Error issuing cert on migration

I migrated 2 of my domains from one machine using Ubuntu 14.04 to another using Cent OS 7.5. I had floating same ip for both my domains, so I just changed my floating ip. I copied /etc/letsencrypt folder from old machine to new machine using tar to preserve symlinks.

After migration I ran certbot renew --force-renewal to verify if certificates are issued properly. One of the domains which was using webroot authenticator got cert renewed. But another domain using nginx authenticator failed with error. The details are

My domain is: portal.furtherreach.net

I ran this command: certbot renew --force-renewal

It produced this output:

Processing /etc/letsencrypt/renewal/portal.furtherreach.net.conf

Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for portal.furtherreach.net
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (portal.furtherreach.net) from /etc/letsencrypt/renewal/portal.furtherreach.net.conf produced an unexpected error: Failed authorization procedure. portal.furtherreach.net (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 5efcf900c6626b0fd02f1493cf3ee311.839d95e98e138ff2def14e574b15ccb8.acme.invalid from 45.55.115.216:443. Received 2 certificate(s), first certificate had names “celerate-controller.furtherreach.net”. Skipping.

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: portal.furtherreach.net
  Type: unauthorized
  Detail: Incorrect validation certificate for tls-sni-01 challenge.
  Requested
  5efcf900c6626b0fd02f1493cf3ee311.839d95e98e138ff2def14e574b15ccb8.acme.invalid
  from 45.55.115.216:443. Received 2 certificate(s), first
  certificate had names “celerate-controller.furtherreach.net”

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address.

My web server is (include version): nginx/1.12.2

The operating system my web server runs on is (include version): Cent OS 7.5

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hi,

You are currently using a depreciated validation method, and this error happens because certbot can’t edit the certificate serving sequencies correctly to pass the validation. The method(certbot use now) is currently available only for existing subscribers, but would be phrases out soon

The easiest way to resolve this is to switch to http-01 validation, by adding --preferred-challenge http-01 after the renew commands.

This requires the website to serve the correct challenge files using http (at port 80), and it seems that there should not be any issue for you to switch to this method.

Thank you

Thanks a lot. It worked.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.