Error on certificate renew

Hello.

Can anybody help me with this issue?
I'm trying to renew the certificate for the domain flags.api.ivanvorobei.by but I am getting the following error:
Failed authorization procedure. flags.api.ivanvorobei.by (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 293247b49e50aeae751c988accdb93e4.9a21d7453f3b1fa2616380ea8e693a13.acme.invalid from [2a0a:7d80:1:7::96:19d]:443. Received 2 certificate(s), first certificate had names "*.hoster.by, hoster.by"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: flags.api.ivanvorobei.by
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   293247b49e50aeae751c988accdb93e4.9a21d7453f3b1fa2616380ea8e693a13.acme.invalid
   from [2a0a:7d80:1:7::96:19d]:443. Received 2 certificate(s), first
   certificate had names "*.hoster.by, hoster.by"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Hi @alexsergin,

There is some difference in the virtual host configuration between the IPv4 and IPv6 versions of this service, which is probably the reason for this error. If you visit https://flags.api.ivanvorobei.by/ in IPv4 and in IPv6, you receive different HTTPS certificates. (By contrast, the http:// version of this service returns an apparently identical redirect in both protocols.)

The certificate authority is performing its checks over IPv6, but apparently the virtual host could not be reconfigured to pass the challenge. If you can ensure that the same virtual host configuration is used for both protocols (or in the worst case remove the IPv6 record if you didn’t intend to support IPv6 on this host), the challenge should be able to pass.
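A way to check for the dual-stack mismatch described above, as an added example that is not part of this thread: it resolves every A/AAAA address of a host, connects to each one with SNI set to the hostname, and reports any address whose certificate does not cover the name or differs from the others. It assumes the `cryptography` package is available for parsing the DER certificate; verification is switched off deliberately so that the wrong certificate can be inspected rather than rejected.

```python
"""Compare the TLS certificate a host presents on each of its IPv4/IPv6 addresses."""
import socket
import ssl


def name_matches(hostname: str, san: str) -> bool:
    """Match a DNS name against one SAN entry; '*.' covers exactly one label."""
    hostname, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == san[2:]
    return hostname == san


def covered(hostname: str, sans: list) -> bool:
    return any(name_matches(hostname, s) for s in sans)


def diagnose(hostname: str, results: dict) -> tuple:
    """results maps address -> list of SAN names; returns (ok, problem lines)."""
    problems = []
    for addr, sans in results.items():
        if not covered(hostname, sans):
            problems.append(f"{addr}: certificate names {sans} do not cover {hostname}")
    if len({frozenset(s) for s in results.values()}) > 1:
        problems.append("resolved addresses present different certificates (check IPv4 vs IPv6 vhosts)")
    return (not problems, problems)


def fetch_sans(hostname: str, addr: str, port: int = 443) -> list:
    """Connect to one literal address with SNI=hostname and return its SAN dNSNames."""
    from cryptography import x509  # assumption: 'cryptography' is installed
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # we want to see a mismatched cert, not fail on it
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((addr, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)
    cert = x509.load_der_x509_certificate(der)
    try:
        ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return []
    return ext.value.get_values_for_type(x509.DNSName)


def check_host(hostname: str, port: int = 443) -> tuple:
    """Resolve A and AAAA records, probe each address, and diagnose the result."""
    addrs = {ai[4][0] for ai in socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)}
    return diagnose(hostname, {a: fetch_sans(hostname, a, port) for a in sorted(addrs)})


if __name__ == "__main__":
    import sys
    ok, problems = check_host(sys.argv[1])
    print("OK" if ok else "\n".join(problems))
```

Run it as `python check_certs.py flags.api.ivanvorobei.by`; an AAAA address answering with the hoster.by certificate shows up as two problem lines.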

I've removed the IPv6 listener from the virtual host but I am still getting an error.
Here is my nginx virtual host configuration:
server {
        listen 80;

        server_name flags.api.ivanvorobei.by;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        location / {
                proxy_pass http://backend/flagsapi/;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass_header Set-Cookie;
                proxy_redirect off;

                # WebSocket support (nginx 1.4)
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";

                rewrite ^/flagsapi/(.*)$ /$1 last;
        }

}

And netstat also shows that the port is only being listened on over IPv4:
root@balancer:/etc/nginx/sites-enabled# netstat -an | grep 80
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
unix 7 [ ] DGRAM 8580 /run/systemd/journal/socket
unix 3 [ ] STREAM CONNECTED 16980 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 15580 /run/systemd/journal/stdout

But in the letsencrypt.log I see the following lines:
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/jCHbugYoklLfKhf3JgJOeR1JMi_r7aS-HhZuKaGBPuU/2429173768",
"token": "Rpexs442RNPgcTm0T2ko5LSmPaT6xxSpOMobBSS6CeE",
"keyAuthorization": "Rpexs442RNPgcTm0T2ko5LSmPaT6xxSpOMobBSS6CeE.t3J9mwcJs0lJ5jPelnqdkNHQcDSJVxDzWGpHO5BpzDY",
"validationRecord": [
  {
    "hostname": "flags.api.ivanvorobei.by",
    "port": "443",
    "addressesResolved": [
      "188.166.54.64",
      "2a0a:7d80:1:7::96:19d"
    ],
    "addressUsed": "2a0a:7d80:1:7::96:19d",
    "addressesTried": []
  }

It seems it is still using the IPv6 address. How can I disable it?

@schoen Thank you very much. It seems I've resolved the issue. I just removed the AAAA record from the DNS.
