Problem with certbot: Incorrect validation certificate for tls-sni-01 challenge


#1

Hey everyone. I’m having a bit of trouble getting a certificate for one of my client’s domains… I’ve managed to secure them with my other two domains, but this one is having trouble. I’m using nginx for it. I’ll include the details below.

My domain is: irisfryer.com

I ran this command: sudo certbot --nginx -d irisfryer.com -d www.irisfryer.com

It produced this output: IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.irisfryer.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    134a61bf4750d83c14fb20dd3d8198a1.41723fa8afd0caf12b8ae2c20f91cf74.acme.invalid
    from [2604:a880:cad:d0::8dc:4001]:443. Received 2 certificate(s),
    first certificate had names “bearcloudgames.com,
    bearcloudstudios.com, www.bearcloudgames.com,
    www.bearcloudstudios.com

    Domain: irisfryer.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    e96ea38de9985fbbb6d587f16b27734b.e5e772b71887654504de0eedb3ff2236.acme.invalid
    from [2604:a880:cad:d0::8dc:4001]:443. Received 2 certificate(s),
    first certificate had names “bearcloudgames.com,
    bearcloudstudios.com, www.bearcloudgames.com,
    www.bearcloudstudios.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version):nginx/1.10.3

The operating system my web server runs on is (include version):Ubuntu 16.04

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Additional notes: bearcloudgames.com is one of my other domains, which has the certificate no problem. My server block for irisfryer.com is here:

server {
listen 80;

root /var/www/html;
index index.php index.html index.htm index.nginx-debian.html;

server_name irisfryer.com www.irisfryer.com;

location / {
    try_files $uri $uri/ =404;
}

location ~ .php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}

location ~ /\.ht {
    deny all;
}

}


#2

Hi @Uldrendan,

I’ve seen a slight increase in this error recently and I’m not really sure what could be causing it. Two relevant thoughts:

(1) What version of Certbot are you running? Is it recent?
(2) Is it possible that you have separate IPv6 and IPv4 server blocks anywhere in your configuration for the same hostname, rather than a single server block that listens in both IPv4 and IPv6?


#3
  1. I think it’s the most recent… when I check it’s giving me 0.25.0 for Ubuntu 16.04.

  2. I’m a little new to web hosting, so I’m not sure. However, I’ve checked all my enabled and available server blocks and that’s the only one using that server name. I don’t know if it would be helpful to post the other server blocks that I have (they are not having any issues with their certificates though). Are there any logs I can add to the topic that might assist?


#4

Sure, it would be great to see your nginx configuration and also the Certbot log from /var/log/letsencrypt.


#5

Sure thing. My nginx.conf:

And my nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
worker_connections 768;
# multi_accept on;
}

http {

##
# Basic Settings
##

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;

# server_names_hash_bucket_size 64;
# server_name_in_redirect off;

include /etc/nginx/mime.types;
default_type application/octet-stream;

##
# SSL Settings
##

ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;

##
# Logging Settings
##

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

##
# Gzip Settings
##

gzip on;
gzip_disable "msie6";

# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

##
# Virtual Host Configs
##

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;

}

#mail {

# See sample authentication script at:

# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript

# auth_http localhost/auth.php;

# pop3_capabilities “TOP” “USER”;

# imap_capabilities “IMAP4rev1” “UIDPLUS”;

server {

listen localhost:110;

protocol pop3;

proxy on;

}

server {

listen localhost:143;

protocol imap;

proxy on;

}

#}


#6

Having trouble attaching files or just dumping the text, so I’ll link to letsencrypt.log

https://dumptext.com/YY93YL6h


#7

Hi,

It looks fine to me though…

However, the thing I notice is you have IPV6 configured (and I use IPV6), but Nginx isn’t serving the right content to me via IPV6 (also no listening in v6 too)

Which might be the issue when certbot modify vHost…

Thank you


#8

Huh, okay. Is that a configuration with nginx do you think?


#9

Probably! Unfortunately you posted an incomplete version of your nginx configuration earlier so it’s hard to identify the exact mechanism of the problem.

You can use nginx -T to get a full dump of the config, including all includes.


#10

Hi,

Can you check if there’s a config that listen to 80?

(It’s not the nginx.conf, might be in a include folder)

Just add the following link to corresponding config pls.

Please add listen [::]:80; in the next line of listen 80;
Please add listen [::]:443; after line of listen 443;

Hope this will resolve the issue. :slight_smile:


#12

Woops! My bad. Here is the dump from that command:

https://dumptext.com/XaJq638E


#13

Thanks!

@stevenzhu is right. You should add in the server blocks for irisfryer.com:

listen [::]:80;
listen [::]:443;

so that the server blocks for irisfryer.com match those of your other domains.

Once you’ve done that, reload nginx, and try renew:

certbot renew --cert-name irisfryer.com --preferred-challenges http

#14

Update, all working now. Thanks for the tip @stevenzhu


#15

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.