Hey all together,
I am running a Nextcloud instance on normal Ubuntu 16.4 on a server that is physically accessible (via mouse and keyboard). The Nextcloud instance uses the Apache web server and a MariaDB database and is SSL enabled. The SSL certificate was issued approximately three months ago and is now due for renewal. I tried every combination of certbot, certbot-auto and letsencrypt with certonly and renew, but the error report produced is always similar and seems to be due to a failing tls-sni-01 challenge order. I’ve tried using certbot-auto as a recommended workaround, but that did not work either. The Nextcloud instance is not issued on the standard SSL port 443 but on 59something, which is forwarded to the server, but after the first activation failures I also forwarded ports 80 and 443 as an attempt to fix the problem.
My domain is: oyww4c0bpu19bu3w.myfritz.net
I ran this command: sudo certbot/letsencrypt/certbot-auto renew, sudo certbot/letsencrypt/certbot-auto certonly
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/oyww4c0bpu19bu3w.myfritz.net.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for oyww4c0bpu19bu3w.myfritz.net
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (oyww4c0bpu19bu3w.myfritz.net) from /etc/letsencrypt/renewal/oyww4c0bpu19bu3w.myfritz.net.conf produced an unexpected error: Failed authorization procedure. oyww4c0bpu19bu3w.myfritz.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 76d7d71e07af9de7dc270104a581d445.feac59b3b2da8bf4fd651dde36089a7d.acme.invalid from 91.40.222.93:443. Received 1 certificate(s), first certificate had names “fritz.box, fritz.nas, kagonet, myfritz.box, oyww4c0bpu19bu3w.myfritz.net, www.fritz.box, www.fritz.nas, www.myfritz.box”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/oyww4c0bpu19bu3w.myfritz.net/fullchain.pem (failure)
-------------------------------------------------------------------------------
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/oyww4c0bpu19bu3w.myfritz.net/fullchain.pem (failure)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
 - The following errors were reported by the server:
   Domain: oyww4c0bpu19bu3w.myfritz.net
   Type: unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   76d7d71e07af9de7dc270104a581d445.feac59b3b2da8bf4fd651dde36089a7d.acme.invalid
   from 91.40.222.93:443. Received 1 certificate(s), first certificate
   had names “fritz.box, fritz.nas, kagonet, myfritz.box,
   oyww4c0bpu19bu3w.myfritz.net, www.fritz.box, www.fritz.nas,
   www.myfritz.box”
   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
My web server is (include version): Apache2 version 2.4.18 (Ubuntu)
The operating system my web server runs on is (include version): Ubuntu 16.4
I can login to a root shell on my machine (yes or no, or I don’t know): yes, and full Desktop access
Thanks in advance
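
The error detail in the output above names the endpoint that answered the validation probe and the certificate it presented. The following Python is an added example, not part of the original post and not certbot code; it parses that detail string to show which names came back, and the function name `diagnose` and its result keys are assumptions made for this illustration.

```python
import re

# Error detail copied from the certbot output in the post above.
DETAIL = (
    "Incorrect validation certificate for tls-sni-01 challenge. Requested "
    "76d7d71e07af9de7dc270104a581d445.feac59b3b2da8bf4fd651dde36089a7d.acme.invalid "
    "from 91.40.222.93:443. Received 1 certificate(s), first certificate had names "
    "“fritz.box, fritz.nas, kagonet, myfritz.box, oyww4c0bpu19bu3w.myfritz.net, "
    "www.fritz.box, www.fritz.nas, www.myfritz.box”"
)

# Matches the wording of the detail above; both straight and curly quotes
# are accepted because forum software often converts them.
PATTERN = re.compile(
    r'Requested\s+(?P<requested>\S+\.acme\.invalid)\s+from\s+'
    r'(?P<addr>\S+):(?P<port>\d+)\.\s+Received\s+(?P<count>\d+)\s+certificate\(s\),'
    r'\s+first certificate had names\s+["“](?P<names>[^"”]*)["”]'
)


def diagnose(detail, domain):
    """Describe which certificate answered the tls-sni-01 probe.

    Hypothetical helper for this example. Returns None when the text does
    not contain a tls-sni-01 certificate mismatch in the format above.
    """
    # The IMPORTANT NOTES block wraps the detail over several lines,
    # so collapse all whitespace before matching.
    m = PATTERN.search(" ".join(detail.split()))
    if m is None:
        return None
    names = [n.strip() for n in m["names"].split(",") if n.strip()]
    # Names unrelated to the requested domain indicate that the certificate
    # belongs to some other TLS endpoint listening on that address and port.
    foreign = [n for n in names if n != domain and not n.endswith("." + domain)]
    return {
        "requested": m["requested"],
        "endpoint": (m["addr"], int(m["port"])),
        "names": names,
        "challenge_cert_served": m["requested"] in names,
        "domain_on_cert": domain in names,
        "foreign_names": foreign,
    }


if __name__ == "__main__":
    for key, value in diagnose(DETAIL, "oyww4c0bpu19bu3w.myfritz.net").items():
        print(f"{key}: {value}")
```
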