Migrating Certificate to another IP



I’ve created a certificate on a host with IP X and had to migrate to another host with a different IP Y.
When I run certbot renew on the new machine I get the error

Incorrect validation certificate for TLS-SNI-01 challenge.
To fix these errors, please make sure that your domain name was entered 
correctly and the DNS A record(s) for that domain contain(s) the right IP address.

This error should be correct, as I’m using a different IP now.
How can I renew the certificates?
Should I delete the old certificates and generate new certificates?


Deleting old certificates is almost never the right answer. certbot doesn’t really care, it renews when it’s time or it doesn’t renew when it isn’t time yet. This can be forced with commands like --force-renewal, but your output suggests your certbot wants to renew anyway, so that doesn’t matter at all…

I assume the new machine you’re running certbot on actually also is the machine which has the new IP address, right? And obviously in your migration you changed the IP address of the hostname to that machine?


Yes, I’m running certbot on the new machine.
And also yes, I changed the DNS records so that they point to the new machine/IP

The certificate is due for renewal on April 20th.


Problem could be a configuration issue of your webserver. In the case of Apache, mixing <VirtualHost *:443> with <VirtualHost> styles can result in not serving the right validation certificate when validating. So without either configuration files (you can obviously check for yourself) or even the full error of certbot I can only guess.
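
An added example, not part of the original thread and not certbot's own code: a small Python check for the webserver configuration issue raised in the last reply. It assumes the second style meant there is an address-specific `<VirtualHost>`, and it also flags vhosts still bound to an address the new host does not have; the function names, hostnames and IP addresses are constructed.

```python
import re

# Matches an opening <VirtualHost ...> directive and captures its address list.
VHOST_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE | re.MULTILINE)
WILDCARDS = {"*", "_default_"}

def split_addr(spec):
    """Split 'addr[:port]' into (addr, port); handles bracketed IPv6."""
    if spec.startswith("["):
        host, _, rest = spec[1:].partition("]")
        return host, rest.lstrip(":") or "*"
    host, sep, port = spec.rpartition(":")
    return (host, port) if sep else (spec, "*")

def audit_vhosts(config_text, current_ips, port="443"):
    """Return warnings for VirtualHost address specs on the given port."""
    wildcard, explicit = [], []
    for match in VHOST_RE.finditer(config_text):
        for spec in match.group(1).split():
            addr, vport = split_addr(spec)
            if vport not in (port, "*"):
                continue
            (wildcard if addr in WILDCARDS else explicit).append(spec)
    warnings = []
    if wildcard and explicit:
        warnings.append(f"mixed styles on port {port}: {wildcard} and {explicit}")
    for spec in explicit:
        addr = split_addr(spec)[0]
        if addr not in current_ips:
            warnings.append(f"{spec} is not an address of this host")
    return warnings

# Constructed sample: config copied from the old host (203.0.113.10)
# onto the new host (198.51.100.20). Both addresses are documentation ranges.
SAMPLE = """
<VirtualHost *:80>
    ServerName example.org
</VirtualHost>
<VirtualHost *:443>
    ServerName example.org
</VirtualHost>
<VirtualHost 203.0.113.10:443>
    ServerName www.example.org
</VirtualHost>
"""

if __name__ == "__main__":
    for w in audit_vhosts(SAMPLE, {"198.51.100.20"}):
        print("WARNING:", w)
```

To use it on a real host, pass the concatenated contents of the Apache configuration files and the set of addresses actually assigned to the machine.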


