Renew problem Letsencrypt certificate

Please fill out the fields below so we can help you better.

My domain is: mail.cgilfe.it

I ran this command:certbot renew --pre-hook “service nginx stop” --post-hook “service nginx start” --standalone-supported-challenges tls-sni-01 --dry-run

It produced this output:
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7ff78e070850>
Prep: True
2017-01-25 10:53:21,523:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7ff78e070850> and installer None
2017-01-25 10:53:21,527:DEBUG:certbot.main:Picked account: <Account(36a5fdf8047a014f9b8a8770c3f446a2)>
2017-01-25 10:53:21,527:DEBUG:root:Sending GET request to https://acme-staging.api.letsencrypt.org/directory. args: (), kwargs: {}
2017-01-25 10:53:21,528:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
2017-01-25 10:53:21,853:DEBUG:requests.packages.urllib3.connectionpool:“GET /directory HTTP/1.1” 200 372
2017-01-25 10:53:21,854:DEBUG:root:Received <Response [200]>. Headers: {‘Content-Length’: ‘372’, ‘Expires’: ‘Wed, 25 Jan 2017 10:53:21 GMT’, ‘Boulder-Request-Id’: ‘kxJMqqRy55rn4O3h0TNJ0gAg9zlGegTNjPg3anepmDo’, ‘Strict-Transport-Security’: ‘max-age=604800’, ‘Server’: ‘nginx’, ‘Connection’: ‘keep-alive’, ‘Pragma’: ‘no-cache’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Wed, 25 Jan 2017 10:53:21 GMT’, ‘X-Frame-Options’: ‘DENY’, ‘Content-Type’: ‘application/json’, ‘Replay-Nonce’: ‘zRHhpLpK1_o_hyYq7KdBbAhaKNSFJ_Xkvs1ca19Y3Ns’}. Content: '{\n “key-change”: “https://acme-staging.api.letsencrypt.org/acme/key-change”,\n “new-authz”: “https://acme-staging.api.letsencrypt.org/acme/new-authz”,\n “new-cert”: “https://acme-staging.api.letsencrypt.org/acme/new-cert”,\n “new-reg”: “https://acme-staging.api.letsencrypt.org/acme/new-reg”,\n “revoke-cert”: “https://acme-staging.api.letsencrypt.org/acme/revoke-cert”\n}'
2017-01-25 10:53:21,854:DEBUG:acme.client:Received response <Response [200]> (headers: {‘Content-Length’: ‘372’, ‘Expires’: ‘Wed, 25 Jan 2017 10:53:21 GMT’, ‘Boulder-Request-Id’: ‘kxJMqqRy55rn4O3h0TNJ0gAg9zlGegTNjPg3anepmDo’, ‘Strict-Transport-Security’: ‘max-age=604800’, ‘Server’: ‘nginx’, ‘Connection’: ‘keep-alive’, ‘Pragma’: ‘no-cache’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Wed, 25 Jan 2017 10:53:21 GMT’, ‘X-Frame-Options’: ‘DENY’, ‘Content-Type’: ‘application/json’, ‘Replay-Nonce’: ‘zRHhpLpK1_o_hyYq7KdBbAhaKNSFJ_Xkvs1ca19Y3Ns’}): '{\n “key-change”: “https://acme-staging.api.letsencrypt.org/acme/key-change”,\n “new-authz”: “https://acme-staging.api.letsencrypt.org/acme/new-authz”,\n “new-cert”: “https://acme-staging.api.letsencrypt.org/acme/new-cert”,\n “new-reg”: “https://acme-staging.api.letsencrypt.org/acme/new-reg”,\n “revoke-cert”: “https://acme-staging.api.letsencrypt.org/acme/revoke-cert”\n}'
2017-01-25 10:53:21,854:INFO:certbot.main:Renewing an existing certificate
2017-01-25 10:53:21,855:DEBUG:root:Requesting fresh nonce
2017-01-25 10:53:21,855:DEBUG:root:Sending HEAD request to https://acme-staging.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {}
2017-01-25 10:53:22,044:DEBUG:requests.packages.urllib3.connectionpool:“HEAD /acme/new-authz HTTP/1.1” 405 0
2017-01-25 10:53:22,045:DEBUG:root:Received <Response [405]>. Headers: {‘Content-Length’: ‘91’, ‘Pragma’: ‘no-cache’, ‘Boulder-Request-Id’: ‘EyUvyAKOrhoaVkTJt92t3qajgBYTUYr5nK8rbO9gULo’, ‘Expires’: ‘Wed, 25 Jan 2017 10:53:22 GMT’, ‘Server’: ‘nginx’, ‘Connection’: ‘keep-alive’, ‘Allow’: ‘POST’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Wed, 25 Jan 2017 10:53:22 GMT’, ‘Content-Type’: ‘application/problem+json’, ‘Replay-Nonce’: ‘x6iV_UjIRDhKhdJkl2JwQWSMHNxsHhd9HkOZaLRZLN8’}. Content: ''
2017-01-25 10:53:22,045:DEBUG:acme.client:Storing nonce: '\xc7\xa8\x95\xfdH\xc8D8J\x85\xd2d\x97bpAd\x8c\x1c\xdcl\x1e\x17}\x1eC\x99h\xb4Y,\xdf’
2017-01-25 10:53:22,045:DEBUG:acme.jose.json_util:Omitted empty fields: status=None, combinations=None, expires=None, challenges=None
2017-01-25 10:53:22,046:DEBUG:acme.client:Serialized JSON: {“identifier”: {“type”: “dns”, “value”: “mail.cgilfe.it”}, “resource”: “new-authz”}
2017-01-25 10:53:22,047:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), typ=None, jku=None, cty=None, x5t=None, alg=None, x5tS256=None, x5u=None, kid=None, jwk=None
2017-01-25 10:53:22,049:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), typ=None, jku=None, nonce=None, cty=None, x5t=None, kid=None, x5tS256=None, x5u=None
2017-01-25 10:53:22,050:DEBUG:root:Sending POST request to https://acme-staging.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {‘data’: ‘{“header”: {“alg”: “RS256”, “jwk”: {“e”: “AQAB”, “kty”: “RSA”, “n”: “ygnxZKChqZcqXLoZWyBpqqqxuOuUViZiUM860Njl9dt9fSncr0ofD4eanrCzT86xSUfA6ejsZe3_0zNKuchPVsP4JH0MfWJfKEbyDDE_AOUF6gJNAqLODB2EThYYMuAN5_EHywjb1RGjhNkE-K_YLkroDTspC_Nq22m1tiFXMNrWsdXADxYB_Xkot19QTa2AD1yz1Mu4fMuIyxMXNRcF4q2ixKmus9uY5QVDfE0YXKy94w5a7cLk4KnQ6SuliVmi2X7y59No-ar8z-oPo3MnjrQUhtan-IV-qxi7VC-KkneE_RICNJ-EdI2hBLKC4_2Dnh5SC0rr6-D4qOY4NlCnoQ”}}, “protected”: “eyJub25jZSI6ICJ4NmlWX1VqSVJEaEtoZEprbDJKd1FXU01ITnhzSGhkOUhrT1phTFJaTE44In0”, “payload”: “eyJpZGVudGlmaWVyIjogeyJ0eXBlIjogImRucyIsICJ2YWx1ZSI6ICJtYWlsLmNnaWxmZS5pdCJ9LCAicmVzb3VyY2UiOiAibmV3LWF1dGh6In0”, “signature”: “LLHIqkoQubKY3OJNBoQBMu3Dxh_vuRNuqiJ6BN8WhgZeFieWwjRbeTw6cYKtM7-QSbqrJ7I2Gbo91XYzz66pCYSKAnQaS5xfSi1sQuVHbKL6SDReR2YTDE8ucIKGuWvT9eiNzYzLBf1bXV6e3n6fejIWN8HX19EQxpPb_UH5QYhHw5LNMAMfVkI9YhK7swJYTmXX-MOh3gPIHXniuYNfLssWt8TMhSmrS-cZtyTFx2tsl9C2W5xjPtoRl3QDRjavLjRTNeO8kFZRb4mgVZ8tJzxm3JJfR2IAtK0UlJTBq4ZNRa2hJlrHCKIwiKq6u05v0zY1NiQ8ZfJsQ2dK1w4L9w”}’}
