Issue with renew, apache, multiple virtual hosts, and inactive ones


I got the dreaded error on renewal of this kind:

Incorrect validation certificate for tls-sni-01 challenge.
from Received 2 certificate(s), first certificate
had names “,

Looked at all the hints here, which were pretty helpful: Incorrect validation certificate for challenge

So I noticed that my apache sites conf file contained two virtualhosts, one for port 80 and one for port 443, in a single file. So I fixed it by making them into two separate files. But still, I got the same error when doing “certbot renew”.

Then I figured it out: While my /etc/apache2/sites-enabled/ folder only symlinked to the (now two) conf files for (www.), the /etc/apache2/sites-available/ folder also contained another conf file that contained another pair of virtual hosts. As soon as I removed that (unused!) conf file, the renew worked.

So, the issue with certbot here is that it attempted to revew the cert for a site that I didn’t have active. And worse, it did not tell me that. The error messages I got were only reference the active domain names, not the ones of the second, inactive, conf file. I had once created that second site for doing some testing (and getting its own letsencrypt cert for it) and then disabled it later again - it’s surprising to me that this now led to certbot failing to perform its renew. I wonder if I have to perform extra steps to tell certbot to “forget” the cert it once handled for this now-inactive site.

I think it would help in debugging of the actual conf files that were used in the renew process are explicitly listed - had that happened then I would have immediately noticed the issue (though I still wonder if it’s even correct / intended behavior that certbot attempts to revew the certs of deactivated apache sites.

Oh, I later found that the inactive file was mentioned in the log file. So it’s mentioned somewhere, but a bit hidden.


“certbot --version” still shows 0.10.2 - but I found no way to check if that’s actually the current version. The certbot docs site seems not to mention the current version anywhere. However, pages such as and suggest it’s already at v0.21 - yet, I was not able to install any version other than 0.10.2 when using “apt-get install certbot python-certbot-apache” on debian 8.




Could you be a bit more specific or are you a bot that replies to every post with “RTFM”?


The current released version of certbot is 0.20.0 (0.21 is in development but hasn’t been released yet)

The bug that caused it to parse files in sites-available that aren’t enabled was fixed in 0.19.0.

Version 0.10.2 is indeed the latest version packaged in the backports repository for debian jessie. If you want to install a newer version you can do so using certbot-auto - see (note that if you do this you’ll have to set up your own cron job / systemd timer as you won’t get the one that’s included with the debian package).

You can use the certbot certificates command to discover what certificates you have and what domains they cover. If you want to change the domains on a certificate see and if you want to remove a certificate entirely you can use certbot delete.


Thanks, that was helpful, especially clarifying why I didn’t get the latest certbot version installed.

It would be nice if the docs for installing certbot for older Debian versions would mention that they won’t install the latest version unless one takes extra steps like the ones you provided. The current ones ( suggest nothing like that, and following them would indeed install quite an outdated version. That’s not good, agreed?

Is that something you can take care of (are you an admin?), or should I file a ticket for that?


I’m not an admin. I believe the docs are maintained here if you want to file an issue. Thanks!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.