Renew does not work anymore


#1

Renew does not work anymore:

bash-4.3# /usr/bin/certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/cloud.cc-email.eu.conf

Cert is due for renewal, auto-renewing…
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for cloud.cc-email.eu
/usr/lib/python2.7/site-packages/OpenSSL/rand.py:58: UserWarning: implicit cast from ‘char *’ to a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct)
result_code = _lib.RAND_bytes(result_buffer, num_bytes)
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/cloud.cc-email.eu.conf produced an unexpected error: Failed authorization procedure. cloud.cc-email.eu (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested cb7edf9e315017f47589bd9b5c034a27.2fe6fd28c9be5bc1318f6cfbcd01f9b6.acme.invalid from 89.247.194.210:443. Received 2 certificate(s), first certificate had names “cloud.cc-email.eu”. Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/cloud.cc-email.eu/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: cloud.cc-email.eu
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    cb7edf9e315017f47589bd9b5c034a27.2fe6fd28c9be5bc1318f6cfbcd01f9b6.acme.invalid
    from 89.247.194.210:443. Received 2 certificate(s), first
    certificate had names “cloud.cc-email.eu”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

cloud.cc-email.eu has a CNAME record only. But that was not a problem before.
Help very much appreciated


#2

Hi @fwe99

The tls-sni-01 validation is deprecated; support ends 2019-02-13.

So try to change to http validation.

certbot renew --preferred-challenges http --nginx

#3

Expanding a little bit on @JuergenAuer’s answer.

The TLS-SNI-01 method is currently working for you, but the deprecation deadline is Feb 13, 2019.

The TLS-SNI-01 method was supposed to generate a certificate and ask nginx to send it before sending the real, working certificate, to check that you are allowed to request the certificate.
However, there are some issues with this function, and certbot sometimes places the fake (validation) certificate after the real, working certificate, which results in this issue.

Now, since it’s deprecated, there will not be any support for this method (on the developers’ end)… You should use the command @JuergenAuer provided and switch to http based validation.

Thank you


#4

Also, according to the thread from owncloud, after you switch to http based validation, you might need to use webroot instead of the default nginx authenticator.

Because the universal redirection (that redirects all visits to an index.php link) might cause trouble for Let’s Encrypt validation servers.

Ref: https://doc.owncloud.org/server/10.0/admin_manual/installation/letsencrypt/

Thank you
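The failure mode described in #4, as an added example that is not part of the thread and not certbot's or ownCloud's own code: a pre-flight check for http-01 webroot validation. It writes a constructed token file under `<webroot>/.well-known/acme-challenge/`, then fetches that URL exactly once without following redirects, which is how a catch-all redirect to `index.php` shows up as the reason the validation server never sees the token. The local `http.server` instance is a stand-in for nginx (one plain, one configured to redirect everything); the function names, the temporary webroot and the `127.0.0.1` addresses are assumptions of this example, not anything from the thread.

```python
# Added example (not from the thread): pre-flight check for http-01 webroot
# validation, plus a throwaway local web server standing in for nginx.
import os
import secrets
import shutil
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler

CHALLENGE_DIR = ".well-known/acme-challenge"


def write_challenge_token(webroot):
    """Create a random (constructed) token file where a webroot authenticator would put it."""
    token = secrets.token_urlsafe(16)
    content = secrets.token_urlsafe(32)
    challenge_path = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(challenge_path, exist_ok=True)
    with open(os.path.join(challenge_path, token), "w") as fh:
        fh.write(content)
    return token, content


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the FIRST response is what gets judged."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx status


def check_http01_path(base_url, token, expected):
    """Fetch the token like a validator would and say why validation would fail."""
    url = "%s/%s/%s" % (base_url.rstrip("/"), CHALLENGE_DIR, token)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            # The catch-all redirect case from the thread: token never served.
            return {"ok": False, "reason": "redirect", "location": err.headers.get("Location")}
        return {"ok": False, "reason": "http %d" % err.code, "location": None}
    except urllib.error.URLError as err:
        return {"ok": False, "reason": "connect: %s" % err.reason, "location": None}
    if body != expected:
        return {"ok": False, "reason": "body mismatch", "location": None}
    return {"ok": True, "reason": "token served", "location": None}


class _DemoHandler(SimpleHTTPRequestHandler):
    """Stand-in for nginx; with redirect_all=True it mimics a universal redirect to index.php."""
    redirect_all = False

    def do_GET(self):
        if self.redirect_all:
            self.send_response(302)
            self.send_header("Location", "/index.php")
            self.end_headers()
            return
        super().do_GET()

    def log_message(self, *args):  # keep the demo quiet
        pass


def _serve(webroot, redirect_all):
    handler_cls = type("DemoHandler", (_DemoHandler,), {"redirect_all": redirect_all})
    server = HTTPServer(("127.0.0.1", 0), partial(handler_cls, directory=webroot))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_preflight(redirect_all):
    """Create a temp webroot, serve it locally, and run the check against it."""
    webroot = tempfile.mkdtemp()
    server = _serve(webroot, redirect_all)
    try:
        token, content = write_challenge_token(webroot)
        base = "http://127.0.0.1:%d" % server.server_address[1]
        return check_http01_path(base, token, content)
    finally:
        server.shutdown()
        server.server_close()
        shutil.rmtree(webroot, ignore_errors=True)


if __name__ == "__main__":
    print("plain webroot:     ", run_preflight(redirect_all=False))
    print("catch-all redirect:", run_preflight(redirect_all=True))
```

Against a real host you would call `write_challenge_token()` with the directory you pass to `certbot --webroot -w ...` and `check_http01_path()` with `http://<your hostname>`; a `redirect` result with a `Location` pointing at `index.php` is the symptom #4 describes, and the usual nginx remedy is a `location ^~ /.well-known/acme-challenge/` block placed before the catch-all redirect.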