2017-01-25 10:53:22,272:DEBUG:requests.packages.urllib3.connectionpool:“POST /acme/new-authz HTTP/1.1” 201 1008
2017-01-25 10:53:22,273:DEBUG:root:Received <Response [201]>. Headers: {‘Content-Length’: ‘1008’, ‘Expires’: ‘Wed, 25 Jan 2017 10:53:22 GMT’, ‘Boulder-Request-Id’: ‘GkLQvYf1nMcN_vD8Wn5FnZ0ZHdp-O_q_IQ9UVk_jblk’, ‘Strict-Transport-Security’: ‘max-age=604800’, ‘Server’: ‘nginx’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Connection’: ‘keep-alive’, ‘Link’: ‘https://acme-staging.api.letsencrypt.org/acme/new-cert;rel=“next”’, ‘Location’: ‘https://acme-staging.api.letsencrypt.org/acme/authz/NjvMzRn8Luelsv0q80rjwzqihodvAlwszWxMQil4I6Y’, ‘Pragma’: ‘no-cache’, ‘Boulder-Requester’: ‘514457’, ‘Date’: ‘Wed, 25 Jan 2017 10:53:22 GMT’, ‘X-Frame-Options’: ‘DENY’, ‘Content-Type’: ‘application/json’, ‘Replay-Nonce’: ‘4hkDwDvUhuBSiAM_NKZfmx6RPj37h15WEtZWGqXoSgo’}. Content: '{\n “identifier”: {\n “type”: “dns”,\n “value”: “mail.cgilfe.it”\n },\n “status”: “pending”,\n “expires”: “2017-02-01T10:53:22.160047461Z”,\n “challenges”: [\n {\n “type”: “http-01”,\n “status”: “pending”,\n “uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/NjvMzRn8Luelsv0q80rjwzqihodvAlwszWxMQil4I6Y/23656082”,\n “token”: “zUrWQG6Zp9RkSY8_fzod64ermZUES3f9e1lYjVZDmRw”\n },\n {\n “type”: “tls-sni-01”,\n “status”: “pending”,\n “uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/NjvMzRn8Luelsv0q80rjwzqihodvAlwszWxMQil4I6Y/23656083”,\n “token”: “71LyqAkmc58Gul4wJVepipcTbZKfGF9034RIDTj3Bgk”\n },\n {\n “type”: “dns-01”,\n “status”: “pending”,\n “uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/NjvMzRn8Luelsv0q80rjwzqihodvAlwszWxMQil4I6Y/23656084”,\n “token”: “xDl3WZHCR8ldUSwcSOJFYCDmgrPB3S7M_bVotMEL0IE”\n }\n ],\n “combinations”: [\n [\n 2\n ],\n [\n 1\n ],\n [\n 0\n ]\n ]\n}'
2017-01-25 10:53:22,273:DEBUG:acme.client:Storing nonce: '\xe2\x19\x03\xc0;\xd4\x86\xe0R\x88\x03?4\xa6_\x9b\x1e\x91>=\xfb\x87^V\x12\xd6V\x1a\xa5\xe8J\n’
2017-01-25 10:53:22,273:DEBUG:acme.client:Received response <Response [201]> (headers: {‘Content-Length’: ‘1008’, ‘Expires’: ‘Wed, 25 Jan 2017 10:53:22 GMT’, ‘Boulder-Request-Id’: ‘GkLQvYf1nMcN_vD8Wn5FnZ0ZHdp-O_q_IQ9UVk_jblk’, ‘Strict-Transport-Security’: ‘max-age=604800’, ‘Server’: ‘nginx’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Connection’: ‘keep-alive’, ‘Link’: ‘https://acme-staging.api.letsencrypt.org/acme/new-cert;rel=“next”’, ‘Location’: ‘https://acme-staging.api.letsencrypt.org/acme/authz/NjvMzRn8Luelsv0q80rjwzqihodvAlwszWxMQil4I6Y’, ‘Pragma’: ‘no-cache’, ‘Boulder-Requester’: ‘514457’, ‘Date’: ‘Wed, 25 Jan 2017 10:53:22 GMT’, ‘X-Frame-Options’: ‘DENY’, ‘Content-Type’: ‘application/json’, ‘Replay-Nonce’: ‘4hkDwDvUhuBSiAM_NKZfmx6RPj37h15WEtZWGqXoSgo’}): '{\n “identifier”: {\n “type”: “dns”,\n “value”: “mail.cgilfe.it”\n },\n “status”: “pending”,\n “expires”: “2017-02-01T10:53:22.160047461Z”,\n “challenges”: [\n {\n “type”: “http-01”,\n “status”: “pending”,\n “uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/NjvMzRn8Luelsv0q80rjwzqihodvAlwszWxMQil4I6Y/23656082”,\n “token”: “zUrWQG6Zp9RkSY8_fzod64ermZUES3f9e1lYjVZDmRw”\n },\n {\n “type”: “tls-sni-01”,\n “status”: “pending”,\n “uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/NjvMzRn8Luelsv0q80rjwzqihodvAlwszWxMQil4I6Y/23656083”,\n “token”: “71LyqAkmc58Gul4wJVepipcTbZKfGF9034RIDTj3Bgk”\n },\n {\n “type”: “dns-01”,\n “status”: “pending”,\n “uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/NjvMzRn8Luelsv0q80rjwzqihodvAlwszWxMQil4I6Y/23656084”,\n “token”: “xDl3WZHCR8ldUSwcSOJFYCDmgrPB3S7M_bVotMEL0IE”\n }\n ],\n “combinations”: [\n [\n 2\n ],\n [\n 1\n ],\n [\n 0\n ]\n ]\n}'
2017-01-25 10:53:22,274:INFO:certbot.auth_handler:Performing the following challenges:
2017-01-25 10:53:22,275:INFO:certbot.auth_handler:tls-sni-01 challenge for mail.cgilfe.it
2017-01-25 10:53:22,294:INFO:certbot.auth_handler:Waiting for verification…
2017-01-25 10:53:22,294:DEBUG:acme.client:Serialized JSON: {“keyAuthorization”: “71LyqAkmc58Gul4wJVepipcTbZKfGF9034RIDTj3Bgk.fTeWl5kB1hpVnpQIgnFjSav8T1FLDwjsioZcESNmv-k”, “type”: “tls-sni-01”, “resource”: “challenge”}
2017-01-25 10:53:22,295:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), typ=None, jku=None, cty=None, x5t=None, alg=None, x5tS256=None, x5u=None, kid=None, jwk=None
2017-01-25 10:53:22,298:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), typ=None, jku=None, nonce=None, cty=None, x5t=None, kid=None, x5tS256=None, x5u=None
2017-01-25 10:53:22,298:DEBUG:root:Sending POST request to https://acme-staging.api.letsencrypt.org/acme/challenge/NjvMzRn8Luelsv0q80rjwzqihodvAlwszWxMQil4I6Y/23656083. args: (), kwargs: {‘data’: ‘{“header”: {“alg”: “RS256”, “jwk”: {“e”: “AQAB”, “kty”: “RSA”, “n”: “ygnxZKChqZcqXLoZWyBpqqqxuOuUViZiUM860Njl9dt9fSncr0ofD4eanrCzT86xSUfA6ejsZe3_0zNKuchPVsP4JH0MfWJfKEbyDDE_AOUF6gJNAqLODB2EThYYMuAN5_EHywjb1RGjhNkE-K_YLkroDTspC_Nq22m1tiFXMNrWsdXADxYB_Xkot19QTa2AD1yz1Mu4fMuIyxMXNRcF4q2ixKmus9uY5QVDfE0YXKy94w5a7cLk4KnQ6SuliVmi2X7y59No-ar8z-oPo3MnjrQUhtan-IV-qxi7VC-KkneE_RICNJ-EdI2hBLKC4_2Dnh5SC0rr6-D4qOY4NlCnoQ”}}, “protected”: “eyJub25jZSI6ICI0aGtEd0R2VWh1QlNpQU1fTktaZm14NlJQajM3aDE1V0V0WldHcVhvU2dvIn0”, “payload”: “eyJrZXlBdXRob3JpemF0aW9uIjogIjcxTHlxQWttYzU4R3VsNHdKVmVwaXBjVGJaS2ZHRjkwMzRSSURUajNCZ2suZlRlV2w1a0IxaHBWbnBRSWduRmpTYXY4VDFGTER3anNpb1pjRVNObXYtayIsICJ0eXBlIjogInRscy1zbmktMDEiLCAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIn0”, “signature”: “OLUvwJCpLYjeQeb3Rxw0lV2Zj979GEw-VnIeuzO8VEHfNwTwJsWpg-92-1qF_Wy6_EbTNs3QhSotxg95821akshQy7dIx_C7uJK9m_RItid4dinyF2L3_hiIzMxToc_yv-OOTZxzZhJ6IArbdLGUgXnEx4OMb75XS1kLrUytw5m_i7SR6pXsffGfVdxVLO49AgdDWnewHJgljiNcuESA7FcY4YimtSAiQ5qjLFk_SiDPOX5jZ6B1ObSnlc9TY1hvpMLBgeWBZsHX_3PIvlR7vVKg1o4QcA2KU3e6AU78TR72U-3r3dm-BBSp5irZaVeDxdgVe9DxUReE3tw74TM6CA”}’}
