Renew fails due to incorrect validation (IP/DNS Issue?)

Hi,

I am using LE for a Nextcloud installation on my NAS at home. As dynamic DNS service I am using zzzz.io. After setting up my Nextcloud I obtained a LE cert. Now it is due for renewal, so I ran letsencrypt renew on my machine. Unfortunately my renewal fails due to an error I don’t understand:

The following errors were reported by the server:

Domain: MYSUBDOMAIN.zzzz.io
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
f690ef0…237be42.acme.invalid
from MYISPIP:443. Received 2 certificate(s), first
certificate had names “MYSUBDOMAIN.zzzz.io

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.

The DNS record for the domain contains the correct IP (MYISPIP), and the certificate should indeed have the name MYSUBDOMAIN.zzzz.io in it, or am I wrong? It might be a problem that I also have nginx running (for the NAS admin panel), but I have the same error when stopping nginx.

Any more ideas?

Kind regards

The DNS probably isn’t the issue here, but we can’t tell since you obfuscated your domain name. You’re still using the tls-sni-01 challenge type, which was deprecated for security concerns but is still available for renewals of existing certificates. It will eventually be fully disabled, though, so you should consider re-configuring your system to use http-01 or dns-01 instead at some point.

However, for the immediacy, the way tls-sni-01 works is by attempting to configure your web server to serve a specific fake certificate in response to a specific SNI request. For the challenge, it should be seeing an _acme-invalid certificate, but rather is seeing your real certificate. If something else is terminating SSL before it gets to your server, that could cause this issue.

Honestly, though, if I were you I’d get ahead of things and start transitioning your server to use http-01 instead. Since you didn’t answer the questions, I don’t really have any more info on exactly how to go about that.

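The reply above describes the tls-sni-01 mechanism: the CA connects to the host with the challenge name as SNI and expects the leaf certificate's SubjectAltName to contain that `…acme.invalid` name; getting the site's real certificate back means the SNI never reached the right server, or something in front of it terminated TLS. The following script is an added diagnostic example, not code from the original thread or from Let's Encrypt: it reproduces that check from the outside and classifies what the endpoint served. It assumes the `openssl` command-line tool is installed, and the host, port and challenge name in the usage call are placeholders to be replaced with the values from the renewal error.

```python
"""Reproduce a tls-sni-01 validation from the outside and classify the result.

The CA connects to the origin with the challenge name as SNI and expects a
self-signed certificate whose SubjectAltName contains that name.  This tool
does the same connection with the openssl CLI (an assumption: it must be on
PATH), reads the first (leaf) certificate, and reports whether the endpoint is
serving the challenge certificate, a stale one, or the site's real certificate.
"""
import re
import subprocess
import sys

ACME_SUFFIX = ".acme.invalid"


def parse_san_names(x509_text: str) -> list[str]:
    """Extract DNS names from `openssl x509 -text` output (lower-cased)."""
    return [m.group(1).lower() for m in re.finditer(r"DNS:([^,\s]+)", x509_text)]


def classify(served_names: list[str], expected_name: str) -> str:
    """Compare the SANs actually served against the name the CA requested.

    Returns one of:
      "ok"                   - the challenge certificate was served
      "stale-challenge-cert" - some other acme.invalid name was served (old challenge)
      "real-cert"            - a normal site certificate came back (SNI ignored,
                               wrong vhost, or a TLS terminator in front of the origin)
      "no-names"             - no SubjectAltName DNS entries at all
    """
    expected = expected_name.lower()
    if expected in served_names:
        return "ok"
    if any(n.endswith(ACME_SUFFIX) for n in served_names):
        return "stale-challenge-cert"
    if served_names:
        return "real-cert"
    return "no-names"


def fetch_served_names(host: str, port: int, sni: str, timeout: int = 15) -> list[str]:
    """Connect with `sni` as Server Name Indication and return the leaf cert's SANs."""
    client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", sni],
        input=b"", capture_output=True, timeout=timeout, check=False,
    )
    # openssl x509 parses the first PEM block on stdin, which s_client prints
    # for the leaf certificate; -text works on all OpenSSL versions.
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-text"],
        input=client.stdout, capture_output=True, timeout=timeout, check=False,
    )
    return parse_san_names(x509.stdout.decode(errors="replace"))


def diagnose(host: str, port: int, expected_name: str) -> str:
    """Run the probe and turn the classification into a human-readable verdict."""
    served = fetch_served_names(host, port, expected_name)
    verdict = classify(served, expected_name)
    messages = {
        "ok": "challenge certificate served correctly",
        "stale-challenge-cert": "an old challenge certificate is still being served",
        "real-cert": "the real site certificate came back; the SNI request is not "
                     "reaching the ACME client's listener (check for a reverse proxy, "
                     "port forward or another TLS terminator on :443)",
        "no-names": "no SubjectAltName entries found; the handshake may have failed",
    }
    return f"{verdict}: {messages[verdict]} (served names: {served or 'none'})"


if __name__ == "__main__":
    # Placeholder values; replace with the host, port and acme.invalid name
    # shown in the renewal error.
    host = sys.argv[1] if len(sys.argv) > 1 else "MYISPIP"
    challenge = sys.argv[2] if len(sys.argv) > 2 else "f690ef0PLACEHOLDER.acme.invalid"
    print(diagnose(host, 443, challenge))
```

Run it as `python3 probe.py <public-ip-or-host> <name.acme.invalid>` while the ACME client is waiting on the challenge. A `real-cert` verdict with the site's own name, as in the error quoted above, points at the SNI being handled by something other than the ACME client's temporary listener rather than at DNS.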

Good point about the security issues. Thank you!

I will remove the cert and reconfigure my server.
