IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.paulbeard.org
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
08175ba7a90cf7c6383b718dcd515e20.26c75cf64cc1ae7c029e7e8f3130d55c.acme.invalid
from 73.225.76.58:443. Received 2 certificate(s), first certificate
had names "cloud.paulbeard.org, paulbeard.org, www.paulbeard.org"
Domain: cloud.paulbeard.org
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
45bf74bdca64a305975a75e4bd48c788.eff6ed0ad95ae8bec52ccfd3edc69b43.acme.invalid
from 73.225.76.58:443. Received 2 certificate(s), first certificate
had names "cloud.paulbeard.org, paulbeard.org, www.paulbeard.org"
Domain: paulbeard.org
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
7369f2dd7e09e7d5d31c6dec79894b89.291e4b2ea69102035ebce2988c5d1acd.acme.invalid
from 73.225.76.58:443. Received 2 certificate(s), first certificate
had names "cloud.paulbeard.org, paulbeard.org, www.paulbeard.org"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
This is what dig knows:
dig www.paulbeard.org any
; <<>> DiG 9.8.7 <<>> www.paulbeard.org any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28484
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.paulbeard.org. IN ANY
;; ANSWER SECTION:
www.paulbeard.org. 300 IN AAAA 2001:470:b:839:a00:27ff:fe5c:8bcb
www.paulbeard.org. 300 IN A 73.225.76.58
;; Query time: 323 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Mon Jan 01 17:44:35 PST 2018
;; MSG SIZE rcvd: 79
I’ve split this post into a new thread; the root cause is probably not exactly the same, so it’s easier to work on it separately.
Could you fill out the information below?
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Hm… How is that set up? Certbot is using the standalone authenticator, which means it listens on port 443 (by default), but Nginx is already listening on port 443. It should fail with an error or something.
Related, I’m not sure the standalone plugin works well on IPv6, especially if it’s an older version of Certbot, especially on FreeBSD. But it might be fine.
Bah. Looks like it works. It fails on the dry-run when it can’t use port 443. If I kill nginx, then run it, it works fine.
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for paulbeard.org
tls-sni-01 challenge for cloud.paulbeard.org
tls-sni-01 challenge for www.paulbeard.org
Waiting for verification...
Cleaning up challenges
-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)