I ran this command: ./letsencrypt-auto certonly --renew-by-default
It produced this output:
Domain: myfavoritecare.com
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
6687318197d9c2f2702b2d374c80a4c5.53da757358bbcc5392479762f168f6e1.acme.invalid
from 139.162.55.19:443. Received 2 certificate(s), first
certificate had names “myfavoritecare.com”
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
My web server is (include version): no apache and nginx
The operating system my web server runs on is (include version): CentOS 6
My hosting provider, if applicable, is: linode
I can login to a root shell on my machine (yes or no, or I don’t know): I can log in as root
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): just terminal
What did you mean when you said “no apache and nginx”? Do you mean that you’re using nginx but not Apache? Did you previously have a Let’s Encrypt certificate, and did you switch the web server software that you use? (I ask partly because --renew-by-default is the old name for --force-renewal, which is normally used when you have an existing certificate that you want to force to be renewed immediately.)
I don’t use nginx and don’t use apache on my machine.
I have used a Let’s Encrypt certificate for about 1 year and have never updated Let’s Encrypt itself.
I didn’t switch my web server software.
Usually I renew the Let’s Encrypt certificate easily; this is the first time I have met this problem.
@rg305, that’s not going to be helpful in this case because this is a TLS-SNI-01 challenge, not an HTTP-01 challenge. TLS-SNI-01 doesn’t use /.well-known/acme-challenge at all.
@ys588281, could you post the renewal configuration file from /etc/letsencrypt/renewal? That will explain what Certbot is trying to do here.
If you don’t use Apache or nginx, then the TLS-SNI-01 challenge could only succeed using the standalone authenticator. But this method requires stopping your web server temporarily when renewing your certificate.
The message from ./letsencrypt-auto --version is certbot 0.15.0
I tried ./letsencrypt-auto certonly, it failed again.
The error message is
Failed authorization procedure. myfavoritecare.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested c4c096f23122ebd6762cf35e5379decd.ae5322a3de7019ae27712434c50e9a64.acme.invalid from 139.162.55.19:443. Received 2 certificate(s), first certificate had names “myfavoritecare.com”
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: myfavoritecare.com
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
c4c096f23122ebd6762cf35e5379decd.ae5322a3de7019ae27712434c50e9a64.acme.invalid
from 139.162.55.19:443. Received 2 certificate(s), first
certificate had names “myfavoritecare.com”
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
My DNS is in GoDaddy and it has run really well so far.
So I’m pretty confused about why Certbot isn’t giving a more useful error (about inability to bind port 443), but the problem is almost certainly that --standalone, which is being used automatically for the renewal attempt, requires you to temporarily stop your existing web server if you have one. From what you said, you do have one, and so you need to stop it temporarily when renewing with this method.
There are other methods which might work and would not have this requirement if it turns out to be a problem for you. There are also --pre-hook and --post-hook options which can let you tell Certbot how to stop and restart your web server.
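As an added example (not from this thread and not Certbot's own code), the following POSIX shell script makes the diagnosis in the two replies above concrete: it reports which process already holds port 443, which is why a --standalone TLS-SNI-01 validation receives the site's normal certificate ("first certificate had names myfavoritecare.com") instead of the expected challenge certificate, and it shows the --pre-hook/--post-hook form of the renewal command. The service name mywebserver, the use of `ss -ltnp` as the listener source, and the `ss` output embedded below are all assumptions or constructed sample data.

```shell
#!/bin/sh
# Added example for the thread above; not part of Certbot or letsencrypt-auto.
# Assumes iproute2's `ss` is available and the web server is a service whose
# name the caller supplies (hypothetical "mywebserver").

# Constructed sample of `ss -ltnp` output, used for the offline demo below.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 *:22 *:* users:(("sshd",pid=900,fd=3))
LISTEN 0 128 *:443 *:* users:(("nginx",pid=1234,fd=6))'

# port_listener PORT: read `ss -ltnp`-style lines on stdin and print the name of
# the process listening on PORT (prints nothing if the port is free).
port_listener() {
    port="$1"
    awk -v p=":$port" '
        $1 == "LISTEN" && $4 ~ p"$" {
            # users:(("nginx",pid=1234,fd=6)) -> nginx
            if (match($0, /users:\(\("[^"]+"/)) {
                print substr($0, RSTART + 9, RLENGTH - 10)
                exit
            }
        }'
}

# demo_listener PORT: run port_listener over the constructed sample so the
# check can be exercised without root or a live socket table.
demo_listener() {
    printf '%s\n' "$SAMPLE_SS" | port_listener "$1"
}

# explain_443: live check. --standalone must bind :443 itself; if another
# process owns the port, the CA's TLS-SNI-01 probe reaches that process and
# gets the site's ordinary certificate, producing exactly the error in the post.
explain_443() {
    holder="$(ss -ltnp 2>/dev/null | port_listener 443)"
    if [ -n "$holder" ]; then
        echo "port 443 is held by '$holder': standalone validation will fail unless it is stopped"
        return 1
    fi
    echo "port 443 is free: standalone validation can bind it"
}

# renew_with_hooks SERVICE: force a renewal with the standalone authenticator,
# letting Certbot stop the web server before validation and start it after.
renew_with_hooks() {
    service="$1"
    ./letsencrypt-auto certonly --standalone --force-renewal \
        --pre-hook "service $service stop" \
        --post-hook "service $service start"
}

# Usage (nothing runs unless an argument is given, so the file can be sourced):
#   sh renew-check.sh check              # report what holds port 443
#   sh renew-check.sh renew mywebserver  # renew, stopping/starting the service
case "${1:-}" in
    check) explain_443 ;;
    renew) renew_with_hooks "${2:-mywebserver}" ;;
esac
```

The pre/post hooks are run by Certbot around the validation only, so the outage is limited to the few seconds the challenge takes; `service` is used here because the reporter is on CentOS 6, and the equivalent on a systemd host would be `systemctl stop`/`systemctl start`.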