Problem with certbot: Incorrect validation certificate for tls-sni-01 challenge


Hey everyone. I’m having a bit of trouble getting a certificate for one of my client’s domains… I’ve managed to secure them with my other two domains, but this one is having trouble. I’m using nginx for it. I’ll include the details below.

My domain is:

I ran this command: sudo certbot --nginx -d -d

It produced this output: IMPORTANT NOTES:

  • The following errors were reported by the server:

    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    from [2604:a880:cad:d0::8dc:4001]:443. Received 2 certificate(s),
    first certificate had names “,,,

    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    from [2604:a880:cad:d0::8dc:4001]:443. Received 2 certificate(s),
    first certificate had names “,,,

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version):nginx/1.10.3

The operating system my web server runs on is (include version):Ubuntu 16.04

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Additional notes: is one of my other domains, which has the certificate no problem. My server block for is here:

server {
listen 80;

root /var/www/html;
index index.php index.html index.htm index.nginx-debian.html;


location / {
    try_files $uri $uri/ =404;

location ~ .php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;

location ~ /\.ht {
    deny all;



Hi @Uldrendan,

I’ve seen a slight increase in this error recently and I’m not really sure what could be causing it. Two relevant thoughts:

(1) What version of Certbot are you running? Is it recent?
(2) Is it possible that you have separate IPv6 and IPv4 server blocks anywhere in your configuration for the same hostname, rather than a single server block that listens in both IPv4 and IPv6?

  1. I think it’s the most recent… when I check it’s giving me 0.25.0 for Ubuntu 16.04.

  2. I’m a little new to web hosting, so I’m not sure. However, I’ve checked all my enabled and available server blocks and that’s the only one using that server name. I don’t know if it would be helpful to post the other server blocks that I have (they are not having any issues with their certificates though). Are there any logs I can add to the topic that might assist?


Sure, it would be great to see your nginx configuration and also the Certbot log from /var/log/letsencrypt.


Sure thing. My nginx.conf:

And my nginx.conf:
user www-data;
worker_processes auto;
pid /run/;

events {
worker_connections 768;
# multi_accept on;

http {

# Basic Settings

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;

# server_names_hash_bucket_size 64;
# server_name_in_redirect off;

include /etc/nginx/mime.types;
default_type application/octet-stream;

# SSL Settings

ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;

# Logging Settings

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

# Gzip Settings

gzip on;
gzip_disable "msie6";

# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

# Virtual Host Configs

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;


#mail {

# See sample authentication script at:


# auth_http localhost/auth.php;

# pop3_capabilities “TOP” “USER”;

# imap_capabilities “IMAP4rev1” “UIDPLUS”;

server {

listen localhost:110;

protocol pop3;

proxy on;


server {

listen localhost:143;

protocol imap;

proxy on;




Having trouble attaching files or just dumping the text, so I’ll link to letsencrypt.log



It looks fine to me though…

However, the thing I notice is you have IPV6 configured (and I use IPV6), but Nginx isn’t serving the right content to me via IPV6 (also no listening in v6 too)

Which might be the issue when certbot modify vHost…

Thank you


Huh, okay. Is that a configuration with nginx do you think?


Probably! Unfortunately you posted an incomplete version of your nginx configuration earlier so it’s hard to identify the exact mechanism of the problem.

You can use nginx -T to get a full dump of the config, including all includes.



Can you check if there’s a config that listen to 80?

(It’s not the nginx.conf, might be in a include folder)

Just add the following link to corresponding config pls.

Please add listen [::]:80; in the next line of listen 80;
Please add listen [::]:443; after line of listen 443;

Hope this will resolve the issue. :slight_smile:


Woops! My bad. Here is the dump from that command:



@stevenzhu is right. You should add in the server blocks for

listen [::]:80;
listen [::]:443;

so that the server blocks for match those of your other domains.

Once you’ve done that, reload nginx, and try renew:

certbot renew --cert-name --preferred-challenges http


Update, all working now. Thanks for the tip @stevenzhu