Failed authorization procedure: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge

Hi all,

I'm brand new to using Let's Encrypt and finding I'm having quite a few issues with it.

I've worked a fair bit with certificates in the past but I'm by no means an expert, so I'd appreciate any possible advice.

Our company has a server running four different websites and the certificates are about to expire. Three of the domains recently had a new EV certificate installed, which is fine. My boss has asked me to use LE for the last one, which I'm trying to do.

However I can't get it to work. I'm using the tutorial posted here and when attempting to run "sudo ./letsencrypt-auto", I get an error as below:

Failed authorization procedure. mydomain.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested xxxxxxx.acme.invalid from xx.xx.xx.xx:443. Received certificate containing 'mydomain1.com, mydomain2.com, mydomain3.com'

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: mydomain.com
Type: unauthorized
Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
Requested dxxxxae7e7c0abfc3
8351ffef.acme.invalid from xx.xx.xx.xx:443. Received certificate
containing 'mydomain1.com, mydomain2.com,
mydomain3.com'

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.

Note that mydomain1, mydomain2 and mydomain3 are the three domains currently secured with the existing EV certificate. Presumably these are interfering with the process somehow: does having these domains using another cert mean LE cannot be used on this server?

Thanks in advance for any help.

That's fine, you can still use LE to generate a certificate for the 4th domain.

I'd suggest using a more up-to-date tutorial / system. The official client has changed its name and is now at https://certbot.eff.org/, which should give you the relevant instructions when you choose the appropriate webserver and operating system. (There are also other alternate clients if you prefer.)

It sounds as if you are trying to run the older letsencrypt client in "standalone" mode - and your current nginx is responding on https with the certificate for your other domains rather than the domain you are trying to get a certificate for.

Hi @serverco. Thanks for the tip. I tried using certbot, and I actually got precisely the same error.

To expand slightly on what serverco said, the “standalone” mode wants to act as a web server itself to perform the authorization step. This is really great if you’re obtaining a certificate for, say, an SMTP server, or you haven’t yet got the final web server up and running, but not necessarily very convenient if, as in your case, you already have a perfectly nice web server running, serving stuff up to people.

Using a “webroot” mode might be appropriate if your server is set up (or you already know how to configure it) so that it can serve HTTP (not HTTPS) requests for

/.well-known/acme-challenge/someFileChosenByLetsEncryptGoesHere

On the other hand, if you’re comfortable configuring DNS stuff, more than fiddling with the web server, you could look at the DNS authorization mode, but that’s not yet (AFAIK) supported by the “official” certbot client.

In the end there were two things. Firstly I slightly altered the command I was running to:

./letsencrypt-auto certonly --agree-tos -a webroot --webroot-path=/srv/letsencrypt -d mydomain.com

But more critically I had to enter some config into my nginx configuration. I had done this in Apache but not nginx.

# Plain-HTTP server block: answers the ACME challenge from the webroot,
# everything else is redirected to HTTPS.
server {
    listen 80;
    server_name mydomain.com;
    # Files are served from /srv/letsencrypt/.well-known/acme-challenge/,
    # which matches --webroot-path=/srv/letsencrypt above.
    location '/.well-known/acme-challenge' {
        default_type "text/plain";
        root /srv/letsencrypt;
    }
    location / {
        return 301 https://$server_name$request_uri;
    }
}

And voila! Turns out Let's Encrypt works like a charm once you do everything right!
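As an added pre-flight check for the webroot approach worked out in this thread (example code, not from the thread or from certbot): it writes a random token under the webroot, fetches it back over plain HTTP the way the CA's validator would, and reports a mismatch when the directory actually being served is not the one the client wrote to. A local http.server stands in for nginx, and the ".demo-thumbprint" body and temporary directories are constructed for the demo.

```python
import http.server, os, secrets, tempfile, threading, urllib.error, urllib.request
from functools import partial

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars

def place_token(webroot: str) -> tuple[str, str]:
    """Write a random token where a webroot client puts HTTP-01 challenges.
    The body is constructed for this demo; a real one is token.<account-key-thumbprint>."""
    token = secrets.token_urlsafe(32)
    body = f"{token}.demo-thumbprint"
    os.makedirs(os.path.join(webroot, CHALLENGE_DIR), exist_ok=True)
    with open(os.path.join(webroot, CHALLENGE_DIR, token), "w") as fh:
        fh.write(body)
    return token, body

def fetch_token(base_url: str, token: str, timeout: float = 5.0) -> "str | None":
    """GET the token over plain HTTP as the CA's validator does; None on 404 or connect failure."""
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            return resp.read().decode()
    except (urllib.error.URLError, OSError):
        return None

def preflight(webroot: str, base_url: str) -> bool:
    """True only if the file written under webroot comes back byte-for-byte via base_url."""
    token, expected = place_token(webroot)
    try:
        return fetch_token(base_url, token) == expected
    finally:
        os.remove(os.path.join(webroot, CHALLENGE_DIR, token))

def serve_dir(directory: str) -> tuple[http.server.ThreadingHTTPServer, str]:
    """Stand-in for the nginx location with `root /srv/letsencrypt;`: serve directory on a free port."""
    handler = partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"

def demo() -> tuple[bool, bool]:
    # (directory the stand-in server serves, an unrelated directory) -> (True, False)
    with tempfile.TemporaryDirectory() as served, tempfile.TemporaryDirectory() as other:
        srv, base = serve_dir(served)
        try:
            return preflight(served, base), preflight(other, base)
        finally:
            srv.shutdown()

if __name__ == "__main__":
    print(demo())  # (True, False)
```

Against a real host, point base_url at http://mydomain.com and webroot at the directory named in the nginx `root` directive; a False result means the CA would get a 404 for the same path.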

