Incorrect validation certificate for tls-sni-01 challenge. Why?

I use my local computer for obtain and renew sertificate.
My configuration is simple.
I have 2 sertificate for each domains.
https://s1.tagan.ru/
https://s1-utils.tagan.ru/
Server works fine as I see. (nginx use ssl encryption)

How can I renew certificate on 1s.tagan.ru?

nixm ~ # certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: s1-utils.tagan.ru
Domains: s1-utils.tagan.ru
Expiry Date: 2017-10-19 05:30:00+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/s1-utils.tagan.ru/fullchain.pem
Private Key Path: /etc/letsencrypt/live/s1-utils.tagan.ru/privkey.pem
Certificate Name: s1.tagan.ru
Domains: s1.tagan.ru
Expiry Date: 2017-08-09 09:07:00+00:00 (VALID: 18 days)
Certificate Path: /etc/letsencrypt/live/s1.tagan.ru/fullchain.pem
Private Key Path: /etc/letsencrypt/live/s1.tagan.ru/privkey.pem

nixm ~ # certbot certonly -d s1.tagan.ru
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for s1.tagan.ru
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. s1.tagan.ru (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 569d4bcba4735861901c923665c5cdf2.53a4adc13d83994dee8b911a6efac945.acme.invalid from [2a00:8740::43]:443. Received 1 certificate(s), first certificate had names “s1.tagan.ru

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: s1.tagan.ru
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    569d4bcba4735861901c923665c5cdf2.53a4adc13d83994dee8b911a6efac945.acme.invalid
    from [2a00:8740::43]:443. Received 1 certificate(s), first
    certificate had names “s1.tagan.ru

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.
    nixm ~ #

So, when you do tls-sni-01 the Let’s Encrypt CA (somewhere out on the Internet) connects to the exact Fully Qualified Domain Name you asked to validate, on port 443, and then it asks for the gibberish hostname (the one ending .acme.invalid in your log text).

If it was connecting to your standalone Certbot program, the Certbot would say “OK, here’s the certificate for that gibberish hostname” and present it a certificate invented for the validation process, proving you really control that FQDN.

But, it seems to instead reach a real web server (maybe your nginx setup) on port 443 of that machine, and that real web server doesn’t know anything about this whole validation idea and sends back a real certificate.

Is the machine where you run Certbot really s1.tagan.ru ? If not, the Certbot won’t be able to prove control this way. If so, you may need to stop the nginx server to complete the validation successfully, but I’d expect to see different errors.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.