Incorrect validation certificate for tls-sni-01 challenge, acme.invalid, dummy

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: statease.com

I ran this command: sudo ./certbot-auto --nginx

It produced this output:

Cleaning up challenges
Failed authorization procedure. activate.staging.statease.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 6176798a1c6e9ef5
94c8b9700beadda1.f6f3c44f2963df7066dfe7473f24579f.acme.invalid from 162.209.98.243:443. Received 1 certificate(s), first certificate had names "bb314e5be30d3db782c00c7b915f0b9a.abadc0eb8241737e1fef226d18724d87.acme.invalid, dummy", www.s
tatease.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested f76a6626e2e7264c5c5ef13e331ed3e2.a29f0f4e649c3345ba399df9adb4a2f7.
acme.invalid from 162.209.98.243:443. Received 1 certificate(s), first certificate had names "bb314e5be30d3db782c00c7b915f0b9a.abadc0eb8241737e1fef226d18724d87.acme.invalid, dummy", statease.com (tls-sni-01): urn:acme:error:unauthorized
:: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested c829fafc9ba1e02e2beb1ae5665e3e8c.42a47a5a16c3b6673549c7497d339ed1.acme.invalid from 162.209.98.243:443. Received 1 certi
ficate(s), first certificate had names "bb314e5be30d3db782c00c7b915f0b9a.abadc0eb8241737e1fef226d18724d87.acme.invalid, dummy", activate.statease.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization
:: Incorrect validation certificate for tls-sni-01 challenge. Requested 27a85b99b5a188641c7cd5a963381fd6.e35424529ec6ee688719b19feb15c261.acme.invalid from 162.209.98.243:443. Received 1 certificate(s), first certificate had names "bb314
e5be30d3db782c00c7b915f0b9a.abadc0eb8241737e1fef226d18724d87.acme.invalid, dummy"

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: activate.staging.statease.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    6176798a1c6e9ef594c8b9700beadda1.f6f3c44f2963df7066dfe7473f24579f.acme.invalid
    from 162.209.98.243:443. Received 1 certificate(s), first
    certificate had names
    "bb314e5be30d3db782c00c7b915f0b9a.abadc0eb8241737e1fef226d18724d87.acme.invalid,
    dummy"

    Domain: www.statease.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    f76a6626e2e7264c5c5ef13e331ed3e2.a29f0f4e649c3345ba399df9adb4a2f7.acme.invalid
    from 162.209.98.243:443. Received 1 certificate(s), first
    certificate had names
    "bb314e5be30d3db782c00c7b915f0b9a.abadc0eb8241737e1fef226d18724d87.acme.invalid,
    dummy"

    Domain: statease.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    c829fafc9ba1e02e2beb1ae5665e3e8c.42a47a5a16c3b6673549c7497d339ed1.acme.invalid
    from 162.209.98.243:443. Received 1 certificate(s), first
    certificate had names
    "bb314e5be30d3db782c00c7b915f0b9a.abadc0eb8241737e1fef226d18724d87.acme.invalid,
    dummy"

    Domain: activate.statease.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    27a85b99b5a188641c7cd5a963381fd6.e35424529ec6ee688719b19feb15c261.acme.invalid
    from 162.209.98.243:443. Received 1 certificate(s), first
    certificate had names
    "bb314e5be30d3db782c00c7b915f0b9a.abadc0eb8241737e1fef226d18724d87.acme.invalid,
    dummy"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): Nginx 1.12.0

The operating system my web server runs on is (include version): Ubuntu 12.04.5

My hosting provider, if applicable, is: Rackspace

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

I imagine this has something to do with the certificate having the name XXXXX.acme.invalid, dummy, but I'm not sure what to do here. It is currently using a Comodo cert.

Hi @statmike,

That’s interesting—the .acme.invalid certificate is a test certificate that Certbot creates in order to prove your control over the domain name. However, it looks like your server was somehow configured with a test certificate from a previous run of Certbot instead of from the current one, which is an unusual problem that I’ve not sure I’ve seen before.

Could you post the associated log from /var/log/letsencrypt?

Sure, though I am unable to upload yet and it looks like I’m three times the limit. Should I just post the text in three comments?

That’s fine, or you could upload it to a pastebin site and share a link here.

OK, here is the log letsencrypt.log

Hi Schoen,

Have you had a chance to look at my log?

Sorry for the delay, @statmike. I looked at it briefly and something that seems peculiar to me is that it appears that Certbot managed to obtain authorizations for some of the names that you requested, yet failed for others. It also looks to me like Certbot managed to create an appropriate test certificate for some of the challenges but that that certificate was presented in response to other challenges.

@erica, do you have time to look at https://pastebin.com/1cYxTRq6 and try to understand the failure? (It’s a slightly unusual situation of the CA getting back one test cert when requesting a different one, while using --nginx.)

I’d make sure that the following lines are deleted from /etc/nginx/nginx.conf and try again:

include /etc/letsencrypt/le_tls_sni_01_cert_challenge.conf;
server_names_hash_bucket_size 128;

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.