Problem with renewal: Incorrect validation certificate for tls-sni-01 challenge

Also having a problem with renewal:

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.paulbeard.org
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   08175ba7a90cf7c6383b718dcd515e20.26c75cf64cc1ae7c029e7e8f3130d55c.acme.invalid
   from 73.225.76.58:443. Received 2 certificate(s), first certificate
   had names "cloud.paulbeard.org, paulbeard.org, www.paulbeard.org"

   Domain: cloud.paulbeard.org
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   45bf74bdca64a305975a75e4bd48c788.eff6ed0ad95ae8bec52ccfd3edc69b43.acme.invalid
   from 73.225.76.58:443. Received 2 certificate(s), first certificate
   had names "cloud.paulbeard.org, paulbeard.org, www.paulbeard.org"

   Domain: paulbeard.org
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   7369f2dd7e09e7d5d31c6dec79894b89.291e4b2ea69102035ebce2988c5d1acd.acme.invalid
   from 73.225.76.58:443. Received 2 certificate(s), first certificate
   had names "cloud.paulbeard.org, paulbeard.org, www.paulbeard.org"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

This is what dig knows:

dig www.paulbeard.org any 

; <<>> DiG 9.8.7 <<>> www.paulbeard.org any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28484
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.paulbeard.org.             IN      ANY

;; ANSWER SECTION:
www.paulbeard.org.      300     IN      AAAA    2001:470:b:839:a00:27ff:fe5c:8bcb
www.paulbeard.org.      300     IN      A       73.225.76.58

;; Query time: 323 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Mon Jan 01 17:44:35 PST 2018
;; MSG SIZE  rcvd: 79

Hi,

I’ve split this post into a new thread; the root cause is probably not exactly the same, so it’s easier to work on it separately. :slightly_smiling_face:

Could you fill out the information below?


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

No problem: I was wary of starting a new thread.

Hm… How is that set up? Certbot is using the standalone authenticator, which means it listens on port 443 (by default), but Nginx is already listening on port 443. It should fail with an error or something.

Related, I’m not sure the standalone plugin works well on IPv6, especially if it’s an older version of Certbot, especially on FreeBSD. But it might be fine.

I don’t know if IPv6 is the problem. I did verify that there are AAAA records but it’s not like it works and I can’t be bothered to figure it out.

Certbot should be up to date. The nginx plugin isn't there yet, but the standalone version has worked for quite some time.

I wrap it in a script:

more /usr/local/bin/certbot.sh
#!/usr/local/bin/bash
# Random 1..3599 s delay (jot -r 1 1 3599 prints one random integer in that range)
export INTERVAL=$(/usr/bin/jot -r 1 1 3599)
logger "certbot sleeping $INTERVAL seconds"
sleep "$INTERVAL"
# Free port 443 for the standalone authenticator; nginx stays down for the whole
# renew run, on every invocation, whether or not a certificate is actually due
/usr/sbin/service nginx stop
/usr/local/bin/certbot renew
/usr/sbin/service nginx start
logger "certbot renewal complete"

Bah. Looks like it works. It fails on the dry-run when it can’t use port 443. If I kill nginx, then run it, it works fine.

Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for paulbeard.org
tls-sni-01 challenge for cloud.paulbeard.org
tls-sni-01 challenge for www.paulbeard.org
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
