Failed Authorization - Received 2 certificate(s)


#1

My domain is: hue.merkoba.com

I ran this command: certbot

It produced this output:

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel):10
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for hue.merkoba.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. hue.merkoba.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 26c3d491b6c4c17bbb7897a2039e941f.52bcc9cbbe827b802f2f539c49dd2a3a.acme.invalid from 138.68.25.106:443. Received 2 certificate(s), first certificate had names “hue.merkoba.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: hue.merkoba.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    26c3d491b6c4c17bbb7897a2039e941f.52bcc9cbbe827b802f2f539c49dd2a3a.acme.invalid
    from 138.68.25.106:443. Received 2 certificate(s), first
    certificate had names “hue.merkoba.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): Apache 2.4.25

The operating system my web server runs on is (include version): Debian 9

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Other notes:

I have a hue.conf:

Redirect permanent / https://hue.merkoba.com

And another declaration in ssl.conf:

NameVirtualHost *:443

<VirtualHost *:443>
ServerName hue.merkoba.com

ProxyPreserveHost On

RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}

Alias "/static/" "/home/node/hue/public/static/"

<Directory /home/node/hue/public>

Options FollowSymLinks
AllowOverride None
Require all granted

ExpiresActive On
ExpiresByType image/jpeg "access plus 11 months"
ExpiresByType image/jpg "access plus 11 months"
ExpiresByType image/png "access plus 11 months"
ExpiresByType image/gif "access plus 11 months"

RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://localhost:3210/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule ^/(?!static/)(.*) http://localhost:3210/$1 [P,L]

SSLCertificateFile /etc/letsencrypt/live/hue.merkoba.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/hue.merkoba.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf


#2

Ok I fixed it. The problem was some other domain related active virtual host conf file. I just had to disable it and run certbot again.
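
The error text in post #1 already shows that a virtual host other than the challenge one answered the handshake. As an added example (not from the thread or from certbot; `diagnose`, `DETAIL` and the result keys are names made up here), this parses the error detail and compares the requested validation name with the names on the certificate that came back:

```python
import re

# Constructed sample: the "Detail" text from the certbot output above, joined onto
# one line. The page's copy is cut off after the first name, so the pattern below
# does not require a closing quote.
DETAIL = (
    'Incorrect validation certificate for tls-sni-01 challenge. Requested '
    '26c3d491b6c4c17bbb7897a2039e941f.52bcc9cbbe827b802f2f539c49dd2a3a.acme.invalid '
    'from 138.68.25.106:443. Received 2 certificate(s), first certificate '
    'had names "hue.merkoba.com'
)

PATTERN = re.compile(
    r'Requested (?P<sni>\S+) from (?P<addr>\S+):(?P<port>\d+)\. '
    r'Received (?P<count>\d+) certificate\(s\), first certificate had names '
    r'["\u201c](?P<names>[^"\u201d]*)'
)
# A tls-sni-01 validation name is two 32-hex-digit labels under .acme.invalid.
SNI_SHAPE = re.compile(r'^[0-9a-f]{32}\.[0-9a-f]{32}\.acme\.invalid$')


def diagnose(detail):
    """Return the fields of a tls-sni-01 'Incorrect validation certificate' error."""
    m = PATTERN.search(detail)
    if m is None:
        return None  # not this kind of error
    sni = m.group('sni')
    names = [n.strip() for n in m.group('names').split(',') if n.strip()]
    return {
        'requested_sni': sni,
        'sni_well_formed': bool(SNI_SHAPE.match(sni)),
        'endpoint': (m.group('addr'), int(m.group('port'))),
        'cert_count': int(m.group('count')),
        'served_names': names,
        # The challenge name is absent from the certificate that came back, so a
        # regular virtual host answered the handshake, not the challenge one.
        'other_vhost_answered': sni not in names,
    }


if __name__ == '__main__':
    result = diagnose(DETAIL)
    for key, value in result.items():
        print(f'{key}: {value}')
    if result['other_vhost_answered']:
        print('Check which enabled *:443 virtual host serves', result['served_names'])
```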


#3

Hi @madprops

The tls-sni-01 challenge is deprecated.

February next year the support ends. See

So check if you can switch to another validation method.