How to resolve the "Correct zName not found for TLS SNI challenge" error when i try renew certificate

shinsuke · March 16, 2016, 3:14am

I’ve got the same error message and couldn’t solve it yesterday. But finally I’ve renewed my certificate:)

Error message:

$ docker run -it --rm -p 1086:80 -p 1087:443 --name letsencrypt -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" quay.io/letsencrypt/letsencrypt:latest renew
Processing /etc/letsencrypt/renewal/drem.jp.conf
2016-03-15 02:57:20,087:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/drem.jp.conf produced an unexpected error: Failed authorization procedure. drem.jp (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization
 :: Correct zName not found for TLS SNI challenge. Found 'drem.jp'. Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/drem.jp/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: drem.jp
   Type:   unauthorized
   Detail: Correct zName not found for TLS SNI challenge. Found
   'drem.jp'

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

I think that this message was a misleading in my case.

Solution: Using webroot

nginx.conf:

  server {
    listen 80;
    server_name drem.jp;

    # letsencrypt
    location /.well-known/acme-challenge {
      root /tmp/letsencrypt;
    }

    location / {
      return 301 https://$server_name$request_uri;
    }
  }

I didn’t change DNS and other network settings. Then I executed the following command on the same host.

$ docker run -it --rm --name letsencrypt -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" -v "/tmp/letsencrypt:/tmp/letsencrypt" quay.io/letsencrypt/letsencrypt:latest certonly
 -a webroot --webroot-path=/tmp/letsencrypt -d drem.jp

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/drem.jp/fullchain.pem. Your cert will expire
   on 2016-06-14. To obtain a new version of the certificate in the
   future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

I didn’t know the cause, but I’ve solve it by using webroot. I hope my case will help others.