How to resolve the "Correct zName not found for TLS SNI challenge" error when I try to renew a certificate


#1

I am trying to renew my certificate that will expire tomorrow, but I get this error:

Failed authorization procedure. foo.bar.net.ve (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found ‘foo.bar.net.ve

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: foo.bar.net.ve
   Type:   urn:acme:error:unauthorized
   Detail: Correct zName not found for TLS SNI challenge. Found
   'foo.bar.net.ve'

How can I fix this error and renew my certificate?

3 months ago this certificate was generated without error.

Thanks in advance.


#2

Does the domain actually exist and correctly route to the right server?


#3

Yes, the domain exists.
What do you mean by “the right server”?
I switched the VPS in December; does that have an influence?


#4

It just so happens that I am hitting this error also after moving domains to (3) new VPS.
These are mail servers and I'm thinking it has something to do with them contacting the webservers for auth.
…ound for TLS SNI challenge. Found ‘*.webhostbox.net, webhostbox.net’ <— I will look into this and let you know what I find.


#5

Yep, my error was cleared when I removed -d hostname.com and left the (actual) -d emailserver.hostname.com

My email servers have nothing to do with their web host, therefore email contacts/certs/IP all would be wrong.


#6

I solved this problem by returning to StartSSL.


#7

Congrats, you just threw in the towel there :disappointed:


#8

Thanks, but I do not know what else to do.
While my website remains without SSL support, I needed to migrate to another provider temporarily.
I am not sure if the VPS migration had something to do with the error (IP changes, etc.); I did not get responses to this question.
I keep researching SSL and my renewal problem.


#9

Well, this specific question has been posted here quite a lot, so my guess is the search function would have given you quite a few threads, including an answer :slightly_smiling:


#10

While a number of people have had similar issues, none that I could find have the same issue. In particular it found the zName but still failed. All the other posts I have seen say nothing was found.

I am having the exact same issue. I have not found any solution after trying what I could find on both this forum and googling.


#11

Probably your HTTPS-server serves a certificate for another hostname than the one queried… But without the hostname we can’t verify that.


#12

I’ve searched the forum as Osiris suggested, but I have not been successful.
I tried to create a self-signed certificate as suggested in other posts, but this does not work for me.


#13

Are you happy to provide your domain name (by private message if need be)? Then we can potentially help more.


#14

the domain name is blog.jam.net.ve

whitelisted domains are:
jam.net.ve
blog.jam.net.ve


#15

Thanks. And, just to confirm, you are still getting the same error (Correct zName not found) if you try on your domains with the current StartSSL certificates?


#16

Yes, same error with the current StartSSL certificates, with the old Let's Encrypt certificates and with the self-signed certificates.


#17

I suspect in your case it’s the IPv6 that could be causing the issue … I seem to remember that with someone before (unless my memory is going) … looking …


#18

I messaged @serverco the domain, but basically the error is:

Verify error:Correct zName not found for TLS SNI challenge. Found ‘my.domain.name

Where “my.domain.name” is my domain. The SSL certificate has the correct subject and issuer.


#19

Sorry, I’m away today - will try and catch up once back online …


#20

How do you try to solve the challenge? Which client options do you use? I guess your server is serving the default certificate instead of the challenge certificate which must contain something like abc.def.acme.invalid as hostname.
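
To test the guess in post #20, the added example below (not part of any post in this thread, and not the ACME client's own code) connects to a server with a chosen SNI name and classifies the dNSName entries of the certificate that comes back. The function names and the result labels are assumptions made for this illustration.

```python
import socket
import ssl

SAN_OID = bytes.fromhex("0603551d11")  # DER for OID 2.5.29.17 (subjectAltName)

def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def dns_sans(der):
    """List dNSName SANs in a DER certificate (locates the extension by its OID)."""
    i = der.find(SAN_OID)
    if i < 0:
        return []
    tag, start, end = read_tlv(der, i + len(SAN_OID))
    if tag == 0x01:  # skip the optional BOOLEAN 'critical' flag
        tag, start, end = read_tlv(der, end)
    _, pos, end = read_tlv(der, start)  # SEQUENCE inside the OCTET STRING
    names = []
    while pos < end:
        tag, s, e = read_tlv(der, pos)
        if tag == 0x82:  # context tag [2] = dNSName
            names.append(der[s:e].decode("ascii"))
        pos = e
    return names

def served_sans(host, sni, port=443, timeout=10):
    """Connect to host, send `sni` in the ClientHello, return the SANs served."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # inspection only; challenge certs are self-signed
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return dns_sans(tls.getpeercert(binary_form=True))

def diagnose(z_name, sans):
    """Classify what the validator would have seen for the challenge name."""
    if z_name in sans:
        return "ok"
    if any(n.endswith(".acme.invalid") for n in sans):
        return "other-challenge-cert"
    return "default-cert"  # server ignored the SNI name and served the site cert
```

Call `diagnose(z, served_sans(server, z))` while the client is waiting on the challenge, with `z` set to the `.acme.invalid` name it is presenting; a result of `default-cert` matches the "Found 'foo.bar.net.ve'" wording of the error.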