Error: Received 2 certificate(s), first certificate had names


#1

My domain is: https://support.ecomsilio.de

I ran this command: ./opt/letsencrypt/letsencrypt-auto renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/support.ecomsilio.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for support.ecomsilio.de
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (support.ecomsilio.de) from /etc/letsencrypt/renewal/support.ecomsilio.de.conf produced an unexpected error: Failed authorization procedure. support.ecomsilio.de (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested d428ef7b112fadd19020b508a8ce6b50.5ffee2b7d2748753fe6fbba82d7c4af9.acme.invalid from 82.165.67.88:443. Received 2 certificate(s), first certificate had names "support.ecomsilio.de". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/support.ecomsilio.de/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/support.ecomsilio.de/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: support.ecomsilio.de
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   d428ef7b112fadd19020b508a8ce6b50.5ffee2b7d2748753fe6fbba82d7c4af9.acme.invalid
   from 82.165.67.88:443. Received 2 certificate(s), first certificate
   had names "support.ecomsilio.de"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
Further Information

Certbot Version: 0.27.1

My web server is (include version): 1&1 cloud server

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is: 1&1

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The SSL certificate should be renewed automatically by a cronjob

* 2 * * 7 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log

I was surprised when I received an email that the SSL certificate would expire soon. I ran the command but received the error above.

The installation was done as follows:

git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt  
cd /opt/letsencrypt  
./letsencrypt-auto --nginx -d support.ecomsilio.de

When asked "Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access", I chose option 2:

Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/zammad.conf

zammad.conf contains the following:

server {

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/support.ecomsilio.de/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/support.ecomsilio.de/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}


server {
    if ($host = support.ecomsilio.de) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name support.ecomsilio.de;
    return 404; # managed by Certbot


}

The server only has an IPv4 address.


I have tried to run as sudo and also with the option --preferred-challenges, but so far I didn't have any luck. Any ideas?

Thanks very much in advance,
Gijs


#2

Hi @gijsrutten

the tls-sni-01 challenge is deprecated. So it's a good idea to switch to http validation.

So try

sudo [path].../letsencrypt-auto --nginx --preferred-challenges http -d support.ecomsilio.de

Errors?


#3

Hi @JuergenAuer

Thanks a lot. That worked. But I was asked:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

I have chosen 2
Result:
Traffic on port 80 already redirecting to ssl in /etc/nginx/conf.d/zammad.conf

But since it needs an input, I can’t run this command automatically via a cron. But I guess there is some conf file where I can change the tls-sni-01 challenge to another challenge?!

Thanks,
Gijs


#4

Or has the challenge been changed automatically?

I ran ./opt/letsencrypt/letsencrypt-auto renew --dry-run and received the following success message:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/support.ecomsilio.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for support.ecomsilio.de
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/support.ecomsilio.de/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/support.ecomsilio.de/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

#5

Yep, now I see a new certificate :wink:

Yep, normally, certbot should change the challenge type.

Use

sudo letsencrypt-auto certificates

to see how many certificates certbot knows.

There is a configuration file under

/etc/letsencrypt/renewal

there you should see that.

The redirect works, this shouldn’t be a renew problem.


#6

Hi,

@JuergenAuer's previous comment makes a new certificate instead of changing the existing certificate configuration.

You should run ./opt/letsencrypt/letsencrypt-auto renew --dry-run --preferred-challenge http

This command will convert the renewal from TLS-SNI validation to http based…

Thank you
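
The renewal-config angle raised in #3, #5 and #6, as an added example that is not part of this thread or of certbot itself: a small audit that reads a renewal file like /etc/letsencrypt/renewal/support.ecomsilio.de.conf, reports whether it still relies on tls-sni-01 (explicitly, or implicitly because no challenge is pinned), and writes the same `pref_challs = http-01,` entry into `[renewalparams]` that a `renew --preferred-challenges http` run leaves behind. The file layout and the `pref_challs` key are assumptions about certbot's format; the sample conf is constructed.

```python
# Added example, not from the thread: audit a certbot renewal conf for the
# deprecated tls-sni-01 challenge and pin http-01 in [renewalparams]. Assumed
# layout: top-level keys, then [renewalparams], which may hold
# "pref_challs = http-01," (certbot itself writes the trailing comma).
PIN = "pref_challs = http-01,"

# Constructed sample modelled on /etc/letsencrypt/renewal/support.ecomsilio.de.conf
# before any --preferred-challenges run: no pref_challs key is present.
SAMPLE_CONF = """\
fullchain = /etc/letsencrypt/live/support.ecomsilio.de/fullchain.pem
[renewalparams]
authenticator = nginx
"""

def renewal_params(text):
    """Return the key/value pairs of the [renewalparams] section."""
    params, in_params = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_params = line == "[renewalparams]"
        elif in_params and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params

def audit(text):
    """Return a finding if the conf uses, or may fall back to, tls-sni-01; else None."""
    raw = renewal_params(text).get("pref_challs", "")
    challs = [c.strip() for c in raw.split(",") if c.strip()]
    if "tls-sni-01" in challs:
        return "pref_challs names the deprecated tls-sni-01 challenge"
    if not challs:
        return "no pref_challs set; challenge left to the authenticator default"

def pin_http01(text):
    """Rewrite or insert pref_challs so renewals use http-01 only."""
    out, in_params, done = [], False, False
    for line in text.splitlines():
        if line.strip().startswith("["):
            if in_params and not done:   # leaving [renewalparams] without a pin
                out.append(PIN); done = True
            in_params = line.strip() == "[renewalparams]"
        elif in_params and line.partition("=")[0].strip() == "pref_challs":
            line, done = PIN, True
        out.append(line)
    if in_params and not done:           # section ran to the end of the file
        out.append(PIN)
    return "\n".join(out) + "\n"
```

Running `audit()` over every file in /etc/letsencrypt/renewal before the cron job fires catches the failure from #1 early; a `renew --dry-run` afterwards confirms the pinned challenge actually validates.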


#7

Thanks Steven,

I will give that a try. I will have to set up a new server anyway but with the same configuration. I will set it up that way and see if the auto renewal then works correctly. But I assume it should :slight_smile:


#8

Try directly

certbot certificates

Then you see if there are two certificates or one.

If there are two, remove the older with

certbot delete --cert-name thenameofthecertificatefromthefirstcommand


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.