Renewal fails on domain pointing to 2nd IP address on server

I have several domains on my server, all pointing to one IP address (the primary one). However, one domain name points to another IP address on the server. I fail to renew that domain, the others work fine.

The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)
1 renew failure(s), 0 parse failure(s)


  • The following errors were reported by the server:

    Type: unauthorized
    Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
    Requested .*
    fe865de2.acme.invalid from Received certificate
    containing '

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

The DNS settings for the domain are:
Type Name Value TTL Actions
a @ 1 Hour

I would like to know if the message “.invalid from” means that it got the request from the IP and rejected it, or that it expected that one and it did not come from there?


Boulder expected the blahblah.acme.invalid challenge from that IP address (by temporary adding an extra vhost to the Apache configuration on the server you're running the software on), but it got, which is not (obviously) the same as the challenge. Could be it's asking another server or it could be a problem with your Apache configuration.

Also, I'm seeing only one IP address pointing to your domain

Hi, thanks for the reply!
Yes, is the only domain on that IP address. All other domains point to the other IP address of that server.

that domain is setup in apache as [VirtualHost]…[/VirtualHost], all others as [VirtualHost *:443]…[/VirtualHost]

while I think I understand what you wrote above what boulder expected and what it got, I am not sure what to do with that information or how to fix the issue.

Your post doesn’t mention which plugin you’re using - I’m assuming it’s the apache plugin.

The way the apache plugin works is that it adds a temporary <VirtualHost> with a “fake” certificate and SNI hostname that solves the TLS-SNI-01 challenge. Since this server has multiple IP addresses, I’m not certain if the apache plugin is capable of determining the correct IP address to listen on for this temporary <VirtualHost>. I haven’t seen any success stories that explicitly mention this scenario, at least.

Your best bet might be to switch to the webroot plugin, which works by writing files to your existing DocumentRoot. If you’d like to continue using the automatic apache configuration while using the webroot authenticator, try something like this:

./certbot-auto --authenticator webroot --installer apache -w /var/www/html -d

(If you’re currently using letsencrypt-auto instead of certbot-auto, that should work as well.)

1 Like

Great, thanks, that worked!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.