Error renewing certificate

Please fill out the fields below so we can help you better.

My domain

I ran this command:letsencrypt renew

It produced this output:Domain:
Type: unauthorized
Detail: Incorrect validation certificate for TLS-SNI-01 challenge.

My operating system is (include version):ubuntu 16.04

My web server is (include version):Apache 2.4.18

My hosting provider, if applicable, is:self

I can login to a root shell on my machine (yes or no, or I don’t know):yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no

I do have the log from my last attempt but is too big to include apparently.

Here is a link to the log on Dropbox:

This is from my apache error log:

[Wed Mar 08 17:33:52.805200 2017] [ssl:warn] [pid 2078] AH01906: 83097a3fb4a3f888bd1458096b0afbbd.f0bf4d6b7a923bc2d848c62f1a39cd8c.acme.invalid:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Mar 08 17:33:52.806021 2017] [ssl:warn] [pid 2078] AH01906: f5533e02d6230020b30e60a86e501b41.beda2077aa4d53322b0ec0f1f06dd3cd.acme.invalid:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Mar 08 17:33:52.806305 2017] [ssl:warn] [pid 2078] AH01906: 2753db1ffc92961c99651576face3e71.1b86adf539a24f6dd23bdc9a869ef659.acme.invalid:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Mar 08 17:33:52.806556 2017] [ssl:warn] [pid 2078] AH01906: eacbcf6b6be785b7f2baeceb05a2fe4a.7f75e04418c36d910e82bcb91625f713.acme.invalid:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

This is after I created the tls_sni_01_page directory

Can you post the log from /var/log/letsencrypt?

Also, what is in /etc/letsencrypt/renewal/

The log is in the dropbox link above, it is bigger than I am allowed to post here.

the config file is:

cert = /etc/letsencrypt/live/
privkey = /etc/letsencrypt/live/
chain = /etc/letsencrypt/live/
fullchain = /etc/letsencrypt/live/

Options and defaults used in the renewal process

no_self_upgrade = False
apache_enmod = a2enmod
no_verify_ssl = False
ifaces = None
apache_dismod = a2dismod
register_unsafely_without_email = False
apache_handle_modules = True
uir = None
installer = apache
config_dir = /etc/letsencrypt
text_mode = False
func = <function run at 0x7fd3f33aec08>
staging = False
dry_run = False
work_dir = /var/lib/letsencrypt
tos = False
init = False
http01_port = 80
duplicate = False
noninteractive_mode = False
key_path = None
nginx = False
fullchain_path = None
email = None
csr = None
agree_dev_preview = None
redirect = None
verb = run
verbose_count = -3
config_file = None
renew_by_default = False
hsts = False
apache_handle_sites = True
authenticator = apache
domains =,,,
rsa_key_size = 2048
apache_challenge_location = /etc/apache2
checkpoints = 1
manual_test_mode = False
apache = True
cert_path = None
webroot_path = ,
reinstall = False
expand = False
strict_permissions = False
apache_server_root = /etc/apache2
account = 779aa0c56f7da62f177da7197bff84f1
prepare = False
manual_public_ip_logging_ok = False
chain_path = None
break_my_certs = False
standalone = False
manual = False
server =
standalone_supported_challenges = "tls-sni-01,http-01"
webroot = False
os_packages_only = False
apache_init_script = None
user_agent = None
apache_ctl = None
apache_le_vhost_ext = -le-ssl.conf
debug = False
tls_sni_01_port = 443
logs_dir = /var/log/letsencrypt
apache_vhost_root = /etc/apache2/sites-available
configurator = None

Any thoughts, @bmw? Seems like a less-familiar TLS-SNI-01 issue with Apache.

Thanks for all the info @cchoc47. It looks like what’s happening is an HTTPS virtual host for another domain is conflicting with the one our Apache plugin setup temporarily to complete the challenge.

Can you paste the full contents of the files containing the HTTPS virtual host(s) for,,, and Feel free to redact values as you feel appropriate.

Here are all my virtual hosts. The port 80 ones were created via webmin, the ssl ones by letsencrypt. I am also using the letsencrypt certificates with my postfix/dovecot mail server.

Im sharing via dropbox since it seems to want to interpret some of the file as html:

Taking those vhosts exactly as is, replacing the domains and cert/key paths, adding them to a default Apache 2.4.18 install on Ubuntu 16.04, enabling them, and running letsencrypt 0.4.1, I’m able to renew my cert :confused:

To be entirely honest, I’m a bit at a loss. You said there no other vhosts on your server correct? Running grep -ir "<VirtualHost" /etc/apache2/ doesn’t come up with any vhost that may have been missed?

I have a workaround for you, but I’d also like to figure out the problem here and created to track the issue. The workaround is to run: letsencrypt renew --webroot -w /var/www.backlight. This will temporarily place files in /var/www.backlight for domain validation and then reload Apache to use the new certificate. You can include --force-renewal on the command line to renew your certificates even if they’re not close to expiration.

grep results:

/etc/apache2/apache2.conf:# If you do not specify an ErrorLog directive within a
/etc/apache2/apache2.conf:# logged here. If you do define an error logfile for a
/etc/apache2/sites-available/000-default.conf.dpkg-dist:<VirtualHost *:80>

The command you suggested worked. Should I modify my cron job to use that command?

Thanks so much.

The only other thing I can think of, other than my mail servers using the certificates, is that the two domains are managed by different DNS, one by Network Solutions and the other by Google domains.

I’m seeing a very mixed collection of different <VirtualHost> sections. Some have a hostname combined with a port, some have just a hostname (but that one isn’t in the “sites-enabled” directory), others have the keyword _default_ combined with a port.

In my experience, this mixing (in this case hostname vs. _default_ isn’t working very well when using the tls-sni-01 challenge.

@bmw: did you correct the hostnames in the <VirtualHost> directives to your situation? I can imagine your local test setup doesn’t work with @cchoc47 s hostnames. Perhaps you’ve modified those which made it work in your situation?

When I initially setup apache it created the default host. I then added the port 80 virtual hosts via webmin and then letsencrypt added the SSL virtual hosts. I don’t recall manually editing any of them but am certainly willing To make changes if necessary.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.