Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: hornnes-ikt.privat.net
I ran these commands: sudo certbot renew --dry-run and then sudo certbot renew
They produced this output:
Processing /etc/letsencrypt/renewal/support.hornnes-ikt.privat.net.conf
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for support.hornnes-ikt.privat.net
Waiting for verification...
Cleaning up challenges
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/support.hornnes-ikt.privat.net/fullchain.pem
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/support.hornnes-ikt.privat.net/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
support@support:~$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/support.hornnes-ikt.privat.net.conf
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for support.hornnes-ikt.privat.net
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (support.hornnes-ikt.privat.net) from /etc/letsencrypt/renewal/support.hornnes-ikt.privat.net.conf produced an unexpected error: Failed authorization procedure. support.hornnes-ikt.privat.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested ed991d79be8a7058ea0790d1f49435b7.e949ccbaa75a05dde3fcd21dbebf2591.acme.invalid from 81.166.59.29:443. Received 1 certificate(s), first certificate had names "netgear vpn firewall ". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/support.hornnes-ikt.privat.net/fullchain.pem (failure)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/support.hornnes-ikt.privat.net/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: support.hornnes-ikt.privat.net
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
ed991d79be8a7058ea0790d1f49435b7.e949ccbaa75a05dde3fcd21dbebf2591.acme.invalid
from 81.166.59.29:443. Received 1 certificate(s), first certificate
had names "netgear vpn firewall "
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version): Apache 2 2.4.29
The operating system my web server runs on is (include version): Ubuntu 18.04
My hosting provider, if applicable, is: none
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
What is strange is this: I had no errors when I first installed the first certbot certificate. Furthermore, the dry run ran ok. The response is strange as the address 81.166.56.29 is correctly registered externally in DNS as belonging to this server: support.hornnes-ikt.privat.net which is making the request.
The "Received 1 certificate(s), first certificate had names "netgear vpn firewall "" response is also strange. The support server is connected to the internet via a Netgear vpn firewall router which redirects all traffic to 81.166.55.29 to the internal server. The router does not have a host or domain name so I don't understand the problem here - especially since the same router was in place when I installed the first certificate.
In addition, I now have another issue. I thought to try using the following command sudo certbot renew --apache, but that threw up a new can of worms, saying that I had exceeded the limit of invalid authorizations - 5, I believe - and that I now have to wait a week to try all of this again. My certificate expires tomorrow.
Can I reset the whole mess by uninstalling the entire certbot package, or are the failed authentications saved on a central site somewhere?