I got the dreaded error on renewal of this kind:
Incorrect validation certificate for tls-sni-01 challenge.
Requested
7d73173db01659ede889ed0bf82c0b02.bec84759bef004bdccd68f41dd804f77.acme.invalid
from 191.20.118.1:443. Received 2 certificate(s), first certificate
had names "myhost.com, www.myhost.com"
Looked at all the hints here, which were pretty helpful: Incorrect validation certificate for challenge - #2 by oulman
So I noticed that my apache sites conf file contained two virtualhosts, one for port 80 and one for port 443, in a single file. So I fixed it by making them into two separate files. But still, I got the same error when doing "certbot renew".
Then I figured it out: While my /etc/apache2/sites-enabled/ folder only symlinked to the (now two) conf files for (www.)myhost.com, the /etc/apache2/sites-available/ folder also contained another conf file that contained another pair of virtual hosts. As soon as I removed that (unused!) conf file, the renew worked.
So, the issue with certbot here is that it attempted to revew the cert for a site that I didn't have active. And worse, it did not tell me that. The error messages I got were only reference the active domain names, not the ones of the second, inactive, conf file. I had once created that second site for doing some testing (and getting its own letsencrypt cert for it) and then disabled it later again - it's surprising to me that this now led to certbot failing to perform its renew. I wonder if I have to perform extra steps to tell certbot to "forget" the cert it once handled for this now-inactive site.
I think it would help in debugging of the actual conf files that were used in the renew process are explicitly listed - had that happened then I would have immediately noticed the issue (though I still wonder if it's even correct / intended behavior that certbot attempts to revew the certs of deactivated apache sites.
Oh, I later found that the inactive file was mentioned in the log file. So it's mentioned somewhere, but a bit hidden.
Also:
"certbot --version" still shows 0.10.2 - but I found no way to check if that's actually the current version. The certbot docs site seems not to mention the current version anywhere. However, pages such as GitHub - certbot/certbot: Certbot is EFF's tool to obtain certs from Let's Encrypt and (optionally) auto-enable HTTPS on your server. It can also act as a client for any other CA that uses the ACME protocol. and INTRODUCTION — letsencrypt latest documentation suggest it's already at v0.21 - yet, I was not able to install any version other than 0.10.2 when using "apt-get install certbot python-certbot-apache" on debian 8.