Outdated Certbot Version and Apache VHOST Configs Means Certificates Aren't Issued

Hi,

I am hosting some personal stuff myself, on a computer at home (Debian Jessie). Since browsers notify users about non-HTTPS login forms, I used certbot to obtain a certificate for my domain (thebestplace.ovh). I didn’t have any problem at that time.

Some days later, I wanted to try to install a mail server. So, I created a subdomain (mail.thebestplace.ovh) to access my new webmail. Firefox told me that the server uses an invalid certificate. I used certbot again to obtain a new certificate for my subdomain, but I couldn’t obtain it successfully. Running sudo certbot --apache -d mail.thebestplace.ovh, I get this error message:

Failed authorization procedure. mail.thebestplace.ovh (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested effc8276d579a665b63f77f3e929e2b8.519dcb4a61bf3ad4082269cd49d6af63.acme.invalid from 109.25.226.10:443. Received 2 certificate(s), first certificate had names "thebestplace.ovh"

and it tells me:
To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.

The DNS record is correct (it’s the same IP for the domain and the subdomain).

Google has a lot of references on this kind of error, but I wasn’t able to fix the problem by myself (as my knowledge is very basic).

I saw while googling for a fix that virtual hosts could be the problem. Here are my sites-enabled files. I don’t really know if they are correct.

000-default.conf:

<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

	RewriteEngine on
	RewriteCond %{SERVER_NAME} =t
	RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

thebestplace.ovh.conf:

<VirtualHost 192.168.1.254:80>
	ServerName www.thebestplace.ovh
	ServerAlias thebestplace.ovh

	Redirect / https://thebestplace.ovh/
</VirtualHost>

<VirtualHost 192.168.1.254:443>
		
	ServerName thebestplace.ovh
	ServerAlias www.thebestplace.ovh
	ServerAdmin ***********
	DocumentRoot /var/www/html

	<Directory /var/www/html>
 		Options Indexes FollowSymLinks MultiViews
 		AllowOverride None
	</Directory>

	SSLCertificateFile /etc/letsencrypt/live/thebestplace.ovh/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/thebestplace.ovh/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf
	
</VirtualHost>

<VirtualHost 192.168.1.254:80>
	ServerName mail.thebestplace.ovh
	ServerAlias www.mail.thebestplace.ovh

	Redirect / https://mail.thebestplace.ovh/
</VirtualHost>

<VirtualHost 192.168.1.254:443>
	ServerName mail.thebestplace.ovh
	ServerAlias www.mail.thebestplace.ovh
	ServerAdmin ************
	DocumentRoot /var/www/html/webmail

	<Directory /var/www/html/webmail/>
		AllowOverride All
	</Directory>

	BrowserMatch "MSIE [2-6]" \
		nokeepalive ssl-unclean-shutdown \
		downgrade-1.0 force-response-1.0
	BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>

My domain is: thebestplace.ovh
My operating system is (include version): Debian Jessie
My web server is (include version): Apache 2.4.10
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I probably made an obvious mistake, but I can’t find it. Any help would be much appreciated.
Thank you.
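A quick way to spot the kind of VirtualHost mistake discussed in this thread (a block bound to port 443 that never enables TLS, so the port answers in plain HTTP and the tls-sni-01 validator sees the wrong thing) is to lint the sites-enabled files before reloading Apache. The script below is an added example and is not code from the thread or from Certbot; the sample configuration is constructed to mirror the thebestplace.ovh.conf posted above, and it assumes that certbot's options-ssl-apache.conf supplies "SSLEngine on", so an Include of that file counts as enabling TLS.

```python
"""Lint Apache VirtualHost blocks on TLS ports for missing TLS directives.
Added example (not from the thread or from Certbot)."""
import re
from dataclasses import dataclass, field

# Assumption: certbot's options-ssl-apache.conf contains "SSLEngine on".
SSL_INCLUDE_HINT = "options-ssl-apache.conf"
TLS_PORTS = {"443", "8443"}

# Constructed sample mirroring the thread's thebestplace.ovh.conf: the root
# vhost includes the certbot SSL options and a certificate, the mail vhost
# on :443 has neither, so it will answer in plaintext HTTP.
SAMPLE_CONF = """
<VirtualHost 192.168.1.254:80>
	ServerName www.thebestplace.ovh
	Redirect / https://thebestplace.ovh/
</VirtualHost>
<VirtualHost 192.168.1.254:443>
	ServerName thebestplace.ovh
	DocumentRoot /var/www/html
	SSLCertificateFile /etc/letsencrypt/live/thebestplace.ovh/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/thebestplace.ovh/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
<VirtualHost  192.168.1.254:443>
	ServerName mail.thebestplace.ovh
	DocumentRoot /var/www/html/webmail
	<Directory /var/www/html/webmail/>
		AllowOverride All
	</Directory>
	BrowserMatch "MSIE [2-6]" \\
		nokeepalive ssl-unclean-shutdown
</VirtualHost>
"""


@dataclass
class VHost:
    address: str
    port: str
    server_name: str = ""
    directives: list = field(default_factory=list)  # (name, value) pairs


def parse_vhosts(text):
    """Minimal parser: collect directives inside each <VirtualHost> block.
    Comments are skipped, backslash continuations are joined, and directives
    inside nested sections such as <Directory> are attributed to the enclosing
    vhost, which is fine for this check."""
    vhosts, current, pending = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):           # continuation line
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        m = re.match(r"<VirtualHost\s+(\S+?):(\d+)\s*>", line, re.I)
        if m:
            current = VHost(address=m.group(1), port=m.group(2))
            continue
        if line.lower() == "</virtualhost>":
            vhosts.append(current)
            current = None
            continue
        if current is None or line.startswith("<"):
            continue                       # nested section open/close
        parts = line.split(None, 1)
        name, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if name.lower() == "servername":
            current.server_name = value
        current.directives.append((name, value))
    return vhosts


def tls_enabled(vh):
    """True if the block turns on mod_ssl directly or via the certbot include."""
    for name, value in vh.directives:
        if name.lower() == "sslengine" and value.lower() == "on":
            return True
        if name.lower() == "include" and SSL_INCLUDE_HINT in value:
            return True
    return False


def has_cert(vh):
    return any(n.lower() == "sslcertificatefile" for n, _ in vh.directives)


def lint(text):
    """Return findings for TLS-port vhosts that would speak plain HTTP
    (no SSLEngine) or have no certificate to present."""
    findings = []
    for vh in parse_vhosts(text):
        if vh.port not in TLS_PORTS:
            continue
        label = f"{vh.server_name or '(no ServerName)'} on {vh.address}:{vh.port}"
        if not tls_enabled(vh):
            findings.append(f"{label}: no 'SSLEngine on' (directly or via "
                            f"{SSL_INCLUDE_HINT}); this port will speak plain HTTP")
        if not has_cert(vh):
            findings.append(f"{label}: no SSLCertificateFile")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

Run against the real files with `lint(open("/etc/apache2/sites-enabled/thebestplace.ovh.conf").read())`; on the sample it reports both problems for the mail vhost and nothing for the root vhost. Note that when the plaintext :443 block comes first in Apache's load order (for example after moving it to a file that sorts earlier), it also becomes the default for that port, which is how every https:// request ends up answered in plain HTTP.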

Certbot has been known to have problems dealing with multiple VirtualHosts in the same file (such as you have thebestplace.ovh and mail.thebestplace.ovh both in thebestplace.ovh.conf). I don’t know if that’s still the case with the latest version of Certbot but it’s certainly true of older versions. Moving the mail VirtualHost to a separate file might help.

Thank you for your reply.

I moved the mail.thebestplace.ovh virtual host into a new conf file. I enabled the new conf file, reloaded apache2, and tried to obtain a certificate for the “mail” subdomain. Unfortunately, I got the same error message.

Hi @Jaypad,

Consider trying an auto-updated version of Certbot in place of your OS packaged version, because the Apache integration has had some bugs fixed over time.

Whether or not you do this, if you can post the logs from /var/log/letsencrypt, we might be able to find other clues about what is going wrong.

@schoen,
Here is the content of /var/log/letsencrypt/letsencrypt.log
I will try the auto-updated version of certbot and come back.

2017-05-11 18:44:56,269:DEBUG:certbot.main:Root logging level set at 20
2017-05-11 18:44:56,271:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-05-11 18:44:56,274:DEBUG:certbot.main:certbot version: 0.10.2
2017-05-11 18:44:56,274:DEBUG:certbot.main:Arguments: ['--apache', '-d', 'mail.thebestplace.ovh']
2017-05-11 18:44:56,276:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2017-05-11 18:44:56,277:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2017-05-11 18:44:57,278:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.configurator:ApacheConfigurator
Initialized: <certbot_apache.configurator.ApacheConfigurator object at 0xb720796c>
Prep: True
2017-05-11 18:44:57,281:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.configurator.ApacheConfigurator object at 0xb720796c> and installer <certbot_apache.configurator.ApacheConfigurator object at 0xb720796c>
2017-05-11 18:44:57,732:DEBUG:certbot.main:Picked account: <Account(e5bf348ab3ec11be703f8a148ed49800)>
2017-05-11 18:44:57,738:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-05-11 18:44:57,745:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-05-11 18:44:58,223:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 352
2017-05-11 18:44:58,225:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 352
Boulder-Request-Id: 1bWZzRyr7QxPKzAlBir_XILOsqDC3KHrcXMfbM02Yds
Replay-Nonce: GIMt6oem_WSTNROcOUs9nRp5hQ5DxriY2XBJfhROMDU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 11 May 2017 18:44:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 11 May 2017 18:44:54 GMT
Connection: keep-alive

{
  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}
2017-05-11 18:44:58,231:INFO:certbot.main:Obtaining a new certificate
2017-05-11 18:44:58,232:DEBUG:root:Requesting fresh nonce
2017-05-11 18:44:58,232:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
2017-05-11 18:44:58,511:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
2017-05-11 18:44:58,513:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Boulder-Request-Id: F-lp7dejazVC8WerXH-7nklX0j7U1pXPXez_qfTmnyA
Replay-Nonce: 2ZTGtkG44AKADDsAPLZ7Ig_A3HVAHJQiAtOo4dM6vh0
Expires: Thu, 11 May 2017 18:44:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 11 May 2017 18:44:54 GMT
Connection: keep-alive


2017-05-11 18:44:58,513:DEBUG:acme.client:Storing nonce: 2ZTGtkG44AKADDsAPLZ7Ig_A3HVAHJQiAtOo4dM6vh0
2017-05-11 18:44:58,516:DEBUG:acme.client:JWS payload:
{
  "identifier": {
    "type": "dns", 
    "value": "mail.thebestplace.ovh"
  }, 
  "resource": "new-authz"
}
2017-05-11 18:44:58,536:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
  "header": {
    "alg": "RS256", 
    "jwk": {
      "e": "AQAB", 
      "kty": "RSA", 
      "n": "1T3gaND00JUaZUzByRj5N926Zdgi-woJgigmPLrSYE720zcG_8VVfxobLdeBkQ-OIIfwjND4Q91bD8n1UsGZz6Du-ukkoe3aCrvrw5rB0A3eCkRcTPRINBZcLkhgCClMVwSDXOQ5fjA0DaW_6c5TWcdzxm3AAt8V_XjX_d0cWV54KWhTUxc4BMxjvy9PBraD0JLl-zwBtUog380vuYUUuVe-cs2voOYdZp4vmsMKPhcow4ssR0FvyCMJUhQstn9tI6Sor-GdZKsziRjfohpR2lC_pQE_dQgkzD0z77NN5zzPsL8JA2tagInJrTuexqMfIRZlIX6HNbeYfExxkziquw"
    }
  }, 
  "protected": "eyJub25jZSI6ICIyWlRHdGtHNDRBS0FERHNBUExaN0lnX0EzSFZBSEpRaUF0T280ZE02dmgwIn0", 
  "payload": "ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwgCiAgICAidmFsdWUiOiAibWFpbC50aGViZXN0cGxhY2Uub3ZoIgogIH0sIAogICJyZXNvdXJjZSI6ICJuZXctYXV0aHoiCn0", 
  "signature": "WoXTpJFoUE31PrgNAfru5k0CpfwfWnMuA1pW0DbPqp4fUFhXB6YUDPjiFz_ulOcnDTQ6LeBZg44afu6oCAPWM-ACfNQH76iBzhTvdDfhm6tUmJ53S2RFzMTsAIPtHeChVc4kzpFqTRIFaqTtbx4fQcAXMfNZyH2t5Uiv1utLTJBx40U9096L18-SfsX5ugh5ItFvRQc1yoVa_HdZ6TSV_N3QrCsn4LMNKt35STSm5aYXVK8PZFnKhbOLKJcQsC_etbBWLJPJb9NRZySHmXaXmfIALG8fFQJqTsniYZf_rRKhvka0WAj1dtitPaR4Q-v9M_Nh3AoNeymSC9hVLSXpVw"
}
2017-05-11 18:44:59,018:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 201 1009
2017-05-11 18:44:59,020:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1009
Boulder-Request-Id: 9waViuadzuY3h4PkVYDQrrwXIr27-RdnCYl04hv8vnM
Boulder-Requester: 14108585
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/TjAvc1p938UJSViOv0-4DsOeRq0myNEr3XhxadmENrU
Replay-Nonce: I6Z2rq5XmXv_hIXPwJbnWqXFT2Ye6FlM6qFqOv9aDEI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 11 May 2017 18:44:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 11 May 2017 18:44:55 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "mail.thebestplace.ovh"
  },
  "status": "pending",
  "expires": "2017-05-18T18:44:55.239743072Z",
  "challenges": [
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/TjAvc1p938UJSViOv0-4DsOeRq0myNEr3XhxadmENrU/1160494904",
      "token": "OxQIE3uXns0WWzPZoszf8GRWoAnjtYjGhJHmQQDxBmo"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/TjAvc1p938UJSViOv0-4DsOeRq0myNEr3XhxadmENrU/1160494905",
      "token": "8uLakEmvO34ffF6pJERFkosX88pMqy9aqsR2T9ZPfyo"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/TjAvc1p938UJSViOv0-4DsOeRq0myNEr3XhxadmENrU/1160494906",
      "token": "Ea5HjZcSd7yZmyIqy3AlHeBGRasjWyfIb-h1NGiyp1M"
    }
  ],
  "combinations": [
    [
      1
    ],
    [
      2
    ],
    [
      0
    ]
  ]
}
2017-05-11 18:44:59,020:DEBUG:acme.client:Storing nonce: I6Z2rq5XmXv_hIXPwJbnWqXFT2Ye6FlM6qFqOv9aDEI
2017-05-11 18:44:59,023:INFO:certbot.auth_handler:Performing the following challenges:
2017-05-11 18:44:59,024:INFO:certbot.auth_handler:tls-sni-01 challenge for mail.thebestplace.ovh
2017-05-11 18:45:00,240:DEBUG:certbot_apache.tls_sni_01:Adding Include /etc/apache2/le_tls_sni_01_cert_challenge.conf to /files/etc/apache2/apache2.conf
2017-05-11 18:45:00,242:DEBUG:certbot_apache.tls_sni_01:writing a config file with text:
 <IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName 2d9485f9b6a57689605d10fd35433fcb.ab88c63566760027f5417fd4d032fc69.acme.invalid
    UseCanonicalName on
    SSLStrictSNIVHostCheck on

    LimitRequestBody 1048576

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /var/lib/letsencrypt/OxQIE3uXns0WWzPZoszf8GRWoAnjtYjGhJHmQQDxBmo.crt
    SSLCertificateKeyFile /var/lib/letsencrypt/OxQIE3uXns0WWzPZoszf8GRWoAnjtYjGhJHmQQDxBmo.pem

    DocumentRoot /var/lib/letsencrypt/tls_sni_01_page/
</VirtualHost>

</IfModule>

2017-05-11 18:45:00,302:DEBUG:certbot.reverter:Creating backup of /etc/apache2/apache2.conf
2017-05-11 18:45:03,722:INFO:certbot.auth_handler:Waiting for verification...
2017-05-11 18:45:03,723:DEBUG:acme.client:JWS payload:
{
  "keyAuthorization": "OxQIE3uXns0WWzPZoszf8GRWoAnjtYjGhJHmQQDxBmo.toR2333-OiMJaHacIxHHz3ujGr_tDdrEM5jOR_UeNjQ", 
  "type": "tls-sni-01", 
  "resource": "challenge"
}
2017-05-11 18:45:03,742:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/TjAvc1p938UJSViOv0-4DsOeRq0myNEr3XhxadmENrU/1160494904:
{
  "header": {
    "alg": "RS256", 
    "jwk": {
      "e": "AQAB", 
      "kty": "RSA", 
      "n": "1T3gaND00JUaZUzByRj5N926Zdgi-woJgigmPLrSYE720zcG_8VVfxobLdeBkQ-OIIfwjND4Q91bD8n1UsGZz6Du-ukkoe3aCrvrw5rB0A3eCkRcTPRINBZcLkhgCClMVwSDXOQ5fjA0DaW_6c5TWcdzxm3AAt8V_XjX_d0cWV54KWhTUxc4BMxjvy9PBraD0JLl-zwBtUog380vuYUUuVe-cs2voOYdZp4vmsMKPhcow4ssR0FvyCMJUhQstn9tI6Sor-GdZKsziRjfohpR2lC_pQE_dQgkzD0z77NN5zzPsL8JA2tagInJrTuexqMfIRZlIX6HNbeYfExxkziquw"
    }
  }, 
  "protected": "eyJub25jZSI6ICJJNloycnE1WG1Ydl9oSVhQd0pibldxWEZUMlllNkZsTTZxRnFPdjlhREVJIn0", 
  "payload": "ewogICJrZXlBdXRob3JpemF0aW9uIjogIk94UUlFM3VYbnMwV1d6UFpvc3pmOEdSV29Bbmp0WWpHaEpIbVFRRHhCbW8udG9SMjMzMy1PaU1KYUhhY0l4SEh6M3VqR3JfdERkckVNNWpPUl9VZU5qUSIsIAogICJ0eXBlIjogInRscy1zbmktMDEiLCAKICAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIgp9", 
  "signature": "Scffkld08aapteyFXsnJ8aS0_pVZAJ52TEkahgLKJAd-yI2LxxMiMZ4FTD-7u7N97dPrZYZVz87dBszYrxImFAHwHRWUjodnnuu_nU98fqms_YRKnoe-RFK1YzXSuLaB9d3GlTcRZifwa-M1jQ7LjF0R4B0zOr1z5yx1yNDo_VQKnn7Qnm6ydkLiFTsp1Li2uCHTm95TTNTK2CwIGdg6bY1nTaVAH2wYTPDiwApQi6T0GI_twjpN1WUp64-cqYXzMtcIo69v47WpnNjzoQjJ1OS0JduzXwgEcRM_pcn73LzP_1a8xlzJcB02v-wPli0FjkVhJdIXf5GySVnpbukK4A"
}
2017-05-11 18:45:04,006:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/challenge/TjAvc1p938UJSViOv0-4DsOeRq0myNEr3XhxadmENrU/1160494904 HTTP/1.1" 202 339
2017-05-11 18:45:04,009:DEBUG:acme.client:Received response:
HTTP 202
Server: nginx
Content-Type: application/json
Content-Length: 339
Boulder-Request-Id: qK5KIaeDv51YZEWz9645Al0ZTQZqTDaAMRfRHV3xVaI
Boulder-Requester: 14108585
Link: <https://acme-v01.api.letsencrypt.org/acme/authz/TjAvc1p938UJSViOv0-4DsOeRq0myNEr3XhxadmENrU>;rel="up"
Location: https://acme-v01.api.letsencrypt.org/acme/challenge/TjAvc1p938UJSViOv0-4DsOeRq0myNEr3XhxadmENrU/1160494904
Replay-Nonce: z_pGyDOZB2rS2C0KIJrqnlSgl_uRQExmvwi68cliiLE
Expires: Thu, 11 May 2017 18:45:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 11 May 2017 18:45:00 GMT
Connection: keep-alive

{
  "type": "tls-sni-01",
  "status": "pending",
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/TjAvc1p938UJSViOv0-4DsOeRq0myNEr3XhxadmENrU/1160494904",
  "token": "OxQIE3uXns0WWzPZoszf8GRWoAnjtYjGhJHmQQDxBmo",
  "keyAuthorization": "OxQIE3uXns0WWzPZoszf8GRWoAnjtYjGhJHmQQDxBmo.toR2333-OiMJaHacIxHHz3ujGr_tDdrEM5jOR_UeNjQ"
}
2017-05-11 18:45:04,009:DEBUG:acme.client:Storing nonce: z_pGyDOZB2rS2C0KIJrqnlSgl_uRQExmvwi68cliiLE
2017-05-11 18:45:07,013:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/TjAvc1p938UJSViOv0-4DsOeRq0myNEr3XhxadmENrU.
2017-05-11 18:45:07,600:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/TjAvc1p938UJSViOv0-4DsOeRq0myNEr3XhxadmENrU HTTP/1.1" 200 1603
2017-05-11 18:45:07,602:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1603
Boulder-Request-Id: 1ClB3-fdIFGwvKBDKlMbJy6lDBLkl77lzXhl9qQD73Q
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Replay-Nonce: F7EiV_rVDkaV2bPcApUutTYYDdAQkZhKjLnm5ONAxIA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 11 May 2017 18:45:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 11 May 2017 18:45:03 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "mail.thebestplace.ovh"
  },
  "status": "invalid",
  "expires": "2017-05-18T18:44:55Z",
  "challenges": [
    {
      "type": "tls-sni-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:malformed",
        "detail": "Failed to connect to 109.25.226.10:443 for tls-sni-01 challenge: Server only speaks HTTP, not TLS",
        "status": 400
      },
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/TjAvc1p938UJSViOv0-4DsOeRq0myNEr3XhxadmENrU/1160494904",
      "token": "OxQIE3uXns0WWzPZoszf8GRWoAnjtYjGhJHmQQDxBmo",
      "keyAuthorization": "OxQIE3uXns0WWzPZoszf8GRWoAnjtYjGhJHmQQDxBmo.toR2333-OiMJaHacIxHHz3ujGr_tDdrEM5jOR_UeNjQ",
      "validationRecord": [
        {
          "hostname": "mail.thebestplace.ovh",
          "port": "443",
          "addressesResolved": [
            "109.25.226.10"
          ],
          "addressUsed": "109.25.226.10",
          "addressesTried": []
        }
      ]
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/TjAvc1p938UJSViOv0-4DsOeRq0myNEr3XhxadmENrU/1160494905",
      "token": "8uLakEmvO34ffF6pJERFkosX88pMqy9aqsR2T9ZPfyo"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/TjAvc1p938UJSViOv0-4DsOeRq0myNEr3XhxadmENrU/1160494906",
      "token": "Ea5HjZcSd7yZmyIqy3AlHeBGRasjWyfIb-h1NGiyp1M"
    }
  ],
  "combinations": [
    [
      1
    ],
    [
      2
    ],
    [
      0
    ]
  ]
}
2017-05-11 18:45:07,606:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: mail.thebestplace.ovh
Type:   malformed
Detail: Failed to connect to 109.25.226.10:443 for tls-sni-01 challenge: Server only speaks HTTP, not TLS

To fix these errors, please make sure that you did not provide any invalid information to the client, and try running Certbot again.
2017-05-11 18:45:07,607:INFO:certbot.auth_handler:Cleaning up challenges
2017-05-11 18:45:08,324:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.10.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 849, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 575, in run
    action, lineage = _auth_from_available(le_client, config, domains, certname)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 107, in _auth_from_available
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 291, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 262, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 77, in get_authorizations
    self._respond(resp, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 134, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 198, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. mail.thebestplace.ovh (tls-sni-01): urn:acme:error:malformed :: The request message was malformed :: Failed to connect to 109.25.226.10:443 for tls-sni-01 challenge: Server only speaks HTTP, not TLS

@schoen

I downloaded certbot-auto. I didn’t know what to do with it, so I ran sudo certbot-auto --apache -d mail.thebestplace.ovh. After the install of a lot of new packages, the error message has changed:

Failed authorization procedure. mail.thebestplace.ovh (tls-sni-01): urn:acme:error:malformed :: The request message was malformed :: Failed to connect to 109.25.226.10:443 for tls-sni-01 challenge: Server only speaks HTTP, not TLS

I don’t understand why the server only speaks HTTP. I have just split my conf files to have one virtual host per conf file.

This is in fact true on your web site right now! https://thebestplace.ovh/ fails for this reason while http://thebestplace.ovh:443/ works. (http://thebestplace.ovh/ works but then redirects to https://thebestplace.ovh/, which fails.) That is a server misconfiguration probably not directly caused by Certbot.
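The check described in the reply above (does port 443 answer TLS at all, and if so, which names does the presented certificate carry) can be done from the command line rather than a browser. The following is an added example, not code from the thread; `probe()` needs network access, while `classify_response()` works on captured bytes and is what a test can exercise offline. The sample byte strings in the test are constructed.

```python
"""Probe host:port to tell whether it speaks TLS or plain HTTP, and report the
DNS names on the certificate it presents. Added example, not from the thread."""
import socket
import ssl
import sys


def classify_response(data):
    """Classify the first bytes a server sends back on a connection.
    A TLS server answers a client's first bytes with a handshake record
    (0x16) or an alert record (0x15), both with major version 3; a plain
    HTTP server answers a request (or our garbage) with an HTTP status line."""
    if not data:
        return "closed"
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls"
    if data.startswith(b"HTTP/"):
        return "http"
    return "unknown"


def peek_response(host, port, timeout=5.0, nbytes=64):
    """Send a minimal plaintext HTTP request and return the first reply bytes.
    A TLS-only port replies with a TLS alert; a plaintext port with HTTP."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode("idna"))
        try:
            return s.recv(nbytes)
        except socket.timeout:
            return b""


def probe(host, port=443, timeout=5.0):
    """Return a dict describing what host:port speaks (network required)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return {"speaks": "tls", "verified": True, "names": names}
    except ssl.SSLCertVerificationError as e:
        # Handshake happened, so the port does speak TLS; the certificate just
        # does not validate for this name (the mail.thebestplace.ovh symptom).
        return {"speaks": "tls", "verified": False, "names": [],
                "detail": e.verify_message}
    except ssl.SSLError as e:
        # No TLS handshake at all: look at what the port actually says.
        return {"speaks": classify_response(peek_response(host, port, timeout)),
                "verified": False, "names": [], "detail": str(e.reason)}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "thebestplace.ovh"
    print(probe(target))
```

For the state the thread describes, `probe("thebestplace.ovh")` would report `speaks: "http"` (Apache answering the ClientHello with an HTTP 400), which is exactly what the validator's "Server only speaks HTTP, not TLS" message means; after the fix it reports `speaks: "tls"` with the certificate's DNS names, which is also what the earlier "first certificate had names" message was complaining about.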

So, if I understand correctly, I have a problem with my virtual hosts. It doesn’t work since I split my conf file into two separate files.

I will revert my conf files to what they were in the first post (access to https://thebestplace.ovh was working), and I will tell you if the update of certbot has changed something.

I went back to my previous configuration of virtual hosts (as in the first post). https://thebestplace.ovh works fine. https://mail.thebestplace.ovh shows a certificate error.

I ran sudo ./certbot-auto --apache -d mail.thebestplace.ovh, and it works! The certificate is created. I got this error: Cannot find a cert or key directive in /files/etc/apache2/sites-available/thebestplace.ovh.conf/VirtualHost[4]. VirtualHost was not modified, but I modified my virtual host to link to the “mail” certificate, and the mail subdomain now works fine.

So the solution was to use certbot-auto rather than certbot to generate the certificate, as @schoen said.

Thank you for the time you spent on my problem.
