache didn’t seem to know about the challenge when it was verified.

Yes, I was running it from the web server. We’ve had the website hosted with Linode on that IP for years and no changes have been made for a while.
På 17-07-2017 21:50:33, Seth Schoen letsencrypt@discoursemail.com skrev:
schoen [https://community.letsencrypt.org/u/schoen] Certbot engineer / EFF
July 17
Thanks for sharing the log file.
So, you were running Certbot directly on the web server at 109.237.26.164 that hosts your site?
@bmw [https://community.letsencrypt.org/u/bmw], any idea why Certbot was unable to configure Apache to serve the challenge certificate? It looks like it did something relatively reasonable and then I think Apache didn’t seem to know about the challenge when it was verified.
Visit Topic [Certbot TLS-SNI-01 : Not able to renew certificates] or reply to this email to respond.
In Reply To
DennisHermannsen [https://community.letsencrypt.org/u/dennishermannsen]
July 17
Sure, see here: https://pastebin.com/hR9UCCEg [https://pastebin.com/hR9UCCEg]
Visit Topic [Certbot TLS-SNI-01 : Not able to renew certificates] or reply to this email to respond.
To unsubscribe from these emails, click here [https://community.letsencrypt.org/email/unsubscribe/14786d8b1ed6ea035e515b18853b4df7cba1035709c381b620c5f28c6685731e].

Looking at the log file, it looks like Certbot is setting up the temporary virtual host necessary to complete the challenge for www.chosting.dk like this:

<VirtualHost 127.0.0.1:443>
...

It’s basing this off of what it believes to the vhost for www.chosting.dk. Do you have a similar vhost (probably for a different port) with a ServerName or ServerAlias of www.chosting.dk? If you’re able to do so, removing this directive should solve the problem.

Do you have a similar vhost (probably for a different port) with a ServerName or ServerAlias of www.chosting.dk?

I'm fairly certain that I don't. Here's the configured vhosts:

root@server:~# apachectl -S
VirtualHost configuration:
127.0.0.1:80           dev.chosting.dk (/etc/apache2/sites-enabled/chosting.apache:2)
wildcard NameVirtualHosts and _default_ servers:
*:443                  is a NameVirtualHost
         default server chosting.dk (/etc/apache2/sites-enabled/chosting.apache:97)
         port 443 namevhost chosting.dk (/etc/apache2/sites-enabled/chosting.apache:97)
         port 443 namevhost dev.chosting.dk (/etc/apache2/sites-enabled/dev.chosting.dk-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server chosting.dk (/etc/apache2/sites-enabled/chosting.apache:28)
         port 80 namevhost chosting.dk (/etc/apache2/sites-enabled/chosting.apache:28)
         port 80 namevhost dev.chosting.dk (/etc/apache2/sites-enabled/chosting.apache:66)

Anyone got an idea? The certificate will expire today.

I’ve got the same problem (also on a Linode VPS). Been trying to solve it for days now.

Got my SSL Certs working.

  • Didn’t really fix it through Certbot however (or with adding the files in the “.well-know/acme-challenge” folder ). Didn’t know if it was a 443 port problem, IPV4 vs IPV6, or reading the file as HTML instead of as a txt file. If you get it working, let us know what the problem was.

I was able to get the SSL Certs by using the “Manual Verification (DNS)” method of adding the TXT record in the DNS Manager in Linode. It takes a while (ie few hours) before it propagates so keep the page open (ie https://www.sslforfree.com/create?domains=example.com) and keep verifying the for the DNS TXT record until it’s updated.

Have not found any forums that addresses the problems with installing LetsEcrypt SSL Certs specifically on Linode, so hopefully this helps other people having issues.

It seems that I was also able to create the certificate using ./certbot-auto --manual --preferred-challenges dns certonly

Please note that certbot renew is not able to renew certificates obtained this way. It will ignore them with an error about the inability to perform a manual process automatically.

Well, I was desperate. Certificate was expiring in a few hours, and it didn’t seem like anyone had any idea why it wasn’t able to renew the certficate. I might try my luck by doing everything from scratch again.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.