Certificate rewenal failure - incorrect validation certificate for tls-sni-01 challenge


#1

Renewal suddenly failed for my domain, although the site itself was fully working for months and has previously renewed successfully. I think there’s an issue with the nginx server responding to the validation request with the cert for a subdomain first, but I’m not sure why that would have started happening. I have made changes to the config for that subdomain more recently but all I actually did was make it hard 404, so I can’t see why that would matter.

Additionally, can anyone tell me what the best procedure to test changes to an existing domain to get renewal working again is please? Actually trying to test changes to my setup to fix this has resulted in me getting rate limited. It would be good if error messages from certbot could be improved, preferably including some kind of clear warning about the rate limiting countdown. At the moment there’s no user-friendly information in them, which means if you do what I did (make some educated guesses, make some server changes and try them out by entering the renew command again) you just end up rate limited without warning.

Once I investigated the rate limiting rule I only found out existed from the “you have been rate limited” error I learned Let’s Encrypt also can’t remove it, which makes not warning people about it incredibly inconvenient. My website is now effectively down for the next week because I can’t fix the certificate. When the risk and consequences of an outcome are both so high, it’s nice to warn people before they trip them.

My domain is:
tkitchin.co.uk

I ran this command:
certbot renew -q

It produced this output:

My web server is (include version):
nginx 1.10.3

The operating system my web server runs on is (include version):
Ubuntu 16.04.4

My hosting provider, if applicable, is:
DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No


#2

Hi @tom-kitchin

there is one certificate with two names:

https://tkitchin.co.uk/
https://twodaemon.co.uk/

And the tls-sni-01 - challenge is deprecated. But there is a http - port 80.

Use the http-01 - challenge instead.

https://crt.sh/?q=tkitchin.co.uk

https://crt.sh/?q=twodaemon.co.uk

You didn’t create new certificates. So you didn’t hit the certificate per domain - limit, instead the requests per names.

Try to create a certificate only for one name. That should work. And: There is a certbot-option using the testsystem. Try that first.


#3

Thanks for the response. I’d not had any previous issues with the double named certificate, but sure, I can try that.

I wasn’t aware that challenge was deprecated, though. Probably worth adding that to the error response as well! And I can use the http-01 challenge, but I had thought one of the goals of let’s encrypt was that I shouldn’t provide an unsecured site anyway - my current server configuration hard redirects all HTTP requests to HTTPS.


#4

You didn’t create new certificates. So the rate limit comes from too much new orders. But there counts the domain-name - set. A new domain-name-set starts with 0.

So you should create two single certificates (one per name) immediately. In three months (or two weeks, wenn there is no limit), you can again create one certificate with two names.

that I shouldn’t provide an unsecured site anyway

You can use a redirect to https, but the first request is http / port 80. Or check the dns-01-validation.

my current server configuration hard redirects all HTTP requests to HTTPS.

@schoen wrote in a previous post that such redirects are ok. Chain errors or outdated certificates are ignored, so that should work.

But I use often the test / stage-system before creating a productive certificate.


#5

The failed validation rate limit is per hostname per hour (per account). Unlike the duplicate certificate rate limit, the overall list of names isn’t relevant to it.

This topic was started more than an hour ago; if that was the rate limit encountered, it’s no longer an issue now.


#6

Oh? That’s good to know, thanks. When I googled rate limiting I just got a page talking about week-long rate limiting, an hour is much easier to deal with.


#7

There are different rate limits:

If you create a correct certificate, next day again (same set of domainnames), every day a certificate:

If you have 5 certificates, the next day you can’t create a new.

But

https://crt.sh/?q=tkitchin.co.uk

shows that you didn’t create one.


#8

I had other commitments yesterday and couldn’t work on it after our discussion, then came back to work on it this morning only to discover the certificate had been successfully created in the cron job last night, with nothing else having changed. Was an auth server struggling yesterday or something?


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.