I suppose all of you already checked this. The same error raised to me during the renewal process. I redirected the traffic from 443 to 8443 (with iptables). The solution was to remove the entry from iptables and stop the tomcat, then executing the renewal process worked like a charm. The script looks like this.
#!/bin/sh
# Tomcat is the service behind the 443->8443 redirect; stop it first
/etc/init.d/tomcat7 stop
# drop the redirect so the standalone renewal can bind port 443 itself
iptables -t nat -D PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
$letsencryptdir/letsencrypt-auto renew --standalone --standalone-supported-challenges tls-sni-01 --renew-by-default --email <my_email> --verbose --text --agree-tos
# put the redirect back and start Tomcat again
iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
/etc/init.d/tomcat7 start
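The script above has one weak spot: if the renewal fails or the script is interrupted after the redirect has been removed, the iptables rule and Tomcat are never restored and the site stays down. The following is an added example, not the poster's script, that keeps the same stop / un-redirect / renew / re-redirect / start sequence but guarantees the restore steps run on every exit path. It assumes interface eth0, a tomcat7 init script and a certbot binary on PATH (all overridable from the environment); the thread's --standalone-supported-challenges tls-sni-01 flag is left out because the TLS-SNI-01 challenge was retired by Let's Encrypt in 2019, so a current standalone renewal uses HTTP-01 and needs port 80 free (set FROM_PORT accordingly if your redirect is on 80).

```shell
#!/bin/sh
# Added example, not the poster's script: stop Tomcat, remove the NAT redirect,
# renew, then put the redirect back and start Tomcat again, with the restore
# guaranteed even if certbot fails or the script is killed.
# Assumptions (not from the thread): interface eth0, /etc/init.d/tomcat7,
# certbot on PATH. Every command comes from a variable so it can be overridden
# or swapped for a stub when dry-running.

IFACE="${IFACE:-eth0}"
FROM_PORT="${FROM_PORT:-443}"
TO_PORT="${TO_PORT:-8443}"
IPTABLES="${IPTABLES:-iptables}"
TOMCAT="${TOMCAT:-/etc/init.d/tomcat7}"
CERTBOT="${CERTBOT:-certbot}"   # assumed: certbot on PATH

# The poster's NAT redirect, parameterised; $1 is -D (delete) or -I (insert).
redirect_rule() {
    "$IPTABLES" -t nat "$1" PREROUTING -i "$IFACE" -p tcp -m tcp \
        --dport "$FROM_PORT" -j REDIRECT --to-ports "$TO_PORT"
}

# Undo the preparation: re-add the redirect and start Tomcat.
restore_service() {
    redirect_rule -I
    "$TOMCAT" start
}

# Free the port, renew, and restore on every exit path.
# Returns certbot's exit status so cron still reports a failed renewal.
renew_with_restore() {
    "$TOMCAT" stop
    redirect_rule -D
    trap restore_service EXIT        # fires on normal exit, set -e, or the exits below
    trap 'exit 130' INT TERM         # turn a signal into an exit so the EXIT trap runs
    if "$CERTBOT" renew --standalone --non-interactive; then
        status=0
    else
        status=$?
    fi
    trap - EXIT INT TERM
    restore_service
    return "$status"
}

# Run the renewal only when explicitly asked, so the file can also be sourced.
if [ "${RUN_RENEW:-0}" = 1 ]; then
    renew_with_restore
fi
```

Invoke it from cron as `RUN_RENEW=1 sh renew-behind-tomcat.sh` (file name is arbitrary). The EXIT trap is the important part: a failed `certbot renew` or a Ctrl-C during the challenge still leaves the redirect and Tomcat as they were before the script ran.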
I'm getting this exact same error when trying to renew my standalone cert. The DNS A record is correct…
To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
2016-05-12 14:34:20,851:INFO:letsencrypt.auth_handler:Cleaning up challenges
Failed authorization procedure. referendum.ml (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found 'www.referendum.ml, referendum.ml', www.referendum.ml (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found 'www.referendum.ml, referendum.ml'
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: referendum.ml
Type: unauthorized
Detail: Correct zName not found for TLS SNI challenge. Found
'www.referendum.ml, referendum.ml'
Domain: www.referendum.ml
Type: unauthorized
Detail: Correct zName not found for TLS SNI challenge. Found
'www.referendum.ml, referendum.ml'
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
Hi
I resolved this issue by disabling IPv6 on my Ubuntu 14.04 machine for Apache 2.4 as my server does not have a real IPv6 address.
To accomplish this, I explicitly set the IP address in /etc/apache2/ports.conf
Listen <IP>:80
Listen <IP>:443
and in all vhosts:
<VirtualHost <IP>:80>
instead of
<VirtualHost *:80>
After these changes,
netstat -lnp | egrep ":443|:80"
shows tcp in the first column instead of tcp6.
Then, the certbot renew worked like a charm.
Best regards
Frederick Thomssen
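The netstat check Frederick describes can be run before every renewal rather than by eye. The following is an added example, not from the thread: it reads `netstat -lnp`-style output and flags any port 80/443 listener that is bound via tcp6 (Apache's `Listen *:80` on a host with IPv6 enabled shows up as `tcp6 ... :::80`), or, for the Debian case in the next reply, bound to 0.0.0.0 or the loopback instead of the real address. The sample netstat output and the address 203.0.113.10 are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: pre-renewal check for the binding
# state that broke the standalone/Apache renewals above. Reads netstat -lnp
# output on stdin. Sample data below is constructed.

# Return 0 (and print the lines) if any tcp6 listener on :80 or :443 exists,
# 1 otherwise. This is the "tcp6 in the first column" state Frederick fixed.
has_tcp6_web_listener() {
    awk '$1 == "tcp6" && $4 ~ /:(80|443)$/ { print; found = 1 }
         END { exit found ? 0 : 1 }'
}

# Return 0 only if every :80/:443 listener is plain tcp on a specific IPv4
# address, i.e. not tcp6, not 0.0.0.0 (the "*" vhost) and not 127.0.0.1
# (the loopback case from the Debian reply).
web_listeners_pinned_to_ip() {
    awk '$4 ~ /:(80|443)$/ {
             if ($1 != "tcp") bad = 1
             split($4, a, ":")
             if (a[1] == "0.0.0.0" || a[1] == "127.0.0.1") bad = 1
         }
         END { exit bad ? 1 : 0 }'
}

# Constructed "before" state: 80 on loopback, 443 via tcp6, plus an
# unrelated sshd line to show the port filter ignores it.
SAMPLE_BEFORE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      1234/apache2
tcp6       0      0 :::443                  :::*                    LISTEN      1234/apache2
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      800/sshd'

# Constructed "after" state, matching Listen <IP>:80 / <IP>:443 with 203.0.113.10.
SAMPLE_AFTER='tcp        0      0 203.0.113.10:80         0.0.0.0:*               LISTEN      1234/apache2
tcp        0      0 203.0.113.10:443        0.0.0.0:*               LISTEN      1234/apache2'

# On a live host: run this before certbot renew and abort if it fails.
check_live_host() {
    netstat -lnp 2>/dev/null | web_listeners_pinned_to_ip
}
```

Use it as `check_live_host || { echo "web ports not pinned to the server IP"; exit 1; }` in the renewal script. The two functions are deliberately separate: the first reproduces exactly the symptom from the post above, the second is the stricter condition that both replies ended up needing.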
Fathomssen's solution is what solved the issue for me using Apache2 with Debian. I didn't have IPv6 enabled, but still ran into the issue when trying to renew my cert because my IPs were not defined properly. One was using the loopback and the other *.
Switched the config to use the actual IP and everything worked perfectly.
Thank you!