Renewal failing with multiple subdomains

I have an nginx server which serves 2 domains (xxxx and yyyy) with multiple subdomains.
I have set the following certificates:

lab.xxxx.com
dev.xxxx.com
xxxx.com, www.xxxx.com, api.xxxx.com, static.xxxx.com

lab.yyyy.com
dev.yyyy.com
yyyy.com, www.yyyy.com, api.yyyy.com, static.yyyy.com

I have set the authenticator to be “nginx”.

Whenever I try a renew of any of the lab or dev certificates, I get the error:

Domain: lab.yyyy.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   7f3bf0212c69...d722.58a3a1c93eeabbed3ed14e39677de9ea.acme.invalid
   from xx.xx.xx.xx:443. Received 2 certificate(s), first
   certificate had names "api.xxxx.com, static.xxxx.com,
   xxxx.com, www.xxxx.com"

If anyone can help, I’m not sure what I am doing wrong…

Thanks!

Please post the complete log message and which command you executed.

Yes, sure:
/opt/letsencrypt/letsencrypt-auto certonly --config dev.yyyy.letsencrypt-conf

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
/opt/eff.org/certbot/venv/lib/python2.6/site-packages/acme/jose/jwa.py:110: DeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
  signer = key.signer(self.padding, self.hash)
Performing the following challenges:
tls-sni-01 challenge for dev.yyyy.me
nginx: [warn] duplicate MIME type "text/html" in /etc/nginx/nginx.conf:105
Waiting for verification...
Cleaning up challenges
nginx: [warn] duplicate MIME type "text/html" in /etc/nginx/nginx.conf:103
Failed authorization procedure. dev.yyyy.me (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 1a3d026494d0475888b3e70.e2c0777f93442da0b76083.acme.invalid from 37.187.27.233:443. Received 2 certificate(s), first certificate had names "api.xxxx.com, static.xxxx.com, xxxx.com, www.xxxx.com"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: dev.yyyy.me
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   1a3d026494d0475ce90f0xxxxxe70.e2c0749bdexxxxxxx93442da0b76083.acme.invalid
   from xxx.xxx.xxx.xxx:443. Received 2 certificate(s), first
   certificate had names "api.xxxx.com, static.xxxx.com,
   xxxx.com, www.xxxx.com"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Maybe I found the reason, but not the solution.

The SSL port we use on dev.yyyy.com is not the standard 443 one, but another one (21211).
This is probably the reason why the authentication fails.
Is there a way of specifying the port for auth in the Let's Encrypt config?

certbot sets up nginx via a special configuration to perform tls-sni-01 authentication. Your own configuration seems to interfere with that, but not regarding the port. This has to be investigated by someone who is fit with certbot and nginx. Maybe @schoen could have a look into it.
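To see this interference from the operator's side, the following script (added here; it is not code from the thread, from Certbot or from nginx) reproduces the lookup the ACME validation server performs for tls-sni-01: it connects to the host on a given port, sends the challenge name in the TLS SNI extension, and lists the DNS names on the certificate that comes back. If nginx routes that SNI to a different server block than the one Certbot installed, the names reported are the site's own, exactly as in the "first certificate had names ..." error above. Host, port and SNI name are assumptions passed on the command line; the subjectAltName reader is a minimal DER scanner written for this example, not a full X.509 parser, and the built-in sample certificate bytes are constructed to mirror the names in the error message.

```python
"""Reproduce the tls-sni-01 SNI lookup and report which DNS names the
presented certificate carries. Added example; assumptions are noted inline."""
import socket
import ssl
import sys

# OID 2.5.29.17 (subjectAltName) as a DER OBJECT IDENTIFIER.
SAN_OID = b"\x06\x03\x55\x1d\x11"


def der_tlv(tag, body):
    """Encode one DER tag-length-value element (bodies up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def read_tlv(buf, pos):
    """Decode the DER element at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def san_names_from_der(der):
    """Return the dNSName entries of the subjectAltName extension.
    Minimal scanner: find the extension by OID, walk the GeneralNames."""
    idx = der.find(SAN_OID)
    if idx < 0:
        return []
    tag, value, pos = read_tlv(der, idx + len(SAN_OID))
    if tag == 0x01:  # optional "critical" BOOLEAN precedes extnValue
        tag, value, pos = read_tlv(der, pos)
    if tag != 0x04:  # extnValue must be an OCTET STRING
        return []
    _, general_names, _ = read_tlv(value, 0)  # SEQUENCE OF GeneralName
    names, p = [], 0
    while p < len(general_names):
        t, v, p = read_tlv(general_names, p)
        if t == 0x82:  # [2] IMPLICIT IA5String is dNSName
            names.append(v.decode("ascii"))
    return names


def certificate_matches(der, expected_name):
    """True if expected_name is among the certificate's DNS SANs."""
    return expected_name.lower() in (n.lower() for n in san_names_from_der(der))


def presented_cert_der(host, port, sni_name, timeout=5.0):
    """Connect to host:port with sni_name as SNI and return the leaf cert
    in DER form. Verification is off: the tls-sni-01 validation
    certificate is self-signed by design, so the names are what matter."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            return tls.getpeercert(binary_form=True)


def explain(der, expected_name):
    """Verdict in the style of the ACME error text."""
    if certificate_matches(der, expected_name):
        return "ok: certificate carries %s" % expected_name
    return "mismatch: wanted %s, received certificate with names %s" % (
        expected_name, ", ".join(san_names_from_der(der)) or "(none)")


# Constructed sample: only the SAN extension is real DER, the wrapper is
# filler so the scanner has something to search through.
SAMPLE_NAMES = ["api.xxxx.com", "static.xxxx.com", "xxxx.com", "www.xxxx.com"]
SAMPLE_SAN_EXT = der_tlv(0x30, SAN_OID + der_tlv(0x04, der_tlv(
    0x30, b"".join(der_tlv(0x82, n.encode("ascii")) for n in SAMPLE_NAMES))))
SAMPLE_CERT_DER = der_tlv(0x30, der_tlv(0x02, b"\x02") + SAMPLE_SAN_EXT)


if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: host port <token>.<hash>.acme.invalid
        host, port, sni = sys.argv[1], int(sys.argv[2]), sys.argv[3]
        print(explain(presented_cert_der(host, port, sni), sni))
    else:  # offline demo on the constructed sample with a placeholder SNI
        print(explain(SAMPLE_CERT_DER, "example-token.acme.invalid"))
```

Run it against the site on port 443 (the port the validation server uses, regardless of which port the site itself listens on) while Certbot is waiting for verification; the names it prints for the acme.invalid SNI show which server block nginx actually selected.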

That would be great!
