I set up certbot at the end of July and thought it was correct. The certificate was issued without any real issues and a dry-run to try reissuing it then worked fine. However, the renewal is failing now and the error is confusing me - it’s saying the client lacks sufficient authorization despite running the renewal as root.
My domain is: mrjbanksy.com / kodi.mrjbanksy.com / mrjbanksy.no-ip.org
I ran this command: certbot renew
It produced this output:
[root@nuc ~]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mrjbanksy.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for kodi.mrjbanksy.com
tls-sni-01 challenge for mrjbanksy.com
tls-sni-01 challenge for mrjbanksy.no-ip.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (mrjbanksy.com) from /etc/letsencrypt/renewal/mrjbanksy.com.conf produced an unexpected error: Failed authorization procedure. kodi.mrjbanksy.com (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 6f382f5a7e7595f64ac3c771efeb0b07.55b73e9dcb6eb62c65c25ba704eb7d22.acme.invalid from 108.56.152.105:443. Received 2 certificate(s), first certificate had names "kodi.mrjbanksy.com, mrjbanksy.com, mrjbanksy.no-ip.org", mrjbanksy.no-ip.org (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested a3bb99d7780a2c0b681870232ec89a45.e982fd8092ec84a05264c867bb685bf9.acme.invalid from 108.56.152.105:443. Received 2 certificate(s), first certificate had names "kodi.mrjbanksy.com, mrjbanksy.com, mrjbanksy.no-ip.org", mrjbanksy.com (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 4eb1511c33d590849da254b7ca311b3d.58934ae8057dae4adb3fe06125fbc004.acme.invalid from 108.56.152.105:443. Received 2 certificate(s), first certificate had names "kodi.mrjbanksy.com, mrjbanksy.com, mrjbanksy.no-ip.org". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mrjbanksy.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mrjbanksy.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: kodi.mrjbanksy.com
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
6f382f5a7e7595f64ac3c771efeb0b07.55b73e9dcb6eb62c65c25ba704eb7d22.acme.invalid
from 108.56.152.105:443. Received 2 certificate(s), first
certificate had names "kodi.mrjbanksy.com, mrjbanksy.com,
mrjbanksy.no-ip.org"
Domain: mrjbanksy.no-ip.org
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
a3bb99d7780a2c0b681870232ec89a45.e982fd8092ec84a05264c867bb685bf9.acme.invalid
from 108.56.152.105:443. Received 2 certificate(s), first
certificate had names "kodi.mrjbanksy.com, mrjbanksy.com,
mrjbanksy.no-ip.org"
Domain: mrjbanksy.com
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
4eb1511c33d590849da254b7ca311b3d.58934ae8057dae4adb3fe06125fbc004.acme.invalid
from 108.56.152.105:443. Received 2 certificate(s), first
certificate had names "kodi.mrjbanksy.com, mrjbanksy.com,
mrjbanksy.no-ip.org"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
– also in /var/log/nginx/error.log every time I try to renew:
2018/10/02 23:40:04 [emerg] 1179#0: open() “/var/lib/letsencrypt/access.log” failed (13: Permission denied) - shouldn’t that be /var/log, not /var/lib?
My web server is (include version): nginx/1.12.1
The operating system my web server runs on is (include version): Fedora 27
My hosting provider, if applicable, is: N/A
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no