I’ve forwarded my port 443 to 2443 and don’t want to change it. When I try to renew my cert with the command sudo /opt/certbot/certbot-auto renew --agree-tos, I get the error:
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for mydomain.tld
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/mydomain.tld.conf produced an unexpected error: Failed authorization procedure. mydomain.tld (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested f1d0b68727da7083578bebdc3df42938.c53eb484043945313deaef887e388413.acme.invalid from MY.SER.VER.IP:443. Received 2 certificate(s), first certificate had names "mydomain.tld". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mydomain.tld/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
Does anyone know a solution without changing the forwarding?
The easiest route may be to use one of the other challenges. If port 80 is open, use the http-01 challenge, or, if you have an API where you can easily add a token to your DNS, try the DNS challenge.
Thanks for the info. I only found this command: --standalone-supported-challenges http-01
How do I add it for sudo /opt/certbot/certbot-auto renew --agree-tos?
You would create a new certificate with the http-01 challenge (so not a renew). In future though, the "renew" will use the http-01 challenge, because that's what you used to generate the certificate (if that makes sense).
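The two answers above hinge on one mechanism: `certbot renew` replays the authenticator and challenge recorded in `/etc/letsencrypt/renewal/<domain>.conf` when the certificate was first issued, so a cert issued with tls-sni-01 keeps failing while public port 443 is forwarded away from the host, and the cure is to issue a new certificate with http-01 (after which renew reuses http-01). The script below is an added example, not code from the thread or from certbot: it parses a renewal file, works out which challenge and port the next renew will use, models the router forwarding from the question, and prints the `certonly` line to re-issue with http-01. The sample config text is constructed to match certbot's renewal-file layout, the `forwarded_ports` model and the `default_challenge` fallback are assumptions, and the suggested command uses the `--standalone-supported-challenges` flag quoted in the thread (newer certbot spells it `--preferred-challenges`).

```python
"""Added example: predict what `certbot renew` will do from its renewal conf.

Not certbot's own code and not from the forum thread. Assumptions are
marked in comments; the config text below is constructed, not captured.
"""
import re
from typing import Dict, List, Optional

# Constructed sample of /etc/letsencrypt/renewal/mydomain.tld.conf, as
# written after the cert was first issued with standalone + tls-sni-01.
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 0.9.3
archive_dir = /etc/letsencrypt/archive/mydomain.tld
cert = /etc/letsencrypt/live/mydomain.tld/cert.pem
privkey = /etc/letsencrypt/live/mydomain.tld/privkey.pem
chain = /etc/letsencrypt/live/mydomain.tld/chain.pem
fullchain = /etc/letsencrypt/live/mydomain.tld/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = None
account = 0123456789abcdef0123456789abcdef
pref_challs = tls-sni-01,
server = https://acme-v01.api.letsencrypt.org/directory
"""

# Public port the CA's validator connects to for each challenge type.
CHALLENGE_PORT = {"http-01": 80, "tls-sni-01": 443}


def parse_renewal_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse certbot's configobj-style renewal file into {section: {key: value}}.
    Keys that appear before any [section] header are stored under ''."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def preferred_challenges(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """pref_challs is a configobj list such as 'tls-sni-01,' or 'http-01, dns-01'.
    Return it as a plain list (empty when the key is absent)."""
    raw = conf.get("renewalparams", {}).get("pref_challs", "")
    return [c.strip() for c in raw.split(",") if c.strip()]


def renewal_plan(conf_text: str, domain: str, forwarded_ports: Dict[int, int],
                 default_challenge: str = "tls-sni-01") -> Dict[str, object]:
    """Decide whether `certbot renew` can reach the standalone listener.

    forwarded_ports maps a public port to where the router actually delivers
    it, e.g. {443: 2443} for the setup in the question (assumed model).
    default_challenge is what the thread's certbot-auto picked for standalone
    when nothing is recorded (assumption; newer versions differ).
    """
    conf = parse_renewal_conf(conf_text)
    params = conf.get("renewalparams", {})
    challenge = (preferred_challenges(conf) or [default_challenge])[0]
    port: Optional[int] = CHALLENGE_PORT.get(challenge)
    # Standalone binds the challenge port on this host. If the router sends
    # the public port elsewhere, the validator talks to the real web server
    # and sees its certificate instead of the challenge certificate, which
    # is exactly the "first certificate had names mydomain.tld" error.
    reachable = port is not None and forwarded_ports.get(port, port) == port
    fix: Optional[str] = None
    if not reachable:
        if forwarded_ports.get(80, 80) == 80:
            # Re-issue (certonly, not renew) with http-01; renew then reuses it.
            fix = (f"certbot-auto certonly --standalone "
                   f"--standalone-supported-challenges http-01 -d {domain}")
        else:
            fix = "no usable inbound port: use the DNS (dns-01) challenge via a DNS API"
    return {
        "authenticator": params.get("authenticator"),
        "challenge": challenge,
        "validation_port": port,
        "renew_will_reach_certbot": reachable,
        "fix": fix,
    }


if __name__ == "__main__":
    for key, value in renewal_plan(SAMPLE_CONF, "mydomain.tld", {443: 2443}).items():
        print(f"{key}: {value}")
```

Run against the sample it reports `challenge: tls-sni-01`, `renew_will_reach_certbot: False` and the `certonly` line; replace `pref_challs` with `http-01,` (which is what a successful http-01 issuance records) and it reports that renew will work without changes, matching the second answer.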