Debian GNU/Linux 7.9 (wheezy) failing --dry-run :(

Hi guys,

Love what you guys are doing!

I hope my noobness will be forgiven, and some kind soul can help.

I tried my best to google, and apologies if this has been answered elsewhere. I am still learning and basically my knowledge is monkey see monkey do, but slowly I am picking up on things as I go.

So I have Debian 7.9 as my VPS for my websites, on which I installed Vesta to manage them. I noticed that Vesta has the option to use Let's Encrypt for SSL. So I looked into it and ran Certbot. I tried to test it with --dry-run but I got some errors:

root@s1:~# /certbot-auto renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/example.com.conf

Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for example.com
tls-sni-01 challenge for example.re
tls-sni-01 challenge for s1.example.re
tls-sni-01 challenge for www.example.re
tls-sni-01 challenge for www.example.com
Encountered vhost ambiguity but unable to ask for user guidance in non-interactive mode. Currently Certbot needs each vhost to be in its own conf file, and may need vhosts to be explicitly labelled with ServerName or ServerAlias directories.
Falling back to default vhost *:443…
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: Failed authorization procedure. s1.example.re (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 73b0947b8b0f20c1194975c524674c07.07ff8e49a54a8528e088d6f43bfe7093.acme.invalid from 100.11.11.100:443. Received 1 certificate(s), first certificate had names “7f0fd0bb425d57fd5fee843be3ef373f.68947d44c86302c1a452c16d0792fec9.acme.invalid, dummy”. Skipping.
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: s1.example.re
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    73b0947b8b0f20c1194975c524674c07.07ff8e49a54a8528e088d6f43bfe7093.acme.invalid
    from 100.11.11.100:443. Received 1 certificate(s), first
    certificate had names
    "7f0fd0bb425d57fd5fee843be3ef373f.68947d44c86302c1a452c16d0792fec9.acme.invalid,
    dummy"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

Now in fairness I can't help but think maybe my setup is wrong, but I have not had any errors so far and my sites have been running fine for a while using http.

I noticed that there was a strange domain name in the list of names which I have no idea why that is there and I think if I can remove that it will solve one issue, before I troubleshoot further.

s1.example.re

I would like to know how can I remove the name s1.example.re completely from my server? How does the Certbot find the names and am I able to find it and delete its directory completely?

Your help would be greatly appreciated.

:slight_smile:

Hi @Jon_k

No worries. You gave it a crack which is good.

Have a read of this article, which explains how to use the certificates command with certbot to list managed certificates and delete them if needed.

Andrei

Domain: s1.example.re
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
73b0947b8b0f20c1194975c524674c07.07ff8e49a54a8528e088d6f43bfe7093.acme.invalid
from 100.11.11.100:443. Received 1 certificate(s), first
certificate had names
“7f0fd0bb425d57fd5fee843be3ef373f.68947d44c86302c1a452c16d0792fec9.acme.invalid,
dummy”

I think this is also problematic - from what I understand certbot should create the right cert but it seems to be creating a wrong one.

Andrei

Hi @Jon_k,

Take a look in /etc/apache2, especially /etc/apache2/sites-available and /etc/apache2/sites-enabled.

Also, do you have a single configuration file in either of those directories that contains more than one virtualhost?
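The "vhost ambiguity" warning in the log above names two conditions (more than one VirtualHost in a conf file, and a VirtualHost without ServerName), and both can be checked mechanically. This is an added example, not part of the original thread or of Certbot; the function names, the constructed sample config and the default Debian path are assumptions.

```python
import re
from pathlib import Path

# Constructed sample (not the poster's real config): second vhost lacks ServerName.
SAMPLE_CONF = """\
# Powered by vesta
<VirtualHost 100.11.11.100:443>
    ServerName example.com
    ServerAlias www.example.com
</VirtualHost>
<VirtualHost 100.11.11.100:443>
    ServerAlias www.example.re
</VirtualHost>
"""

OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
DIRECTIVE = re.compile(r"^\s*(ServerName|ServerAlias)\s+(.+?)\s*$", re.I)

def parse_vhosts(text):
    """Return one dict per <VirtualHost> block; commented lines never match."""
    vhosts, current = [], None
    for line in text.splitlines():
        m, d = OPEN.match(line), DIRECTIVE.match(line)
        if m:
            current = {"addresses": m.group(1).split(), "server_name": None, "aliases": []}
        elif CLOSE.match(line) and current is not None:
            vhosts.append(current)
            current = None
        elif d and current is not None:
            if d.group(1).lower() == "servername":
                current["server_name"] = d.group(2)
            else:
                current["aliases"].extend(d.group(2).split())
    return vhosts

def ambiguity_findings(name, text):
    """Report the two conditions named in the Certbot warning for one file."""
    vhosts, findings = parse_vhosts(text), []
    if len(vhosts) > 1:
        findings.append(f"{name}: {len(vhosts)} VirtualHost blocks in one file")
    for i, v in enumerate(vhosts, 1):
        if v["server_name"] is None:
            findings.append(f"{name}: block {i} ({' '.join(v['addresses'])}) has no ServerName")
    return findings

def scan_dir(directory="/etc/apache2/sites-enabled"):
    """Run the check over every regular file in an Apache sites directory."""
    return [f for p in sorted(Path(directory).iterdir()) if p.is_file()
            for f in ambiguity_findings(p.name, p.read_text(errors="replace"))]
```

Calling `scan_dir()` on the server returns an empty list when every file holds a single, named vhost.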

Hi ahaw021

I tried to run certbot certificates and certbot delete but I keep getting -bash: certbot: command not found

I figured out s1 from s1.example.re is my hostname. But why does it have one of my domains on the back of it?

Hi Schoen,

I navigated there and in both I found the text: # Powered by vesta

Since you're using certbot-auto and apparently have it in the root directory (which is not necessarily an ideal place to have installed it!), you should be running /certbot-auto wherever @ahaw021 (or any documentation) mentions certbot.

Are those really the only two files in /etc/apache2/sites-available?

I have never used Vesta but I suspect you might be having a conflict because I think Vesta has a built-in Let’s Encrypt client feature, which assumes you’ll use it from within Vesta rather than running a separate client like Certbot. Is it possible that you could use built-in Vesta features instead of Certbot to accomplish what you want?

Yes, it does have the feature as a check option, but it throws an “error code: 15” when I select it on one of my domains, and on the other domain it has another error when I select Let's Encrypt: “Error: LetsEncrypt account registration”

I followed this tutorial when I was setting it up: http://www.servermom.org/install-lets-encrypt-certificate-vestacp/

But I think that tutorial is outdated and may be the reason things are not working as they should.

I found the issue, PEBCAK error, thought so.

The certbot dir was wrong. I re-copied the path and generated the cert and boom, working as intended.

Thanks everyone for your help, keep up the great work :slight_smile:
