Challenge Fails


#1

Challenge fails for a specific domain from a list of domains, I’m not sure what “sufficient authorization” means in this context:

root@nikki:~/code/certbot# ./letsencrypt-auto
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to find executable apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: convalesco.org
2: miniflux.convalesco.org
3: notes.convalesco.org
4: www.convalesco.org
5: tinysignage.pandatsf.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

-------------------------------------------------------------------------------
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/convalesco.org-0001.conf)

It contains these names: convalesco.org, miniflux.convalesco.org,
notes.convalesco.org, tinysignage.pandatsf.com

You requested these names for the new certificate: convalesco.org,
miniflux.convalesco.org, notes.convalesco.org, www.convalesco.org,
tinysignage.pandatsf.com.

Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for convalesco.org
tls-sni-01 challenge for miniflux.convalesco.org
tls-sni-01 challenge for notes.convalesco.org
tls-sni-01 challenge for www.convalesco.org
tls-sni-01 challenge for tinysignage.pandatsf.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.convalesco.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested fb89ed31e8cfd5e7c9216dcbde0f4e6a.c37041a7c02ed9b215fc333d64c8a8ca.acme.invalid from [2a05:d014:ba6:ab08:a259:1942:6fdc:e0d4]:443. Received 1 certificate(s), first certificate had names "bb242ab40a09383a73398a4f060072e8.aaf31b74869256b934327c2ccb278ccb.acme.invalid, dummy", tinysignage.pandatsf.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: tinysignage.pandatsf.com
   Type:   connection
   Detail: Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - The following errors were reported by the server:

   Domain: www.convalesco.org
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   fb89ed31e8cfd5e7c9216dcbde0f4e6a.c37041a7c02ed9b215fc333d64c8a8ca.acme.invalid
   from [2a05:d014:ba6:ab08:a259:1942:6fdc:e0d4]:443. Received 1
   certificate(s), first certificate had names
   "bb242ab40a09383a73398a4f060072e8.aaf31b74869256b934327c2ccb278ccb.acme.invalid,
   dummy"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

    root@nikki:~/code/certbot# ./certbot-auto --version
    certbot 0.23.0

Certs for all domains all upgraded without problems, but “www.convalesco.org” fails.


#2

Does your site work via IPv6?
If not, remove the AAAA DNS record.
Does it also work under IPv6 with TLS?
If not, ensure it does then try it again.


#3

Yes, IPv6 and TLS work for the root domain along with 2 subdomains, but the third subdomain, ‘www’, doesn’t work.


#4

Are you saying the third domain does not work via IPv6 without TLS?
If not, please clarify.


#5

All domains work with IPv6. I have an AAAA and A record to the root domain and the subdomains are CNAMEs to the root (convalesco.org).

IPv6 works for all of them. TLS works too, but ‘www’ cannot be authorized by letsencrypt. I always get the same error. To clarify a bit:

$ curl notes.convalesco.org -6 -L -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.12.2
Date: Wed, 11 Apr 2018 07:06:46 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://notes.convalesco.org/
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block

HTTP/1.1 401 Unauthorized
Server: nginx/1.12.2
Date: Wed, 11 Apr 2018 07:06:46 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Basic realm="Private"
X-Xss-Protection: 1; mode=block



$ curl www.convalesco.org -6 -L -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.12.2
Date: Wed, 11 Apr 2018 07:06:58 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://www.convalesco.org/
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block

curl: (51) SSL: no alternative certificate subject name matches target host name 'www.convalesco.org'

The first domain has a basic authentication setup, so it fails with 401 because I didn’t issue credentials. The second domain fails in the SSL handshake because “letsencrypt”


#6

After deleting everything with certbot-auto delete and re-issuing the certs everything worked. Thanks for the help @rg305 !


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.