Failed authorization procedure. Received 2 certificate(s), first certificate had names

My domain is: oregional.hu

I ran this command: letsencrypt-auto certonly -d subdomain.oregional.hu

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to find executable apachectl in PATH: /usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin

How would you like to authenticate with the ACME CA?

1: Nginx Web Server plugin - Alpha (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)

Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator nginx, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for subdomain.oregional.hu
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. subdomain.oregional.hu (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested id.acme.invalid from myip:443. Received 2 certificate(s), first certificate had names "anothersubdomain.oregional.hu"

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: subdomain.oregional.hu
  Type: unauthorized
  Detail: Incorrect validation certificate for tls-sni-01 challenge.
  Requested
  54f2b5f0249c4fd563215f30d12ff927.3d799a02588bf19342cc1ecc59f55570.acme.invalid
  from :443. Received 2 certificate(s), first
  certificate had names "anothersubdomain.oregional.hu"

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address.

My web server is (include version): nginx/1.12.2

The operating system my web server runs on is (include version): centos 7

My hosting provider, if applicable, is: none

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

I'm using Let's Encrypt for a while. Everything goes good, until now. Now I try renew the certificates, and I get the error as described above. Why letsencrypt receives 2 certificates?
The subdomain.oregional.hu and anothersubdomain.oregional.hu are A records, and pointing to the same server. (This machine. Letsencrypt on the same machine as the webserver.)
If I stopping the webserver, and ususing the command with --standalone parameter the renewal is working. So I think it must be some nginx misconfiguration, but what can it be? The nginx config almost the defaults, only the domain configs are included.
If I removing the other hosts I get the same error, just anothersubdomain.oregional.hu = subdomain.oregional.hu

Hi @six

the tls-sni-01 - challenge is deprecated. So use http-01 or dns-01 - challenge instead. Perhaps check, if there is a certbot-update.

Hi @JuergenAuer

Thanks for your reply! I know, it’s deprecated, but i have another server, where it works, so not thats the problem. (The same OS, same nginx version, same certbot version.)

I can’t use dns challenge, because i can’t access to the dns server / dns entries. I could use http challange, but the sites are not in the same machine. So in this case i need to add extra configuration to the hosts, what is not the best solution for me. I would be happy if this solution could work.(As long as could…)

TLS-SNI and HTTP challenges are equivalent in that respect. To put it simply, the only difference is the port number used (443/80). So, you could try certonly with --preferred-challenges http to try it out (assuming your letsencrypt-auto version isn't completely ancient).

With TLS-SNI, the nginx plugin temporarily adds new virtual hosts to your nginx server with those .acme.invalid certificates. For whatever reason, Certbot applies those changes to nginx, but they're not visible when connecting to the domains. There are a bunch of possible causes (nginx isn't the one terminating SSL, it's the wrong server, nginx doesn't reload, etc) but it's hard to know, especially not knowing the domains you're requesting.

And, for what it's worth, standalone is just the HTTP challenge.

@_az, please correct me if i'm wrong, maybe I misunderstood something, my english is not the best.
The tls-sni validates the server, where the DNS record point with a new virtualhost, and http challange validate it with a file in the web root. For example: at example.com it requires a file at example.com/.well-known/.... Whenn the webserver redirect all incomming example.com traffic to another server it wont work without further config inside the example.com virtual host. So they use case are not equivalent.

My letsencrypt-auto version:

./letsencrypt-auto --version
certbot 0.25.1

Hi,

Is the domain (in the error log) not located in this machine? How does tls-sni work if the domain is not pointing to this machine?

Thank you

Hi @stevenzhu !
The domain name points to this machine. It just forwarding the traffic to the internal network.

Ok… if that’s the case, can you confirm that Nginx is the one standing on port 80 & 443? (Also, please do not use Nginx plugin since it will forward the traffic to internal Network… (Nginx plugin means using existing Nginx config…))

Try using standalone or webroot would help (since it doesn’t use existing web config)

Yes, the nginx listening 80 and 443 ports. (I reach the nginx default page, and when I stop it then nothing responds.)
(I don’t understand what you say, why shouldn’t I use nginx plugin?)

For standalone mode I need to stop the nginx, then for this time the sites will be unreachable. This is not acceptable, so I can’t use this solution.
With webroot further configurations nedded in every host config. I can do it, but thats not the ideal solution for me. I will be happy if the tls-sni could work again, as earlier. (It worked, just something changed, and I can’t figure out, what was that?!)

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.