Error Renewing Certbot Certificates


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: nomorestars.com, www.nomorestars.com, pod.nomorestars.com

I ran this command: certbot -renew

It produced this output:

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for nomorestars.com
tls-sni-01 challenge for pod.nomorestars.com
tls-sni-01 challenge for www.nomorestars.com
nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/var/lib/letsencrypt/f36IWrhuD92nPeBkIjsc23I4h449VD_I9eZffVu7lNc.crt"
nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/var/lib/letsencrypt/V7DAuxR66_k17cau0HTBbxFjhs33l-UeXwwC6uacFP0.crt"
nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/var/lib/letsencrypt/3K76HP74U2rBJQlclZgkmLSnBNGUZcI7LFeJqkDn1D8.crt"
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (nomorestars.com) from /etc/letsencrypt/renewal/nomorestars.com.conf produced an unexpected error: Failed authorization procedure. www.nomorestars.com (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 4d151b8ee03744e606853300fe7a63df.de0b51802eb224771afb861a4306e8ba.acme.invalid from [2604:a880:400:d1::78b:7001]:443. Received 2 certificate(s), first certificate had names "nomorestars.com, pod.nomorestars.com, www.nomorestars.com", pod.nomorestars.com (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested b04222bb8450a7bc68d882fc41b66a1e.245bfe973b20c9ac5fb9a0b5a1dae3dd.acme.invalid from [2604:a880:400:d1::78b:7001]:443. Received 2 certificate(s), first certificate had names "nomorestars.com, pod.nomorestars.com, www.nomorestars.com", nomorestars.com (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested bf9e9ab89ceada109873fd2fbdf275f9.22a841e9ddb4d5b60c3fe2f2b540ee65.acme.invalid from [2604:a880:400:d1::78b:7001]:443. Received 2 certificate(s), first certificate had names "nomorestars.com, pod.nomorestars.com, www.nomorestars.com". Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/pod.nomorestars.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for pod.nomorestars.com
nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/var/lib/letsencrypt/jxzITKO_Gp3KzYUHlH9yNM0iwCtg5dQkDbIoK_pP0ms.crt"
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (pod.nomorestars.com) from /etc/letsencrypt/renewal/pod.nomorestars.com.conf produced an unexpected error: Failed authorization procedure. pod.nomorestars.com (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 920080f8307eff3903b96dee6b4359bd.7ebdeccc4e69dc20bec366fdd07120a0.acme.invalid from [2604:a880:400:d1::78b:7001]:443. Received 2 certificate(s), first certificate had names "nomorestars.com, pod.nomorestars.com, www.nomorestars.com". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/nomorestars.com/fullchain.pem (failure)
  /etc/letsencrypt/live/pod.nomorestars.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/nomorestars.com/fullchain.pem (failure)
  /etc/letsencrypt/live/pod.nomorestars.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: pod.nomorestars.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   920080f8307eff3903b96dee6b4359bd.7ebdeccc4e69dc20bec366fdd07120a0.acme.invalid
   from [2604:a880:400:d1::78b:7001]:443. Received 2 certificate(s),
   first certificate had names "nomorestars.com, pod.nomorestars.com,
   www.nomorestars.com"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: www.nomorestars.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   4d151b8ee03744e606853300fe7a63df.de0b51802eb224771afb861a4306e8ba.acme.invalid
   from [2604:a880:400:d1::78b:7001]:443. Received 2 certificate(s),
   first certificate had names "nomorestars.com, pod.nomorestars.com,
   www.nomorestars.com"

   Domain: pod.nomorestars.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   b04222bb8450a7bc68d882fc41b66a1e.245bfe973b20c9ac5fb9a0b5a1dae3dd.acme.invalid
   from [2604:a880:400:d1::78b:7001]:443. Received 2 certificate(s),
   first certificate had names "nomorestars.com, pod.nomorestars.com,
   www.nomorestars.com"

   Domain: nomorestars.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   bf9e9ab89ceada109873fd2fbdf275f9.22a841e9ddb4d5b60c3fe2f2b540ee65.acme.invalid
   from [2604:a880:400:d1::78b:7001]:443. Received 2 certificate(s),
   first certificate had names "nomorestars.com, pod.nomorestars.com,
   www.nomorestars.com"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): nginx 1.12.2

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

As a note, if I do a ‘dry-run’ I get a completely different error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/nomorestars.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nomorestars.com
http-01 challenge for pod.nomorestars.com
http-01 challenge for www.nomorestars.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (nomorestars.com) from /etc/letsencrypt/renewal/nomorestars.com.conf produced an unexpected error: Failed authorization procedure. www.nomorestars.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.nomorestars.com/.well-known/acme-challenge/ruCbMyasohRzwds8C-CvRVOleLNMNZeYbZnwixsaojk: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>". Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/pod.nomorestars.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for pod.nomorestars.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/pod.nomorestars.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs could not be renewed:
  /etc/letsencrypt/live/nomorestars.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

The following certs were successfully renewed:
  /etc/letsencrypt/live/pod.nomorestars.com/fullchain.pem (success)

The following certs could not be renewed:
  /etc/letsencrypt/live/nomorestars.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.nomorestars.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.nomorestars.com/.well-known/acme-challenge/ruCbMyasohRzwds8C-CvRVOleLNMNZeYbZnwixsaojk:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

#3

Ok, so, what’s happening is somewhat complicated here. First off, your client is still using the tls-sni-01 challenge type (in the first example at least). This has been deprecated for all new issuance, but is still enabled for renewals. At some point in the future, that will no longer be the case, so it may be worth moving to a different challenge type now.

Second, that error in the first example indicates that something else has completed the TLS handshake before the setup Certbot placed in your nginx config files. I see an IPv6 address there, so it’s possible this is routed differently, or you have a service like CloudFlare sitting in the middle that completed the TLS handshake first. Not going to spend too much time on this because I think it’s best to change to http-01 challenges anyway.

That brings us to the --dry-run failure. This one was using the http-01 challenge which involves attempting to retrieve a challenge file from the /.well-known/acme-challenge directory, as you see in the error message. In this case, your web server returned a 404. Usually that’s because something in your nginx config intercepted that request and didn’t actually serve the file as Certbot set it up. Could you post your /var/log/letsencrypt/letsencrypt.log?

(Side note, thank you for putting your command output as preformatted text!! Not many people do that, and it makes it so much easier.)


#4

Hi @trekkie

additional: Your certificate with one domain name pod.nomorestars.com was renewed.

So: Is there a difference between the configuration of pod.nomorestars.com and www.nomorestars.com?

That would explain why www.nomorestars.com/.well-known/acme-challenge/token sends a 404 instead of the content of the file.


#5

Hi - sorry to hijack this thread, but is there some documentation on how to move to a different challenge type for renewals so that I don’t get taken unawares when tls-sni-01 isn’t supported?

Thanks.


#6

Hi,

Please do not hijack this thread…

And the answer to your question is, yes.

Use this flag (--preferred-challenge http to switch to http-01 validation, use --preferred-challenge DNS to switch to dns-01 validation)

Thank you


#7

Jared - Thank you for the reply, I didn’t get the notification due to a spam filter.

I use separate site config files for each of my sites, even though on the same server. pod.nomorestars.com is my diaspora pod, and www is my generic landing page.

I am using DigitalOcean droplet with nothing in-between me and my IP that I am aware of. I looked at DigitalOcean’s wikis on how to use letsencrypt and they mention nothing about them doing anything that would interfere, so I don’t think that’s it.

I do have IPv6 enabled, as I have a public IPv6 address on my host. I am mostly following best practices on how to secure as best as possible from Mozilla and others, so my site files are a copy/paste or a ‘put in tool and we’ll help you be best practice’ from Mozilla. In the WWW I’d spent some time searching and found a couple of ‘fix the ACME cert with a rewrite’ tips which don’t seem to fix my issue but I’ve not removed yet. I’ve trimmed stuff after the certbot section.

My www site file is:

server {
    if ($host = www.nomorestars.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name www.nomorestars.com nomorestars.com;
    rewrite ^ https://$host$request_uri permanent;
}

server {
    listen 443;
    listen [::]:443;
    server_name www.nomorestars.com nomorestars.com;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/nomorestars.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/nomorestars.com/privkey.pem; # managed by Certbot
    index index.html index.htm index.php;
    root /usr/share/nginx/html;
    location ^~ /.well-known/acme-challenge/ {
        alias /usr/share/nginx/html/acme-challenge/;
    }

My pod site file is:

server {
    listen 80;
    listen [::]:80;
    server_name pod.nomorestars.com;
    rewrite ^/(.*) https://pod.nomorestars.com/$1 permanent;
}

server {
    listen 443;
    listen [::]:443;
    ssl on;
    server_name pod.nomorestars.com;
    root /home/diaspora/diaspora/public;

    # Configure maximum picture size
    # Note that Diaspora has a client side check set at 4M
    client_max_body_size 5M;
    client_body_buffer_size 256K;

    # SSL setup

    # This file should also include any necessary intermediate certificates
    # For example for StartSSL that would be http://www.startssl.com/certs/sub.class1.server.ca.pem
    ssl_certificate /etc/letsencrypt/live/nomorestars.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/nomorestars.com/privkey.pem; # managed by Certbot

    # generate with openssl dhparam 2048 > /path/to/dhparam.pem
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_session_timeout 5m;

#8

Unfortunately the letsencrypt.log is too big for me to paste the most recent part into, and it won’t let me attach a file. So I put it here:

https://justpaste.it/6y814


#9

Hi,

The issue is from your http port listen configuration.

In the config file, you do enable IPv6 for https (ssl port)… However, you should set listen to IPv6 on port 80 too…

Since you are using http-01 validation, the Let’s Encrypt validation server connects to port 80 first… and because the IPv6 address of your site is not listened on for port 80, the site returns an error code of 403.

Please enable Nginx to listen on IPv6 for each http (port 80) server block.

Thank you
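The mismatch described above (a name served over IPv6 on 443 but only over IPv4 on 80) is easy to miss by eye. The following is an added example, not code from this thread or from Certbot or nginx, that parses a small nginx configuration and lists every server name and port that is IPv4-only while the same name is dual-stack on another port; the sample config is constructed from the site files posted earlier in the thread, and the parser handles only directives and braces, not include files.

```python
import re

# Constructed sample modelled on the site files posted earlier in this thread:
# the www blocks listen on IPv6 for 443 only, the pod blocks on both ports.
SAMPLE_CONF = """
server { listen 80; server_name www.nomorestars.com nomorestars.com; }
server { listen 443; listen [::]:443; server_name www.nomorestars.com nomorestars.com; }
server { listen 80; listen [::]:80; server_name pod.nomorestars.com; }
server { listen 443; listen [::]:443; server_name pod.nomorestars.com; }
"""

def parse_blocks(text):
    """Minimal nginx parser: top-level blocks as (name_tokens, directives, children)."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))
    pos = 0

    def body():
        nonlocal pos
        directives, children, args = [], [], []
        while pos < len(tokens):
            tok, pos = tokens[pos], pos + 1
            if tok == ";":                      # end of a simple directive
                directives.append((args[0], args[1:])); args = []
            elif tok == "{":                    # start of a nested block
                inner = body(); children.append((args, *inner)); args = []
            elif tok == "}":
                break
            else:
                args.append(tok)
        return directives, children
    return body()[1]

def listen_ports(directives):
    """Ports from 'listen' directives, split by address family."""
    ports = {"v4": set(), "v6": set()}
    for name, args in directives:
        if name == "listen" and args:
            addr = args[0]
            if addr.startswith("["):            # [::]:443 or bare [::] (port 80)
                ports["v6"].add(addr.rsplit("]:", 1)[1] if "]:" in addr else "80")
            else:                               # 80, *:80, 0.0.0.0:80
                ports["v4"].add(addr.rsplit(":", 1)[-1])
    return ports

def find_ipv6_gaps(conf_text):
    """(server_name, port) pairs served over IPv4 only although the same name is
    served over IPv6 on another port, so an AAAA record breaks validation there."""
    per_name = {}
    for name, directives, _ in parse_blocks(conf_text):
        if name != ["server"]:
            continue
        ports = listen_ports(directives)
        for n in (a for d, args in directives if d == "server_name" for a in args):
            entry = per_name.setdefault(n, {"v4": set(), "v6": set()})
            entry["v4"] |= ports["v4"]; entry["v6"] |= ports["v6"]
    return sorted((n, port) for n, p in per_name.items()
                  if p["v6"] for port in p["v4"] - p["v6"])

if __name__ == "__main__":
    for name, port in find_ipv6_gaps(SAMPLE_CONF):
        print(f"{name}: port {port} is IPv4-only; add 'listen [::]:{port};'")
```

Run against the real site files, it reports the two www names on port 80 and nothing for the pod block, which matches the http-01 result seen in the dry run above.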


#10

Oh, duh. That was dumb.

I replaced that, the dry-run succeeds now, but the actual renew still fails. I will change to the new renewal method and see if that addresses it.


#11

The return code was 404:

https://acme-staging-v02.api.letsencrypt.org/acme/authz/6wieNoLQLLjvwOp8MnBcTk9DwsPVQXQfKVroLyT3TMo

"Invalid response from http://www.nomorestars.com/.well-known/acme-challenge/2kuDgZyQttXORuaraZjjq9i51UgHp4__t01WqavxGpY: "<html>\r\n<head><title>404 Not Found</title>

addressUsed “2604:a880:400:d1::78b:7001”

So port 80 + ipv6 works.


#12

… That means IPV6 + port 80 is not working… Since it falls into the default page…


#13

So here’s my Let’s Encrypt log now:

https://justpaste.it/5klaa

Dry Run is successful.

Actual run fails with:

 The following errors were reported by the server:

   Domain: pod.nomorestars.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   f402dc630cdf283828fcad396ae9cc3d.0cd9a6af809e30500f5f91ad4176769a.acme.invalid
   from [2604:a880:400:d1::78b:7001]:443. Received 2 certificate(s),
   first certificate had names "nomorestars.com, pod.nomorestars.com,
   www.nomorestars.com"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: www.nomorestars.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   ce42ea5ad1a07c5ee69b4904e5abc9d7.37ebfd4dfede4bca4229c97c32e7d792.acme.invalid
   from [2604:a880:400:d1::78b:7001]:443. Received 2 certificate(s),
   first certificate had names "nomorestars.com, pod.nomorestars.com,
   www.nomorestars.com"

   Domain: pod.nomorestars.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   4316355dbb9224101f79bd40510f0d74.6023a18851c00d6bfa8a3cdd45cf702d.acme.invalid
   from [2604:a880:400:d1::78b:7001]:443. Received 2 certificate(s),
   first certificate had names "nomorestars.com, pod.nomorestars.com,
   www.nomorestars.com"

   Domain: nomorestars.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   16795acb9b91312d2b5673874c9ba2f7.a75ad1ee8132610f7848c44b5f29c6d4.acme.invalid
   from [2604:a880:400:d1::78b:7001]:443. Received 2 certificate(s),
   first certificate had names "nomorestars.com, pod.nomorestars.com,
   www.nomorestars.com"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I wanted to do it without the tni and try DNS, but when I did the --preferred-challenge DNS I get “certbot: error: argument --preferred-challenges: Unrecognized challenges: DNS”

I’m running CentOS 7 and certbot.noarch 0.26.1-2.el7 is my loaded package.


#14

You’ll have an easier time with software compatibility if you use --preferred-challenges http.

I think the --preferred-challenges option may be case-sensitive, in which case you would need to specify dns instead of DNS.


#15

Doing that solved the error for me. Ta-da.

Thanks to everyone