2017-01-25 10:53:22,519:DEBUG:requests.packages.urllib3.connectionpool:“POST /acme/challenge/NjvMzRn8Luelsv0q80rjwzqihodvAlwszWxMQil4I6Y/23656083 HTTP/1.1” 202 341
2017-01-25 10:53:22,520:DEBUG:root:Received <Response [202]>. Headers: {‘Content-Length’: ‘341’, ‘Boulder-Request-Id’: ‘aU2N6R7_DTPwTcWTUiyq3CvNJiD3pNDFNtt1SpTyrX4’, ‘Expires’: ‘Wed, 25 Jan 2017 10:53:22 GMT’, ‘Server’: ‘nginx’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Connection’: ‘keep-alive’, ‘Link’: ‘https://acme-staging.api.letsencrypt.org/acme/authz/NjvMzRn8Luelsv0q80rjwzqihodvAlwszWxMQil4I6Y;rel=“up”’, ‘Location’: ‘https://acme-staging.api.letsencrypt.org/acme/challenge/NjvMzRn8Luelsv0q80rjwzqihodvAlwszWxMQil4I6Y/23656083’, ‘Pragma’: ‘no-cache’, ‘Boulder-Requester’: ‘514457’, ‘Date’: ‘Wed, 25 Jan 2017 10:53:22 GMT’, ‘Content-Type’: ‘application/json’, ‘Replay-Nonce’: ‘M4IMW3JJTzjjlQjVThDgXA8W8Wh10QsA5UfU_CY5Z40’}. Content: '{\n “type”: “tls-sni-01”,\n “status”: “pending”,\n “uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/NjvMzRn8Luelsv0q80rjwzqihodvAlwszWxMQil4I6Y/23656083”,\n “token”: “71LyqAkmc58Gul4wJVepipcTbZKfGF9034RIDTj3Bgk”,\n “keyAuthorization”: “71LyqAkmc58Gul4wJVepipcTbZKfGF9034RIDTj3Bgk.fTeWl5kB1hpVnpQIgnFjSav8T1FLDwjsioZcESNmv-k”\n}'
2017-01-25 10:53:22,520:DEBUG:acme.client:Storing nonce: '3\x82\x0c[rIO8\xe3\x95\x08\xd5N\x10\xe0\\x0f\x16\xf1hu\xd1\x0b\x00\xe5G\xd4\xfc&9g\x8d’
2017-01-25 10:53:22,520:DEBUG:acme.client:Received response <Response [202]> (headers: {‘Content-Length’: ‘341’, ‘Boulder-Request-Id’: ‘aU2N6R7_DTPwTcWTUiyq3CvNJiD3pNDFNtt1SpTyrX4’, ‘Expires’: ‘Wed, 25 Jan 2017 10:53:22 GMT’, ‘Server’: ‘nginx’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Connection’: ‘keep-alive’, ‘Link’: ‘https://acme-staging.api.letsencrypt.org/acme/authz/NjvMzRn8Luelsv0q80rjwzqihodvAlwszWxMQil4I6Y;rel=“up”’, ‘Location’: ‘https://acme-staging.api.letsencrypt.org/acme/challenge/NjvMzRn8Luelsv0q80rjwzqihodvAlwszWxMQil4I6Y/23656083’, ‘Pragma’: ‘no-cache’, ‘Boulder-Requester’: ‘514457’, ‘Date’: ‘Wed, 25 Jan 2017 10:53:22 GMT’, ‘Content-Type’: ‘application/json’, ‘Replay-Nonce’: ‘M4IMW3JJTzjjlQjVThDgXA8W8Wh10QsA5UfU_CY5Z40’}): '{\n “type”: “tls-sni-01”,\n “status”: “pending”,\n “uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/NjvMzRn8Luelsv0q80rjwzqihodvAlwszWxMQil4I6Y/23656083”,\n “token”: “71LyqAkmc58Gul4wJVepipcTbZKfGF9034RIDTj3Bgk”,\n “keyAuthorization”: “71LyqAkmc58Gul4wJVepipcTbZKfGF9034RIDTj3Bgk.fTeWl5kB1hpVnpQIgnFjSav8T1FLDwjsioZcESNmv-k”\n}'
