Renew multiple certs fails but --dry-run works

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: yikesandaway.com

I ran this command:
/bin/certbot renew --tls-sni-01-port=8888 --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/mycloud.yikesandaway.com.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mycloud.yikesandaway.com
Waiting for verification…
Cleaning up challenges


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/mycloud.yikesandaway.com/fullchain.pem


Processing /etc/letsencrypt/renewal/www.yikesandaway.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.yikesandaway.com
Waiting for verification…
Cleaning up challenges


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.yikesandaway.com/fullchain.pem


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/mycloud.yikesandaway.com/fullchain.pem (success)
/etc/letsencrypt/live/www.yikesandaway.com/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

My web server is (include version): haproxy

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

As noted above, when I do a --dry-run my renewals all pass without issue, but when I remove the --dry-run I get an error, as it is trying to use the wrong cert to validate the other, as shown below.

[root@haproxy letsencrypt]# /bin/certbot renew --tls-sni-01-port=8888
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/mycloud.yikesandaway.com.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/www.yikesandaway.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.yikesandaway.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (www.yikesandaway.com) from /etc/letsencrypt/renewal/www.yikesandaway.com.conf produced an unexpected error: Failed authorization procedure. www.yikesandaway.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 91e1d0154cec7210a5b0acb19a974f9a.294a73f46a8ae4cb3332588ac0bf42d7.acme.invalid from 73.207.71.120:443. Received 2 certificate(s), first certificate had names “mycloud.yikesandaway.com”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.yikesandaway.com/fullchain.pem (failure)


The following certs are not due for renewal yet:
/etc/letsencrypt/live/mycloud.yikesandaway.com/fullchain.pem (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.yikesandaway.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

Any suggestions?

The TLS-SNI-01 challenge has been disabled for new certificate issuance because of a security issue. However, it’s still available for renewals from the same account. That’s why your renewal is still using that challenge but (as you can see if you read the output carefully) the dry-run is now using the HTTP-01 challenge instead, as it’s not a “renewal from the same account” on the staging server.

I don’t know why the TLS-SNI-01 challenge is failing for you, but since the HTTP-01 challenge seems to be working, maybe you should just switch to that? Try adding the option --preferred-challenges http-01
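The point in the reply is easy to miss in a long certbot log: a --dry-run goes to the staging server, where the request is a fresh issuance and so falls back to HTTP-01, while the real renewal on production is still offered TLS-SNI-01 and the standalone authenticator picks it first. The script below is an added example, not code from the thread or from certbot. It models that server rule as stated in the reply, parses renewal files in the shape certbot writes under /etc/letsencrypt/renewal/ (the key names authenticator, tls_sni_01_port and pref_challs are certbot's; the file contents, domain names and account id are constructed samples), predicts which challenge the dry run and the real renewal would each use, and pins a file to http-01, which is the same pref_challs line that running certbot with --preferred-challenges http-01 stores in the renewal file.

```python
"""Audit certbot renewal files for the TLS-SNI-01 renewal trap (added example).

Models the rule from the reply: TLS-SNI-01 is only offered for a renewal from
the same account on production, so a staging --dry-run silently uses HTTP-01.
"""
import os
import tempfile

# Constructed sample renewal files (values made up; key names are certbot's).
SAMPLE_CONFS = {
    "mycloud.example.com.conf": """\
version = 0.22.0
archive_dir = /etc/letsencrypt/archive/mycloud.example.com
cert = /etc/letsencrypt/live/mycloud.example.com/cert.pem
[renewalparams]
authenticator = standalone
account = 0123456789abcdef0123456789abcdef
server = https://acme-v01.api.letsencrypt.org/directory
tls_sni_01_port = 8888
""",
    "www.example.com.conf": """\
version = 0.22.0
archive_dir = /etc/letsencrypt/archive/www.example.com
cert = /etc/letsencrypt/live/www.example.com/cert.pem
[renewalparams]
authenticator = standalone
account = 0123456789abcdef0123456789abcdef
server = https://acme-v01.api.letsencrypt.org/directory
tls_sni_01_port = 8888
pref_challs = http-01,
""",
}

# Standalone authenticator order when no --preferred-challenges is stored;
# the thread's production log shows it trying tls-sni-01 first.
DEFAULT_PREFERENCE = ["tls-sni-01", "http-01"]


def parse_renewal_conf(text):
    """Parse a renewal file: top-level keys under '', then [section] keys."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def preferred_challenges(params):
    """Challenge order certbot will try: pref_challs (trailing comma ok) or default."""
    listed = [c.strip() for c in params.get("pref_challs", "").split(",") if c.strip()]
    return listed or DEFAULT_PREFERENCE


def offered_challenges(same_account_renewal):
    """Server policy as described in the reply (assumption: modelled, not queried)."""
    offered = ["http-01", "dns-01"]
    if same_account_renewal:
        offered.append("tls-sni-01")
    return offered


def predict_challenge(params, same_account_renewal):
    """First challenge in certbot's preference list that the server offers."""
    offered = offered_challenges(same_account_renewal)
    return next((c for c in preferred_challenges(params) if c in offered), None)


def pin_http01(text):
    """Return the file with 'pref_challs = http-01,' set in [renewalparams]."""
    out, in_params, written = [], False, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            if in_params and not written:
                out.append("pref_challs = http-01,")
                written = True
            in_params = stripped == "[renewalparams]"
        elif in_params and stripped.startswith("pref_challs"):
            line, written = "pref_challs = http-01,", True
        out.append(line)
    if in_params and not written:
        out.append("pref_challs = http-01,")
    return "\n".join(out) + "\n"


def audit(renewal_dir):
    """Map each .conf to (dry-run challenge, real renewal challenge)."""
    report = {}
    for name in sorted(os.listdir(renewal_dir)):
        if not name.endswith(".conf"):
            continue
        with open(os.path.join(renewal_dir, name)) as fh:
            params = parse_renewal_conf(fh.read()).get("renewalparams", {})
        report[name] = (predict_challenge(params, False), predict_challenge(params, True))
    return report


def audit_samples():
    """Write the constructed samples to a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in SAMPLE_CONFS.items():
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write(text)
        return audit(tmp)
```

Run audit_samples() and any file whose two predictions differ is one where the dry run proves nothing about the real renewal; pin_http01 on that file gives the same result as re-running certbot with --preferred-challenges http-01, without a further round of failed validations. Note the lines that matter in the original log are "Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org" versus "acme-v01.api.letsencrypt.org" and "http-01 challenge for" versus "tls-sni-01 challenge for".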

Thank you for your reply.

I didn’t notice the difference. I will give it a try as soon as my rateLimit times out.


Perfect! that worked.

Thanks for the advice!
