I ran this command: certbot --apache (about 3 times)
It produced this output: Incorrect validation certificate for tls-sni-01 challenge.
My operating system is (include version): Ubuntu
My web server is (include version): Linux version 3.19.0-28-generic (buildd@lgw01-03) (gcc version 4.9.2 (Ubuntu 4.9.2-10ubuntu13) ) #30-Ubuntu SMP Mon Aug 31 15:52:51 UTC 2015
My hosting provider, if applicable, is: DigitalOcean
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No
That particular rate limit will expire after an hour. Try --staging for testing against the test server in the meantime (and for any future experiments).
I checked my domain name and that passes all of the relevant tests. I’m pretty sure it’s certbot being confused by my config files or something. I have no idea where to start with those.
Before I had them pointing to my old certs from StartSSL (which just stopped working in Chrome for me).
Now I’ve moved those files into a subdirectory and I’ve commented out the lines which point to them.
Before that it wasn’t working either. It was saying something was wrong with the cert it returned. I suspect it wasn’t properly modifying the reply and it was getting my old invalid StartSSL cert back.
Also: Now I’m kind-of boned for at least an hour. I mean, my site didn’t work before but now it’s… half working? The cert is from letsencrypt but from the staging server and not trusted.
Is there any way to see what the cooldown time is? Does it reset if I re-try?
@schoen If I keep running certbot --apache until it works… will it ever work or will the wait time reset each time I try?
Feature request for certbot: add a warning about running the authorization both to the intro on the site and the command line script. That’d be grand. I’ll make the commit and create a pull request. Actually I’ll do that now if I can find the source.
A: It’s an hour from the time you went over. Re-trying doesn’t extend the ban. That’s good.
Failed authorization procedure. eanbowman.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: query timed out looking up A for eanbowman.com
I tested my site’s DNS and it’s good. Maybe a glitch? I’ll try again with staging to make sure it works. It worked with staging before.
Edit: Yup… no error with staging but I had one with prod. I’ll try prod once more. I hope it’s just a momentary glitch.
I have no idea how to fix this stuff. This is the last thing I needed. I need to be working on my portfolio. Why does my site where NOBODY logs in need a perfect chain of signed certs anyway?
What would you like to do?
-------------------------------------------------------------------------------
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for eanbowman.com
Waiting for verification...
Cleaning up challenges
Incomplete authorizations
Well that’s a new one. Is LetsEncrypt having issues?
In this case since you already have a cert for one of those names, Certbot should probably prompt you to ask whether you want to replace that existing cert with the new “expanded” cert. (And the answer should be yes.)
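Added example (not code from the thread or from certbot): a small preflight script that does the checks this thread ends up doing by hand, resolving the A record that timed out above and inspecting which certificate Apache is really serving and whether a validating client trusts it, before spending a rate-limited issuance attempt. The `resolver` and `fetch` parameters exist only so the checks can be exercised offline with stubs; the hostname is whatever you pass in.

```python
import socket
import ssl
from datetime import datetime, timezone

def resolve_a(host, resolver=socket.getaddrinfo):
    """IPv4 addresses for host; [] when the lookup fails or times out (the error in the thread)."""
    try:
        infos = resolver(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})

def summarize_cert(cert):
    """Reduce an ssl.getpeercert() dict to issuer organisation, SAN names and days to expiry."""
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    sans = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    not_after = datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return {"issuer": issuer.get("organizationName", "?"), "sans": sans,
            "days_left": (not_after - datetime.now(timezone.utc)).days}

def fetch_cert(host, port=443, timeout=5.0):
    """Handshake with SNI against the system trust store, as a browser would.
    Returns (cert_dict, None), or (None, reason) when the chain is untrusted
    (a staging cert, an expired one) or the port cannot be reached."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, f"untrusted chain: {exc.verify_message}"
    except OSError as exc:
        return None, f"connect failed: {exc}"

def preflight(host, resolver=socket.getaddrinfo, fetch=fetch_cert):
    """Checks to run before spending a rate-limited issuance attempt; returns findings."""
    findings = []
    addrs = resolve_a(host, resolver)
    if not addrs:
        return ["DNS: no A record resolved; fix DNS before retrying certbot"]
    findings.append(f"DNS: {host} -> {', '.join(addrs)}")
    cert, reason = fetch(host)  # injectable so the logic can be tested without a network
    if cert is None:
        findings.append(f"TLS: {reason}")
        return findings
    s = summarize_cert(cert)
    findings.append(f"TLS: issuer={s['issuer']} sans={s['sans']} days_left={s['days_left']}")
    if s["days_left"] < 30:
        findings.append("TLS: served cert expires within 30 days; confirm Apache loads the new files")
    return findings
```

Run `preflight("your.domain")` on the host, fix whatever it reports, then test with `certbot --staging` before a production attempt.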