Failure To Renew Certificate


#1

I am trying to renew a certificate on FreeBSD using the “certbot renew” command but keep getting a failure message:

Attempting to renew cert (mydomain.com) from /usr/local/etc/letsencrypt/renewal/mydomain.com.conf produced an unexpected error: Failed authorization procedure. mydomain.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 29d4afe2f4ed2fdf41bd562e598c8a85.394244efae48d167579b84f409342ea1.acme.invalid from publicIP:443. Received 1 certificate(s), first certificate had names “mydomain.com”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/usr/local/etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)

Any idea why it is failing? I saw another thread that said to remove AAAA records but my domain does not have that configured.


#2

Hi @jjrabbit,

This error relates to the TLS-SNI-01 authorization method and to Certbot’s inability to successfully modify your web server configuration in a way that would satisfy the certificate authority as seen from the outside world.

There are many different reasons that this could happen (I once made a list of 10 or 12 of them when this error was more common), but more significantly, the TLS-SNI-01 method is being deprecated and removed and so trying to fix this now won’t provide any long-term benefits.

Could you try the renewal command with the addition of --preferred-challenges http? While this might not cause the renewal to succeed immediately, any error that occurs then is one that it would be productive to fix for the future. :slight_smile:


#3

Hi @schoen,

Thanks for the quick reply. Does that mean my version of certbot is really old and needs to be updated?

I will run that command in an hour (I’m getting "… :: There were too many requests of a given type :: Error creating new authz :: too many failed authorizations recently: " message) and let you know.

Edit: oops just saw you said you made a list of 10 or 12 reasons why it could happen, I will go look for that :slight_smile:


#4

It might also need to be updated, but only the most recent release from just two weeks ago wouldn’t default to TLS-SNI-01. So the --preferred-challenges http is probably going to be necessary.


#5

That’s the failed validations per hour rate limit - you should be able to try again soon.


#6

Working now. Thanks @schoen!