Failed to renew certificate on OSX running apache homebrew

I get the following when I try to renew a certificate using
sudo certbot renew --dry-run

I get the following exception and also Apache crashes; any help welcome :)

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/jamalade.duckdns.org.conf

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for jamalade.duckdns.org
No vhost exists with servername or alias of: jamalade.duckdns.org (or it’s in a file with multiple vhosts, which Certbot can’t parse yet). No vhost was selected. Please specify ServerName or ServerAlias in the Apache config, or split vhosts into separate files.
Falling back to default vhost *:443…
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/jamalade.duckdns.org.conf produced an unexpected error: Failed authorization procedure. jamalade.duckdns.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested 1c44043bc1893a0c93193cf4a0a63a15.376346324440dcc2883226a472976eb6.acme.invalid from 86.6.118.75:443. Received 2 certificate(s), first certificate had names “jamalade.duckdns.org”. Skipping.
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/jamalade.duckdns.org/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: jamalade.duckdns.org
    Type: unauthorized
    Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
    Requested
    1c44043bc1893a0c93193cf4a0a63a15.376346324440dcc2883226a472976eb6.acme.invalid
    from 86.6.118.75:443. Received 2 certificate(s), first certificate
    had names “jamalade.duckdns.org”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

Nicks-MacBook-Pro:~ nickpoaros$ sudo apachectl -k start
Password:
Nicks-MacBook-Pro:~ nickpoaros$ sudo apachectl -k start

Has your vhost file changed since you obtained the certificate?

You may be better off obtaining a new cert using the “webroot” option, which will mean it can then renew more easily without needing the vhost configuration.

Thanks for your advice. I re-ran with webroot and certonly, which seems to work, except that in the browser the old expiry is still showing. Also, when I run certbot certificates I get the following error for cert.pem:
OCSP check failed for /etc/letsencrypt/live/jamalade.duckdns.org/cert.pem (are we offline?)

The fullchain and private key look fine.

I am a bit confused.

If you refresh in your browser, are you still getting an old certificate? From a quick check I get:

$ certinfo jamalade.duckdns.org 
getting cert from server - jamalade.duckdns.org

Certificate chain
 0 s:/CN=jamalade.duckdns.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Certificate:
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Not Before: Feb 14 19:51:00 2017 GMT
Not After : May 15 19:51:00 2017 GMT
Subject: CN=jamalade.duckdns.org
Public Key Algorithm: rsaEncryption
DNS:jamalade.duckdns.org, DNS:www.jamalade.duckdns.org
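The two suggestions in this thread (renew with the webroot authenticator instead of the Apache plugin, then check what httpd actually serves on :443 rather than trusting the browser) as one script. This is an added example, not code from the thread or from certbot. The domain and the /etc/letsencrypt/live path are the ones in the posts above; the webroot directory, the `apachectl -k graceful` reload and the script name `renew-and-verify.sh` are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): renew with --webroot, reload Apache,
# then confirm that the leaf certificate Apache presents on :443 is the one
# certbot wrote to disk.
# Assumptions not stated in the thread: the vhost's DocumentRoot is $WEBROOT,
# Apache is reloaded with `apachectl -k graceful`, and certbot uses its default
# live directory /etc/letsencrypt/live/<domain>.
set -eu

DOMAIN="${DOMAIN:-jamalade.duckdns.org}"
WEBROOT="${WEBROOT:-/usr/local/var/www}"   # assumption: Homebrew Apache DocumentRoot
LIVE="/etc/letsencrypt/live/${DOMAIN}"

# SHA-256 fingerprint of the first certificate (the leaf) in a PEM file.
local_fp() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# notAfter of the first certificate in a PEM file, as printed by openssl.
local_expiry() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Fingerprint of the leaf certificate a server presents for host $1 on port $2.
# SNI (-servername) is sent on purpose: the tls-sni-01 failure in the thread
# was Apache answering an SNI name with the wrong certificate.
served_fp() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Returns 0 when both fingerprints are non-empty and identical, 1 otherwise.
fingerprints_match() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Show Apache's parsed vhosts; the domain should appear as a namevhost on
# port 443 in a file of its own, which is what the certbot error asked for.
vhosts() {
  sudo apachectl -S
}

renew_webroot() {
  # Webroot validation only needs write access to $WEBROOT/.well-known/;
  # certbot does not have to parse the Apache vhost files at all.
  sudo certbot certonly --webroot -w "$WEBROOT" -d "$DOMAIN" -d "www.${DOMAIN}"
}

reload_apache() {
  # A graceful reload makes httpd re-read the certificate files. Running
  # "apachectl -k start" against an already running httpd does nothing,
  # which matches the symptom in the thread.
  sudo apachectl -k graceful
}

verify() {
  local disk served
  disk="$(local_fp "${LIVE}/fullchain.pem")"
  served="$(served_fp "$DOMAIN" 443)"
  echo "on disk : ${disk}  (expires $(local_expiry "${LIVE}/fullchain.pem"))"
  echo "served  : ${served}"
  if fingerprints_match "$disk" "$served"; then
    echo "OK: Apache is serving the renewed certificate"
  else
    echo "MISMATCH: Apache is still serving an old certificate; reload or restart httpd" >&2
    return 1
  fi
}

# Usage: ./renew-and-verify.sh renew | verify | vhosts
case "${1:-}" in
  renew)  renew_webroot && reload_apache && verify ;;
  verify) verify ;;
  vhosts) vhosts ;;
esac
```

`verify` compares fingerprints rather than expiry dates because two certificates for the same names can share a notAfter but differ in key; a fingerprint mismatch after a reload means httpd is still holding the old files in memory, which is the case a restart (or, as in this thread, a reboot) resolves.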

Hi, yes I was. In the end I needed to reboot the machine and then all was fine. Not quite sure why stopping and starting Apache didn't do the trick, but hey ho.

Thanks for the help, all running sweet now.

