Renew fails, tls-sni-01 challenge, how do I fix it?

certbot-auto renew fails.
https://115.68.27.104:443 is working well.
What is the problem? How do I fix it?

The log is below:

root@ubuntu:/home/ash84# ./certbot-auto --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?

1: ash84.net

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for ash84.net
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. ash84.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 1a2ad416196e61a755462be530666190.983a48b7f372cb1fd6c0e4ca4ab863f1.acme.invalid from 115.68.27.104:443. Received 2 certificate(s), first certificate had names “ash84.net

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: ash84.net
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    1a2ad416196e61a755462be530666190.983a48b7f372cb1fd6c0e4ca4ab863f1.acme.invalid
    from 115.68.27.104:443. Received 2 certificate(s), first
    certificate had names “ash84.net

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.


Not sure what the problem is - you might try upgrading the certbot client.
And since http is also allowed to your site, you might want to try
certbot-auto --webroot /path/to/your/web/files
instead of
certbot-auto --nginx.

Hi @AhnSeongHyun,

Do you know what command you originally used to obtain this certificate? Did you try ./certbot-auto renew for it?

Unfortunately, I don't think that will help in this case because certbot-auto does so automatically every time that it's run, differently from OS-packaged versions of Certbot.

The renew command raises an error about binding port 443.

But https://115.68.27.104:443 is working.

root@ubuntu:/home/ash84# ./certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/ash84.net.conf

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for ash84.net
Cleaning up challenges
Attempting to renew cert (ash84.net) from /etc/letsencrypt/renewal/ash84.net.conf produced an unexpected error: Problem binding to port 443: Could not bind to IPv4 or IPv6… Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ash84.net/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

Try:
certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"

@AhnSeongHyun, as I think @rg305 just deduced, it sounds like you use --standalone when you originally obtained the certificate! Do you know if you did that, and, if so, how you chose that method?

Could you please post the contents of the file /etc/letsencrypt/renewal/ash84.net.conf?

# renew_before_expiry = 30 days
version = 0.13.0
cert = /etc/letsencrypt/live/ash84.net/cert.pem
privkey = /etc/letsencrypt/live/ash84.net/privkey.pem
chain = /etc/letsencrypt/live/ash84.net/chain.pem
fullchain = /etc/letsencrypt/live/ash84.net/fullchain.pem
archive_dir = /etc/letsencrypt/archive/ash84.net

# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = None
account = 23c6261f42d37b9ac301ae5174906045

Thanks for posting it!

So, I would like to know how you chose to use --standalone. I don’t think it’s usually the best choice for most users.

@rg305 is right that you need to use something like

certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"

if you want to renew using this authentication method, because it conflicts with a running nginx process, since it wants to independently take over the use of port 443.

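The diagnosis above (a renewal config with `authenticator = standalone` will try to bind port 443 itself and collide with a running nginx) can be checked from the renewal file before running `certbot renew`. The following is an added example, not code from the thread or from Certbot; it embeds a constructed copy of the posted config (account id replaced by a placeholder) and recommends the hook-wrapped renew command only when the standalone authenticator is in use.

```shell
#!/bin/sh
# Constructed sample renewal config mirroring the one posted in the thread.
# Paths are illustrative; the account id is a placeholder, not a real value.
SAMPLE_CONF="${TMPDIR:-/tmp}/ash84.net.conf.example"
cat > "$SAMPLE_CONF" <<'EOF'
# renew_before_expiry = 30 days
version = 0.13.0
cert = /etc/letsencrypt/live/ash84.net/cert.pem
privkey = /etc/letsencrypt/live/ash84.net/privkey.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = None
account = PLACEHOLDER_ACCOUNT_ID
EOF

# Print the authenticator named in the [renewalparams] section of a
# renewal config, ignoring any keys that appear before that section.
renewal_authenticator() {
  awk -F'=' '
    /^\[renewalparams\]/ { in_section = 1; next }
    /^\[/                { in_section = 0 }
    in_section && $1 ~ /^[ \t]*authenticator[ \t]*$/ {
      gsub(/[ \t]/, "", $2); print $2; exit
    }' "$1"
}

# Recommend a renew invocation. The standalone authenticator needs port
# 443 free, so the web server must be stopped around the renewal via
# hooks; nginx/webroot/apache renew alongside the running server.
recommend_renew_cmd() {
  auth=$(renewal_authenticator "$1")
  case "$auth" in
    standalone)
      echo "certbot renew --pre-hook 'service nginx stop' --post-hook 'service nginx start'" ;;
    nginx|webroot|apache)
      echo "certbot renew" ;;
    *)
      echo "unknown authenticator '$auth'; inspect $1 manually" ;;
  esac
}

recommend_renew_cmd "$SAMPLE_CONF"
```

On a real host, point `recommend_renew_cmd` at `/etc/letsencrypt/renewal/<domain>.conf`; switching the authenticator to webroot or nginx, as suggested earlier in the thread, removes the need for the hooks entirely.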
