Renew failed with "Received 2 certificate(s)"


#1

I have been using LE for some time already. I ran renew in February without any issue. I have not performed any apache / DNS changes for a year. Though when I ran renew yesterday it fails:

./letsencrypt-auto --version
certbot 0.13.0

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for lelimath.net
tls-sni-01 challenge for www.lelimath.net
tls-sni-01 challenge for literak.cz
tls-sni-01 challenge for www.literak.cz
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.literak.cz (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 44f32dbd205fa69ebcd617f28b80dfed.8c8afba300d3c2df25b201c53ea70f18.acme.invalid from 77.93.206.243:443. Received 2 certificate(s), first certificate had names “lelimath.net, literak.cz, www.lelimath.net, www.literak.cz

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.literak.cz
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested cd617f28b80dfed.8c8afba300d3c2df25b201c53ea70f18.acme.invalid
    from 77.93.206.243:443. Received 2 certificate(s), first
    certificate had names “lelimath.net, literak.cz, www.lelimath.net,
    www.literak.cz

I checked that all domains have A record matching my IP address.

I have googled this topic but most questions have no solution. Some state that multiple vhosts are not supported. But I was using LE successfully and there was no change in my system except downloading a fresh certbot client.

2017-02-05 12:55:30,362:DEBUG:certbot.main:certbot version: 0.11.1
Entry point: apache = certbot_apache.configurator:ApacheConfigurator
Initialized: <certbot_apache.configurator.ApacheConfigurator object at 0x7f900be26610>
2017-02-05 12:55:32,728:INFO:certbot.auth_handler:Performing the following challenges:
2017-02-05 12:55:32,728:INFO:certbot.auth_handler:tls-sni-01 challenge for www.lelimath.net
2017-02-05 12:55:32,728:INFO:certbot.auth_handler:tls-sni-01 challenge for lelimath.net
2017-02-05 12:55:32,729:INFO:certbot.auth_handler:tls-sni-01 challenge for literak.cz
2017-02-05 12:55:32,729:INFO:certbot.auth_handler:tls-sni-01 challenge for www.literak.cz
2017-02-05 12:55:34,095:DEBUG:certbot_apache.tls_sni_01:Adding Include /etc/apache2/le_tls_sni_01_cert_challenge.conf to /files/etc/apache2/apache2.conf
2017-02-05 12:55:34,096:DEBUG:certbot_apache.tls_sni_01:writing a config file with text:
2017-02-05 12:55:37,389:INFO:certbot.auth_handler:Waiting for verification…
2017-02-05 12:55:42,026:INFO:certbot.auth_handler:Cleaning up challenges
2017-02-05 12:55:42,668:INFO:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0003_key-certbot.pem
2017-02-05 12:55:43,186:DEBUG:certbot.storage:Writing new private key to /etc/letsencrypt/archive/www.literak.cz/privkey5.pem.
2017-02-05 12:55:43,186:DEBUG:certbot.storage:Writing certificate to /etc/letsencrypt/archive/www.literak.cz/cert5.pem.
2017-02-05 12:55:43,186:DEBUG:certbot.storage:Writing chain to /etc/letsencrypt/archive/www.literak.cz/chain5.pem.
2017-02-05 12:55:43,186:DEBUG:certbot.storage:Writing full chain to /etc/letsencrypt/archive/www.literak.cz/fullchain5.pem.
2017-02-05 12:55:45,620:DEBUG:certbot.storage:Writing new config /etc/letsencrypt/renewal/www.literak.cz.conf.new.
2017-02-05 12:55:45,867:DEBUG:certbot.renewal:no renewal failures

But today:

2017-04-17 08:24:07,761:DEBUG:certbot.main:certbot version: 0.13.0
2017-04-17 08:24:07,873:DEBUG:certbot_apache.configurator:Apache version is 2.4.10
2017-04-17 08:24:08,423:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
2017-04-17 08:24:34,942:DEBUG:certbot_apache.tls_sni_01:Adding Include /etc/apache2/le_tls_sni_01_cert_challenge.conf to /files/etc/apache2/apache2.conf
2017-04-17 08:24:34,943:DEBUG:certbot_apache.tls_sni_01:writing a config file with text:

<VirtualHost 77.93.206.243:443>

Domain: www.literak.cz
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge. Requested .8c8afba300d3c2df25b201c53ea70f18.acme.invalid from 77.93.206.243:4

Traceback (most recent call last):
File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in
sys.exit(main())
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 755, in main
return config.func(config, plugins)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 597, in run
certname, lineage)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 77, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/renewal.py", line 296, in renew_cert
new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 285, in obtain_certificate
self.config.allow_subset_of_names)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 81, in get_authorizations
FailedChallenges: Failed authorization procedure. www.literak.cz (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation

I can provide complete logs and apache configuration. Is there anything sensitive in the logs?
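The error above is the tls-sni-01 validator reporting that it connected to 77.93.206.243:443 with SNI set to the `<hash>.<hash>.acme.invalid` name and was handed the ordinary site certificate instead of certbot's temporary challenge certificate. The following added example (not from the thread, not certbot code) parses that error detail to make the mismatch explicit, and includes a live SNI probe equivalent to `openssl s_client -servername` for checking which leaf certificate Apache serves for a given name; the regex and function names are this example's own, and the live probe needs the third-party `cryptography` package.

```python
import re
import socket
import ssl

# Shape of the "Incorrect validation certificate" detail quoted above
# (the message is Let's Encrypt's; the regex is this example's own).
DETAIL_RE = re.compile(
    r"Requested (?P<sni>\S+\.acme\.invalid) from (?P<ip>[\d.]+):(?P<port>\d+)\. "
    r"Received (?P<count>\d+) certificate\(s\), first certificate had names "
    r"[\"“]?(?P<names>[^\"”]+)"
)

def parse_tls_sni_failure(detail):
    """What the validator asked for (SNI name, IP:port) and which names the
    first certificate it received actually carried; None if unrecognised."""
    m = DETAIL_RE.search(detail)
    if not m:
        return None
    names = [n.strip() for n in m.group("names").split(",") if n.strip()]
    return {"sni": m.group("sni"), "ip": m.group("ip"),
            "port": int(m.group("port")), "count": int(m.group("count")),
            "names": names}

def diagnose(detail):
    """tls-sni-01 expects the leaf served for SNI <Z1>.<Z2>.acme.invalid
    (Z1.Z2 = hex SHA-256 of the key authorization) to carry exactly that
    name; getting the production SANs back means Apache chose its default
    vhost for that IP:port instead of certbot's temporary challenge vhost."""
    info = parse_tls_sni_failure(detail)
    if info is None:
        return None
    info["challenge_cert_served"] = info["sni"] in info["names"]
    return info

def served_leaf_names(host, sni, port=443):
    """Live equivalent of `openssl s_client -servername SNI`: list the DNS
    names in the leaf certificate the server selects for that SNI. Verification
    is off because challenge certs are self-signed. Imports the third-party
    `cryptography` package lazily so the parsing above stays stdlib-only."""
    from cryptography import x509
    from cryptography.x509.oid import ExtensionOID
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
    cert = x509.load_der_x509_certificate(der)
    san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
    return san.value.get_values_for_type(x509.DNSName)
```

Running `diagnose()` over the detail text from the post reports `challenge_cert_served` as False with the four production names, which is the "multiple vhosts" symptom the other threads describe; `served_leaf_names()` lets you reproduce the check against your own host with any SNI value.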


#2

I tried the webroot method and it finished successfully. I had to restart apache manually to take the new certificate into effect.

./letsencrypt-auto certonly --webroot -w /var/www/wordpress/ -d www.literak.cz -w /var/www/wordpress/ -d literak.cz -w /usr/share/redmine/public -d www.lelimath.net -w /usr/share/redmine/public -d lelimath.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.literak.cz
http-01 challenge for literak.cz
http-01 challenge for www.lelimath.net
http-01 challenge for lelimath.net
Using the webroot path /usr/share/redmine/public for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0004_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0004_csr-certbot.pem

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/www.literak.cz/fullchain.pem. Your cert will expire on 2017-07-16. To obtain a new or tweaked version of this

#3

You can use --post-hook to execute a command after the client is done renewing the certificate.

Another option would be not to use certonly, but to specify the webroot plugin for authentication with -a webroot and use the apache plugin for installation with -i apache. The apache plugin will reload Apache automatically, so you won’t need to reload it with --post-hook.
