Nginx cert renew failure!

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: sinluong.com

I ran this command: certbot renew --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/sinluong.com.conf

Cert is due for renewal, auto-renewing…


Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for sinluong.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/sinluong.com.conf produced an unexpected error: Failed authorization procedure. sinluong.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested c248a8ac8a0a460d72db687424067638.00748f57b3996a185da0ac290e047d91.acme.invalid from 108.61.172.254:443. Received 2 certificate(s), first certificate had names “sinluong.com”. Skipping.
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/sinluong.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: sinluong.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    c248a8ac8a0a460d72db687424067638.00748f57b3996a185da0ac290e047d91.acme.invalid
    from 108.61.172.254:443. Received 2 certificate(s), first
    certificate had names “sinluong.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): nginx

The operating system my web server runs on is (include version): ubuntu 12.04 LTS

My hosting provider, if applicable, is: Vultr

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The tls-sni-01 challenge request failed, which is strange as the site already has an LE cert (which recently expired).
You might want to try an HTTP challenge instead (at least to get the cert renewed; then you can focus on getting tls-sni-01 working).
Since the server is based on nginx, you won't be able to use --preferred-challenges http.
That leaves you with the --webroot option.
Here's a link to the documentation for that: http://letsencrypt.readthedocs.io/en/latest/using.html#webroot

We can also try to investigate the reason for this; maybe you could post the log file from /var/log/letsencrypt associated with this attempt to renew the certificate.

Sorry, it's my first time renewing with certbot. I'm not sure if I'm doing this correctly, but I've tried it with and without --dry-run and with the --webroot option, and I'm still getting the same error returned. :(

Can you post the associated Certbot log file from /var/log/letsencrypt?

Hi,
sorry, I just saw this message. I've tried to add the whole output here but it won't let me because I'm still a new user, and I can't attach it as a txt file either.
I've pasted the tail of the log; I hope it helps.

2017-11-15 12:02:14,743:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: sinluong.com
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge. Requested e6b7953c6c28257c49e92b8986f7a3a8.18cde582c1f67b3f5706471b6cc41104.acme.invalid from 108.61.172.254:443. Received 2 certificate(s), first certificate had names "sinluong.com

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
2017-11-15 12:02:14,743:INFO:certbot.auth_handler:Cleaning up challenges
2017-11-15 12:02:15,934:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/sinluong.com.conf produced an unexpected error: Failed authorization procedure. sinluong.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested e6b7953c6c28257c49e92b8986f7a3a8.18cde582c1f67b3f5706471b6cc41104.acme.invalid from 108.61.172.254:443. Received 2 certificate(s), first certificate had names "sinluong.com". Skipping.
2017-11-15 12:02:15,937:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 418, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 640, in renew_cert
    _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 77, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 296, in renew_cert
    new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 313, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 81, in get_authorizations
    self._respond(resp, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 138, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 202, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. sinluong.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested e6b7953c6c28257c49e92b8986f7a3a8.18cde582c1f67b3f5706471b6cc41104.acme.invalid from 108.61.172.254:443. Received 2 certificate(s), first certificate had names "sinluong.com

2017-11-15 12:02:15,938:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.14.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 742, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 692, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 435, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

I think when switching to --webroot, you would have to use certbot certonly rather than certbot renew. Did you do that when you tried --webroot?

The error that you’re seeing indicates that Certbot tried to reconfigure your nginx to serve a custom certificate (in addition to the existing certificate) in order to prove your control over the domain name. However, it didn’t succeed in reconfiguring nginx, and the certificate authority encountered only the existing certificate, not the custom one, when it accessed the site to check. This can be caused by a number of things, such as running Certbot on a machine that’s not the web server, or having a proxy or firewall or CDN (that speaks TLS on behalf of the web server) in between the Internet and the web server, or a bug in Certbot where there was something unusual about your nginx configuration that confused Certbot.

Did we ask you what version of Certbot you’re running? Sometimes there have also been bugs in Certbot’s ability to understand and update nginx configurations that were present in older versions and have been fixed in newer versions.
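As an added example (not code from this thread, from Certbot, or from Let's Encrypt), here is a small Python parser that pulls the fields out of the tls-sni-01 failure line quoted above and states what the mismatch means: the validator asked the server, by SNI, for a temporary `<hex>.<hex>.acme.invalid` name and got back the site's ordinary certificate instead. The sample log line is copied from the log pasted earlier in the thread; the function names and the diagnosis wording are my own.

```python
import re
from typing import Dict, List, Optional

# Matches the tls-sni-01 failure detail as certbot prints it. Accepts ASCII
# quotes around the name list as well as the curly quotes the forum paste shows.
_TLS_SNI_RE = re.compile(
    r"(?P<domain>[A-Za-z0-9.-]+) \(tls-sni-01\): "
    r"urn:acme:error:(?P<err>[a-z]+) :: .*?"
    r"Requested (?P<requested>[0-9a-f]{32}\.[0-9a-f]{32}\.acme\.invalid) "
    r"from (?P<ip>[0-9.]+):(?P<port>\d+)\. "
    r"Received (?P<count>\d+) certificate\(s\), first certificate had names "
    r"[\"\u201c](?P<names>[^\"\u201d\n]*)"
)


def parse_tls_sni_failure(line: str) -> Optional[Dict[str, object]]:
    """Return the structured fields of one tls-sni-01 failure line, or None."""
    m = _TLS_SNI_RE.search(line)
    if m is None:
        return None
    names: List[str] = [n.strip() for n in m.group("names").split(",") if n.strip()]
    return {
        "domain": m.group("domain"),
        "error": m.group("err"),
        # SNI name the validator asked for: <hex>.<hex>.acme.invalid
        "requested_sni": m.group("requested"),
        # where the validator connected (the domain's A record, port 443)
        "validator_saw": f"{m.group('ip')}:{m.group('port')}",
        "received_count": int(m.group("count")),
        "received_names": names,
    }


def diagnose(parsed: Dict[str, object]) -> str:
    """Explain, from the parsed fields, why the tls-sni-01 check failed."""
    requested = parsed["requested_sni"]
    names = parsed["received_names"]
    if requested in names:
        return "challenge certificate was served; the failure lies elsewhere"
    if parsed["domain"] in names:
        return (
            f"TLS server at {parsed['validator_saw']} answered SNI {requested} "
            f"with its ordinary certificate for {parsed['domain']}: the ACME client "
            "never got its temporary challenge certificate in front of the validator "
            "(wrong host, proxy/CDN/firewall in between, or nginx not reconfigured)"
        )
    return f"TLS server presented an unrelated certificate (names: {names})"


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse every tls-sni-01 failure in a certbot log, one entry per SNI name."""
    seen = set()
    results: List[Dict[str, object]] = []
    for line in text.splitlines():
        parsed = parse_tls_sni_failure(line)
        if parsed and parsed["requested_sni"] not in seen:
            seen.add(parsed["requested_sni"])
            results.append(parsed)
    return results


# Constructed sample: one WARNING line copied from the log pasted in the thread.
SAMPLE_LOG = (
    "2017-11-15 12:02:15,934:WARNING:certbot.renewal:Attempting to renew cert from "
    "/etc/letsencrypt/renewal/sinluong.com.conf produced an unexpected error: "
    "Failed authorization procedure. sinluong.com (tls-sni-01): "
    "urn:acme:error:unauthorized :: The client lacks sufficient authorization :: "
    "Incorrect validation certificate for tls-sni-01 challenge. Requested "
    "e6b7953c6c28257c49e92b8986f7a3a8.18cde582c1f67b3f5706471b6cc41104.acme.invalid "
    "from 108.61.172.254:443. Received 2 certificate(s), first certificate had names "
    "\u201csinluong.com\u201d. Skipping.\n"
)

if __name__ == "__main__":
    for item in scan_log(SAMPLE_LOG):
        print(item["domain"], "->", diagnose(item))
```

Run it against the full /var/log/letsencrypt/letsencrypt.log to get one diagnosis per failed authorization; the same failure text appears several times in a log (reporter line, WARNING line, traceback), which is why scan_log keys on the requested SNI name.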

Thank you!

certbot certonly worked. Added the --webroot switch and it works perfectly! Thanks so much!
