I am trying to renew a certificate on FreeBSD using the “certbot renew” command but keep getting a failure message:
Attempting to renew cert (mydomain.com) from /usr/local/etc/letsencrypt/renewal/mydomain.com.conf produced an unexpected error: Failed authorization procedure. mydomain.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 29d4afe2f4ed2fdf41bd562e598c8a85.394244efae48d167579b84f409342ea1.acme.invalid from publicIP:443. Received 1 certificate(s), first certificate had names “mydomain.com”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
Any idea why it is failing? I saw another thread that said to remove AAAA records, but my domain does not have that configured.
This error relates to the TLS-SNI-01 authorization method and to Certbot’s inability to successfully modify your web server configuration in a way that would satisfy the certificate authority as seen from the outside world.
There are many different reasons that this could happen (I once made a list of 10 or 12 of them when this error was more common), but more significantly, the TLS-SNI-01 method is being deprecated and removed and so trying to fix this now won’t provide any long-term benefits.
Could you try the renewal command with the addition of --preferred-challenges http? While this might not cause the renewal to succeed immediately, any error that occurs then is one that it would be productive to fix for the future.
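An added administrative check, not part of the original thread: certbot keeps one renewal config per certificate under the directory named in the question's error message, and (assumption) records a pinned challenge type there as a `pref_challs` line. The function below lists the configs that still reference the deprecated tls-sni-01 method and prints the renewal command from the answer for each; the sample configs and domain names are constructed so it runs offline.

```shell
#!/bin/sh
# Directory from the question's error message (FreeBSD certbot layout).
RENEWAL_DIR="${RENEWAL_DIR:-/usr/local/etc/letsencrypt/renewal}"

# Print the certificate names (file basenames) of renewal configs under
# $1 that still reference the deprecated tls-sni-01 challenge.
# Assumption: certbot stores the preference as "pref_challs = ..." in
# the [renewalparams] section of each <name>.conf.
find_tls_sni_configs() {
    dir="$1"
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        if grep -q 'tls-sni-01' "$conf"; then
            basename "$conf" .conf
        fi
    done
}

# Build the renewal command suggested in the answer for one certificate.
suggest_fix() {
    printf 'certbot renew --cert-name %s --preferred-challenges http\n' "$1"
}

# Constructed sample configs (not real files from the poster's host).
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/mydomain.com.conf" <<'EOF'
# constructed sample renewal config
[renewalparams]
authenticator = standalone
pref_challs = tls-sni-01,
EOF
    cat > "$d/other.example.conf" <<'EOF'
# constructed sample renewal config
[renewalparams]
authenticator = webroot
pref_challs = http-01,
EOF
    printf '%s\n' "$d"
}

# Run "sh check.sh --demo" to see the check on the constructed data;
# on a real host call find_tls_sni_configs "$RENEWAL_DIR" instead.
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_sample_dir)
    for name in $(find_tls_sni_configs "$demo"); do
        suggest_fix "$name"
    done
    rm -rf "$demo"
fi
```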