Incorrect validation certificate for tls-sni-01 challenge. certbot --apache -d

Please fill out the fields below so we can help you better.

My domain is: sekvenovani.cz

I ran this command: sudo certbot --apache -d sekvenovani.cz

It produced this output:

tls-sni-01 challenge for sekvenovani.cz
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. sekvenovani.cz (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested e0aae500401d348b5c8da951252d7482.1e9af5c652d00767422d467a6aa66689.acme.invalid from [2a01:4f8:201:1151::10]:443. Received 3 certificate(s), first certificate had names “www.seqme.eu

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: sekvenovani.cz
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    e0aae500401d348b5c8da951252d7482.1e9af5c652d00767422d467a6aa66689.acme.invalid
    from [2a01:4f8:201:1151::10]:443. Received 3 certificate(s), first
    certificate had names “www.seqme.eu

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): apache 2.4

The operating system my web server runs on is (include version): Ubuntu Server 16.04

My hosting provider, if applicable, is: VPS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I can ping the domain with the correct IP. I can access the domain with this Apache vhost:

# Port 80 (plain HTTP) vhost as posted
<VirtualHost *:80>
    ServerName sekvenovani.cz
    ServerAlias www.sekvenovani.cz

    DocumentRoot /var/www/landing-page/www

    <Directory /var/www/landing-page/www>
        AllowOverride All
        Require all granted
    </Directory>

    ServerAdmin admin@sekvenovani.cz
    ErrorLog ${APACHE_LOG_DIR}/sekvenovani.cz-error.log
    CustomLog ${APACHE_LOG_DIR}/sekvenovani.cz-access.log combined
</VirtualHost>

The vhost file shown only has port 80.
The auth request was TLS (port 443).
Furthermore, the auth request was to an IPv6 address: [2a01:4f8:201:1151::10]:443
Your domain resolves to:
Name: sekvenovani.cz
Addresses: 2a01:4f8:201:1151::10
31.31.77.250

You must consider (or remove) the IPv6 path as IPv6 is preferred by LE.

This is not relevant to this error. Certbot modifies the user's Apache configuration to make it listen on port 443 if it wasn't previously listening on port 443. There is no requirement to have a pre-existing HTTPS listener configured in order to use certbot --apache.

On the other hand, I think this is a likely explanation for the error. Currently the IPv4 and IPv6 version of the site are returning different content and may be using different servers or server software configurations.

Indeed, but it points to the fact that he included the port 80 vhost which is unrelated to the auth request.
Hopefully sending him to look for the vhost config that includes port 443.

The server has completely disabled IPv6, but there is still a record in the DNS zone. I removed IPv6 from DNS. Will wait a bit and then I’ll try again with the certbot command.

Guys, thank you for amazing support. It was the setting of DNS vs IPv6.

I cannot have an IPv6 DNS AAAA record and disabled IPv6 support on the server. Maybe certbot should also check if any interface has an IPv6 address before the API call (and if not, fall back automatically to IPv4).
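The root cause in this thread, an AAAA record pointing at an address that serves a different site than the A record, can be spotted before an ACME run by resolving every published address and comparing the certificate each one presents. The script below is an added example, not code from the thread or from certbot. The two addresses mirror the DNS answer quoted above; the certificate names attached to them are constructed sample data, and the `probe` callback is injected so the comparison logic runs offline while the same function can be pointed at a live host.

```python
"""Added example (not from the forum thread): report every A/AAAA address of a
domain whose TLS certificate on port 443 does not cover that domain.

The thread's failure is exactly this split: the CA reached the host over the
AAAA record and got a certificate for www.seqme.eu instead of sekvenovani.cz.
"""
import socket
import ssl
from typing import Callable, Dict, Iterable, List, Set

# Constructed sample data. The addresses are the A/AAAA answer quoted in the
# thread; the certificate names per address are assumed for illustration.
SAMPLE_RECORDS: Dict[str, Set[str]] = {
    "31.31.77.250": {"sekvenovani.cz", "www.sekvenovani.cz"},
    "2a01:4f8:201:1151::10": {"www.seqme.eu"},
}


def sample_probe(domain: str, address: str) -> Set[str]:
    """Offline stand-in for certificate_names(): look up the constructed data."""
    return SAMPLE_RECORDS[address]


def resolve_addresses(domain: str) -> List[str]:
    """Every IPv4 and IPv6 address the system resolver returns for `domain`.
    Needs network access; the offline test does not call it."""
    infos = socket.getaddrinfo(domain, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def certificate_names(domain: str, address: str, timeout: float = 5.0) -> Set[str]:
    """Connect to `address`:443 with SNI=`domain` and return the leaf
    certificate's names (subject CN plus DNS subjectAltNames).

    Hostname checking is off so a mismatching certificate is returned rather
    than rejected; chain verification stays on, so an untrusted certificate
    raises ssl.SSLError, which find_split() records. Needs network access."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    family = socket.AF_INET6 if ":" in address else socket.AF_INET
    with socket.create_connection((address, 443), timeout=timeout) if family == socket.AF_INET \
            else socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as raw:
        if family == socket.AF_INET6:
            raw.settimeout(timeout)
            raw.connect((address, 443))
        with ctx.wrap_socket(raw, server_hostname=domain) as tls:
            cert = tls.getpeercert()
    names: Set[str] = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value)
    return names


def covers(domain: str, names: Set[str]) -> bool:
    """True if `domain` matches one of the certificate names, either exactly or
    via a single-label wildcard such as *.example.org."""
    domain = domain.lower()
    for name in names:
        name = name.lower()
        if name == domain:
            return True
        if name.startswith("*.") and "." in domain:
            if domain.split(".", 1)[1] == name[2:]:
                return True
    return False


def find_split(domain: str, addresses: Iterable[str],
               probe: Callable[[str, str], Set[str]]) -> Dict[str, Set[str]]:
    """Probe each address and return {address: names} for every address whose
    certificate does not cover `domain`. A connection or TLS failure is kept
    as a marker entry so an unreachable address is reported, not skipped
    (ssl.SSLError is a subclass of OSError)."""
    bad: Dict[str, Set[str]] = {}
    for addr in addresses:
        try:
            names = probe(domain, addr)
        except OSError as exc:
            names = {f"<error: {type(exc).__name__}>"}
        if not covers(domain, names):
            bad[addr] = names
    return bad


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live check: python split_check.py example.org
        target = sys.argv[1]
        split = find_split(target, resolve_addresses(target), certificate_names)
    else:  # offline demo on the constructed data
        target = "sekvenovani.cz"
        split = find_split(target, SAMPLE_RECORDS, sample_probe)
    for addr, names in split.items():
        print(f"{addr} does not serve a certificate for {target}: {sorted(names)}")
    if not split:
        print(f"all addresses of {target} present a matching certificate")
```

Run without arguments it reports the constructed split (the IPv6 address serving www.seqme.eu); run with a domain it resolves the live A and AAAA records and probes each one. An address that refuses connections or presents an untrusted chain shows up as an `<error: …>` entry, which is the signal to look for a stale AAAA record or a listener that was never configured for that address family.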
