Incorrect validation certificate. Apache 2.2

What it says on the tin. Run the below command, get the error message that follows. DNS is configured correctly. This server is Centos 6.9 with Apache 2.2.15.

I have another server that worked without a hitch using an almost identical config (unipuma instead of annapuma). That server is Ubuntu Server 14.04.5 with Apache 2.4.7. Obviously, there are minor config differences due to Apache 2.4 vs 2.2.

Both are VPS on separate machines in different parts of the US.

Command and output:

wolferz@annapuma ~ $ sudo ./certbot-auto --apache
[sudo] password for wolferz:
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
  DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: annapuma.onsite-crt.com
2: phpmyadmin.annapuma.onsite-crt.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for annapuma.onsite-crt.com
tls-sni-01 challenge for phpmyadmin.annapuma.onsite-crt.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. phpmyadmin.annapuma.onsite-crt.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 44d2fd6d35baeca36fe13668f3ca3e6a.1ff6dd529b09785e995ba52118823ed6.acme.invalid from 144.217.115.63:443. Received 1 certificate(s), first certificate had names "annapuma.onsite-crt.com", annapuma.onsite-crt.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested e763d5287c2e34729ae226d7c9f8f43f.bbd79e9bf5acd358bfc579512fb4329f.acme.invalid from 144.217.115.63:443. Received 1 certificate(s), first certificate had names "annapuma.onsite-crt.com"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: phpmyadmin.annapuma.onsite-crt.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   44d2fd6d35baeca36fe13668f3ca3e6a.1ff6dd529b09785e995ba52118823ed6.acme.invalid
   from 144.217.115.63:443. Received 1 certificate(s), first
   certificate had names "annapuma.onsite-crt.com"

   Domain: annapuma.onsite-crt.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   e763d5287c2e34729ae226d7c9f8f43f.bbd79e9bf5acd358bfc579512fb4329f.acme.invalid
   from 144.217.115.63:443. Received 1 certificate(s), first
   certificate had names "annapuma.onsite-crt.com"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

vhosts config:

NameVirtualHost annapuma.onsite-crt.com:80
<VirtualHost 144.217.115.63:80>
	DocumentRoot /var/www/html
	ServerName annapuma.onsite-crt.com
	<Directory "/var/www/html">
		allow from all
		Options None
	</Directory>
</VirtualHost>

NameVirtualHost annapuma.onsite-crt.com:443
<VirtualHost 144.217.115.63:443>
	DocumentRoot /var/www/html
	ServerName annapuma.onsite-crt.com
	SSLEngine on
	SSLCertificateFile /etc/httpd/ssl/apache.crt
	SSLCertificateKeyFile /etc/httpd/ssl/apache.key
	<Directory "/var/www/html">
		allow from all
		Options None
	</Directory>
</VirtualHost>

NameVirtualHost phpmyadmin.annapuma.onsite-crt.com:80
<VirtualHost 144.217.115.63:80>
	ServerName phpmyadmin.annapuma.onsite-crt.com
	Include /etc/httpd/conf.d/phpMyAdmin.conf
	DocumentRoot /usr/share/phpMyAdmin/
</VirtualHost>

NameVirtualHost phpmyadmin.annapuma.onsite-crt.com:443
<VirtualHost 144.217.115.63:443>
	ServerName phpmyadmin.annapuma.onsite-crt.com
	SSLEngine on
	SSLCertificateFile /etc/httpd/ssl/apache.crt
	SSLCertificateKeyFile /etc/httpd/ssl/apache.key
	Include /etc/httpd/conf.d/phpMyAdmin.conf
	DocumentRoot /usr/share/phpMyAdmin/
</VirtualHost>

It looks like you may need to include something like the following in your 443 vhost configurations:
Alias /.well-known/acme-challenge /path-to-challenge

Hmm, where would /path-to-challenge be?

That pertains to HTTP-01 challenges, not TLS-SNI-01 challenges, so it shouldn't be related to this particular error. TLS-SNI-01 challenges don't use /.well-known/acme-challenge (or HTTP!) at all.
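An added diagnostic, not from this thread, for reproducing what the validator saw in the error above. It handshakes with the acme.invalid name from the "Requested ..." part of the message as SNI and reports the dNSName entries of whatever certificate Apache actually serves, the same information as the "first certificate had names" part. The host, port and SNI value below are placeholders to fill in from your own error output; tls-sni-01 has since been retired by Let's Encrypt, but the check is the same for any SNI-routed vhost.

```python
import socket
import ssl

SAN_OID = bytes.fromhex("0603551d11")  # OBJECT IDENTIFIER 2.5.29.17 (subjectAltName)


def _der_len(buf, i):
    """Decode a DER length at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def san_dns_names(der_cert):
    """Return the dNSName entries of a DER certificate's subjectAltName extension.

    Deliberately minimal: it locates the SAN OID instead of walking the whole
    X.509 structure, which is enough for a diagnostic on a server you control."""
    i = der_cert.find(SAN_OID)
    if i < 0:
        return []
    i += len(SAN_OID)
    if der_cert[i] == 0x01:          # optional BOOLEAN 'critical' flag (3 bytes)
        i += 3
    if der_cert[i] != 0x04:          # extnValue is an OCTET STRING
        raise ValueError("malformed subjectAltName extension")
    _, i = _der_len(der_cert, i + 1)
    if der_cert[i] != 0x30:          # SEQUENCE OF GeneralName
        raise ValueError("malformed subjectAltName value")
    seq_len, i = _der_len(der_cert, i + 1)
    end, names = i + seq_len, []
    while i < end:
        tag = der_cert[i]
        length, i = _der_len(der_cert, i + 1)
        if tag == 0x82:              # context tag [2] = dNSName (IA5String)
            names.append(der_cert[i:i + length].decode("ascii"))
        i += length
    return names


def served_names(host, port, sni):
    """Handshake with the given SNI name, as the ACME validator does, and report the names served.
    Verification is disabled on purpose: the challenge certificate is self-signed by design."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return san_dns_names(tls.getpeercert(binary_form=True))


def diagnose(requested, received):
    """Mirror the validator's verdict: the served cert must carry the requested acme.invalid name."""
    if requested in received:
        return "ok: challenge certificate served for %s" % requested
    return ("mismatch: SNI %s was answered with names %s, i.e. the default vhost, "
            "not the certbot challenge vhost" % (requested, received or ["<none>"]))


if __name__ == "__main__":
    # Placeholders: take host and the requested acme.invalid name from your own certbot error.
    sni = "EXAMPLE-TOKEN.EXAMPLE-THUMBPRINT.acme.invalid"
    print(diagnose(sni, served_names("annapuma.onsite-crt.com", 443, sni)))
```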

Seems like you have managed to get the certificate issued.

I am assuming your challenges were to do with the fact that you had domains on different VPS servers?

Andrei

Yes, but I had to use a completely different approach and configure everything manually. I used --webroot instead of --apache. I’d still rather it all be set up the same way to keep things as consistent between servers as possible, but I needed it up and running more than that. I’m sure I’ll forget that I had to do the CentOS server differently when I go to add another vhost later on.

The main question for me was using the Apache plugin with Apache 2.2. There is nothing in the documentation that clearly indicates this is not supported. Additionally, my own research turned up a 6-month-old accepted pull request for the Apache certbot plugin purporting to resolve any lingering issues with Apache 2.2 support. So I was under the impression that it was supported. However, it simply isn’t working for me.

@JadedDragoon

The most likely reason is the inability to parse config files.

I would go to the certbot GitHub and open or check for issues.

I am not that familiar with the Apache plugin, but I do know that Apache has changed the syntax between versions, so this could be an issue.

Andrei