Renewal of certificate on nginx / Fedora 27 not working

I set up certbot at the end of July and thought it was correct. The certificate was issued without any real issues and a dry-run to try reissuing it then worked fine. However, the renewal is failing now and the error is confusing me - it’s saying the client lacks sufficient authorization despite running the renewal as root.

My domain is: mrjbanksy.com / kodi.mrjbanksy.com / mrjbanksy.no-ip.org

I ran this command: certbot renew

It produced this output:
[root@nuc ~]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mrjbanksy.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for kodi.mrjbanksy.com
tls-sni-01 challenge for mrjbanksy.com
tls-sni-01 challenge for mrjbanksy.no-ip.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (mrjbanksy.com) from /etc/letsencrypt/renewal/mrjbanksy.com.conf produced an unexpected error: Failed authorization procedure. kodi.mrjbanksy.com (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 6f382f5a7e7595f64ac3c771efeb0b07.55b73e9dcb6eb62c65c25ba704eb7d22.acme.invalid from 108.56.152.105:443. Received 2 certificate(s), first certificate had names "kodi.mrjbanksy.com, mrjbanksy.com, mrjbanksy.no-ip.org", mrjbanksy.no-ip.org (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested a3bb99d7780a2c0b681870232ec89a45.e982fd8092ec84a05264c867bb685bf9.acme.invalid from 108.56.152.105:443. Received 2 certificate(s), first certificate had names "kodi.mrjbanksy.com, mrjbanksy.com, mrjbanksy.no-ip.org", mrjbanksy.com (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 4eb1511c33d590849da254b7ca311b3d.58934ae8057dae4adb3fe06125fbc004.acme.invalid from 108.56.152.105:443. Received 2 certificate(s), first certificate had names "kodi.mrjbanksy.com, mrjbanksy.com, mrjbanksy.no-ip.org". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mrjbanksy.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mrjbanksy.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: kodi.mrjbanksy.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   6f382f5a7e7595f64ac3c771efeb0b07.55b73e9dcb6eb62c65c25ba704eb7d22.acme.invalid
   from 108.56.152.105:443. Received 2 certificate(s), first
   certificate had names "kodi.mrjbanksy.com, mrjbanksy.com,
   mrjbanksy.no-ip.org"

   Domain: mrjbanksy.no-ip.org
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   a3bb99d7780a2c0b681870232ec89a45.e982fd8092ec84a05264c867bb685bf9.acme.invalid
   from 108.56.152.105:443. Received 2 certificate(s), first
   certificate had names "kodi.mrjbanksy.com, mrjbanksy.com,
   mrjbanksy.no-ip.org"

   Domain: mrjbanksy.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   4eb1511c33d590849da254b7ca311b3d.58934ae8057dae4adb3fe06125fbc004.acme.invalid
   from 108.56.152.105:443. Received 2 certificate(s), first
   certificate had names "kodi.mrjbanksy.com, mrjbanksy.com,
   mrjbanksy.no-ip.org"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

– also in /var/log/nginx/error.log every time I try to renew:
2018/10/02 23:40:04 [emerg] 1179#0: open() “/var/lib/letsencrypt/access.log” failed (13: Permission denied) - shouldn’t that be /var/log, not /var/lib?

My web server is (include version): nginx/1.12.1

The operating system my web server runs on is (include version): Fedora 27

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hi,

This is not that much of a issue though....

This is a matter of TLS-SNI being depreciated...

One easy fix: sudo certbot renew --preferred-challenges http
It will convert all validations from TLS-SNI-01 (use port 443) to HTTP-01 (use port 80)

Thank you

P.S. Official depreciation announcement:

Some personal interpretation on this error (not the depreciation):

That was an amazingly fast, correct, simple answer. Thank you very much.

It looks like Certbot actually does that on purpose.

When doing TLS-SNI-01 validation, Certbot momentarily creates a whole new virtual host, which should receive no actual HTTP requests. Seems it's set to log to /var/lib/letsencrypt.

systemd or something might be preventing Nginx from accessing it.

HTTP-01 validation is implemented separately and Certbot doesn't set up logging like that, so switching to it should avoid the issue.

This might be worth filing a Certbot issue about, but since TLS-SNI-01 is being phased out anyway...

Yeah… If I got handed a bug report for a deprecated feature my response would probably be along the lines of ¯_(ツ)_/¯

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.