Challenge fails for a specific domain from a list of domains, I’m not sure what “sufficient authorization” means in this context:
root@nikki:~/code/certbot# ./letsencrypt-auto
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to find executable apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Plugins selected: Authenticator nginx, Installer nginx
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: convalesco.org
2: miniflux.convalesco.org
3: notes.convalesco.org
4: www.convalesco.org
5: tinysignage.pandatsf.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
-------------------------------------------------------------------------------
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/convalesco.org-0001.conf)
It contains these names: convalesco.org, miniflux.convalesco.org,
notes.convalesco.org, tinysignage.pandatsf.com
You requested these names for the new certificate: convalesco.org,
miniflux.convalesco.org, notes.convalesco.org, www.convalesco.org,
tinysignage.pandatsf.com.
Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for convalesco.org
tls-sni-01 challenge for miniflux.convalesco.org
tls-sni-01 challenge for notes.convalesco.org
tls-sni-01 challenge for www.convalesco.org
tls-sni-01 challenge for tinysignage.pandatsf.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.convalesco.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested fb89ed31e8cfd5e7c9216dcbde0f4e6a.c37041a7c02ed9b215fc333d64c8a8ca.acme.invalid from [2a05:d014:ba6:ab08:a259:1942:6fdc:e0d4]:443. Received 1 certificate(s), first certificate had names "bb242ab40a09383a73398a4f060072e8.aaf31b74869256b934327c2ccb278ccb.acme.invalid, dummy", tinysignage.pandatsf.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: tinysignage.pandatsf.com
Type: connection
Detail: Connection refused
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- The following errors were reported by the server:
Domain: www.convalesco.org
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
fb89ed31e8cfd5e7c9216dcbde0f4e6a.c37041a7c02ed9b215fc333d64c8a8ca.acme.invalid
from [2a05:d014:ba6:ab08:a259:1942:6fdc:e0d4]:443. Received 1
certificate(s), first certificate had names
"bb242ab40a09383a73398a4f060072e8.aaf31b74869256b934327c2ccb278ccb.acme.invalid,
dummy"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
root@nikki:~/code/certbot# ./certbot-auto --version
certbot 0.23.0
Certs for all domains all upgraded without problems, but “www.convalesco.org” fails.