Incorrect validation certificate for tls-sni-01 challenge/Received 1 certificate(s), first certificate had names ""

My domain is: tezzius.ie

I ran this command: sudo certbot --apache -d www.tezzius.ie

It produced this output:

  • The following errors were reported by the server:

    Domain: www.tezzius.ie
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    04529f2ad66ed5b702377d7e845b9157.fdc78dc50c22902407ae3df70ddd96d8.acme.invalid
    from 93.107.39.104:443. Received 1 certificate(s), first
    certificate had names “”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version): (ESXi 6.5 host) Linux Mint 18.1 Serena (GNU/Linux 4.4.0-53-generic x86_64) (VM)

My hosting provider, if applicable, is: Selfhosted

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

This seems to be a common issue, but none of the other solutions worked at all.
As above, I recently had my nameserver configuration done correctly on the domain provider side, so it all works. I set up the DNS server on my network myself, so it’s probably a configuration issue there; I’m much more of a hardware person, so I’m not the best at software like this. I tried to obtain an SSL cert, and was met with that error. I previously tried to get a cert, so it might possibly be to do with that, but I thought I’d ask first. I also tried just tezzius.ie but it had the same issue. I used the command apachectl -V to get the apache version, but I noted it had this on the first line of the output, “AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.0.1. Set the ‘ServerName’ directive globally to suppress this message”, so I suspect it’s the DNS on my side. If you need any more information I can provide it.

It does seem to be a common issue. Sometimes it happens because people don’t realize they need to run certbot on the same machine as Apache, or because they have a reverse proxy in front of it, but I suspect neither of those is the case here…

More likely, certbot is trying to configure a temporary VirtualHost in Apache with a special certificate to respond to the domain validation challenge, but one of your existing virtual hosts is taking precedence and serving a self-signed certificate instead.

Can you please post the output of the following command:

sudo apachectl -S

Yes, VMWare ESXi is domain aware; the host itself talked to my router, which also has DNS stuff (my network is not ideal for this, there is some conflict that I’m trying to work out) and got the name localhost.localdomain, so idk if those settings would interfere, or if something like you said was going on.

The output from sudo apachectl -S is

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 127.0.0.1 (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

Ah, I missed that it was a virtual machine. Is the host or something else listening on port 443? There’s a self-signed certificate coming from somewhere, you’ll see it if you connect to https://www.tezzius.ie - can you figure out where that is?

When you use certbot --apache you need to run it on the same machine Apache - and more specifically, the Apache instance that you want to use to serve HTTPS. In the case of virtual machines that means either both on the host or both on the same guest. If you want Apache serving HTTPS inside the VM, you’ll need to make sure the host forwards port 443 to the VM.

(sorry I can’t be more specific but I haven’t used VMWare myself…)

Yes, it’s all on the one guest OS. Due to my awful router (actually good by ISP-provided router standards, it had a version of openWRT on it) not working with port forwarding, the VM is in the DMZ and the host is not; VMWare ESXi is very network transparent, so it works well. I don’t think the host’s cert can be accessed from the outside, but I’ll see if I can find it, although deleting it isn’t a good idea. I’ll see if I can find out more info regarding ESXi.

It’s not that the host’s cert needs to be deleted - rather, that if something on the host is listening on port 443, it needs to stop, and forward that port to the guest instead. Something is listening on port 443, and based on the output of apachectl -S, it doesn’t seem to be the guest.

http://canyouseeme.org shows that port 443 is open, so whatever is listening on it is definitely on the guest OS; since it’s in the DMZ, it’s the only machine that can accept outside traffic.
I tried uninstalling and reinstalling most of the certbot stuff, but it still returns the error. I’ll try turning off the VM and seeing if the port is still open, and maybe dedicate a whole NIC to the VM (it’s running on an HP ProLiant DL380 G7 so there are 3 spare ones).

Interesting. Perhaps you could share some more of the Apache configuration? Perhaps the self-signed cert is somehow being served from there. Maybe try this:

grep -Ri sslcertificate /etc/apache2

(If anything other than Apache was listening on the guest OS, you should have received a different error message about the address being already in use)

Yeah, while off, there is no route to host from canyouseeme, so I think it’s something very local to that guest OS.

