I have been using LE for some time already. I ran renew in February without any issue. I have not performed any Apache / DNS changes for a year. Though when I ran renew yesterday it failed:
./letsencrypt-auto --version
certbot 0.13.0
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for lelimath.net
tls-sni-01 challenge for www.lelimath.net
tls-sni-01 challenge for literak.cz
tls-sni-01 challenge for www.literak.cz
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.literak.cz (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 44f32dbd205fa69ebcd617f28b80dfed.8c8afba300d3c2df25b201c53ea70f18.acme.invalid from 77.93.206.243:443. Received 2 certificate(s), first certificate had names "lelimath.net, literak.cz, www.lelimath.net, www.literak.cz"
IMPORTANT NOTES:
 - The following errors were reported by the server:
Domain: www.literak.cz
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested cd617f28b80dfed.8c8afba300d3c2df25b201c53ea70f18.acme.invalid
from 77.93.206.243:443. Received 2 certificate(s), first
certificate had names "lelimath.net, literak.cz, www.lelimath.net,
www.literak.cz"
I checked that all domains have A record matching my IP address.
I have googled this topic but most questions have no solution. Some state that multiple vhosts are not supported. But I was using LE successfully and there was no change in my system except downloading the fresh certbot client.
2017-02-05 12:55:30,362:DEBUG:certbot.main:certbot version: 0.11.1
Entry point: apache = certbot_apache.configurator:ApacheConfigurator
Initialized: <certbot_apache.configurator.ApacheConfigurator object at 0x7f900be26610>
2017-02-05 12:55:32,728:INFO:certbot.auth_handler:Performing the following challenges:
2017-02-05 12:55:32,728:INFO:certbot.auth_handler:tls-sni-01 challenge for www.lelimath.net
2017-02-05 12:55:32,728:INFO:certbot.auth_handler:tls-sni-01 challenge for lelimath.net
2017-02-05 12:55:32,729:INFO:certbot.auth_handler:tls-sni-01 challenge for literak.cz
2017-02-05 12:55:32,729:INFO:certbot.auth_handler:tls-sni-01 challenge for www.literak.cz
2017-02-05 12:55:34,095:DEBUG:certbot_apache.tls_sni_01:Adding Include /etc/apache2/le_tls_sni_01_cert_challenge.conf to /files/etc/apache2/apache2.conf
2017-02-05 12:55:34,096:DEBUG:certbot_apache.tls_sni_01:writing a config file with text:
2017-02-05 12:55:37,389:INFO:certbot.auth_handler:Waiting for verification...
2017-02-05 12:55:42,026:INFO:certbot.auth_handler:Cleaning up challenges
2017-02-05 12:55:42,668:INFO:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0003_key-certbot.pem
2017-02-05 12:55:43,186:DEBUG:certbot.storage:Writing new private key to /etc/letsencrypt/archive/www.literak.cz/privkey5.pem.
2017-02-05 12:55:43,186:DEBUG:certbot.storage:Writing certificate to /etc/letsencrypt/archive/www.literak.cz/cert5.pem.
2017-02-05 12:55:43,186:DEBUG:certbot.storage:Writing chain to /etc/letsencrypt/archive/www.literak.cz/chain5.pem.
2017-02-05 12:55:43,186:DEBUG:certbot.storage:Writing full chain to /etc/letsencrypt/archive/www.literak.cz/fullchain5.pem.
2017-02-05 12:55:45,620:DEBUG:certbot.storage:Writing new config /etc/letsencrypt/renewal/www.literak.cz.conf.new.
2017-02-05 12:55:45,867:DEBUG:certbot.renewal:no renewal failures
But today:
2017-04-17 08:24:07,761:DEBUG:certbot.main:certbot version: 0.13.0
2017-04-17 08:24:07,873:DEBUG:certbot_apache.configurator:Apache version is 2.4.10
2017-04-17 08:24:08,423:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
2017-04-17 08:24:34,942:DEBUG:certbot_apache.tls_sni_01:Adding Include /etc/apache2/le_tls_sni_01_cert_challenge.conf to /files/etc/apache2/apache2.conf
2017-04-17 08:24:34,943:DEBUG:certbot_apache.tls_sni_01:writing a config file with text:
<VirtualHost 77.93.206.243:443>
Domain: www.literak.cz
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge. Requested .8c8afba300d3c2df25b201c53ea70f18.acme.invalid from 77.93.206.243:4
Traceback (most recent call last):
File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in
sys.exit(main())
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 755, in main
return config.func(config, plugins)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 597, in run
certname, lineage)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 77, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/renewal.py", line 296, in renew_cert
new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 285, in obtain_certificate
self.config.allow_subset_of_names)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 81, in get_authorizations
FailedChallenges: Failed authorization procedure. www.literak.cz (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation
I can provide complete logs and apache configuration. Is there anything sensitive in the logs?
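The error above says what the validator checked: it connected to 77.93.206.243:443 with the acme.invalid name as SNI and looked for that name in the certificate Apache presented. The following script is an added diagnostic (not part of the original post or of certbot) that reproduces that check with openssl so you can see which certificate your Apache returns for a given SNI name; the `probe` function and the sample SAN line are assumptions for illustration.

```shell
#!/bin/sh
# Added example: reproduce the tls-sni-01 validator's check locally.
# Connect with a chosen SNI name and list the DNS names of the certificate
# the server actually presents. Not from the original post.

# Extract DNS names from `openssl x509 -noout -text` output (the
# "X509v3 Subject Alternative Name" line), one name per line.
san_names() {
  tr ',' '\n' | sed -n 's/.*DNS:[[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Return 0 if the certificate text on stdin carries the requested name,
# i.e. the validator would have been satisfied; 1 otherwise.
challenge_served() {
  # $1 = name the validator requested via SNI (e.g. <token>.acme.invalid)
  san_names | grep -qxF -- "$1"
}

# Live probe: $1 = server IP, $2 = port, $3 = SNI name to request.
# Prints the DNS names of the first certificate the server sends.
probe() {
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null \
    | san_names
}

# Usage while a challenge is pending (run in a second terminal):
#   probe 77.93.206.243 443 <token>.acme.invalid
# If the output lists the production names (lelimath.net, literak.cz, ...)
# instead of the acme.invalid name, Apache served the default vhost rather
# than the temporary challenge vhost certbot wrote.
```

Compare the output with what you get for `probe 77.93.206.243 443 www.literak.cz`; the validator only accepts the acme.invalid name, so the production certificate showing up for the challenge SNI is exactly the failure in the log.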