How to resolve the "Correct zName not found for TLS SNI challenge" error when I try to renew a certificate

I suppose all of you already checked this. The same error was raised for me during the renewal process. I redirected the traffic from 443 to 8443 (with iptables). The solution was to remove the entry from iptables and stop Tomcat; then executing the renewal process worked like a charm. The script looks like this.

# stop Tomcat and drop the 443 -> 8443 NAT redirect so the standalone client can own port 443
/etc/init.d/tomcat7 stop
iptables -t nat -D PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443

# renew with the standalone authenticator answering the tls-sni-01 challenge on 443
$letsencryptdir/letsencrypt-auto renew --standalone --standalone-supported-challenges tls-sni-01 --renew-by-default --email <my_email> --verbose --text --agree-tos

# restore the redirect and bring Tomcat back
iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
/etc/init.d/tomcat7 start

I'm getting this exact same error when trying to renew my standalone cert. The DNS A record is correct…

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
2016-05-12 14:34:20,851:INFO:letsencrypt.auth_handler:Cleaning up challenges
Failed authorization procedure. referendum.ml (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found 'www.referendum.ml, referendum.ml', www.referendum.ml (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found 'www.referendum.ml, referendum.ml'

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: referendum.ml
   Type:   unauthorized
   Detail: Correct zName not found for TLS SNI challenge. Found
   'www.referendum.ml, referendum.ml'

   Domain: www.referendum.ml
   Type:   unauthorized
   Detail: Correct zName not found for TLS SNI challenge. Found
   'www.referendum.ml, referendum.ml'

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

Hi

I resolved this issue by disabling IPv6 on my Ubuntu 14.04 machine for Apache 2.4 as my server does not have a real IPv6 address.

To accomplish this, I explicitly set the IP address in /etc/apache2/ports.conf
Listen <IP>:80
Listen <IP>:443

and in all vhosts:
<VirtualHost <IP>:80>

instead of
<VirtualHost *:80>

After these changes, netstat -lnp | egrep ":443|:80" shows tcp in the first column instead of tcp6.

Then, the certbot renew worked like a charm.

Best regards
Frederick Thomssen


Fathomssen's solution is what solved the issue for me using Apache2 with Debian. I didn't have IPv6 enabled, but still ran into the issue when trying to renew my cert because my IPs were not defined properly. One was using the loopback and the other *.

Switched the config to use the actual IP and everything worked perfectly

Thank you!

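The last two replies both trace the failure to port 443 being bound on the wrong address (a tcp6 socket, or loopback). The validation server connects to the IPv4 address in the domain's A record, so that is where the listener must accept connections. The following pre-flight check is an added example, not code from the thread or from certbot: it reads `netstat -lnp` style lines and classifies how port 443 is bound before a standalone tls-sni-01 renewal is attempted. The public address 203.0.113.10 and the sample listener lines are constructed placeholders. Note that the iptables redirect from the first post is not visible to netstat at all; `iptables -t nat -L PREROUTING` is the place to look for that.

```shell
#!/bin/sh
# Added example, not code from the thread.  Classify how port 443 is bound,
# from "netstat -lnp" output, before running a standalone tls-sni-01 renewal.
# The ACME validator connects to the IPv4 address in the domain's A record,
# so a usable listener is a plain tcp socket on 0.0.0.0 or on that address.
# 203.0.113.10 below is a constructed placeholder for the public address.

# classify_443_listeners EXPECTED_IP   (reads netstat -lnp lines on stdin)
# prints one of: ok | ipv6-only | loopback-only | wrong-ip | none
classify_443_listeners() {
    expected_ip=$1
    ok=0 v6=0 loop=0 other=0
    while read -r proto recvq sendq laddr rest; do
        case "$laddr" in
            *:443) ;;          # a :443 listener, examine it below
            *) continue ;;     # header lines and other ports
        esac
        addr=${laddr%:443}
        case "$proto:$addr" in
            tcp:0.0.0.0|tcp:"$expected_ip") ok=1 ;;   # reachable on the A-record IP
            tcp:127.*) loop=1 ;;                      # bound to loopback only
            tcp6:*) v6=1 ;;                           # tcp6 socket (":::443", "[::]:443")
            *) other=1 ;;                             # some other IPv4 address
        esac
    done
    if   [ $ok = 1 ];    then echo ok
    elif [ $v6 = 1 ];    then echo ipv6-only
    elif [ $loop = 1 ];  then echo loopback-only
    elif [ $other = 1 ]; then echo wrong-ip
    else                      echo none
    fi
}

# Constructed sample resembling the tcp6-only state described in the thread.
SAMPLE_BAD='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::443                  :::*                    LISTEN      1234/apache2
tcp6       0      0 :::80                   :::*                    LISTEN      1234/apache2'

# Constructed sample after changing ports.conf to "Listen <IP>:443".
SAMPLE_GOOD='tcp        0      0 203.0.113.10:443        0.0.0.0:*               LISTEN      1234/apache2
tcp        0      0 203.0.113.10:80         0.0.0.0:*               LISTEN      1234/apache2'

printf '%s\n' "$SAMPLE_BAD"  | classify_443_listeners 203.0.113.10   # ipv6-only
printf '%s\n' "$SAMPLE_GOOD" | classify_443_listeners 203.0.113.10   # ok
```

On a live host, pipe the real output in with `netstat -lnp | classify_443_listeners <your A-record IP>`. One caveat: a tcp6 socket on `:::443` normally accepts IPv4 connections as well unless `net.ipv6.bindv6only` is set, so treat `ipv6-only` as a prompt to verify the binding (for example with `openssl s_client -connect <IP>:443`) rather than as proof of the failure; pinning `Listen` to the IPv4 address, as the thread does, removes the ambiguity.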