Deleted /etc/letsencrypt


#1

Hi @Schoen, I have this exact issue explained in this thread.

I was setting up a certificate for the domain slackapi.printo.in and did so successfully.
However, when I saw a lot of (what I believed were failed) config files, I decided to delete /etc/letsencrypt.
Now, I am stuck and can’t generate a new certificate. I get the error below when I run

sudo letsencrypt --apache

 - The following errors were reported by the server:

   Domain: slackapi.printo.in
   Type:   unauthorized
   Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
   Requested 4c9fd46eb31b24d4dad7fbdaa0b066f3.dc2c556c224cb079e4938076
   78e81acb.acme.invalid from 111.93.158.11:443. Received 2
   certificate(s), first certificate had names "dccccc7e984b91ae074a59
   1ea9d2d8cc.060a30e7c7fd87bb8e19f2e35ac3508d.acme.invalid, dummy"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

This is an internal system (that is still being built) and https downtime is not a critical problem.
How can I start with a clean slate?

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"

#2

Hi @printo, could you take a look at your configuration files in /etc/apache2 and see if there is still some certificate configuration previously added by Certbot?

You could for example run grep -r ^SSLCert /etc/apache2 to find possible candidate configuration lines.


#3

Hi @schoen. I ran a slightly modified grep command:

sudo grep -r SSLCert /etc/apache2

and got the output:

/etc/apache2/sites-available/slackapi.conf:             #   SSLCertificateFile directive is needed.
/etc/apache2/sites-available/slackapi.conf:             #SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/apache2/sites-available/slackapi.conf:             #SSLCertificateKeyFile   /etc/ssl/private/ssl-cert-snakeoil.key
/etc/apache2/sites-available/slackapi.conf:             #   Point SSLCertificateChainFile at a file containing the
/etc/apache2/sites-available/slackapi.conf:             #   the referenced file can be the same as SSLCertificateFile
/etc/apache2/sites-available/slackapi.conf:             #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
/etc/apache2/sites-available/default-ssl.conf:          #   SSLCertificateFile directive is needed.
/etc/apache2/sites-available/default-ssl.conf:          SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/apache2/sites-available/default-ssl.conf:          SSLCertificateKeyFile   /etc/ssl/private/ssl-cert-snakeoil.key
/etc/apache2/sites-available/default-ssl.conf:          #   Point SSLCertificateChainFile at a file containing the
/etc/apache2/sites-available/default-ssl.conf:          #   the referenced file can be the same as SSLCertificateFile
/etc/apache2/sites-available/default-ssl.conf:          #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
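An added example, not code from the thread: a small POSIX sh script that does what the grep above does but also skips commented-out template lines (like the snakeoil ones) and reports whether each referenced certificate file still exists, which is the state a deleted /etc/letsencrypt leaves behind when a vhost still points into it. It assumes absolute paths in the directives, which is how Certbot writes them.

```shell
#!/bin/sh
# check_ssl_refs DIR
# Prints one line per *active* SSLCertificateFile/KeyFile/ChainFile directive
# found under DIR (e.g. /etc/apache2):
#   OK      <path>  (<conf>:<line>)
#   MISSING <path>  (<conf>:<line>)
# Commented-out directives (the "#SSLCertificateFile ..." template lines) are ignored.
# Assumption: paths are absolute; Apache resolves relative ones against ServerRoot.
check_ssl_refs() {
    grep -rnE 'SSLCertificate(File|KeyFile|ChainFile)[[:space:]]' "$1" 2>/dev/null |
    while IFS= read -r hit; do
        conf=${hit%%:*}            # grep -rn output is file:line:text
        rest=${hit#*:}
        lineno=${rest%%:*}
        text=${rest#*:}
        text=$(printf '%s' "$text" | sed 's/^[[:space:]]*//')
        case $text in \#*) continue ;; esac   # skip commented lines
        # second whitespace-separated token is the file path (quotes stripped)
        path=$(printf '%s' "$text" | awk '{print $2}' | tr -d '"')
        if [ -f "$path" ]; then
            printf 'OK      %s  (%s:%s)\n' "$path" "$conf" "$lineno"
        else
            printf 'MISSING %s  (%s:%s)\n' "$path" "$conf" "$lineno"
        fi
    done
}

# count_missing DIR -> number of dangling references; 0 means every active
# directive still points at an existing file.
count_missing() {
    check_ssl_refs "$1" | awk '/^MISSING/ { n++ } END { print n + 0 }'
}
```

Run it as `check_ssl_refs /etc/apache2`; any MISSING line names a vhost that will make Apache refuse to start or serve the wrong certificate until the directive is fixed or re-issued with Certbot.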

#4

I managed to get it to work a few days later. I guess I had rate limit issues.

We now have a usable certificate. Strangely, the certificate serial number appears differently on different computers. Also, some of them say that it has been signed by Cyberoam, Avast etc.

I tried doing a renew and got the response as below:

$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/slackapi.printo.in.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for slackapi.printo.in
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/slackapi.printo.in.conf produced an unexpected error: Failed authorization procedure. slackapi.printo.in (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested a2bd9de03c11010a89113f9901f25871.73e92af0dc1fad0709100c48a8cbe531.acme.invalid from 111.93.158.11:443. Received 2 certificate(s), first certificate had names "slackapi.printo.in". Skipping.
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/slackapi.printo.in/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: slackapi.printo.in
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   a2bd9de03c11010a89113f9901f25871.73e92af0dc1fad0709100c48a8cbe531.acme.invalid
   from 111.93.158.11:443. Received 2 certificate(s), first
   certificate had names "slackapi.printo.in"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

#5

This is because of antivirus software on those computers. It’s the same practice complained about here:

Many of the antivirus applications intercept HTTPS connections in order to scan the content of the session. To do this, they add their own root CA to the system or browser and then act as a man-in-the-middle or intercepting proxy between the browser and the web server. On such systems, you would probably see every site’s certificate appear to have been issued by the antivirus vendor, unless they have explicitly whitelisted a handful of large or “trusted” sites to allow direct connections to those.

I gave a preview of some documentation I’m working on, with common reasons for this error, at

Maybe one of these reasons applies to your situation?


#6

Thanks for all your help @schoen. It was as the article explained.


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.