Certbot unable to validate certs on ip6

My domains are: [ https://bubblin.io, https://bookiza.io, https://bubbl.in ]

The first two domains are actual websites while the third one maps and redirects to the first domain name.

I ran this command:

$ curl -i6 http://bubblin.io

It produced this output:

301 Moved Permanently

Then I ran the following command:

$ curl -i6 https://bubblin.io

It produced the following output:

curl: (51) SSL: no alternative certificate subject name matches target host name 'bubblin.io'

Then I ran the following command:

$ sudo certbot --nginx

Output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: bookiza.io
2: www.bookiza.io
3: bubbl.in
4: www.bubbl.in
5: bubblin.io
6: www.bubblin.io
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): [ Return ]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/bookiza.io.conf)

It contains these names: bookiza.io, www.bookiza.io

You requested these names for the new certificate: bookiza.io, www.bookiza.io,
bubbl.in, www.bubbl.in, bubblin.io, www.bubblin.io.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for bookiza.io
tls-sni-01 challenge for bubbl.in
http-01 challenge for www.bookiza.io
tls-sni-01 challenge for www.bubbl.in
tls-sni-01 challenge for bubblin.io
tls-sni-01 challenge for www.bubblin.io
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.bubblin.io (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested d657e901b0a5ab5c1e8ba64ea86c0394.5b33ba0638c2529b49326bec5d52093d.acme.invalid from [2600:3c00::f03c:91ff:fe56:3901]:443. Received 2 certificate(s), first certificate had names "bookiza.io, www.bookiza.io", bubblin.io (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 160d633f9b58a362e55e2bb7c92cbd1c.95df9f1d947b66e6131106db1ef890ab.acme.invalid from [2600:3c00::f03c:91ff:fe56:3901]:443. Received 2 certificate(s), first certificate had names "bookiza.io, www.bookiza.io"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.bubblin.io
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   d657e901b0a5ab5c1e8ba64ea86c0394.5b33ba0638c2529b49326bec5d52093d.acme.invalid
   from [2600:3c00::f03c:91ff:fe56:3901]:443. Received 2
   certificate(s), first certificate had names "bookiza.io,
   www.bookiza.io"

   Domain: bubblin.io
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   160d633f9b58a362e55e2bb7c92cbd1c.95df9f1d947b66e6131106db1ef890ab.acme.invalid
   from [2600:3c00::f03c:91ff:fe56:3901]:443. Received 2
   certificate(s), first certificate had names "bookiza.io,
   www.bookiza.io"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): nginx

The operating system my web server runs on is (include version): Ubuntu 16.04.5 LTS

My hosting provider, if applicable, is: Linode.com

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Linode DNS Manager

Hi @marvindanig

The tls-sni-01 challenge is deprecated and isn't allowed with new domains. So try to use

sudo certbot --nginx --preferred-challenges http

1 Like

Awesome! Certbot has been able to install the certs correctly, thanks! How do I update the local installation of certbot to make sure it is able to handle autorenewals correctly?

1 Like

If I understand it correctly, certbot updates the configuration file. Check the file under

/etc/letsencrypt/renewal/CERTNAME

You can find your active certificates with

certbot certificates

There you see the certificate name.

2 Likes
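As an added example (not from the thread, and not Certbot's own tooling), a POSIX sh audit of the renewal configs mentioned above: it reports any config under /etc/letsencrypt/renewal that still prefers the deprecated tls-sni-01 challenge, so a later automatic renewal would fail the same way the first post shows. It assumes the key is "pref_challs" in the [renewalparams] section; the sample configs it creates are constructed, not copied from the poster's host.

```shell
#!/bin/sh
# Audit certbot renewal configs for a tls-sni-01 preference.
# Assumption: certbot stores the challenge preference as "pref_challs" in
# the [renewalparams] section of /etc/letsencrypt/renewal/CERTNAME.conf.

# Print the pref_challs value of one renewal config (empty if absent).
renewal_pref_challs() {
    sed -n 's/^pref_challs *= *//p' "$1" | tr -d ' '
}

# Succeed (exit 0) when the config still prefers the deprecated tls-sni-01.
prefers_tls_sni() {
    case "$(renewal_pref_challs "$1")" in
        *tls-sni-01*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Print only the number of configs in a directory that need fixing.
count_tls_sni_prefs() {
    bad=0
    for conf in "$1"/*.conf; do
        [ -e "$conf" ] || continue
        if prefers_tls_sni "$conf"; then bad=$((bad + 1)); fi
    done
    echo "$bad"
}

# Human-readable report, one line per config, with the suggested fix.
audit_renewal_dir() {
    for conf in "$1"/*.conf; do
        [ -e "$conf" ] || continue
        name=$(basename "$conf" .conf)
        if prefers_tls_sni "$conf"; then
            echo "FIX $name: re-run 'certbot --nginx --preferred-challenges http' for its names"
        else
            echo "OK  $name: pref_challs='$(renewal_pref_challs "$conf")'"
        fi
    done
}

# Constructed sample renewal directory (two minimal configs) for offline use.
make_demo_dir() {
    d=$(mktemp -d)
    printf '[renewalparams]\nauthenticator = nginx\ninstaller = nginx\npref_challs = tls-sni-01,\n' > "$d/bubblin.io.conf"
    printf '[renewalparams]\nauthenticator = nginx\ninstaller = nginx\npref_challs = http-01,\n' > "$d/bookiza.io.conf"
    echo "$d"
}

# Usage on a real host: audit_renewal_dir /etc/letsencrypt/renewal
```

Running `audit_renewal_dir "$(make_demo_dir)"` prints a FIX line for bubblin.io and an OK line for bookiza.io.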

Per my knowledge, Certbot using TLS-SNI-01 on this domain is permitted, and the failure is not because that challenge is disabled (otherwise it would return "Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA."). The failure is because certbot is not able to modify the virtual host config that "set the invalid certificate before the working certificate to perform the authentication".

Thank you

3 Likes

@JuergenAuer, @stevenzhu’s interpretation is correct here. Still, your advice is helpful because it commonly works around various bugs (sometimes in older versions of Certbot) for which there is no longer quite as much incentive (or opportunity!) to diagnose or fix due to the TLS-SNI-01 deprecation.

2 Likes
