Certificate renewal on Ubuntu 16.4 failed


#1

Hey all together,
I am running a Nextcloud instance on normal Ubuntu 16.4 on a server that is physically accessible (via mouse and keyboard :) ). The Nextcloud instance uses the Apache web server and a MariaDB database and is SSL enabled. The SSL certificate was issued approximately three months ago and is now due for renewal. I tried every combination of certbot, certbot-auto and letsencrypt with certonly and renew, but the error report produced is always similar and seems to be due to a failing

tls-sni-01 challenge

order. I’ve tried using certbot-auto as a recommended workaround, but that did not work either. The Nextcloud instance is not served on the standard SSL port 443 but on 59something, which is forwarded to the server, but after the first activation failures I also forwarded ports 80 and 443 as an attempt to fix the problem.

My domain is: oyww4c0bpu19bu3w.myfritz.net

I ran this command: sudo certbot/letsencrypt/certbot-auto renew, sudo certbot/letsencrypt/certbot-auto certonly

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/oyww4c0bpu19bu3w.myfritz.net.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for oyww4c0bpu19bu3w.myfritz.net
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (oyww4c0bpu19bu3w.myfritz.net) from /etc/letsencrypt/renewal/oyww4c0bpu19bu3w.myfritz.net.conf produced an unexpected error: Failed authorization procedure. oyww4c0bpu19bu3w.myfritz.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 76d7d71e07af9de7dc270104a581d445.feac59b3b2da8bf4fd651dde36089a7d.acme.invalid from 91.40.222.93:443. Received 1 certificate(s), first certificate had names “fritz.box, fritz.nas, kagonet, myfritz.box, oyww4c0bpu19bu3w.myfritz.net, www.fritz.box, www.fritz.nas, www.myfritz.box”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/oyww4c0bpu19bu3w.myfritz.net/fullchain.pem (failure)

-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/oyww4c0bpu19bu3w.myfritz.net/fullchain.pem (failure)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: oyww4c0bpu19bu3w.myfritz.net
   Type: unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   76d7d71e07af9de7dc270104a581d445.feac59b3b2da8bf4fd651dde36089a7d.acme.invalid
   from 91.40.222.93:443. Received 1 certificate(s), first certificate
   had names “fritz.box, fritz.nas, kagonet, myfritz.box,
   oyww4c0bpu19bu3w.myfritz.net, www.fritz.box, www.fritz.nas,
   www.myfritz.box”

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): Apache2 version 2.4.18 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.4

I can log in to a root shell on my machine (yes or no, or I don’t know): yes, and full desktop access

Thanks in advance


#2

Perhaps read over this: IMPORTANT: What you need to know about TLS-SNI validation issues

Once you have upgraded Certbot as in the above post, perhaps then try:

certbot renew --preferred-challenges http

You’ll also need to make sure that your Apache server that Certbot is creating a certificate for is accessible on port 80. At the moment your Fritzbox control panel appears to be on that port instead.
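As an added example (not code from the thread or from Certbot), a small Python helper that reads the "Incorrect validation certificate" detail quoted in the first post and reports which TLS endpoint actually answered the CA. The sample input is the thread's own error line; the function names are my own.

```python
import re

# Constructed sample: the tls-sni-01 failure detail quoted in the thread.
SAMPLE_DETAIL = (
    "Incorrect validation certificate for tls-sni-01 challenge. Requested "
    "76d7d71e07af9de7dc270104a581d445.feac59b3b2da8bf4fd651dde36089a7d.acme.invalid "
    "from 91.40.222.93:443. Received 1 certificate(s), first certificate had names "
    "“fritz.box, fritz.nas, kagonet, myfritz.box, oyww4c0bpu19bu3w.myfritz.net, "
    "www.fritz.box, www.fritz.nas, www.myfritz.box”."
)

DETAIL_RE = re.compile(
    r"Requested (?P<sni>\S+\.acme\.invalid) from (?P<ip>[\d.]+):(?P<port>\d+)\. "
    r"Received (?P<count>\d+) certificate\(s\), first certificate had names "
    r"[\"“](?P<names>[^\"”]*)[\"”]"
)


def parse_tls_sni_failure(detail):
    """Extract the challenge SNI the CA asked for, the address it connected to,
    and the SAN list of the certificate it actually received. Returns None when
    the text is not this kind of error."""
    m = DETAIL_RE.search(detail)
    if not m:
        return None
    return {
        "sni": m.group("sni"),
        "responder": (m.group("ip"), int(m.group("port"))),
        "names": [n.strip() for n in m.group("names").split(",") if n.strip()],
    }


def diagnose(detail, domain):
    """The CA expected a throwaway certificate whose only name is the
    .acme.invalid SNI; the certificate it received instead identifies which
    TLS endpoint really terminated the connection on that port."""
    info = parse_tls_sni_failure(detail)
    if info is None:
        return "not a tls-sni-01 validation-certificate failure"
    if info["sni"] in info["names"]:
        return "challenge certificate was served; the failure lies elsewhere"
    if domain in info["names"]:
        # A cert for our domain, but not the challenge cert: some other device
        # (router admin UI, reverse proxy) answers on this port, not Apache.
        ip, port = info["responder"]
        return ("port %d at %s is terminated by another device, not the ACME "
                "client's web server; use http-01 with port 80 forwarded to Apache"
                % (port, ip))
    return "responder served an unrelated certificate; check DNS and port forwarding"
```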


#3

Thanks a lot, switching the challenge worked perfectly.

