Renew error: Incorrect validation certificate for tls-sni-01 challenge. Received 2 certificate(s), first certificate had names "biszumbitterenen.de"

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
biszumbitterenen.de

I ran this command:
certbot -q renew --force-renewal --tls-sni-01-port=8888

It produced this output:
Incorrect validation certificate for tls-sni-01 challenge. Requested fc5f879919219332cd8395e363622cfa.23d9092c0b3cfa776c5728418bce4822.acme.invalid from 78.94.230.158:443. Received 2 certificate(s), first certificate had names "biszumbitterenen.de"

My web server is (include version):
HA-Proxy version 1.7.9 2017/08/18

The operating system my web server runs on is (include version):
Alpine Linux 3.7

My hosting provider, if applicable, is:
n/a

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
n/a

I want to renew any of my domains, e.g. www.biszumbitterenen.de, mail.biszumbitterenen.de.
Every single domain has a DNS A/AAAA record pointing to the same IP.
I have only 1 static IP and therefore I use a reverse proxy (HAProxy) to access any subdomain.

I was not expecting an error with renew considering this setup because creation finished w/o errors.

Any advice for solving this error is appreciated.

THX

This tells Certbot to answer the TLS-SNI challenge on port 8888, but Let's Encrypt will try to validate that challenge on port 443, so the validation will fail. You should remove this flag. That may result in a permission denied error if HAProxy is already listening on that port. There are various options to address that, but while you're here you should read this: What you need to know about TLS-SNI validation issues.

My recommendation is that as long as you're spending some time updating your config, you should update it to work with the HTTP-01 or DNS-01 challenge.

I'm using the same option when creating certificates.
I don’t understand why this fails when renewing certificates.

There’s a good guide explaining this.

Unfortunately the section of the guide regarding renewal seems to be inaccurate.

If you obtained the certificates originally using this guide, then I think you should be able to renew them with something like

certbot renew --preferred-challenges http-01

I also don’t agree with the suggestion to use --force-renewal and only run once a month. The more usual process of running certbot renew twice a day is intended to allow the automated renewals to recover from any temporary failures.

However, if you want to do that, I’d recommend a few other changes as well.

I would create a script like the following and make it executable:

#!/usr/bin/env bash
set -eu

# certbot runs this as a --deploy-hook and exports RENEWED_LINEAGE,
# e.g. /etc/letsencrypt/live/example.com
[ $# -eq 1 ] || { echo "usage: $0 /path/to/combined.pem" >&2; exit 1; }

# Concatenate cert chain and key to the specified file, never world-readable:
(umask 077; cat "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem" > "$1")

# Reload HAProxy so it picks up the new certificate
service haproxy reload

Let’s say you save that as /usr/local/bin/haproxy-deploy.sh. Then run the certbot certonly command again to renew each certificate individually and change its renewal parameters:

sudo certbot certonly --standalone -d example.com \
  --preferred-challenges http-01 --http-01-port=8888 \
  --deploy-hook "/usr/local/bin/haproxy-deploy.sh /etc/ssl/example.com/example.com.pem"

replacing the path to the pem file with the one you’re actually using in haproxy.

Once you’ve successfully renewed your certs once with that command, a simple certbot renew should suffice in the future, and you can safely let certbot’s default twice-daily cron job or systemd timer handle it.
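A fuller version of that deploy hook, as an added example that is not the script from the reply above and not certbot's or HAProxy's own code: it derives the output path from the lineage name instead of taking it on the command line (so one hook serves every certificate), writes the combined file under a temporary name with mode 0600 and renames it into place so HAProxy never reads a half-written file and the private key is never briefly world-readable, and refuses to reload HAProxy if `haproxy -c` rejects the configuration. The layout `/etc/ssl/<lineage>/<lineage>.pem`, the config path and the reload command are assumptions and can be overridden through the environment variables at the top.

```bash
#!/usr/bin/env bash
# Added example, not the script from the reply above or certbot's own code.
# certbot invokes a --deploy-hook once per renewed lineage and exports
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) and RENEWED_DOMAINS.
# Assumed layout (override via environment): HAProxy reads
# $HAPROXY_CERT_DIR/<lineage>/<lineage>.pem, config lives at $HAPROXY_CFG.
set -eu

HAPROXY_CERT_DIR="${HAPROXY_CERT_DIR:-/etc/ssl}"
HAPROXY_CFG="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}"
HAPROXY_RELOAD="${HAPROXY_RELOAD:-service haproxy reload}"

# build_haproxy_pem LINEAGE_DIR OUT: write fullchain.pem + privkey.pem to OUT.
# The file is created 0600 under a temporary name and renamed into place, so
# HAProxy never sees a half-written file and the key is never world-readable.
build_haproxy_pem() {
    local lineage="$1" out="$2" tmp
    if [ ! -r "$lineage/fullchain.pem" ] || [ ! -r "$lineage/privkey.pem" ]; then
        echo "build_haproxy_pem: fullchain.pem or privkey.pem missing in $lineage" >&2
        return 1
    fi
    tmp="$(mktemp "$(dirname "$out")/.pem.XXXXXX")"   # mktemp creates it 0600
    cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp"
    chmod 0600 "$tmp"
    mv -f "$tmp" "$out"
}

# deploy_renewed LINEAGE_DIR: derive the output path from the lineage name
# (certbot names the lineage after the first -d domain) and build the file.
# Prints the path that was written.
deploy_renewed() {
    local lineage="$1" name out
    name="$(basename "$lineage")"
    out="$HAPROXY_CERT_DIR/$name/$name.pem"
    mkdir -p "$(dirname "$out")"
    build_haproxy_pem "$lineage" "$out"
    echo "$out"
}

# reload_haproxy: validate the configuration first so a bad cert file cannot
# take the proxy down; only then run the (deliberately unquoted) reload command.
reload_haproxy() {
    haproxy -c -q -f "$HAPROXY_CFG"
    $HAPROXY_RELOAD
}

# Only act when certbot is actually calling us as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_renewed "$RENEWED_LINEAGE"
    reload_haproxy
fi
```

Install it as the `--deploy-hook` without an argument (`--deploy-hook /usr/local/bin/haproxy-deploy.sh`); because the deploy step only runs when `RENEWED_LINEAGE` is set, the file can also be sourced in a shell to exercise `build_haproxy_pem` against a scratch directory before trusting it with a real renewal.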
