Certbot - TLS-SNI Challenge Fails Due to IPv4 and IPv6 Addresses Being Fielded by Different Servers

Please fill out the fields below so we can help you better.

My domain is: support.pynso.io

I ran this command: certbot --apache

It produced this output:

Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for support.pynso.io
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. support.pynso.io (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 00305081fb79cf33698be2967bfe98fb.f16ebf915b6eaa6c37e7db4ec26248d3.acme.invalid from [2607:f0d0:1102:8d:24::1d]:443. Received 3 certificate(s), first certificate had names “XXXXXX.es, www.XXXXXX.es

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: support.pynso.io
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    00305081fb79cf33698be2967bfe98fb.f16ebf915b6eaa6c37e7db4ec26248d3.acme.invalid
    from [2607:f0d0:1102:8d:24::1d]:443. Received 3 certificate(s),
    first certificate had names “XXXXXX.es, www.XXXXXX.es

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

My comments on the error:

The DNS A record is pointing to the right IP address:

dig support.pynso.io

; <<>> DiG 9.10.3-P4-Ubuntu <<>> support.pynso.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57704
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;support.pynso.io. IN A

;; ANSWER SECTION:
support.pynso.io. 3599 IN A 83.47.70.211

The domain mentioned by the error (Received 3 certificate(s), first certificate had names) is located on a server where the DNS is hosted; it's a completely different IP.

Can’t see what I’m doing wrong.

My web server is (include version): Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04 LTS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I think the problem might be related to not having the Apache server listening on port 80. It's only answering on 443. Could this be it?

Hi @javinievas,

Take a look at this announcement: Preferring IPv6 for challenge validation of dual-homed hosts

In summary, your domain has two IPs, one for IPv4 and one for IPv6. You have an Apache on IPv4 and an nginx on IPv6. Let's Encrypt is trying to validate your domain over IPv6 (nginx).

Cheers,
sahsanu


Just following on from this:

You can fix this either by disabling the IPv6 record temporarily or by passing the challenge on your NGINX server.

Another option is to use the DNS Challenge.

Andrei
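To make the dual-stack mismatch sahsanu describes visible before running certbot, and to confirm that the IPv6 side really serves the name after applying Andrei's fix, here is an added pre-flight check (not from the thread, not part of certbot). It resolves both A and AAAA records, connects to each address with the name as SNI, and reports which addresses serve a certificate for that name; it needs only the Python 3 standard library, and the addresses and names in the constructed sample are the ones quoted in the thread.

```python
import socket
import ssl
from typing import Dict, List, Optional, Tuple


def resolve_dual_stack(name: str, port: int = 443) -> List[Tuple[int, str]]:
    """All (address family, address) pairs behind `name`: both A and AAAA records."""
    pairs: List[Tuple[int, str]] = []
    for family, _t, _p, _c, sockaddr in socket.getaddrinfo(name, port, type=socket.SOCK_STREAM):
        if (family, sockaddr[0]) not in pairs:
            pairs.append((family, sockaddr[0]))
    return pairs


def san_names(cert: dict) -> List[str]:
    """DNS names from a certificate dict as returned by SSLSocket.getpeercert()."""
    return sorted(value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS")


def covers(names: List[str], name: str) -> bool:
    """True if `name` is listed literally or matched by a single-label wildcard entry."""
    parent = name.split(".", 1)[1] if "." in name else ""
    return any(n == name or (n.startswith("*.") and n[2:] == parent) for n in names)


def fetch_served_names(name: str, family: int, address: str, port: int = 443) -> Optional[List[str]]:
    """Open TLS to one address with `name` as SNI and return the DNS SANs it serves.
    Hostname checking is off because we want to see a *wrong* certificate; chain validation
    stays on, so an untrusted or unreachable endpoint yields None instead of raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with socket.socket(family, socket.SOCK_STREAM) as raw:
            raw.settimeout(5)
            raw.connect((address, port))
            with ctx.wrap_socket(raw, server_hostname=name) as tls:
                return san_names(tls.getpeercert())
    except (OSError, ssl.SSLError):
        return None


def audit(name: str, served: Dict[str, Optional[List[str]]]) -> Dict[str, List[str]]:
    """Classify each address: serves `name`, serves some other host, or unavailable."""
    report: Dict[str, List[str]] = {"ok": [], "wrong_host": [], "unavailable": []}
    for address, names in served.items():
        bucket = "unavailable" if names is None else ("ok" if covers(names, name) else "wrong_host")
        report[bucket].append(address)
    return report


if __name__ == "__main__":
    target = "support.pynso.io"  # name from the thread; substitute your own
    observed = {addr: fetch_served_names(target, fam, addr) for fam, addr in resolve_dual_stack(target)}
    for bucket, addresses in audit(target, observed).items():
        print(f"{bucket:12s} {addresses}")
```

Any address in `wrong_host` is a server the validator may reach first (IPv6 is preferred), so either that server must answer the challenge too or the AAAA record must go until the certificate is issued.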
