Errors on renewing using apache plugin. Need to move from TLS-SNI-01?

I’m managing 100+ site network. At first I was putting several domains on 1 certificate, but then later that’s a problem is one goes away. So l’ve been using a single cert per domain, but when I go to renew this one I’m getting this error. Any thoughts on fixing this?

sudo certbot --apache -d surgicalcenterofsandiego.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for surgicalcenterofsandiego.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. surgicalcenterofsandiego.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 827ef8746ad1b145cd9d000cc32bb38a.e90fc0bdd632fd98c1556340feed8c45.acme.invalid from 207.223.115.39:443. Received 2 certificate(s), first certificate had names "aksurgery.com, alaskaspinecenter.com, alliancelakemary.com, amsurgsurgerycenter.com, antelopevalleysurgerycenter.com, apogeesurgery.com, arcadiasurgerycenter.com, barrancasurgerycenter.com, bellevillesurgical.com"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: surgicalcenterofsandiego.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   827ef8746ad1b145cd9d000cc32bb38a.e90fc0bdd632fd98c1556340feed8c45.acme.invalid
   from 207.223.115.39:443. Received 2 certificate(s), first
   certificate had names "aksurgery.com, alaskaspinecenter.com,
   alliancelakemary.com, amsurgsurgerycenter.com,
   antelopevalleysurgerycenter.com, apogeesurgery.com,
   arcadiasurgerycenter.com, barrancasurgerycenter.com,
   bellevillesurgical.com"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I would also like to move away from TLS-SNI-01 can I specify when using the apache plugin?

Thanks,
Dave

Hi @Kaplan

tls-sni-01 - validation is deprecated, support ends 2019-02-13.

So use http - validation:

sudo certbot --apache -d surgicalcenterofsandiego.com -preferred-challenges http

Your configuration

looks ok. Port 80 is open, there is a redirect http -> https, but Letsencrypt ignores the expired certificate.

So the http status 404 / not found is good.

Thanks! That works for most of the domains I’m trying to renew, but I still have a couple giving errors.

sudo certbot --apache -d texashealthsurgerycenterbedford.com --preferred-challenges http
	Saving debug log to /var/log/letsencrypt/letsencrypt.log
	Plugins selected: Authenticator apache, Installer apache
	Obtaining a new certificate
	Performing the following challenges:
	http-01 challenge for texashealthsurgerycenterbedford.com
	Waiting for verification...
	Cleaning up challenges
	Failed authorization procedure. texashealthsurgerycenterbedford.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://texashealthsurgerycenterbedford.com/.well-known/acme-challenge/V3DHa2RXeGxlGPIc2zAoyqnqX3kGHVQPRP2VagFX6sw: "<!DOCTYPE html>\n<html lang=\"en-US\" prefix=\"og: http://ogp.me/ns#\">\n<head>\n    <meta charset=\"UTF-8\">\n    <meta name=\"viewport\" c"

	IMPORTANT NOTES:
	 - The following errors were reported by the server:

	   Domain: texashealthsurgerycenterbedford.com
	   Type:   unauthorized
	   Detail: Invalid response from
	   http://texashealthsurgerycenterbedford.com/.well-known/acme-challenge/V3DHa2RXeGxlGPIc2zAoyqnqX3kGHVQPRP2VagFX6sw:
	   "<!DOCTYPE html>\n<html lang=\"en-US\" prefix=\"og:
	   http://ogp.me/ns#\">\n<head>\n    <meta charset=\"UTF-8\">\n
	   <meta name=\"viewport\" c"

	   To fix these errors, please make sure that your domain name was
	   entered correctly and the DNS A/AAAA record(s) for that domain
	   contain(s) the right IP address.

To fix the 2 domains that I couldn’t update, I did an a2dissite on the -le-ssl.conf and then removed that file, reloaded apache and started again with the original command. Seems to be working now.

Thanks!

Checked this domain ( https://check-your-website.server-daten.de/?q=texashealthsurgerycenterbedford.com ) something looks wrong:

The non-www has a correct certificate.

But the www has the following certificate:

CN=aksurgery.com
	19.12.2018
	19.03.2019
	aksurgery.com, alaskaspinecenter.com, alliancelakemary.com, 
amsurgsurgerycenter.com, antelopevalleysurgerycenter.com, 
apogeesurgery.com, arcadiasurgerycenter.com, 
barrancasurgerycenter.com, bellevillesurgical.com - 9 entries

So it looks that the wrong vHost answers.

So check your ServerAlias - entries of the vHosts which uses this certificate.

Thanks for your help on this. If I create a certifcate for a www.texashealthsurgerycenterbedford.com will that fix this issue? I see the aksurgery.com certificate error when I visit https://www.texashealthsurgerycenterbedford.com/

I think I made a mistake when I started creating the certificates for several sites on a single domain within the network. I’m trying to undo that as I renew.

I’m noticing today that a few of the sites I updated certificates on are sometimes not working, for example if I go to https://texashealthsurgerycenterparkhill.com/ get a “Your connection is not private” error but refresh, then the page loads.

Thanks again,
Dave

Sorry, just thought of a question to add to the last post. What is the best way to add a www. to the list of DNS names?

Thanks again,
Dave

Hi,

When I try and make a vHost and create a certificate for the www specifically I get an error.

sudo certbot --apache -d www.texashealthsurgerycenterbedford.com --preferred-challenges http

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator apache, Installer apache

Obtaining a new certificate

Performing the following challenges:

http-01 challenge for www.texashealthsurgerycenterbedford.com

Waiting for verification...

Cleaning up challenges

Failed authorization procedure. www.texashealthsurgerycenterbedford.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.texashealthsurgerycenterbedford.com/.well-known/acme-challenge/JYaXJAcgBBavkAmuEJimhMcqU8TjP3LplXhpxV_1yME: "<!DOCTYPE html>\n<html lang=\"en-US\" prefix=\"og: http://ogp.me/ns#\">\n<head>\n <meta charset=\"UTF-8\">\n <meta name=\"viewport\" c"

IMPORTANT NOTES:

 - The following errors were reported by the server:

Domain: www.texashealthsurgerycenterbedford.com

Type: unauthorized

Detail: Invalid response from

http://www.texashealthsurgerycenterbedford.com/.well-known/acme-challenge/JYaXJAcgBBavkAmuEJimhMcqU8TjP3LplXhpxV_1yME:

"<!DOCTYPE html>\n<html lang=\"en-US\" prefix=\"og:

http://ogp.me/ns#\">\n<head>\n <meta charset=\"UTF-8\">\n<meta name=\"viewport\" c"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.

May be a cache problem, now it looks ok. But I didn’t recheck the site.

The normal -d parameter, perhaps the certificate name to overwrite.

Why that?

You have a running vHost under

texashealthsurgerycenterbedford.com

so find the vHost with this domain name and add a ServerAlias

ServerAlias www.texashealthsurgerycenterbedford.com

Then this vHost manages both domain names. Then create one certificate with two domain names.

Normally it’s not a good idea to split non-www and www of the same domain into different vHosts.

Thanks @JuergenAuer this is very helpful.

I’ve been taking that approach, using ServerAlias on the new site’s configs I’ve been adding to the network. I tried out both www and * for ServerAlias.

I think this all started when I was asked by my client / project manager to fix errors on links that have https://www. I’ve been trying to redirect to the domain associated with the ServerName.

I’m going to work on modifying these 2 sites and see if I can work it out.

Thanks again!