Changed domain, now certbot fails with 2 certificates received

Please fill out the fields below so we can help you better.

My domain is: nick.stat.cmu.edu, although it was previously kimolas.stat.cmu.edu. After I changed my domain, I deleted my old site and reran certbot. Now I am encountering a verification error.

I ran this command: sudo certbot --apache certonly

It produced this output:

Performing the following challenges:
tls-sni-01 challenge for nick.stat.cmu.edu
No vhost exists with servername or alias of: nick.stat.cmu.edu (or it's in a file with multiple vhosts, which Certbot can't parse yet). No vhost was selected. Please specify ServerName or ServerAlias in the Apache config, or split vhosts into separate files.
Falling back to default vhost *:443...
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. nick.stat.cmu.edu (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 742a80b5c16185f658bf33406ae83946.2818f3cebdc46fdb6b5881f78fe966b7.acme.invalid from 128.2.46.203:443. Received 2 certificate(s), first certificate had names "nick.stat.cmu.edu"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: nick.stat.cmu.edu
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   742a80b5c16185f658bf33406ae83946.2818f3cebdc46fdb6b5881f78fe966b7.acme.invalid
   from 128.2.46.203:443. Received 2 certificate(s), first certificate
   had names "nick.stat.cmu.edu"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): Apache/2.4.25 (Unix)

The operating system my web server runs on is (include version): macOS 10.12.5

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): macOS Server

Hi @kimolas,

Certbot is having trouble parsing your Apache configuration. Can you find which Apache configuration file defines the VirtualHost nick.stat.cmu.edu, and post it here?

I have several configuration files:

0000_127.0.0.1_34543_.conf
0000_127.0.0.1_34543_.conf.default
0000_127.0.0.1_34543_.conf.orig
0000_127.0.0.1_34543_.conf.prev
0000_127.0.0.1_34580_.conf
0000_127.0.0.1_34580_.conf.default
0000_127.0.0.1_34580_.conf.orig
0000_127.0.0.1_34580_.conf.prev
0000_127.0.0.1_34580_nick.stat.cmu.edu.conf
0000_127.0.0.1_34580_nick.stat.cmu.edu.conf.prev
virtual_host_global.conf
virtual_host_global.conf.default
virtual_host_global.conf.orig
virtual_host_global.conf.prev

I suppose the first nick.stat.cmu.edu.conf file may be relevant:

<VirtualHost 127.0.0.1:34580>
    ServerName http://nick.stat.cmu.edu:80
    ServerAdmin admin@example.com
    DocumentRoot "/Users/kimolas/website"
    DirectoryIndex index.html index.php default.html
    CustomLog /var/log/apache2/access_log combinedvhost
    ErrorLog /var/log/apache2/error_log
    <IfModule mod_ssl.c>
            SSLEngine Off
            SSLCipherSuite "HIGH:MEDIUM:!MD5:!RC4:!3DES"
            SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
            SSLProxyEngine Off
            SSLProxyProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
            SSLProxyCheckPeerCN off
            SSLProxyCheckPeerName off
    </IfModule>
    <IfModule mod_secure_transport.c>
            MSTEngine Off
            MSTCipherSuite HIGH, MEDIUM
            MSTProtocolRange TLSv1.2 TLSv1.2
            MSTProxyEngine On
            MSTProxyProtocolRange TLSv1.2 TLSv1.2
    </IfModule>
    <Directory "/Users/kimolas/website">
            Options All +Indexes -ExecCGI -Includes +MultiViews
            AllowOverride All
            <IfModule mod_dav.c>
                    DAV Off
            </IfModule>
            <IfDefine !WEBSERVICE_ON>
                    Require all denied
                    ErrorDocument 403 /customerror/websitesoff403.html
            </IfDefine>
    </Directory>
</VirtualHost>

I think this is a bug.

ServerName http://nick.stat.cmu.edu:80

I believe the correct Apache syntax is just ServerName nick.stat.cmu.edu; I think putting a URL in the ServerName stanza is actually prohibited.
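An added example (not code from this thread or from Certbot) of the lookup asked for above: it scans Apache config text for VirtualHost blocks and reports which file defines a given hostname, together with the listen address and whether SSLEngine is on. ServerName values are normalized by stripping any scheme and port before comparison; the function names and the sample contents are illustrative assumptions.

```python
import re

# Constructed sample: file names from the listing above; the first file's contents are assumed.
SAMPLE_CONFIGS = {
    "0000_127.0.0.1_34580_.conf":
        "<VirtualHost 127.0.0.1:34580>\n    ServerName localhost\n</VirtualHost>\n",
    "0000_127.0.0.1_34580_nick.stat.cmu.edu.conf": """\
<VirtualHost 127.0.0.1:34580>
    ServerName http://nick.stat.cmu.edu:80
    <IfModule mod_ssl.c>
        SSLEngine Off
    </IfModule>
</VirtualHost>
""",
}

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
NAME_LINE = re.compile(r"^\s*(?:ServerName|ServerAlias)\s+(.+?)\s*$", re.I)
SSL_ON = re.compile(r"^\s*SSLEngine\s+on\b", re.I)

def normalize(name):  # [scheme://]host[:port] -> bare lowercase hostname
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", name.strip().strip('"'), flags=re.I)
    return re.sub(r":\d+$", "", host).lower().rstrip(".")

def find_vhosts(configs):
    """Return one record per <VirtualHost> block found in {filename: text}."""
    found = []
    for fname, text in configs.items():
        current = None  # an unclosed block must not leak into the next file
        for line in text.splitlines():
            if line.lstrip().startswith("#"):
                continue  # skip commented-out directives
            if (opened := VHOST_OPEN.match(line)):
                current = {"file": fname, "addr": opened.group(1).strip(),
                           "names": set(), "ssl": False}
            elif current is None:
                continue  # directive outside any vhost block
            elif VHOST_CLOSE.match(line):
                found.append(current)
                current = None
            elif (named := NAME_LINE.match(line)):
                current["names"].update(normalize(v) for v in named.group(1).split())
            elif SSL_ON.match(line):
                current["ssl"] = True
    return found

def vhosts_for(domain, configs):
    return [v for v in find_vhosts(configs) if normalize(domain) in v["names"]]
```

To run it against real files, build the dictionary from the contents of the active .conf files rather than the constructed sample.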

I changed it, but certbot still returns the same error message. In any case, the Apache config file was generated by macOS Server and it was likely the same with my old site, for which certbot did work.

@bmw, could I ask you to get involved here? There are a lot of Apache configuration files involved this time. 🙂

Thanks for all of your help! I was able to get around this by nuking my macOS Server install (deleting everything, including /Library/Server) and using --webroot instead of --apache.
