Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/robjvargas.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: www.robjvargas.com
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
d56c13da53b01ca97849007fde3b17d7.48b1a8875361e1022c07959f1148ddbb.acme.invalid
from 107.172.9.149:443. Received 1 certificate(s), first
certificate had names “robjvargas.com, www.robjvargas.com”
Domain: robjvargas.com
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
8f9c98bd42448549b4c31116d9c03bc4.ab7d1c545a91270babe0e47ce5b6ac62.acme.invalid
from 107.172.9.149:443. Received 1 certificate(s), first
certificate had names “robjvargas.com, www.robjvargas.com”
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version): Apache 2.4.6-80.el7
The operating system my web server runs on is (include version): CentOS Linux release 7.5.1804 (Core)
My hosting provider, if applicable, is: VPS: Hudson Valley Host
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No
Initial certificate issuance was successful. I ran several dry runs during the period, and they showed no errors. Now the cert is expired and it won’t renew. I tried this within the last ten days before expiration, and then got diverted.
The correct form is normally just certbot renew if you're not intending to change the validation method, although that doesn't explain the error that you saw.
Nonetheless, this error doesn't directly relate to TLS-SNI-01 being disabled because the CA was willing to use it here. (Switching to HTTP-01 validation is still a good idea for the long term.)
Depending on your Certbot version, this might not have any effect because historically the Apache plugin only supported TLS-SNI-01 and not HTTP-01. See
for more information about that.
@RobJVargas, I would suggest following these instructions to switch to HTTP-01 validation even though it's not strictly necessary for your renewal. Trying to debug the TLS-SNI-01 problem may not be worth it because of the deprecation of this validation method.
Thank you, schoen. I totally missed the deprecation of the tls-sni challenge
certbot renew --preferred-challenges http
That worked for me. Perfect.
Side note that I won’t mess with, the solution you linked didn’t work for me.
certbot --authenticator webroot --installer apache \ --webroot-path [redacted] -d >robjvargas.com,www.robjvargas.com
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] …
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --webroot-path
The certbot-auto comes back as an unrecognized command. And I don’t have it in the yum repositories I have so far. An issue for later, I guess. As that link states, not all providers are up-to-date.
I think this is due to the \ --webroot-path instead of --webroot-path. The \ is meant to be used only if you’re breaking the command over two lines, and, if so, only immediately before the newline character. If the command is all on one line, no \ should be used.
To use certbot-auto, you have to separately download it first. It’s never packaged in OS repositories, but is a downloader that works outside of OS package managers.
I think this is due to the \ --webroot-path instead of --webroot-path. The \ is meant to be used only if you’re breaking the command…
Dangit, I know that, too. I just copied and pasted without thinking.
In any event, the http-01 commant worked, so I’ll put that into my cron job.