Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
It produced this output:
Failed authorization procedure. mail.it-h.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested db41f1ba3c7454f5e65032d744158005.5197365a8c5e7dd4f7746f30fc5bcc11.acme.invalid from 47.187.64.174:443. Received 2 certificate(s), first certificate had names “it-h.net”
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: mail.it-h.net
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
db41f1ba3c7454f5e65032d744158005.5197365a8c5e7dd4f7746f30fc5bcc11.acme.invalid
from 47.187.64.174:443. Received 2 certificate(s), first
certificate had names “it-h.net”
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version): Apache2
The operating system my web server runs on is (include version): Ubuntu 14.04 LTS
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): YES
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NONE
I was able to authorize the main server it-h.net with no problem.
There seems to be some confusion in your system.
The certbot thinks you have two certs: it-h.net mail.it-h.net
(both resolve to same IPv6 address = good)
And is trying to renew them both…
But there has been no cert issued for mail.it-h.net (https://crt.sh/?q=mail.it-h.net)
Please show:
sudo certbot --version
sudo certbot certificates
A simple fix might be:
sudo certbot --apache -d it-h.net -d mail.it-h.net
(which should provide you with one new cert with both names on it)
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for it-h.net
tls-sni-01 challenge for mail.it-h.net
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. it-h.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 962dcea600a211c991f09537a870a140.d950eddcc240eeaaee4e1d38c379704e.acme.invalid from 47.187.64.174:443. Received 2 certificate(s), first certificate had names “it-h.net”, mail.it-h.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 5e5ff820e6672e2e2f913d72ddef2b5f.b8178ab0d624d6a0ac906260f1cf2abc.acme.invalid from 47.187.64.174:443. Received 2 certificate(s), first certificate had names “it-h.net”
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: it-h.net
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
962dcea600a211c991f09537a870a140.d950eddcc240eeaaee4e1d38c379704e.acme.invalid
from 47.187.64.174:443. Received 2 certificate(s), first
certificate had names “it-h.net”
Domain: mail.it-h.net
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
5e5ff820e6672e2e2f913d72ddef2b5f.b8178ab0d624d6a0ac906260f1cf2abc.acme.invalid
from 47.187.64.174:443. Received 2 certificate(s), first
certificate had names “it-h.net”
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
I don’t know how to do that with this tool. It is worth noting that it-h.net is on its own box while the mail server (mail.it-h.net) is on a separate machine.
Let’s Encrypt cannot verify you own mail.it-h.net because you are performing the validation procedure with certbot on a different machine. You must obtain the certificate for mail.it-h.net by running certbot on that machine instead.
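The failure text above can be read mechanically to see which host the validator actually reached and what that host answered. The following Python script is an added example for this thread, not code from certbot or from any poster. It parses the "Failed authorization procedure" line quoted above (embedded as sample input), reports for each domain whether the challenge certificate or the server's ordinary certificate was presented for the `*.acme.invalid` SNI name, and includes a resolver check for the two-machine situation described in the thread. The `203.0.113.25` address used for `mail.it-h.net` in the sample resolver is a constructed documentation address; the live probe function needs network access and the `cryptography` package (an assumption, not something the thread mentions).

```python
import re
import socket
import ssl

# Sample input: the "Failed authorization procedure" line quoted in the
# thread above (two domains, one certbot run). Certbot prints it as a single
# line; depending on where it was pasted from, the names may be wrapped in
# curly or straight quotes, and the regex below accepts both.
SAMPLE_FAILURE = (
    "Failed authorization procedure. it-h.net (tls-sni-01): "
    "urn:acme:error:unauthorized :: The client lacks sufficient authorization :: "
    "Incorrect validation certificate for tls-sni-01 challenge. Requested "
    "962dcea600a211c991f09537a870a140.d950eddcc240eeaaee4e1d38c379704e.acme.invalid "
    "from 47.187.64.174:443. Received 2 certificate(s), first certificate had names "
    "\u201cit-h.net\u201d, mail.it-h.net (tls-sni-01): urn:acme:error:unauthorized :: "
    "The client lacks sufficient authorization :: Incorrect validation certificate "
    "for tls-sni-01 challenge. Requested "
    "5e5ff820e6672e2e2f913d72ddef2b5f.b8178ab0d624d6a0ac906260f1cf2abc.acme.invalid "
    "from 47.187.64.174:443. Received 2 certificate(s), first certificate had names "
    "\u201cit-h.net\u201d"
)

# One match per failed domain in the combined error line.
FAILURE_RE = re.compile(
    r"(?P<domain>[\w.-]+) \((?P<challenge>[\w-]+)\): .*?"
    r"Requested (?P<requested>[\w.]+\.acme\.invalid) "
    r"from (?P<ip>\S+?):(?P<port>\d+)\. "
    r"Received (?P<count>\d+) certificate\(s\), first certificate had names "
    + "[\u201c\"](?P<names>[^\u201d\"]*)[\u201d\"]",
    re.DOTALL,
)


def parse_failures(text):
    """Return one dict per failed domain: which SNI name the validator asked
    for, which address:port it connected to, and which names came back."""
    failures = []
    for m in FAILURE_RE.finditer(text):
        names = [n.strip() for n in m.group("names").split(",") if n.strip()]
        failures.append({
            "domain": m.group("domain"),
            "challenge": m.group("challenge"),
            "requested_sni": m.group("requested"),
            "validator_target": f'{m.group("ip")}:{m.group("port")}',
            "served_names": names,
        })
    return failures


def verdict(failure):
    """'challenge-certificate-served' if the host answered the acme.invalid
    SNI name with the challenge certificate; 'default-certificate-served'
    otherwise. Every failure in this thread is the latter: the validator
    reached a host that either did not have the challenge certificate (it was
    generated on a different machine) or did not select it for the SNI name
    (no name-based SSL virtual hosts), so the ordinary certificate was sent."""
    if failure["requested_sni"] in failure["served_names"]:
        return "challenge-certificate-served"
    return "default-certificate-served"


def validation_reaches(domain, local_addresses, resolve=None):
    """True when every A/AAAA address of `domain` belongs to this machine,
    i.e. the validator's connection would land on the box running certbot.
    `resolve` is injectable so the check can be exercised without DNS."""
    if resolve is None:
        resolve = lambda d: {ai[4][0] for ai in socket.getaddrinfo(d, 443)}
    return resolve(domain) <= set(local_addresses)


def served_names_for_sni(host, sni, port=443, timeout=5):
    """Live probe (needs network, not used by the offline test): connect to
    host:port, send `sni` as the TLS Server Name, and return the DNS names in
    the certificate the server presents, which is what the validator sees for
    the *.acme.invalid name. Verification is off because the challenge
    certificate is self-signed by design. Assumes the `cryptography` package
    is installed; it is imported lazily so the parser above has no dependency."""
    from cryptography import x509

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
    cert = x509.load_der_x509_certificate(der)
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return []
    return san.value.get_values_for_type(x509.DNSName)


if __name__ == "__main__":
    # Constructed resolver for the two-machine case described in the thread:
    # the web host answers on 47.187.64.174, the mail host elsewhere.
    fake_dns = {"it-h.net": {"47.187.64.174"}, "mail.it-h.net": {"203.0.113.25"}}
    for f in parse_failures(SAMPLE_FAILURE):
        reach = validation_reaches(f["domain"], ["47.187.64.174"], fake_dns.get)
        print(f'{f["domain"]}: {verdict(f)} by {f["validator_target"]}; '
              f'validation reaches this machine: {reach}')
```

Running it prints one line per domain from the quoted failure; both come back as `default-certificate-served`, and the resolver check shows `mail.it-h.net` validation would not reach the web host, which is exactly the situation the reply above describes.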
I suspect you are missing the following line somewhere in your Apache configuration:
NameVirtualHost *:443
If you run grep -r NameVirtualHost /etc/apache2, does it return the above line?
If not, add it to your Apache configuration, either somewhere at the top level or within an existing <IfModule mod_ssl.c> block.
Note that if you do not use virtual hosts, Apache will display a warning that this line is not necessary, and it isn’t for normal operation, but it is when certbot is performing validation, so you can safely ignore this warning.
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for it-h.net
Waiting for verification...
Cleaning up challenges
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/it-h.net/fullchain.pem
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/it-h.net/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
Is there no way for me to get a certificate on the second machine? My main site does show it is secure: https://it-h.net
Ok, so for now, so that I am up and running the way I intended, I have put the web and mail server onto the same physical box. Maybe later on there will be a way to have all the names on the main machine, and mail.it-h.net can query it-h.net and see it has a cert there to install?
One of the purposes of separating services among different machines is to protect the other machines in the event one is compromised. You really don’t want it-h.net to know mail.it-h.net’s private key unless you have a really good reason.
So, the simplest and most secure solution is to just run certbot on each machine to obtain each one its own certificate.
If your concern was that you didn’t want to run a web server on your mail server, certbot has a standalone mode that runs a temporary one so you don’t need Apache or Nginx installed.
There are ways to obtain certificates using machines other than the one actually serving the domain, but it’s difficult to suggest a strategy for that without understanding why you want to do that in the first place.