Certbot unauthorized

Hello.
I have two servers with Debian Jessie and Apache. One server is in production, and I used certbot to get its certificate. The other is for development, and I used the first version of letsencrypt to get its certificate.

Now, on the development server, I deleted the old certificate and tried to make a new one.

I have an issue that I can't solve; I've read thousands of discussions, but none of them works.

This is the response I get when I try:
Domain: www.domain.com Type: unauthorized Detail: Incorrect validation certificate for tls-sni-01 challenge. Requested xxx.xxx.acme.invalid from [xxx:xxx:xxx:xxx::x]:443. Received 2 certificate(s), first certificate had names "domain.com, www.domain.com"

I am trying to get a certificate for dev.domain.com.

Can someone help me?
Thanks in advance

Sounds like when you try to authorise the dev site, Let’s Encrypt connects to the live site instead. Are you sure you’ve got your DNS properly configured?

Yes, if I ping them I get different IPs. Do you know a better test to do?

It’s not a question of testing, it’s a question of setting the correct DNS records :stuck_out_tongue: If you’ve just updated them, you are probably going to have to wait for the new records to propagate through the DNS system. That can often take up to 24 hours.

Thanks kitserve, but there was no update. I haven't changed the DNS for years :slight_smile: I had this problem today when I deleted the old working certificate and tried to make a new one :frowning:

You’re going to have to explain this further. What exactly did you do, what happened, and what did you expect to happen?

I'll try to reproduce step by step what I've done:

  1. my certificate on the development server had expired
  2. I tried to renew it but got some errors (it was made with the first version of letsencrypt)
  3. I updated letsencrypt
  4. I erased the old certificates
  5. I ran certbot --apache -d dev.domain.com
  6. certbot says "Incorrect validation certificate for tls-sni-01 challenge…"
  7. now I can't work :slight_smile:

This advice is usually true for web development, but it is a misconception when applied to Let's Encrypt. Unlike a web browser, Let's Encrypt never relies on DNS caching; it always goes directly to the authoritative DNS server and gets the most recent version of the DNS records. So, DNS record propagation is not a factor in Let's Encrypt certificate issuance.

There can still be cases where you ask a provider to make DNS changes and they take some time to make the changes (because a human being is applying them or because a script only performs the changes once per hour or something), but these aren't the situations that people are usually referring to when they mention DNS propagation.

My DNS entries are OK, development and production are on different IPs, and the system worked until yesterday.
I don't know how to manage this issue.
The mysterious thing is that I have another website with dev/prod on two different servers, and there I don't have any problems. Same procedure, different results.

The error that you see indicates that Certbot thought it reconfigured your Apache to pass the challenge by serving custom certificates, but nonetheless when the CA connected to verify this, it found a web server that didn’t know about those custom certificates. There are many potential reasons for this, including not running Certbot on the right server, having a middlebox that actually terminates TLS (like a CDN or firewall that has a valid certificate for the site), running an additional web server or reverse proxy that actually terminates TLS, or having an Apache configuration that Certbot can’t parse but thinks that it can.

Maybe you can take a look at your Apache logs to make sure that the connection from the CA was actually received by your Apache, and also whether Certbot successfully made it reload its configuration right before that point.
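The two checks suggested in the replies above (the authoritative-DNS point and the "what did the CA actually connect to" point), as an added diagnostic that is not part of this thread, of Certbot or of Let's Encrypt's tooling. Section 1 asks the zone's own name servers rather than the local resolver, which is what the validator does, and asks for both A and AAAA records: the error message in the first post shows the validator connecting to an IPv6 address, and the validator prefers the AAAA record when one exists, so a ping over IPv4 does not tell you which machine it reached. Section 2 reproduces what the tls-sni-01 validator saw: it opens a TLS connection with the challenge hostname as SNI and lists the DNS names in the certificate that comes back. A bare TLS handshake with no HTTP request leaves no Apache access-log line, so this active probe is more telling than the access log. `dev.domain.com`, `domain.com` and `xxx.xxx.acme.invalid` are the placeholders from the thread; `dig` and `openssl` on the PATH and port 443 are assumptions. The tls-sni-01 challenge has since been retired by Let's Encrypt, but the same probe shows which certificate a server selects for any SNI name, which is the underlying question whenever a middlebox, second web server or unparsed vhost answers in Apache's place.

```shell
#!/bin/sh
# Added diagnostic for the situation in this thread (not code from the thread,
# from Certbot or from Let's Encrypt). Assumes dig and openssl are installed
# and that the site is served on port 443.

# Section 1: authoritative DNS. For every name server of ZONE, query NAME for
# A and AAAA records directly, bypassing caching resolvers the way the CA does.
# Output: one "<nameserver> <type> <address>" line per answer.
authoritative_records() {
  name=$1   # e.g. dev.domain.com (placeholder from the thread)
  zone=$2   # e.g. domain.com
  for ns in $(dig +short NS "$zone"); do
    for type in A AAAA; do
      for addr in $(dig +short +norecurse "@$ns" "$name" "$type"); do
        printf '%s %s %s\n' "$ns" "$type" "$addr"
      done
    done
  done
}

# Section 2: which certificate does HOST hand out when the client sends SNI?
# This is the view the tls-sni-01 validator had: connect, send the challenge
# hostname as server_name, read back the certificate's DNS names.
served_cert_names() {
  host=$1   # address or hostname to connect to
  sni=$2    # server_name to send, e.g. xxx.xxx.acme.invalid
  openssl s_client -connect "$host:443" -servername "$sni" </dev/null 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null \
    | san_names
}

# Pure helper: extract DNS names from the Subject Alternative Name extension
# in `openssl x509 -text` output on stdin; prints one name per line.
san_names() {
  sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Pure helper: exit 0 if NAME is one of the lines on stdin, 1 otherwise.
has_name() {
  grep -qxF "$1"
}

# Usage with the thread's placeholders (adjust to your own hostnames):
#   authoritative_records dev.domain.com domain.com
#   served_cert_names dev.domain.com xxx.xxx.acme.invalid | has_name xxx.xxx.acme.invalid \
#     && echo "challenge certificate is being served" \
#     || echo "another certificate answered: the thread's 'unauthorized' case"
```

If section 1 returns an AAAA address that belongs to the production box while the A record points at the development box, the validator's IPv6 connection lands on production and sees the "domain.com, www.domain.com" certificate from the error message, exactly as reported. If both records point at the development box and section 2 still returns the site's normal names instead of the acme.invalid name, whatever terminates TLS on that address is not the Apache instance Certbot reconfigured.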

That’s interesting to learn, thanks!

Is it possible that you deleted the certificate that you use for authorization?

A wild guess…

Yes, I have deleted it.
When I try to reinstall, I get a "Certificate name mismatch" error.
I used https://www.ssllabs.com/ssltest/analyze.html to check, and I get this error.

So it's technically my fault, but I don't know why the DNS is not well configured. It worked before, and I haven't made any changes.
