Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
It produced this output:
Attempting to renew cert (mail.spacetux.net) from /etc/letsencrypt/renewal/mail.spacetux.net.conf produced an unexpected error: Failed authorization procedure. mail.spacetux.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 163096d7af3f4817d0a7172855b0696a.52084125ce5aa8d8fee9d1d3b6375a78.acme.invalid from 96.248.104.29:443. Received 2 certificate(s), first certificate had names “jenkins.spacetux.net”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.spacetux.net/fullchain.pem (failure)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.spacetux.net/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: mail.spacetux.net
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
163096d7af3f4817d0a7172855b0696a.52084125ce5aa8d8fee9d1d3b6375a78.acme.invalid
from 96.248.104.29:443. Received 2 certificate(s), first
certificate had names “jenkins.spacetux.net”
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version):
Apache 2.4
The operating system my web server runs on is (include version):
Centos 7
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
This error is due to the TLS-SNI-01 challenge... (and it would have some issue when they are edited by certbot... I guess it's because the certificate is not in the "expected" position in certbot files)
Are you sure? I tried connecting to mail.spacetux.net and the service on port 443 claims to be nginx.
Port 80 doesn't seem to respond at all - you probably need to open it in your firewall if you want to use stevenzhu's suggestion. If you originally obtained a certificate using certbot's apache or nginx plugins, it will try to use the same server to answer the challenge on port 80, so that server will need to be able to receive connections there.
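The error at the top of the thread says the validation server asked 96.248.104.29:443 for the mail.spacetux.net challenge and got back a certificate for jenkins.spacetux.net, which is exactly what the replies above are probing by hand. The script below is an added example, not from the thread or from certbot, for repeating that check from any machine: it fetches the certificate that a host presents on port 443 (sending the same SNI name the validation server would) and lists every DNS name it covers. `SAMPLE_CERT_TEXT` is a constructed imitation of `openssl x509 -text` output, used only to exercise the parser offline; the hostname in the usage line is the one from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): see which certificate a host presents
# on port 443, the way the validation server saw it. SAMPLE_CERT_TEXT is
# constructed to mimic `openssl x509 -text` output for offline parsing tests.
set -u

# Fetch the certificate served on port 443 in text form.
# `< /dev/null` closes the session right after the handshake;
# -servername matters because the validation request carries SNI too.
served_cert_text() {
    host="$1"; sni="${2:-$1}"
    openssl s_client -connect "$host:443" -servername "$sni" < /dev/null 2>/dev/null |
        openssl x509 -noout -text
}

# Read certificate text on stdin and print every DNS name it covers:
# the subject CN first, then subjectAltName entries, without duplicates.
cert_dns_names() {
    awk '
        /^[ \t]*Subject:/ {
            if (match($0, /CN *= *[^,]+/)) {
                cn = substr($0, RSTART, RLENGTH)
                sub(/^CN *= */, "", cn); sub(/[ \t]+$/, "", cn)
                print cn
            }
        }
        /DNS:/ {
            n = split($0, part, /,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (part[i] ~ /^[ \t]*DNS:/) { sub(/^[ \t]*DNS:/, "", part[i]); print part[i] }
        }
    ' | awk '!seen[$0]++'
}

# Exit status 0 if the certificate served by host $1 actually covers name $1.
host_serves_own_name() {
    served_cert_text "$1" | cert_dns_names | grep -qxF -- "$1"
}

# Constructed sample: the shape of the certificate the thread's error describes
# (a jenkins certificate answering on the address mail.spacetux.net resolves to).
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Subject: C=US, O=Example Org, CN=jenkins.spacetux.net
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:jenkins.spacetux.net, DNS:www.jenkins.spacetux.net
'

# Usage: sh check_served_cert.sh mail.spacetux.net
if [ $# -eq 1 ]; then
    if host_serves_own_name "$1"; then
        echo "$1: port 443 serves a certificate for this name"
    else
        echo "$1: port 443 answers with a certificate for other names:" >&2
        served_cert_text "$1" | cert_dns_names >&2
        exit 1
    fi
fi
```

A non-zero exit with a list of other names is the situation in this thread: the address the domain resolves to is answered on 443 by a different server (or a different vhost), so whatever certbot installs locally never reaches the validator. The parser reads the `-text` form rather than `-ext subjectAltName` so it also works with the OpenSSL 1.0.2 shipped on CentOS 7.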
I see what’s going on.
I have two servers in this network:
Jenkins, running nginx and listening on 443
netfiles, running apache, and temporarily listening on 80
It is netfiles I’m having the problem with. I’ve updated it to listen on 80, and was able to get the certificate updated.
But, I don’t like leaving 80 open, so, is there a specific IP or range of IPs which will do the challenge, so I can restrict what comes to the server at the firewall?
No, whitelisting IPs is explicitly an unsupported configuration. There aren't really any issues leaving 80 open, particularly if you configure whatever is listening on 80 to serve redirects to 443. In fact, that's arguably a more secure configuration.
But if you really don’t want to do that for some reason, there is a possible alternative: if you’re comfortable with temporarily opening port 80 (and with writing simple shell scripts), you can put scripts in the pre and post directories under /etc/letsencrypt/renewal-hooks/ to open and close the port before and after any renewal attempt.
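As an added example of the renewal-hooks approach just described (not code from the thread or from certbot), here is one script that opens port 80 before a renewal attempt and closes it again afterwards. It assumes firewalld, the CentOS 7 default, with the `public` zone; the file names under `/etc/letsencrypt/renewal-hooks/pre/` and `/post/` are my choice. The same file is installed in both directories and decides what to do from its own location, so there is only one copy of the logic to maintain.

```shell
#!/bin/sh
# Added example, not from the thread: open port 80 before a renewal attempt
# and close it afterwards, using firewalld (CentOS 7 default).
# Install the same file twice, executable:
#   /etc/letsencrypt/renewal-hooks/pre/port80.sh   (certbot runs it before renewal)
#   /etc/letsencrypt/renewal-hooks/post/port80.sh  (certbot runs it after)
# The firewalld zone name and the file names are assumptions.
set -eu

ZONE="${ZONE:-public}"
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"   # overridable for dry runs

# Map the hook's own path to an action: pre -> open, post -> close.
hook_action_from_path() {
    case "$1" in
        */renewal-hooks/pre/*)  echo open ;;
        */renewal-hooks/post/*) echo close ;;
        *)                      echo unknown ;;
    esac
}

# Translate an action into firewall-cmd arguments. Runtime-only rules
# (no --permanent), so an opened port cannot survive a reboot or reload
# even if the post hook never runs.
firewall_args_for() {
    case "$1" in
        open)  echo "--zone=$ZONE --add-port=80/tcp" ;;
        close) echo "--zone=$ZONE --remove-port=80/tcp" ;;
        *)     return 1 ;;
    esac
}

# Run the action implied by the given script path. Returns non-zero if the
# script is not installed under renewal-hooks/pre or /post; for a pre hook
# that aborts the renewal instead of leaving the port in an unknown state.
run_hook() {
    action=$(hook_action_from_path "$1")
    args=$(firewall_args_for "$action") || {
        echo "port80.sh: not installed under renewal-hooks/pre or /post" >&2
        return 1
    }
    # shellcheck disable=SC2086  # word-splitting of $args is intended
    "$FIREWALL_CMD" $args
}

# Only act when certbot (or an operator) runs this file from a hook directory;
# sourcing it from elsewhere just defines the functions.
case "$(hook_action_from_path "$0")" in
    open|close) run_hook "$0" ;;
esac
```

Hooks in those directories run with no arguments, which is why the script keys off `$0`. Make both copies executable, then `certbot renew --dry-run` exercises the pre and post hooks without touching the installed certificate; `FIREWALL_CMD=echo sh /etc/letsencrypt/renewal-hooks/pre/port80.sh` shows the firewall command that would run.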