I'm done, here it ends... nginx debian stretch and letsencrypt crashes


My domain is: www.e-d-i-t.nl, www.roda71.nl, wms-zimbra.e-d-i-t.nl and a lot more…

I ran this command: certbot automatic renew process

It produced this output: all kind of different errors, eventually killing nginx, so rev proxy is offline and every site unreachable.

My web server is (include version): nginx in rev proxy

The operating system my web server runs on is (include version): Debian 9

I can login to a root shell on my machine (yes or no, or I don’t know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.10.2

Okay, that being said,…
I am getting all kinds of errors when trying to renew certs. Eventually I disabled the pre- and post-hook commands restarting nginx, because in the end nginx cannot bind anymore, putting the rev-proxy offline.

Some work, some don’t…

certbot renew --cert-name www.e-d-i-t.nl -a nginx --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/www.e-d-i-t.nl.conf

Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.e-d-i-t.nl
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0058_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0058_csr-certbot.pem

new certificate deployed with reload of nginx server; fullchain is

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/www.e-d-i-t.nl/fullchain.pem (success)

certbot renew --cert-name wms-zimbra.e-d-i-t.nl -a nginx --force-renewal

Attempting to renew cert from /etc/letsencrypt/renewal/wms-zimbra.e-d-i-t.nl.conf produced an unexpected error: Failed authorization procedure. wms-zimbra.e-d-i-t.nl (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 247d3f23b4054c09a493b50052302d86.880550cec6e9d054c943d7a3e1ba4a72.acme.invalid from Received 2 certificate(s), first certificate had names “dav.e-d-i-t.nl”. Skipping.

I had the authenticator in the config changed from standalone to nginx, but it makes no difference at the moment.

I’m out, have no clue what to do.

Kill the current rev-proxy server running nginx and Debian and just install Ubuntu 16.04 instead with apache2? Seems to be fewer errors when Googling…


Hi @e-d-i-t

tls-sni-01 validation is deprecated; support ends in the next few days. So you have to switch to another validation method.

Your certbot is very old. Perhaps update.

http-01 validation requires an open port 80 to validate a domain. Or you use dns-01 validation or tls-alpn-01. acme.sh supports that (certbot doesn’t).

1 Like
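A quick check to go with the advice above, as an added example that is not from the thread: it scans a directory of certbot renewal configs and lists the ones whose [renewalparams] section still prefers the deprecated tls-sni-01 challenge (the pref_challs key certbot writes there), so they can be switched to http-01 before renewal breaks. The two sample config files are constructed for the demonstration; on a real box point the function at /etc/letsencrypt/renewal.

```shell
#!/bin/sh
# Added example: find renewal configs still relying on tls-sni-01.

# Print "<conf-file> <authenticator> <pref_challs>" for every renewal
# config under $1 whose [renewalparams] section prefers tls-sni-01.
find_tls_sni_confs() {
    dir="$1"
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        # Read keys only from the [renewalparams] section of the INI file.
        auth=$(awk -F' *= *' '/^\[/{s=$1} s=="[renewalparams]" && $1=="authenticator"{print $2}' "$conf")
        challs=$(awk -F' *= *' '/^\[/{s=$1} s=="[renewalparams]" && $1=="pref_challs"{print $2}' "$conf")
        case "$challs" in
            *tls-sni-01*) printf '%s %s %s\n' "$(basename "$conf")" "${auth:-unset}" "$challs" ;;
        esac
    done
}

# Constructed sample renewal directory standing in for /etc/letsencrypt/renewal:
# one config written by an old certbot (tls-sni-01), one already on http-01.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/www.example.test.conf" <<'EOF'
version = 0.10.2
archive_dir = /etc/letsencrypt/archive/www.example.test
[renewalparams]
authenticator = nginx
installer = nginx
pref_challs = tls-sni-01,
EOF
    cat > "$d/mail.example.test.conf" <<'EOF'
version = 0.28.0
[renewalparams]
authenticator = nginx
pref_challs = http-01,
EOF
    printf '%s\n' "$d"
}

# Demo run on the constructed directory; only the tls-sni-01 config is listed.
sample=$(make_sample_dir)
find_tls_sni_confs "$sample"
```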

Thanks, I will first dig into acme.sh and otherwise switch to Ubuntu or something supporting a higher version of certbot.


Backports repo for Stretch contains a sufficiently up to date Certbot version to use http-01 with Nginx.


Okay, I am not that good with Linux, so where to go?
It seems I downloaded the certbot installer from the website, because in my sources.list there is nothing listed for backports. So an apt-get update/upgrade will not fix it.

Do I need to get the latest version from the website and just install it on top of the old one?


Oh, I forgot, we finished the process to push Certbot 0.28.0 on stable repos!

If you installed certbot from the OS packages, a simple apt-get update && apt-get upgrade certbot should do the trick. Try that first.

What is the result of this command: command -v certbot? It will help to understand from which installation source you installed certbot.

1 Like

It states: /usr/bin/certbot.
I can update with apt-get update && apt-get upgrade certbot
But I hope it does it in place, so configs remain working.
Ah well. snapshot VM and find out…


Check, working again!
After updating, run the commands to update and those which stalled are updated again.
Thanks for preventing the headache!
