I came here 3 months ago when I had issues renewing my cert. After hours of troubleshooting, I figured out what I needed to do to renew my cert. These commands worked:
Now when I attempt to follow the first section, I receive this error and I have no clue how to get past it and I can no longer access my domain.
Failed authorization procedure. mydomain.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested f9573507d3129eee3919809c9428c328.2ad119f2b373ff8e2e22fc823ba87be6.acme.invalid from MYIP. Received 2 certificate(s), first certificate had names "mydomain.org"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: mydomain.org
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
f9573507d3129eee3919809c9428c328.2ad119f2b373ff8e2e22fc823ba87be6.acme.invalid
from MYIP. Received 2 certificate(s), first certificate
had names "mydomain.org"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
I’m not even sure where to look. I’m not very versed in this. I followed a video to get this far back in January and cobbled my way to the second cert renewal.
Does anyone know how I can fix this issue? Also, is there a way to get auto-renew to actually work?
--standalone means that you don't have another web server running. It looks like that's not the case for your system. However, it also seems like your --preferred-challenges option was ignored because the challenge was tried with TLS-SNI-01 instead of HTTP-01!
In general, you should not specify options to renew because renew would otherwise remember what worked before and then do that. By contrast, if you specify things like --standalone, as arguments with renew, you might be changing the renewal method compared to the original issuance method.
What would happen if you just ran ./letsencrypt-auto renew? (optionally with --no-self-upgrade if it's important to you that Certbot not upgrade itself)
You can use ZeroSSL to generate a certificate manually to download, but as long as you’re not running up against rate limits, I’d recommend keeping that cert separate from Certbot’s files so that the certificate lineage doesn’t get confused when you fix automated renewal.
I tried the ./letsencrypt-auto renew and I received roughly the same error:
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/MyDomain/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: MyDomain
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
7672bd3a474694f57ef70c9fb64160ba.319859c00a6d22fd6eb9c997468d07a8.acme.invalid
from MyIP. Received 2 certificate(s), first certificate
had names "MyDomain"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
In order to renew, there needs to be some authenticator.
The problem right now with standalone is that it needs to receive a connection on port 443, but your regular web server is now using that port. That’s the reason for the “Incorrect validation certificate” error that you see.
Are you using port 80? It would be possible to move the standalone authenticator over to port 443.
If you let port 443 come through to port 443 on your system, the standalone renewal might work as-is, but you’d also have to make that change every time you want to renew.
So port forwarding was the issue. I forwarded port 443 to 443 and the single renewal worked. I tried running the auto renew and it failed. I’m sure my parameters are incorrect. Is there any way to get around this manual process of switching the port forwards? Is it possible to change the port for the renew process only, say to port 9000?
If you take a look at the documentation that I linked to, this method requires port 443 (you can’t choose a different port), while there’s another method that requires port 80 (you can’t choose another port). If you can update DNS records from software, there’s a third method available that would use that as the basis for proving your control over the domain name.
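An added example, not from the thread and not Certbot's own code: a small POSIX shell check you can run before a standalone renewal to see whether the fixed port the chosen challenge needs (443 for tls-sni-01, 80 for http-01, none for dns-01) is already held by another server, which is the situation that produced the "Incorrect validation certificate" error above. It assumes `ss -ltn` output; the sample listener table below is constructed.

```shell
#!/bin/sh
# Port each standalone challenge type requires (fixed, not configurable).
challenge_port() {
    case "$1" in
        tls-sni-01) echo 443 ;;
        http-01)    echo 80 ;;
        dns-01)     echo 0 ;;   # no inbound port needed
        *) echo "unknown challenge: $1" >&2; return 1 ;;
    esac
}

# Return 0 if any LISTEN line in the given `ss -ltn` output is bound to port $2.
# Field 4 is Local Address:Port; the last ':'-separated piece is the port,
# which also handles IPv6 forms such as [::]:443 and wildcard *:80.
port_in_use() {
    listeners=$1; port=$2
    printf '%s\n' "$listeners" | awk -v p="$port" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Prints "busy" if the challenge port is already taken by another server,
# "free" if standalone can bind it, or "none" for dns-01.
standalone_check() {
    challenge=$1; listeners=$2
    port=$(challenge_port "$challenge") || return 1
    if [ "$port" -eq 0 ]; then echo none; return 0; fi
    if port_in_use "$listeners" "$port"; then echo busy; else echo free; fi
}

# Constructed sample of `ss -ltn` output: a regular web server holds 80 and 443.
SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      511    *:80               *:*
LISTEN 0      511    [::]:443           [::]:*'

main() {
    # On a live host, replace SAMPLE_LISTENERS with "$(ss -ltn)".
    for c in tls-sni-01 http-01 dns-01; do
        printf '%s -> %s\n' "$c" "$(standalone_check "$c" "$SAMPLE_LISTENERS")"
    done
}
main
```

A "busy" result means a standalone renewal will collide with the running web server on that port; either free the port for the renewal run or use a challenge whose port is free.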