Renew: Incorrect validation certificate for tls-sni-01 challenge


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: robjvargas.com

I ran this command: certbot --apache renew

It produced this output:


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/robjvargas.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.robjvargas.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    d56c13da53b01ca97849007fde3b17d7.48b1a8875361e1022c07959f1148ddbb.acme.invalid
    from 107.172.9.149:443. Received 1 certificate(s), first
    certificate had names “robjvargas.com, www.robjvargas.com

    Domain: robjvargas.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    8f9c98bd42448549b4c31116d9c03bc4.ab7d1c545a91270babe0e47ce5b6ac62.acme.invalid
    from 107.172.9.149:443. Received 1 certificate(s), first
    certificate had names “robjvargas.com, www.robjvargas.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): Apache 2.4.6-80.el7

The operating system my web server runs on is (include version): CentOS Linux release 7.5.1804 (Core)

My hosting provider, if applicable, is: VPS: Hudson Valley Host

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Initial certificate issuance was successful. I ran several dry runs during the period, and they showed no errors. Now the cert is expired and it won’t renew. I tried this within the last ten days before expiration, and then got diverted.


#2

Hi,

TLS-SNI has been disabled for security purposes.

You might need to renew with those parameters:
sudo certbot renew --preferred-challenges http

Thank you


#3

The correct form is normally just certbot renew if you’re not intending to change the validation method, although that doesn’t explain the error that you saw.

Nonetheless, this error doesn’t directly relate to TLS-SNI-01 being disabled because the CA was willing to use it here. (Switching to HTTP-01 validation is still a good idea for the long term.)

Depending on your Certbot version, this might not have any effect because historically the Apache plugin only supported TLS-SNI-01 and not HTTP-01. See

for more information about that.

@RobJVargas, I would suggest following these instructions to switch to HTTP-01 validation even though it’s not strictly necessary for your renewal. Trying to debug the TLS-SNI-01 problem may not be worth it because of the deprecation of this validation method.


#4

Thank you, schoen. I totally missed the deprecation of the tls-sni challenge.

certbot renew --preferred-challenges http

That worked for me. Perfect.

Side note that I won’t mess with, the solution you linked didn’t work for me.

certbot --authenticator webroot --installer apache \ --webroot-path [redacted] -d >robjvargas.com,www.robjvargas.com
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] …
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --webroot-path

The certbot-auto comes back as an unrecognized command. And I don’t have it in the yum repositories I have so far. An issue for later, I guess. As that link states, not all providers are up-to-date.


#5

I think this is due to the \ --webroot-path instead of --webroot-path. The \ is meant to be used only if you’re breaking the command over two lines, and, if so, only immediately before the newline character. If the command is all on one line, no \ should be used.

To use certbot-auto, you have to separately download it first. It’s never packaged in OS repositories, but is a downloader that works outside of OS package managers.


#6

I think this is due to the \ --webroot-path instead of --webroot-path. The \ is meant to be used only if you’re breaking the command…
Dangit, I know that, too. I just copied and pasted without thinking.

In any event, the http-01 command worked, so I’ll put that into my cron job.

Thanks again.
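Before putting the renewal into cron, it is worth checking which challenge each certificate's renewal configuration will actually use. The following is an added example, not part of this thread or of Certbot itself: a POSIX sh audit of Certbot renewal configs (/etc/letsencrypt/renewal/NAME.conf, whose [renewalparams] section holds the authenticator and, when set, pref_challs) that flags any certificate still preferring the deprecated tls-sni-01 challenge. The sample config files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or from Certbot): audit Certbot renewal
# configs for the deprecated tls-sni-01 challenge so a cron'd "certbot renew"
# does not fail the way the thread's did. Assumes Certbot's renewal config
# layout: an INI-style file with a [renewalparams] section.

# Print the value of KEY from the [renewalparams] section of FILE (empty if unset).
renewal_param() {
    key="$1"; file="$2"
    sed -n '/^\[renewalparams\]/,/^\[/p' "$file" \
        | sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" \
        | head -n 1 | tr -d ' '
}

# Classify one renewal config. Exit status: 0 = http-01 (or another non-TLS-SNI
# challenge) is preferred, 1 = tls-sni-01 is listed in pref_challs,
# 2 = no preference recorded, so the challenge is left to the plugin default.
check_renewal_conf() {
    pref=$(renewal_param pref_challs "$1")
    auth=$(renewal_param authenticator "$1")
    case "$pref" in
        *tls-sni-01*) echo "$1: prefers tls-sni-01 (disabled by the CA); renew with --preferred-challenges http"; return 1 ;;
        "")           echo "$1: no pref_challs set (authenticator=$auth); pin http-01 explicitly"; return 2 ;;
        *)            echo "$1: ok (pref_challs=$pref, authenticator=$auth)"; return 0 ;;
    esac
}

# Constructed sample configs standing in for /etc/letsencrypt/renewal/*.conf.
demo_dir=$(mktemp -d)
cat > "$demo_dir/old.conf" <<'EOF'
version = 0.25.1
cert = /etc/letsencrypt/live/example.invalid/cert.pem
[renewalparams]
authenticator = apache
installer = apache
pref_challs = tls-sni-01,
EOF
cat > "$demo_dir/fixed.conf" <<'EOF'
version = 0.25.1
[renewalparams]
authenticator = apache
installer = apache
pref_challs = http-01,
EOF
for f in "$demo_dir"/*.conf; do check_renewal_conf "$f" || true; done
rm -rf "$demo_dir"
```

Run it against the real directory with `for f in /etc/letsencrypt/renewal/*.conf; do check_renewal_conf "$f"; done` after sourcing the functions; a non-zero status marks a certificate whose cron renewal needs the http-01 switch.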

