Received 1 certificate(s), first certificate had names "localhost"

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: clilime.com

I ran this command: certbot --staging --standalone certonly --preferred-challenges tls-sni

It produced this output: certbot --staging --standalone certonly --preferred-challenges tls-sni
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel):clilime.com www.clilime.com
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for clilime.com
tls-sni-01 challenge for www.clilime.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. clilime.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested b07a3135a202151914d59a27c6edc309.d789997d2571422fd76871be986d0c9f.acme.invalid from 130.204.138.26:443. Received 1 certificate(s), first certificate had names "localhost", www.clilime.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested b80be39318dd965cd7a08757e4705c1f.2a865c01005741f503940416d08cca2f.acme.invalid from 130.204.138.26:443. Received 1 certificate(s), first certificate had names "localhost"

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: clilime.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    b07a3135a202151914d59a27c6edc309.d789997d2571422fd76871be986d0c9f.acme.invalid
    from 130.204.138.26:443. Received 1 certificate(s), first
    certificate had names "localhost"

    Domain: www.clilime.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    b80be39318dd965cd7a08757e4705c1f.2a865c01005741f503940416d08cca2f.acme.invalid
    from 130.204.138.26:443. Received 1 certificate(s), first
    certificate had names "localhost"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): No web server, hence the standalone and certonly. It's meant for an app server.

The operating system my web server runs on is (include version): Debian 9

My hosting provider, if applicable, is: godaddy

I can login to a root shell on my machine (yes or no, or I don't know): yes, running as root from a virtual machine

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hi @hr_sto

You should double-check it because you have a WildFly server listening on ports 80 & 443.

$ curl -IkL http://clilime.com
HTTP/1.1 200 OK
Connection: keep-alive
X-Powered-By: Undertow/1
Set-Cookie: JSESSIONID="A0r_hsHujrAoIxo8vFwVFSH1MMZKlDSGUl_20vr8.master:cms"; Version=1; Path=/
Server: WildFly/11
Content-Length: 606
Date: Tue, 17 Oct 2017 14:11:55 GMT

$ curl -IkL https://clilime.com
HTTP/2 200
x-powered-by: Undertow/1
set-cookie: JSESSIONID="rz2rmYmS2emdV7k65rl64axyqzuxhFCsDbJlWBIT.master:cms"; Version=1; Path=/
server: WildFly/11
content-length: 606
date: Tue, 17 Oct 2017 14:09:08 GMT

And yes, it is serving a self-signed certificate covering the localhost domain:

$ echo | openssl s_client -connect clilime.com:443  -servername clilime.com
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
---
Certificate chain
 0 s:/CN=localhost
   i:/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/CN=localhost
issuer=/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1168 bytes and written 322 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 59E60F31D8988364E9921D6C73B01234C277BB5838F35C0A9DCE49C26345A7E5
    Session-ID-ctx:
    Master-Key: DC898649BDE3256E2C88615618B0B63F7E6D2EB6E182DE1D73E23FC6B9EEC18D715F6CED6D01D9B1D1F757DAE3EA1F52
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1508249393
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
---
DONE

So, certbot can't bind to port 443 to serve the TLS-SNI-01 challenge because WildFly is already listening on this port. If you want to use standalone mode you should stop the WildFly server first.

Cheers,
sahsanu
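The two checks sahsanu ran by hand above (what answers on port 443 at the public address, and which names are on the certificate it presents) as a reusable pre-flight script for `certbot --standalone`. This is an added example, not code from the thread or from certbot; it assumes bash, openssl (1.0.2 or newer) and iproute2's `ss` are installed, and the function names (`cert_names_from_text`, `served_cert_names`, `covers_name`, `local_listeners`, `preflight`) are the example's own. It also lists local listeners on :80/:443, which the thread did not show, since a daemon already bound there is the other common reason a standalone validation never reaches certbot:

```shell
#!/usr/bin/env bash
# Added pre-flight check for `certbot --standalone` (example code, not from the
# thread or from certbot). Before asking the CA to validate, answer two questions:
# what is listening locally on :80/:443, and which names are on the certificate
# that the public address actually serves for a given SNI name.
# Assumes bash, openssl (1.0.2+) and iproute2's `ss`.

# Read `openssl x509 -noout -text` output on stdin and print the subject CN
# followed by every DNS: entry of the Subject Alternative Name extension, one
# name per line, duplicates removed. Handles both the "CN = localhost"
# (OpenSSL 1.1+) and "CN=localhost" (OpenSSL 1.0) subject spellings.
cert_names_from_text() {
  awk '
    /^ *Subject:/ {
      if (match($0, "CN *= *[^,/]+")) {
        cn = substr($0, RSTART, RLENGTH)
        sub(/^CN *= */, "", cn)
        sub(/ +$/, "", cn)
        print cn
      }
    }
    /X509v3 Subject Alternative Name/ { in_san = 1; next }
    in_san {
      n = split($0, parts, /, */)
      for (i = 1; i <= n; i++) {
        p = parts[i]
        gsub(/^ +| +$/, "", p)
        if (p ~ /^DNS:/) { sub(/^DNS:/, "", p); print p }
      }
      in_san = 0
    }
  ' | awk '!seen[$0]++'
}

# Print the names on the certificate that HOST:PORT presents when asked for the
# SNI name SNI (defaults: port 443, SNI = HOST). Point it at the public IP the
# CA reported, not at localhost, so any NAT or port redirection is included.
served_cert_names() {
  local host=$1 port=${2:-443} sni=${3:-$1}
  echo | openssl s_client -connect "$host:$port" -servername "$sni" 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null \
    | cert_names_from_text
}

# Succeed iff NAME is one of the names read on stdin (exact match only; a
# tls-sni-01 validation name must appear literally as a SAN).
covers_name() {
  grep -qxF -- "$1"
}

# Sockets bound to :80 or :443 on this machine; should print nothing on a host
# where certbot --standalone is about to bind.
local_listeners() {
  ss -ltnp '( sport = :80 or sport = :443 )' 2>/dev/null | tail -n +2
}

# Full pre-flight: DOMAIN is the name being validated, PUBLIC_IP the address the
# CA's error message reported (defaults to DOMAIN, i.e. whatever DNS resolves).
preflight() {
  local domain=$1 ip=${2:-$1} names
  echo "== local listeners on :80/:443 (expected: none)"
  local_listeners
  echo "== certificate served at $ip:443 for SNI $domain"
  names=$(served_cert_names "$ip" 443 "$domain")
  if [ -z "$names" ]; then
    echo "  (no certificate received: nothing answered, or not TLS)"
  else
    printf '%s\n' "$names" | sed 's/^/  /'
    if ! printf '%s\n' "$names" | covers_name "$domain"; then
      echo "  -> certificate is not for $domain: another service answered on $ip:443"
    fi
  fi
}

# Usage: preflight DOMAIN [PUBLIC_IP]; with no arguments the functions are only defined.
if [ "$#" -gt 0 ]; then
  preflight "$@"
fi
```

Run `preflight clilime.com 130.204.138.26` before `certbot --standalone`: a non-empty listener list means another daemon holds the port certbot needs, and a served certificate whose names do not include the domain (here, `localhost`) means the CA's connection to the public address reaches some other service, whether directly or through a port redirection, which is what the thread ended up finding.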

Kill me via crucifixion now. Yeah, WildFly and the port redirections were the problem. Why couldn't I see that?

OK, thank you very much.


Thank you for using staging to break in your systems :)
