Request certificate failed. Receive 2 certificate(s), first certificate had names "sub.domain.com"


#1

I am facing a problem. I tried to get the certificate by running a command like the one below:
./letsencrypt-auto certonly --keep-until-expiring --standalone -d registry.smartcity.jakarta.go.id --email smartcityjakarta@gmail.com

But I got an error like this:

Failed authorization procedure. registry.smartcity.jakarta.go.id (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested 54647b1677e1eb3ff90a2fc6590d1feb.c01dd16c6a616041a3fb10c3b35a9c98.acme.invalid from 121.100.17.134:443. Received 2 certificate(s), first certificate had names "fusion.jakarta.go.id"

It looks like they have got the certificate. How can I get the new one?

And this is the screenshot.

Thanks in advance


#2

Hi @fzlrhmn,

How did you decide to use --standalone here?

When using --standalone, Certbot will run its own temporary web server which will then try to answer requests from the certificate authority to prove that you really control the domain (and so that you are entitled to get a certificate for it).

But in this case, when the certificate authority checked, it found another web server answering, with, as you said, an existing certificate. This is strange because normally when another web server is present, --standalone produces an error right away that it can’t listen on the TCP port in question because the port is already taken.

Is it possible that you ran this command on a different machine from the web server itself, such as on your own development workstation instead of the web server?


#3

Hi @schoen,

I decided to use --standalone because I use a Docker container that doesn’t use a web server to run. Of course I ran this command on a different machine. I just don’t understand why it doesn’t work.


#4

Certbot expects to be run on the actual web server that’s currently hosting the sites for which the certificate will be issued. If that’s not the case, you can use --manual (but note that this completely prevents using the automated renewal features). There are also some other options depending on how you want to prove your control over the domain.
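
A small triage helper for the failure in post #1, as an added example that is not part of the original thread and not Certbot's own code: it parses the TLS-SNI-01 error text and checks whether the address the certificate authority probed belongs to the machine where Certbot ran. The function name, the cause labels and the local address list are assumptions made for illustration; 192.0.2.10 is a constructed address.

```python
import ipaddress
import re

# Pattern for the TLS-SNI-01 failure text quoted in post #1.
TLS_SNI_ERR = re.compile(
    r"Requested (?P<requested>\S+\.acme\.invalid) from (?P<ip>\S+):(?P<port>\d+)\. "
    r'Received (?P<count>\d+) certificate\(s\), first certificate had names "(?P<names>[^"]*)"'
)

def diagnose(error_text, local_addrs):
    """Return parsed fields plus a likely cause, or None if the text does not match.

    local_addrs: addresses bound on the machine where Certbot ran (caller-supplied).
    Behind NAT the public address is never local, so "not-local" then means
    "check where port 443 is forwarded" rather than "wrong machine".
    """
    m = TLS_SNI_ERR.search(error_text)
    if m is None:
        return None
    probed = ipaddress.ip_address(m["ip"].strip("[]"))
    local = {ipaddress.ip_address(a) for a in local_addrs}
    # Assumption: multiple names, if present, are comma-separated.
    names = [n.strip() for n in m["names"].split(",") if n.strip()]
    if probed not in local:
        cause = "not-local"        # the CA reached a different host than this one
    elif not any(n.endswith(".acme.invalid") for n in names):
        cause = "other-listener"   # another server on this host answered on the port
    else:
        cause = "unknown"
    return {"requested": m["requested"], "probed_ip": str(probed),
            "port": int(m["port"]), "cert_count": int(m["count"]),
            "served_names": names, "cause": cause}

# Error text taken from post #1; the local addresses are constructed sample values.
SAMPLE_ERROR = (
    "Incorrect validation certificate for TLS-SNI-01 challenge. Requested "
    "54647b1677e1eb3ff90a2fc6590d1feb.c01dd16c6a616041a3fb10c3b35a9c98.acme.invalid "
    "from 121.100.17.134:443. Received 2 certificate(s), "
    'first certificate had names "fusion.jakarta.go.id"'
)
SAMPLE_LOCAL = ["127.0.0.1", "192.0.2.10"]

if __name__ == "__main__":
    print(diagnose(SAMPLE_ERROR, SAMPLE_LOCAL))
```
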

