Error issuing cert on migration


#1

I migrated 2 of my domains from one machine using Ubuntu 14.04 to another using Cent OS 7.5. I had floating same ip for both my domains, so I just changed my floating ip. I copied /etc/letsencrypt folder from old machine to new machine using tar to preserve symlinks.

After migration I ran certbot renew --force-renewal to verify if certificates are issued properly. One of the domains which was using webroot authenticator got cert renewed. But another domain using nginx authenticator failed with error. The details are

My domain is: portal.furtherreach.net

I ran this command: certbot renew --force-renewal

It produced this output:


Processing /etc/letsencrypt/renewal/portal.furtherreach.net.conf


Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for portal.furtherreach.net
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (portal.furtherreach.net) from /etc/letsencrypt/renewal/portal.furtherreach.net.conf produced an unexpected error: Failed authorization procedure. portal.furtherreach.net (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 5efcf900c6626b0fd02f1493cf3ee311.839d95e98e138ff2def14e574b15ccb8.acme.invalid from 45.55.115.216:443. Received 2 certificate(s), first certificate had names “celerate-controller.furtherreach.net”. Skipping.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: portal.furtherreach.net
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    5efcf900c6626b0fd02f1493cf3ee311.839d95e98e138ff2def14e574b15ccb8.acme.invalid
    from 45.55.115.216:443. Received 2 certificate(s), first
    certificate had names “celerate-controller.furtherreach.net

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): nginx/1.12.2

The operating system my web server runs on is (include version): Cent OS 7.5

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi,

You are currently using a depreciated validation method, and this error happens because certbot can’t edit the certificate serving sequencies correctly to pass the validation. The method(certbot use now) is currently available only for existing subscribers, but would be phrases out soon

The easiest way to resolve this is to switch to http-01 validation, by adding --preferred-challenge http-01 after the renew commands.

This requires the website to serve the correct challenge files using http (at port 80), and it seems that there should not be any issue for you to switch to this method.

Thank you


#3

Thanks a lot. It worked.