2017-01-25 10:53:25,524:DEBUG:root:Sending GET request to https://acme-staging.api.letsencrypt.org/acme/authz/NjvMzRn8Luelsv0q80rjwzqihodvAlwszWxMQil4I6Y. args: (), kwargs: {}
2017-01-25 10:53:25,726:DEBUG:requests.packages.urllib3.connectionpool:“GET /acme/authz/NjvMzRn8Luelsv0q80rjwzqihodvAlwszWxMQil4I6Y HTTP/1.1” 200 1692
2017-01-25 10:53:25,728:DEBUG:root:Received <Response [200]>. Headers: {‘Content-Length’: ‘1692’, ‘Expires’: ‘Wed, 25 Jan 2017 10:53:25 GMT’, ‘Boulder-Request-Id’: ‘q2KXR8J2gjM6wattdy7mga_NBJfNSbm5OS9CXcRRD0k’, ‘Strict-Transport-Security’: ‘max-age=604800’, ‘Server’: ‘nginx’, ‘Connection’: ‘keep-alive’, ‘Link’: ‘https://acme-staging.api.letsencrypt.org/acme/new-cert;rel=“next”’, ‘Pragma’: ‘no-cache’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Wed, 25 Jan 2017 10:53:25 GMT’, ‘X-Frame-Options’: ‘DENY’, ‘Content-Type’: ‘application/json’, ‘Replay-Nonce’: ‘uwiFgOrV-bIGWvNEG8Ws79eJdw3IVp-rUuCgpBCo13k’}. Content: '{\n “identifier”: {\n “type”: “dns”,\n “value”: “mail.cgilfe.it”\n },\n “status”: “invalid”,\n “expires”: “2017-02-01T10:53:22Z”,\n “challenges”: [\n {\n “type”: “http-01”,\n “status”: “pending”,\n “uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/NjvMzRn8Luelsv0q80rjwzqihodvAlwszWxMQil4I6Y/23656082”,\n “token”: “zUrWQG6Zp9RkSY8_fzod64ermZUES3f9e1lYjVZDmRw”\n },\n {\n “type”: “tls-sni-01”,\n “status”: “invalid”,\n “error”: {\n “type”: “urn:acme:error:unauthorized”,\n “detail”: “Incorrect validation certificate for TLS-SNI-01 challenge. Requested 5c5a067811c105b04fd83e60cd9c4c7a.55eb680225f7c1d93b1c9f9902b0e8fd.acme.invalid from 213.209.210.69:443. Received certificate containing ‘mail.cgilfe.it’”,\n “status”: 403\n },\n “uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/NjvMzRn8Luelsv0q80rjwzqihodvAlwszWxMQil4I6Y/23656083”,\n “token”: “71LyqAkmc58Gul4wJVepipcTbZKfGF9034RIDTj3Bgk”,\n “keyAuthorization”: “71LyqAkmc58Gul4wJVepipcTbZKfGF9034RIDTj3Bgk.fTeWl5kB1hpVnpQIgnFjSav8T1FLDwjsioZcESNmv-k”,\n “validationRecord”: [\n {\n “hostname”: “mail.cgilfe.it”,\n “port”: “443”,\n “addressesResolved”: [\n “213.209.210.69”\n ],\n “addressUsed”: “213.209.210.69”\n }\n ]\n },\n {\n “type”: “dns-01”,\n “status”: “pending”,\n “uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/NjvMzRn8Luelsv0q80rjwzqihodvAlwszWxMQil4I6Y/23656084”,\n “token”: “xDl3WZHCR8ldUSwcSOJFYCDmgrPB3S7M_bVotMEL0IE”\n }\n ],\n “combinations”: [\n [\n 2\n ],\n [\n 1\n ],\n [\n 0\n ]\n ]\n}'
