I used to renew my domains with no issues. I am renewing them early because I won’t be in to do the renewal on the date. I tried with all the possible commands without success. They all time out on the ACME challenge. At the same time I could access the code at the server’s address from the web without any issues. I am running my own client server on Apache/BIND/Mac OS X. Letsencrypt CA is valid until August 6, 2017. Obs.: I had to trim the logs because the post body has a restriction on the number of characters.
Relevant information:
OS = Mac OS X Mavericks
Apache = Bitnami Apache 2.4.xx (Not the original OS X Apache Conf or path)
Server is accessible through the domain.
ACME challenge is also accessible through the web address.
Here are the terminal logs, and below the /var/log/letsencrypt/letsencrypt.log.
— Mac OS X terminal logs start —
[server:~] root# cd /Users/user02/letsencrypt
[server:~/letsencrypt] root# ./letsencrypt-auto certonly -a manual --rsa-key-size 4096 -d domain.org -d www.domain.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/domain.org.conf)
What would you like to do?
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
[server:~/letsencrypt] root#
— Mac OS X terminal logs ends —
I did research other similar topics, but the answers were for a particular issue.
The Apache virtual host is configured as follows:
<VirtualHost *:443>
DocumentRoot "/Users/user2/Sites"
ServerName domain.org
ServerAlias www.domain.org
ServerAdmin webmaster@domain.org
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLEngine on
SSLCertificateFile "/etc/letsencrypt/live/domain.org/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/domain.org/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/domain.org/chain.pem"
# HSTS (mod_headers is required) (15768000 seconds = 6 months)
Header always set Strict-Transport-Security "max-age=15768000"
# Always ensure Cookies have "Secure" set (JAH 2012/1)
Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
ErrorLog "/usr/local/apps/apache2/logs/error_log"
TransferLog "/usr/local/apps/apache2/logs/access_log"
CustomLog /usr/local/apps/apache2/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Sounds like a DNS issue. Are you absolutely sure that the DNS is correctly configured? I have to ask, because I had a very similar sounding problem, and it turned out to be because someone had added an incorrect IPv6 entry for the domain I was trying to renew. You might find dig domain.org, dig aaaa domain.org, dig www.domain.org and dig aaaa www.domain.org useful.
If I use certbot to renew the domains, this is what I get:
[server:~] root# sudo certbot --apache certonly -d domain.org -d www.domain.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/domain.org.conf)
What would you like to do?
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for domain.org
tls-sni-01 challenge for www.domain.org
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. domain.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 706097348ac72ff6ed29eabb08be0652.d898b760ab70f8840a70403f1d5b153f.acme.invalid from 10x.xxx.xxx.xx:443. Received 2 certificate(s), first certificate had names “domain.org, www.domain.org”, www.domain.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested be74dc262acb71cec836e512982946bf.63fd8c4f165b462eed9995b74243f63d.acme.invalid from 10x.xxx.xxx.xx:443. Received 2 certificate(s), first certificate had names “domain.org, www.domain.org”
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: domain.org
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
706097348ac72ff6ed29eabb08be0652.d898b760ab70f8840a70403f1d5b153f.acme.invalid
from 10x.xxx.xxx.xx:443. Received 2 certificate(s), first
certificate had names “domain.org, www.domain.org”
Domain: www.domain.org
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
be74dc262acb71cec836e512982946bf.63fd8c4f165b462eed9995b74243f63d.acme.invalid
from 10x.xxx.xxx.xx:443. Received 2 certificate(s), first
certificate had names “domain.org, www.domain.org”
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
I did not want to put the real address out, but at this point I have no choice, since none of the LE/Certbot commands, or even the recently installed Homebrew Certbot, are working as they should. Let us remind ourselves that Letsencrypt worked before without any hard issues.
The server is http://domain.org or www.domain.org
DNS is responding fine without any errors!
The server is hosting multiple domain names on a single IP address.
You can also check if acme is reachable through the internet. I checked both servers and acme with Tor and they are reachable without a problem.
Both of the test sites that you used are testing whether you can browse the web with IPv6 connectivity, not whether a particular server has IPv6 connectivity. By running curl -6 http://bonsi.org/ on a machine with IPv6 connectivity, I can see that bonsi.org itself does not have its IPv6 connectivity working properly. (Testing in a browser is not quite a strict enough test because the browser is usually willing to fall back to IPv4 if an IPv6 connection fails, which our CA is not willing to do.)
A tester you could use that will confirm the problem is
You have to put in the domain name. You’ll see that the AAAA DNS record is provided but that connections to your server fail over IPv6.
This is probably why your renewal stopped working; some weeks ago, the Let’s Encrypt CA was updated to prefer IPv6 over IPv4 for domain control checks, while before that, the behavior was the opposite.
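A small diagnostic for the situation described in this reply (AAAA record published, but the host does not answer over IPv6, so a CA that prefers IPv6 and does not fall back to IPv4 fails validation). This is an added example, not code from the thread or from Certbot; it resolves A and AAAA records with getaddrinfo and attempts a TCP connect to port 443 on each, which is only a proxy for the CA's check and does not test the tls-sni-01 certificate itself.

```python
import socket
import sys

ACME_PORT = 443     # port used by the tls-sni-01 validation in the thread
TIMEOUT = 5.0       # seconds per connection attempt (assumed value)


def resolve(host, family):
    """Addresses published for host in one family (AF_INET -> A, AF_INET6 -> AAAA)."""
    try:
        infos = socket.getaddrinfo(host, ACME_PORT, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def can_connect(addr, family, port=ACME_PORT, timeout=TIMEOUT):
    """True if a TCP connection to addr:port completes within timeout."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
            return True
    except OSError:
        return False


def classify(v4_results, v6_results):
    """Verdict from per-address connect results (dict address -> bool).

    Mirrors the CA behaviour described in the reply: when AAAA records exist,
    validation goes over IPv6 first and does not fall back to IPv4, so a
    published-but-dead AAAA record fails even if IPv4 is fine.
    """
    if v6_results:
        if all(v6_results.values()):
            return "ok-ipv6"
        return "aaaa-published-but-ipv6-unreachable"
    if v4_results and all(v4_results.values()):
        return "ok-ipv4"
    return "unreachable"


def diagnose(host):
    v4 = {a: can_connect(a, socket.AF_INET) for a in resolve(host, socket.AF_INET)}
    v6 = {a: can_connect(a, socket.AF_INET6) for a in resolve(host, socket.AF_INET6)}
    return classify(v4, v6), v4, v6


if __name__ == "__main__":
    for name in sys.argv[1:] or ["www.domain.org"]:   # placeholder host from the thread
        print(name, *diagnose(name))
```

Run it from a machine that itself has working IPv6, as the reply suggests; from an IPv4-only box every AAAA address will look unreachable.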