Failed authorization procedure


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: 3dpc.app

I ran this command: sudo /usr/bin/certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/3dpc.app.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for 3dpc.app
tls-sni-01 challenge for stage.3dpc.app
tls-sni-01 challenge for www.3dpc.app
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (3dpc.app) from /etc/letsencrypt/renewal/3dpc.app.conf produced an unexpected error: Failed authorization procedure. www.3dpc.app (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested d651e693c66a863e47322fd45e0d88dd.501607e77fce68b5bd040d57d109c736.acme.invalid from 45.33.57.232:443. Received 2 certificate(s), first certificate had names “3dpc.app, stage.3dpc.app, www.3dpc.app”, 3dpc.app (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested b12f5d8e01e7b50f81ae4f4a0296653a.cf054f26dcfe0869586ccc772958d6dc.acme.invalid from 45.33.57.232:443. Received 2 certificate(s), first certificate had names “3dpc.app, stage.3dpc.app, www.3dpc.app”, stage.3dpc.app (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 72686f409d31aebba17e4bc8ed493b37.b3843ada16fe2b61347e2f459dfbda34.acme.invalid from 45.33.57.232:443. Received 2 certificate(s), first certificate had names “3dpc.app, stage.3dpc.app, www.3dpc.app”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/3dpc.app/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/3dpc.app/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.3dpc.app
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    d651e693c66a863e47322fd45e0d88dd.501607e77fce68b5bd040d57d109c736.acme.invalid
    from 45.33.57.232:443. Received 2 certificate(s), first certificate
    had names “3dpc.app, stage.3dpc.app, www.3dpc.app”

    Domain: 3dpc.app
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    b12f5d8e01e7b50f81ae4f4a0296653a.cf054f26dcfe0869586ccc772958d6dc.acme.invalid
    from 45.33.57.232:443. Received 2 certificate(s), first certificate
    had names “3dpc.app, stage.3dpc.app, www.3dpc.app”

    Domain: stage.3dpc.app
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    72686f409d31aebba17e4bc8ed493b37.b3843ada16fe2b61347e2f459dfbda34.acme.invalid
    from 45.33.57.232:443. Received 2 certificate(s), first certificate
    had names “3dpc.app, stage.3dpc.app, www.3dpc.app”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): nginx

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: virtual server on Linode

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

So, I think this might have to do with my nginx setup and I’m willing to share my config file a needed. Any help is greatly appreciated!!! I’ve read a number of the links around “Failed authorization procedure” and nothing has worked so far.


#2

Hi,

There is something wrong with the TLS-SNI-01 validation, which was disabled for new issuerance

(And have some issue with existing renewals…)

Here’s a easy resolution:

please try run certbot renew with the following argument --preferred-challenge http

sudo /use/bin/certbot renew --preferred-challenge http it’s only needed to use one time. So all future renewals (and cronjobs) would use the usual command. certbot renew

Thank you


#3

@stevenzhu I do my happy dance. That worked. Many thanks.


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.