2017-01-25 10:53:25,728:DEBUG:acme.client:Received response <Response [200]> (headers: {‘Content-Length’: ‘1692’, ‘Expires’: ‘Wed, 25 Jan 2017 10:53:25 GMT’, ‘Boulder-Request-Id’: ‘q2KXR8J2gjM6wattdy7mga_NBJfNSbm5OS9CXcRRD0k’, ‘Strict-Transport-Security’: ‘max-age=604800’, ‘Server’: ‘nginx’, ‘Connection’: ‘keep-alive’, ‘Link’: ‘https://acme-staging.api.letsencrypt.org/acme/new-cert;rel=“next”’, ‘Pragma’: ‘no-cache’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Wed, 25 Jan 2017 10:53:25 GMT’, ‘X-Frame-Options’: ‘DENY’, ‘Content-Type’: ‘application/json’, ‘Replay-Nonce’: ‘uwiFgOrV-bIGWvNEG8Ws79eJdw3IVp-rUuCgpBCo13k’}): '{\n “identifier”: {\n “type”: “dns”,\n “value”: “mail.cgilfe.it”\n },\n “status”: “invalid”,\n “expires”: “2017-02-01T10:53:22Z”,\n “challenges”: [\n {\n “type”: “http-01”,\n “status”: “pending”,\n “uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/NjvMzRn8Luelsv0q80rjwzqihodvAlwszWxMQil4I6Y/23656082”,\n “token”: “zUrWQG6Zp9RkSY8_fzod64ermZUES3f9e1lYjVZDmRw”\n },\n {\n “type”: “tls-sni-01”,\n “status”: “invalid”,\n “error”: {\n “type”: “urn:acme:error:unauthorized”,\n “detail”: “Incorrect validation certificate for TLS-SNI-01 challenge. Requested 5c5a067811c105b04fd83e60cd9c4c7a.55eb680225f7c1d93b1c9f9902b0e8fd.acme.invalid from 213.209.210.69:443. Received certificate containing ‘mail.cgilfe.it’”,\n “status”: 403\n },\n “uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/NjvMzRn8Luelsv0q80rjwzqihodvAlwszWxMQil4I6Y/23656083”,\n “token”: “71LyqAkmc58Gul4wJVepipcTbZKfGF9034RIDTj3Bgk”,\n “keyAuthorization”: “71LyqAkmc58Gul4wJVepipcTbZKfGF9034RIDTj3Bgk.fTeWl5kB1hpVnpQIgnFjSav8T1FLDwjsioZcESNmv-k”,\n “validationRecord”: [\n {\n “hostname”: “mail.cgilfe.it”,\n “port”: “443”,\n “addressesResolved”: [\n “213.209.210.69”\n ],\n “addressUsed”: “213.209.210.69”\n }\n ]\n },\n {\n “type”: “dns-01”,\n “status”: “pending”,\n “uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/NjvMzRn8Luelsv0q80rjwzqihodvAlwszWxMQil4I6Y/23656084”,\n “token”: “xDl3WZHCR8ldUSwcSOJFYCDmgrPB3S7M_bVotMEL0IE”\n }\n ],\n “combinations”: [\n [\n 2\n ],\n [\n 1\n ],\n [\n 0\n ]\n ]\n}'
2017-01-25 10:53:25,729:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: mail.cgilfe.it
Type: unauthorized
Detail: Incorrect validation certificate for TLS-SNI-01 challenge. Requested 5c5a067811c105b04fd83e60cd9c4c7a.55eb680225f7c1d93b1c9f9902b0e8fd.acme.invalid from 213.209.210.69:443. Received certificate containing ‘mail.cgilfe.it

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
2017-01-25 10:53:25,729:INFO:certbot.auth_handler:Cleaning up challenges
2017-01-25 10:53:25,730:DEBUG:certbot.plugins.standalone:Stopping server at 0.0.0.0:443…
2017-01-25 10:53:25,798:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/mail.cgilfe.it.conf produced an unexpected error: Failed authorization procedure. mail.cgilfe.it (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested 5c5a067811c105b04fd83e60cd9c4c7a.55eb680225f7c1d93b1c9f9902b0e8fd.acme.invalid from 213.209.210.69:443. Received certificate containing ‘mail.cgilfe.it’. Skipping.