The result from grep -Ri sslcertificate /etc/apache2 is

/etc/apache2/sites-available/default-ssl.conf: # SSLCertificateFile directive is needed.
/etc/apache2/sites-available/default-ssl.conf: SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/apache2/sites-available/default-ssl.conf: SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
/etc/apache2/sites-available/default-ssl.conf: # Point SSLCertificateChainFile at a file containing the
/etc/apache2/sites-available/default-ssl.conf: # the referenced file can be the same as SSLCertificateFile
/etc/apache2/sites-available/default-ssl.conf: #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

Hmm. But that shouldn’t have any effect if there isn’t a symlink in sites-enabled…

Can you find out what’s actually listening on port 443 on the guest?

sudo lsof -i :443 | grep LISTEN

Also, might be worth having a look at that snakeoil cert; if it’s the one being served you might then be able to find something by searching for its name.

openssl x509 -text -noout -in /etc/ssl/certs/ssl-cert-snakeoil.pem

The cert I’m seeing (in case it rings any bells) is:

Subject: C=IE, ST=Leinster, L=Dublin, O=FUN

The result of sudo lsof -i :443 | grep LISTEN is

nginx 1314 root 7u IPv4 20079 0t0 TCP *:https (LISTEN)
nginx 1316 www-data 7u IPv4 20079 0t0 TCP *:https (LISTEN)
nginx 1317 www-data 7u IPv4 20079 0t0 TCP *:https (LISTEN)
nginx 1318 www-data 7u IPv4 20079 0t0 TCP *:https (LISTEN)
nginx 1319 www-data 7u IPv4 20079 0t0 TCP *:https (LISTEN)
nginx 1321 www-data 7u IPv4 20079 0t0 TCP *:https (LISTEN)
nginx 1322 www-data 7u IPv4 20079 0t0 TCP *:https (LISTEN)

Subject: C=IE, ST=Leinster, L=Dublin, O=FUN
IE is Ireland, Leinster is the province and Dublin is the county, which would be where I am, so it has the location correct. The result of openssl x509 -text -noout -in /etc/ssl/certs/ssl-cert-snakeoil.pem is

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 16629268315764324227 (0xe6c7076d73ca7783)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=mint
Validity
Not Before: Apr 4 03:00:20 2017 GMT
Not After : Apr 2 03:00:20 2027 GMT
Subject: CN=mint
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Signature Algorithm: sha256WithRSAEncryption

Some of that seems like I shouldn’t post it lol, those are keys; however I don’t know what it’s from.

So it looks like nginx is listening on port 443. Do you know about that? Is it intentional?

If for example you're using nginx as a proxy to forward traffic to an Apache backend, then you should be using certbot --nginx rather than certbot --apache.

Me too :slight_smile:

Well that confirms this is not the certificate we're looking for (since it doesn't match "C=IE, ST=Leinster, L=Dublin, O=FUN"). But at this point I think we can guess it will be found in the nginx configuration anyway.

You shouldn't post private keys of course, but that's a public key, which is fine :slight_smile:

Oh, OH, my friend has Rocketchat set up on this server with a reverse proxy to port 80 for encryption, could that be causing the error that we’re getting? And cool, I don’t see many people from Dublin, only a few each year (currently on number 3 now)

sudo certbot --nginx -d www.tezzius.ie creates

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.tezzius.ie
Cleaning up challenges
Cannot find a VirtualHost matching domain www.tezzius.ie. In order for Certbot to correctly perform the challenge please add a corresponding server_name directive to your nginx configuration: https://nginx.org/en/docs/http/server_names.html

It’s possible, although I would have expected a different error message… Apache should fail to listen on port 443 when nginx is already listening there. Still, it may be worth a try… you would need to set up a virtual host (server block) in nginx with a server_name for www.tezzius.ie and configure it to forward traffic to your Apache instance. Then you should be able to get the cert with certbot --nginx.

Sorry though, I can’t be much more help than that… if it were apache proxying to nginx, I could tell you exactly what to do, but nginx configuration isn’t my forte.

Go n-éirí an t-ádh leat!

Right, I found the issue. After asking my friend “yo what exactly did you do?”, he said he put an nginx self-signed cert on it; that would be the cert we were seeing, so all I gotta do is go and remove that.

You probably don’t even need to remove it.

The thing is: whatever is listening on port 443, that is what needs to be configured with a valid certificate. So if nginx is listening, then nginx needs a valid certificate.

If you want to use Apache to handle HTTPS connections on port 443, you’ll have to stop nginx from doing so. That would probably interfere with (i.e. break) rocketchat, so I’m guessing you don’t want to do that.

However you can set up nginx (or apache for that matter) to run with two different certificates, one for your domain and one for whatever domain name your friend is using. Just set up a server block for each, and in theory certbot --nginx should do the rest… The traffic on port 443 will be handled by nginx though, so if you want to use apache you’ll have to configure nginx to proxy the traffic for your domain to it.

Naw, rocketchat was just plugging in a blank page; I’ll be putting an actual webpage on it at a later point. I’ll be weighing apache against nginx, I haven’t decided which one yet.

Aha. In that case, it’s probably easiest to settle on apache or nginx, rather than trying to get both working together :slight_smile: Apart from the obvious reasons, certbot will tend to assume you’re just using one or the other, and will try to automatically configure things based on that assumption.
