[Issue] Incorrect validation certificate for tls-sni-01 challenge

Hi there,

I have the following issue: I am not able to renew the certificate for the domain below.

Any suggestion on what the cause might be…

My domain is:

I ran this command:
certbot renew

It produced this output:

Processing /etc/letsencrypt/renewal/lacozaandam.com.conf

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.lacozaandam.com
tls-sni-01 challenge for lacozaandam.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (lacozaandam.com) from /etc/letsencrypt/renewal/lacozaandam.com.conf produced an unexpected error: Failed authorization procedure. www.lacozaandam.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 498ed8f18a7521dde07f5cac4f11fc1f.e2590b5b48efc9cbbace2c5e6ee78932.acme.invalid from [2001:888:0:18::117:80]:443. Received 1 certificate(s), first certificate had names “sni-support-required-for-valid-ssl”. Skipping.


Processing /etc/letsencrypt/renewal/lacozaandam.com-0001.conf

Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/lacozaandam.com-0001/fullchain.pem (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/lacozaandam.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.lacozaandam.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    498ed8f18a7521dde07f5cac4f11fc1f.e2590b5b48efc9cbbace2c5e6ee78932.acme.invalid
    from [2001:888:0:18::117:80]:443. Received 1 certificate(s), first
    certificate had names “sni-support-required-for-valid-ssl”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version):
Server version: Apache/2.4.7 (Ubuntu)
Server built: Sep 18 2017 16:37:54
Server’s Module Magic Number: 20120211:27
Server loaded: APR 1.5.1-dev, APR-UTIL 1.5.3
Compiled using: APR 1.5.1-dev, APR-UTIL 1.5.3

The operating system my web server runs on is (include version):
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.5 LTS
Release: 14.04
Codename: trusty

My hosting provider, if applicable, is:
DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

Hi @Kreshnik,

It looks to me like you’ve now resolved this problem by removing the AAAA DNS record for your domain. (However, the confusing thing is that your renewed certificate appears to have been issued 2 days ago rather than just now.)

Hi @Kreshnik,

Regarding this conf file, it is attempting to renew a cert containing two domains

lacozaandam.com
www.lacozaandam.com

But lacozaandam.com is served by an Apache web server and www.lacozaandam.com is served by an OpenResty web server.

That means that your domains have different ips:

$ dig lacozaandam.com +short
146.185.135.148

$ dig www.lacozaandam.com +short
194.109.6.98

Also, www.lacozaandam.com resolves to an IPv6 address, 2001:888:0:18::117:80, and this IP would be used by Let's Encrypt to validate your domain, as Let's Encrypt prefers IPv6 over IPv4 if both are available.

So, if you are not using IPv6, you should remove the AAAA record for domain www.lacozaandam.com and change its A record to point to your Apache web server 146.185.135.148.

And now the other issue: you have 2 renewal conf files, I suppose because you created a cert for both domains and then created a new one with just one domain, or vice versa.

You could check what they are covering using command certbot certificates.

Cheers,
sahsanu


Thanks @sahsanu, I didn’t look carefully enough here after seeing the one recently-renewed cert!


@schoen @sahsanu, first, thanks for the swift responses.

@sahsanu, when I do a dig on the domains, I get the following:

lacozaandam.com +short
146.185.135.148
www.lacozaandam.com +short
146.185.135.148

When running certbot certificates I got the following:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: lacozaandam.com
    Domains: www.lacozaandam.com,lacozaandam.com
    Expiry Date: 2017-09-28 21:07:00+00:00 (VALID: 6 days)
    Certificate Path: /etc/letsencrypt/live/lacozaandam.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/lacozaandam.com/privkey.pem
  Certificate Name: lacozaandam.com-0001
    Domains: lacozaandam.com
    Expiry Date: 2017-12-18 09:05:00+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/lacozaandam.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/lacozaandam.com-0001/privkey.pem
-------------------------------------------------------------------------------

Any next steps you guys could suggest…

@Kreshnik,

That is not what your DNS servers say.

$ dig @ns.xs4all.nl lacozaandam.com +short
146.185.135.148

$ dig @ns.xs4all.nl www.lacozaandam.com +short
194.109.6.98

$ dig @ns2.xs4all.nl lacozaandam.com +short
146.185.135.148

$ dig @ns2.xs4all.nl www.lacozaandam.com +short
194.109.6.98

Well, you have 2 certificates,

1.- lacozaandam.com that covers both domains (with and without www) and will expire in 6 days.

2.- lacozaandam.com-0001 that covers only the domain without www and will expire in 86 days.

Which one do you want to use? If you want a certificate for both domains (certificate 1), then you should solve your DNS issues with the www domain. If you only want to use the certificate for the domain without www, then use certificate 2 (you are already using it) and delete certificate 1.

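The DNS checks in the two replies above (apex vs. www resolution, and the IPv6 preference that sends validation to the AAAA address) can be scripted. This is an added example, not code from the thread or from certbot; it embeds the `dig +short` answers quoted in the thread as constructed sample data, and the `dig_short` helper that talks to a real nameserver is an assumption about your environment (it needs `dig` and network access).

```python
import ipaddress
import subprocess

# Constructed sample: the `dig +short` answers the authoritative servers gave in the thread.
SAMPLE_DIG = {
    ("lacozaandam.com", "A"): "146.185.135.148\n",
    ("lacozaandam.com", "AAAA"): "",
    ("www.lacozaandam.com", "A"): "194.109.6.98\n",
    ("www.lacozaandam.com", "AAAA"): "2001:888:0:18::117:80\n",
}

def sample_lookup(domain, rtype):
    """Offline stand-in for dig_short, backed by the constructed sample above."""
    return SAMPLE_DIG.get((domain, rtype), "")

def dig_short(domain, rtype, nameserver="ns.xs4all.nl"):
    """Query a nameserver directly (assumed helper; needs dig and network)."""
    cmd = ["dig", f"@{nameserver}", domain, rtype, "+short"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def parse_dig_short(output):
    """Keep only IP literals from `dig +short` output; CNAME targets are skipped."""
    addrs = []
    for line in output.splitlines():
        line = line.strip()
        try:
            ipaddress.ip_address(line)
        except ValueError:
            continue
        addrs.append(line)
    return addrs

def validation_address(a_records, aaaa_records):
    """Address the validator will connect to: the thread notes IPv6 wins if an AAAA exists."""
    return (aaaa_records or a_records or [None])[0]

def find_problems(domains, expected_ip, lookup=sample_lookup):
    """One message per mismatch between where validation goes and the host running certbot."""
    problems = []
    for d in domains:
        a = parse_dig_short(lookup(d, "A"))
        aaaa = parse_dig_short(lookup(d, "AAAA"))
        if not a and not aaaa:
            problems.append(f"{d}: no A/AAAA records at all")
            continue
        target = validation_address(a, aaaa)
        if aaaa and expected_ip not in aaaa:
            problems.append(f"{d}: validation goes to AAAA {target}, not {expected_ip};"
                            " remove the AAAA record if IPv6 is unused")
        if a and expected_ip not in a:
            problems.append(f"{d}: A record points to {a[0]}, expected {expected_ip}")
    return problems
```

Pass `lookup=dig_short` to run the same checks against the live authoritative servers, repeating for each nameserver returned by `dig NS`.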

Thank you very much @sahsanu, this descriptive answer makes it much easier to solve the issue.

P.s. I will probably go with 1 (Solving DNS issue)

Thanks!


@Kreshnik, you are welcome.

Remember that you need to solve 2 issues with the www domain: the incorrect IPv4 address and the IPv6 address. If you won’t use IPv6, remove the AAAA record, or Let’s Encrypt will try to validate your domain with this IPv6 address and will fail.