2017-01-25 10:53:25,800:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File “/usr/lib/python2.7/dist-packages/certbot/renewal.py”, line 348, in renew_all_lineages
main.obtain_cert(lineage_config, plugins, renewal_candidate)
File “/usr/lib/python2.7/dist-packages/certbot/main.py”, line 563, in obtain_cert
action, _ = _auth_from_domains(le_client, config, domains, lineage)
File “/usr/lib/python2.7/dist-packages/certbot/main.py”, line 96, in _auth_from_domains
renewal.renew_cert(config, domains, le_client, lineage)
File “/usr/lib/python2.7/dist-packages/certbot/renewal.py”, line 238, in renew_cert
new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
File “/usr/lib/python2.7/dist-packages/certbot/client.py”, line 253, in obtain_certificate
self.config.allow_subset_of_names)
File “/usr/lib/python2.7/dist-packages/certbot/auth_handler.py”, line 78, in get_authorizations
self._respond(resp, best_effort)
File “/usr/lib/python2.7/dist-packages/certbot/auth_handler.py”, line 135, in _respond
self._poll_challenges(chall_update, best_effort)
File “/usr/lib/python2.7/dist-packages/certbot/auth_handler.py”, line 199, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. mail.cgilfe.it (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested 5c5a067811c105b04fd83e60cd9c4c7a.55eb680225f7c1d93b1c9f9902b0e8fd.acme.invalid from 213.209.210.69:443. Received certificate containing ‘mail.cgilfe.it

2017-01-25 10:53:25,800:INFO:certbot.hooks:Running post-hook command: service nginx start
2017-01-25 10:53:25,926:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 9, in
load_entry_point(‘certbot==0.9.3’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python2.7/dist-packages/certbot/main.py”, line 776, in main
return config.func(config, plugins)
File “/usr/lib/python2.7/dist-packages/certbot/main.py”, line 592, in renew
renewal.renew_all_lineages(config)
File “/usr/lib/python2.7/dist-packages/certbot/renewal.py”, line 365, in renew_all_lineages
len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

My operating system is (include version): 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 GNU/Linux ver 8.7

My web server is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no

Can you share a few more details about your environment?

I see that you’re stopping nginx before trying to use the standalone plugin to solve the challenge. Looking at the HTTP headers your server sends, I see there’s an apache instance involved at some point (Server: Apache). If apache is actually the software that’s dealing with HTTPS, that’s what you’d have to stop first so that certbot can serve the correct validation certificate to solve the ownership challenge. That being said, I would’ve expected certbot to complain if port 443 is already in use by a different web server. Perhaps the HTTPS server is running on a different machine?

Thanks pfg for your response; you are right the server running HTTPS in witch i want renew cert is on different machine. I dont know why for this server certbot complain on renewal because there are also three different servers in the process that renewal go smoothly without problem.
I think you can view on logs on your side (all servers ending in cgilfe.it)

With tls-sni-01, the server that handles HTTPS needs to present a special certificate that validates domain ownership. Stopping your backend server (nginx here, I guess) and then running certbot on that machine won’t affect the HTTPS server - it will just keep sending the certificate for mail.cgilfe.it rather than the special validation certificate.

This is rather specific to the tls-sni-01 challenge type. With http-01, for example, it’s quite possible to solve the ownership challenge without having to do anything on the frontend server. http-01 basically involves putting a file under a specific path and then serving that when requested via HTTP on port 80. With certbot, you could do this with the webroot plugin, or with standalone using --standalone-supported-challenges http-01. As mentioned, this would require that you serve HTTP on port 80, even if it’s just a HTTP 301 redirect to the HTTPS address. (I think you’re only serving HTTPS on port 443 right now.)

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.