I cannot renew the certificate for one of my apache2 virtual hosts, because letsencrypt (obviously) does not use the certificate retrieved when using tls-sni-01. Here’s what I get:
- The following errors were reported by the server: Domain: ks.eit.h-da.de Type: unauthorized Detail: Incorrect validation certificate for tls-sni-01 challenge. Requested d976adad886868faf3e975a2c206d029.88bbaeb709da69d0294919b6 ffd5c2d6.acme.invalid from 126.96.36.199:443. Received 2 certificate(s), first certificate had names "cypht.eit.h-da.de"
Now, when I look at ssllabs’ analyses, I find that the certificate for cypht.eit.h-da.de is indeed returned, but only when not using SNI: “only very old clients get this certificate”. Why does letsencrypt behave like a very old client, i.e. use the certificate returned when not using SNI?
(Note: ssllabs shows the certificate for “cypht.eit.h-da.de” also when testing my other virtual hosts, but I never had renewal problems with those.)
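Added example, not part of the original post: a shell script that repeats the ssllabs SNI / no-SNI comparison locally with `openssl s_client` against the hostnames in the post, plus a deliberately unmatched SNI name, which is the position the tls-sni-01 validator is in (the `*.acme.invalid` name matches no configured vhost, so Apache answers with the certificate of its default vhost for that address). It assumes OpenSSL 1.1.1 or newer for `-noservername`; the transcript at the end is constructed to exercise the parser offline.

```shell
#!/bin/sh
# Added example, not from the original post: compare which certificate Apache
# serves with the right SNI name, with no SNI, and with an unmatched SNI name.
# Assumes OpenSSL 1.1.1+ (older s_client has no -noservername option).

# Extract the subject CN from an `openssl s_client` transcript read on stdin.
# Handles both the "subject=CN = x" and the older "subject=/CN=x" layouts.
subject_cn() {
  sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p' | head -n 1
}

# CN Apache returns when connecting to $1 on 443 and sending SNI name $2,
# or no SNI at all when $2 is empty.
served_cn() {
  host=$1; sni=$2
  if [ -n "$sni" ]; then
    printf '' | openssl s_client -connect "$host:443" -servername "$sni" 2>/dev/null | subject_cn
  else
    printf '' | openssl s_client -connect "$host:443" -noservername 2>/dev/null | subject_cn
  fi
}

# Report for one vhost. If the last two lines both show cypht.eit.h-da.de,
# that vhost is Apache's default for the address and is what the tls-sni-01
# validator received, matching the error in the post.
check_vhost() {
  vhost=$1
  printf 'SNI %s -> %s\n' "$vhost" "$(served_cn "$vhost" "$vhost")"
  printf 'no SNI -> %s\n' "$(served_cn "$vhost" "")"
  printf 'SNI unmatched.test -> %s\n' "$(served_cn "$vhost" "unmatched.test")"
}

# Constructed s_client excerpt (not real output) for testing subject_cn offline.
SAMPLE_TRANSCRIPT='depth=0 CN = cypht.eit.h-da.de
verify return:1
---
Certificate chain
 0 s:CN = cypht.eit.h-da.de
   i:CN = example-issuer
---
subject=CN = cypht.eit.h-da.de
issuer=CN = example-issuer'

# Usage against the host from the post: check_vhost ks.eit.h-da.de
```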