Incorrect validation certificate for tls-sni-01 challenge. Why?

I use my local computer to obtain and renew the certificate.
My configuration is simple.
I have 2 certificates, one for each domain.
https://s1.tagan.ru/
https://s1-utils.tagan.ru/
The server works fine as far as I can see (nginx uses SSL encryption).

How can I renew the certificate on 1s.tagan.ru?

nixm ~ # certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: s1-utils.tagan.ru
Domains: s1-utils.tagan.ru
Expiry Date: 2017-10-19 05:30:00+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/s1-utils.tagan.ru/fullchain.pem
Private Key Path: /etc/letsencrypt/live/s1-utils.tagan.ru/privkey.pem
Certificate Name: s1.tagan.ru
Domains: s1.tagan.ru
Expiry Date: 2017-08-09 09:07:00+00:00 (VALID: 18 days)
Certificate Path: /etc/letsencrypt/live/s1.tagan.ru/fullchain.pem
Private Key Path: /etc/letsencrypt/live/s1.tagan.ru/privkey.pem

nixm ~ # certbot certonly -d s1.tagan.ru
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for s1.tagan.ru
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. s1.tagan.ru (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 569d4bcba4735861901c923665c5cdf2.53a4adc13d83994dee8b911a6efac945.acme.invalid from [2a00:8740::43]:443. Received 1 certificate(s), first certificate had names “s1.tagan.ru”

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: s1.tagan.ru
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    569d4bcba4735861901c923665c5cdf2.53a4adc13d83994dee8b911a6efac945.acme.invalid
    from [2a00:8740::43]:443. Received 1 certificate(s), first
    certificate had names “s1.tagan.ru”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.
    nixm ~ #

So, when you do tls-sni-01 the Let’s Encrypt CA (somewhere out on the Internet) connects to the exact Fully Qualified Domain Name you asked to validate, on port 443, and then it asks for the gibberish hostname (the one ending .acme.invalid in your log text).

If it was connecting to your standalone Certbot program, the Certbot would say “OK, here’s the certificate for that gibberish hostname” and present it a certificate invented for the validation process, proving you really control that FQDN.

But, it seems to instead reach a real web server (maybe your nginx setup) on port 443 of that machine, and that real web server doesn’t know anything about this whole validation idea and sends back a real certificate.

Is the machine where you run Certbot really s1.tagan.ru? If not, the Certbot won’t be able to prove control this way. If so, you may need to stop the nginx server to complete the validation successfully, but I’d expect to see different errors.

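The two cases the reply above distinguishes can be told apart from the error text itself, because it names the address the CA actually connected to. The following is an added example, not part of the original thread and not Certbot code: the `diagnose` helper, its verdict strings and the caller-supplied list of local addresses are assumptions made for illustration.

```python
import ipaddress
import re

# Error detail copied from the log above.
DETAIL = (
    "Incorrect validation certificate for tls-sni-01 challenge. Requested "
    "569d4bcba4735861901c923665c5cdf2.53a4adc13d83994dee8b911a6efac945.acme.invalid "
    "from [2a00:8740::43]:443. Received 1 certificate(s), first certificate "
    "had names \u201cs1.tagan.ru\u201d"
)

# \s+ between tokens lets the pattern also match certbot's line-wrapped copy.
PATTERN = re.compile(
    r"Requested\s+(?P<sni>\S+\.acme\.invalid)\s+from\s+"
    r"(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<v4>[\d.]+)):(?P<port>\d+)\.\s+"
    r"Received\s+(?P<count>\d+)\s+certificate\(s\),\s+first\s+certificate\s+"
    r'had\s+names\s+["\u201c](?P<names>[^"\u201d]*)["\u201d]'
)


def diagnose(detail, local_addrs):
    """Parse the CA's error detail and say which case from the answer applies.

    local_addrs: addresses configured on the machine running certbot
    (caller-supplied, e.g. read from `ip addr`).
    """
    m = PATTERN.search(detail)
    if m is None:
        raise ValueError("not an 'Incorrect validation certificate' detail")
    remote = ipaddress.ip_address(m.group("v6") or m.group("v4"))
    local = {ipaddress.ip_address(a) for a in local_addrs}
    if remote in local:
        # The CA reached this machine, but another listener (e.g. nginx)
        # answered on the port instead of certbot's standalone server.
        verdict = "other-listener-on-this-host"
    else:
        # The DNS record the CA followed points at a different machine.
        verdict = "validation-reached-another-host"
    return {
        "requested_sni": m.group("sni"),
        "remote": str(remote),
        "port": int(m.group("port")),
        "received_names": [n.strip() for n in m.group("names").split(",")],
        "verdict": verdict,
    }


if __name__ == "__main__":
    # 192.0.2.10 and 2001:db8::1 are constructed documentation addresses.
    print(diagnose(DETAIL, ["192.0.2.10", "2001:db8::1"]))
```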
