I am trying to renew a certificate on FreeBSD using the “certbot renew” command but keep getting a failure message:
Attempting to renew cert (mydomain.com) from /usr/local/etc/letsencrypt/renewal/mydomain.com.conf produced an unexpected error: Failed authorization procedure. mydomain.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 29d4afe2f4ed2fdf41bd562e598c8a85.394244efae48d167579b84f409342ea1.acme.invalid from publicIP:443. Received 1 certificate(s), first certificate had names “mydomain.com”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/usr/local/etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)
Any idea why it is failing? I saw another thread that said to remove AAAA records but my domain does not have that configured.
This error relates to the TLS-SNI-01 authorization method and to Certbot’s inability to successfully modify your web server configuration in a way that would satisfy the certificate authority as seen from the outside world.
There are many different reasons that this could happen (I once made a list of 10 or 12 of them when this error was more common), but more significantly, the TLS-SNI-01 method is being deprecated and removed and so trying to fix this now won’t provide any long-term benefits.
Could you try the renewal command with the addition of --preferred-challenges http? While this might not cause the renewal to succeed immediately, any error that occurs then is one that it would be productive to fix for the future.
Thanks for the quick reply. Does that mean my version of certbot is really old and needs to be updated?
I will run that command in an hour (I’m getting "… :: There were too many requests of a given type :: Error creating new authz :: too many failed authorizations recently: " message) and let you know.
Edit: oops, I just saw that you said you made a list of 10 or 12 reasons why it could happen; I will go look for that.
It might also need to be updated, but only the most recent release from just two weeks ago wouldn't default to TLS-SNI-01. So the --preferred-challenges http is probably going to be necessary.
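As an added example (not code from this thread or from Certbot), a small POSIX shell check that reads a renewal conf like the one named in the error, reports whether it still pins tls-sni-01 through the pref_challs key, and builds the renewal command with --preferred-challenges http; the sample conf is constructed, and --cert-name and --dry-run are assumed to be supported by the installed certbot.

```shell
#!/bin/sh
# Inspect a certbot renewal conf for the deprecated tls-sni-01 challenge and
# print a renew command that forces http-01, as suggested in the thread.
# Assumes the conf carries certbot's "pref_challs" key under [renewalparams].

challenge_of() {
    # Print the preferred challenge list from a renewal conf, or "default"
    # when the conf does not pin one (older clients then used tls-sni-01).
    conf="$1"
    val=$(sed -n 's/^[[:space:]]*pref_challs[[:space:]]*=[[:space:]]*//p' "$conf" \
          | tr -d ' ' | sed 's/,$//')
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf 'default\n'
    fi
}

uses_tls_sni() {
    # Return 0 when the conf explicitly prefers tls-sni-01, 1 otherwise.
    case "$(challenge_of "$1")" in
        *tls-sni-01*) return 0 ;;
        *)            return 1 ;;
    esac
}

renew_cmd() {
    # Build the renewal command for one lineage, switching to the http-01
    # challenge and using --dry-run so nothing is issued on the first attempt.
    printf 'certbot renew --cert-name %s --preferred-challenges http --dry-run\n' "$1"
}

# Constructed sample conf (not a real file from the poster's system).
sample=$(mktemp)
printf '[renewalparams]\nauthenticator = apache\npref_challs = tls-sni-01,\n' > "$sample"
if uses_tls_sni "$sample"; then
    echo "sample conf still prefers $(challenge_of "$sample"); suggested command:"
    renew_cmd mydomain.com
fi
rm -f "$sample"
```

Run it against /usr/local/etc/letsencrypt/renewal/mydomain.com.conf by pointing challenge_of at that path; drop --dry-run once the dry run succeeds.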