My site uses Apache. Auth failed 3 or 4 times. Now I'm rate limited. Please help!

My domain is: (and a few others)

I ran this command: certbot --apache (about 3 times)

It produced this output: Incorrect validation certificate for tls-sni-01 challenge.

My operating system is (include version): Ubuntu

My web server is (include version): Linux version 3.19.0-28-generic (buildd@lgw01-03) (gcc version 4.9.2 (Ubuntu 4.9.2-10ubuntu13) ) #30-Ubuntu SMP Mon Aug 31 15:52:51 UTC 2015

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Hi @eanbowman,

That particular rate limit will expire after an hour. Try --staging for testing against the test server in the meantime (and for any future experiments).


Thanks very much! I saw 3 hours in another post, which had me worried.

Any idea why it would be failing?

I made a few suggestions in this thread about the most common reasons, based on my experiences helping people on this forum in the past.


Thanks so very much. You’re very helpful!

I checked my domain name and that passes all of the relevant tests. I’m pretty sure it’s certbot being confused by my config files or something. I have no idea where to start with those.

Before I had them pointing to my old certs from StartSSL (which just stopped working in Chrome for me).

Now I’ve moved those files into a subdirectory and I’ve commented out the lines which point to them.

Before that it wasn’t working either. It was saying something was wrong with the cert it returned. I suspect it wasn’t properly modifying the reply and it was getting my old invalid StartSSL cert back.

Any ideas?

Is it possible that you have multiple virtual hosts defined within the same Apache configuration file?

I have multiple virtual hosts.


If I set it up so only the SSL on my main site is enabled it works!

Now I wonder how to get it to run for the subdomains?

Also: Now I’m kind-of boned for at least an hour. I mean, my site didn’t work before but now it’s… half working? The cert is from letsencrypt but from the staging server and not trusted.

Is there any way to see what the cooldown time is? Does it reset if I re-try?

@schoen If I keep running certbot --apache until it works… will it ever work or will the wait time reset each time I try?

Feature request for certbot: add a warning about running the authorization both to the intro on the site and the command line script. That’d be grand. I’ll make the commit and create a pull request. Actually I’ll do that now if I can find the source.

A: It’s an hour from the time you went over. Re-trying doesn’t extend the ban. That’s good. :slight_smile:

Okay this is really weird:

Failed authorization procedure. (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: query timed out looking up A for

I tested my site’s DNS and it’s good. Maybe a glitch? I’ll try again with staging to make sure it works. It worked with staging before.

Edit: Yup… no error with staging but I had one with prod. I’ll try prod once more. I hope it’s just a momentary glitch. :frowning:

I have no idea how to fix this stuff. This is the last thing I needed. I need to be working on my portfolio. Why does my site where NOBODY logs in need a perfect chain of signed certs anyway?

Any help would be greatly appreciated.

What would you like to do?
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for
Waiting for verification...
Cleaning up challenges
Incomplete authorizations

Well that’s a new one. Is LetsEncrypt having issues?

It seems like there might be a problem with Let's Encrypt's DNS resolver at the moment:


Alright! Everything’s working! Except…

I can add

But if I try to add as well, it doesn’t work.

Is there any way to configure both of those at once? I was able to manually do that with StartSSL. Just add as many subdomains as needed.

You can specify domains on the command line with -d and you can specify as many of them as you like (up to 100). For example:

certbot apache -d -d

In this case since you already have a cert for one of those names, Certbot should probably prompt you to ask whether you want to replace that existing cert with the new “expanded” cert. (And the answer should be yes.)
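The two practical points in this thread are that Certbot gets confused when one Apache config file defines several virtual hosts, and that all the names you want on one certificate should be passed in a single run with repeated -d flags (and tested against --staging first, so a failed run does not eat into the production rate limit). The script below is an added example, not code from the thread or from Certbot itself: it counts the <VirtualHost> blocks in a config file, lists the ServerName of each, and builds the matching -d argument list. The config file it inspects is constructed inline; example.com and blog.example.com are placeholder names.

```shell
#!/bin/sh
# Added example: inspect an Apache config file for several <VirtualHost>
# blocks and turn their ServerNames into a single certbot -d list.
set -eu

# Count <VirtualHost ...> opening tags in one config file (0 if none).
count_vhosts() {
  grep -ci '^[[:space:]]*<VirtualHost' "$1" || true
}

# Print "file: ServerName" for every vhost defined in the file.
list_server_names() {
  awk '/^[[:space:]]*<VirtualHost/ {invh=1}
       invh && /^[[:space:]]*ServerName/ {print FILENAME ": " $2}
       /^[[:space:]]*<\/VirtualHost>/ {invh=0}' "$1"
}

# Build "-d name1 -d name2 ..." from the same ServerName lines, so every
# vhost in the file lands on one expanded certificate.
build_d_args() {
  awk '/^[[:space:]]*<VirtualHost/ {invh=1}
       invh && /^[[:space:]]*ServerName/ {printf "%s-d %s", sep, $2; sep=" "}
       /^[[:space:]]*<\/VirtualHost>/ {invh=0}
       END {print ""}' "$1"
}

# Constructed sample config (assumption): two vhosts in one file, which is
# the layout the thread identified as the trigger for the failed challenge.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName blog.example.com
    SSLEngine on
</VirtualHost>
EOF

echo "vhosts in $SAMPLE_CONF: $(count_vhosts "$SAMPLE_CONF")"
list_server_names "$SAMPLE_CONF"
# Only print the suggested command; run it yourself once the names look right.
# --staging keeps a broken run from counting against production rate limits.
echo "certbot --apache --staging $(build_d_args "$SAMPLE_CONF")"
```

Run it against /etc/apache2/sites-enabled/*.conf (pass each file as the argument) to see which files carry more than one vhost; a count above 1 is the case worth splitting into separate files before running Certbot, and the printed -d list is what to hand to certbot --apache once the staging run succeeds.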

