Dears,
I run a webserver (Ubuntu 14.04 with Apache 2.4.7) with one IP and five subdomains (subdomain0.domain.tld (with domain.tld as an alias), subdomain1.domain.tld, subdomain2.domain.tld …). All subdomains (and the domain) exclusively use one (WORKING) letsencrypt-generated certificate (SAN) which I need to renew now (with letsencrypt 0.5.0). “Exclusively” means that each of the (multiple) vhost.conf files for the subdomains redirects to my (single) ssl.conf files. I tried to renew the certificate in two different ways, each leading to a different error.
-
If I use “letsencrypt-auto renew --apache --dry-run” I get the following output:
Updating letsencrypt and virtual environment dependencies…
Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt renew --apache --dry-run
Processing /etc/letsencrypt/renewal/subdomain4.domain.tld.conf
2016-04-06 12:47:49,928:WARNING:letsencrypt.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/subdomain4.domain.tld.conf produced an unexpected error: Failed to run Apache plugin non-interactively
Missing command line flag or config entry for this setting:
We were unable to find a vhost with a ServerName or Address of subdomain1.domain.tld.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
Choices:
[‘00-default-subdomain0.conf | Multiple Names | | Enabled’,
‘02-subdomain2.conf | subdomain2.domain.tld | | Enabled’,
‘03-subdomain3.conf | subdomain3.domain.tld | | Enabled’,
‘04-subdomain4.conf | subdomain4.domain.tld | | Enabled’,
‘01-subdomain1.conf | subdomain1.domain.tl | | Enabled’]
(The best solution is to add ServerName or ServerAlias entries to the VirtualHost directives of your apache configuration files.). Skipping.
** DRY RUN: simulating ‘letsencrypt renew’ close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/subdomain4.domain.tld/fullchain.pem (failure)
** DRY RUN: simulating ‘letsencrypt renew’ close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)
“subdomain1.domain.tl” in the last line of the “Choices” (which I cannot choose from) is not a typo. It is also the very ServerName of which letsencrypt is unable to find a corresponding vhost. However, I double-checked my vhost files (unencrypted and encrypted) and they do not contain the typo. I also grep’ed the whole server and did not find any file containing the misspelled ServerName.
-
If I use “letsencrypt-auto renew --apache --dry-run” I get a dialog about which names I would like to activate HTTPS for. It gives me all my five subdomains (spelled correctly) and my domain and I choose all of them. Then I get a list of my vhost.conf files together with the corresponding ServerNames (or “Multiple Names” when a ServerAlias is present in the vhost.conf file). Here “subdomain.domain.tl” is misspelled again. In the dialog I get here I am asked to choose a virtual host for each (sub)domain. Then I get the following error message (all with server names spelled correctly):
Failed authorization procedure. domain.tld (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found ‘subdomain1.domain.tld, subdomain2.domain.tld, subdomain4.domain.tld, subdomain0.domain.tld, domain.tld, subdomain3.domain.tld’, subdomain3.domain.tld (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found ‘subdomain1.domain.tld, subdomain2.domain.tld, subdomain4.domain.tld, subdomain0.domain.tld, domain.tld, subdomain3.domain.tld’, subdomain4.domain.tld (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found ‘subdomain1.domain.tld, subdomain2.domain.tld, subdomain4.domain.tld, subdomain0.domain.tld, domain.tld, subdomain3.domain.tld’, subdomain0.domain.tld (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found ‘subdomain1.domain.tld, subdomain2.domain.tld, subdomain4.domain.tld, subdomain0.domain.tld, domain.tld, subdomain3.domain.tld’, subdomain2.domain.tld (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found ‘subdomain1.domain.tld, subdomain2.domain.tld, subdomain4.domain.tld, subdomain0.domain.tld, domain.tld, subdomain3.domain.tld’, subdomain1.domain.tld (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found ‘subdomain1.domain.tld, subdomain2.domain.tld, subdomain4.domain.tld, subdomain0.domain.tld, domain.tld, subdomain3.domain.tld’
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: domain.tld
Type: unauthorized
Detail: Correct zName not found for TLS SNI challenge. Found
‘subdomain1.domain.tld, subdomain2.domain.tld,
subdomain4.domain.tld, subdomain0.domain.tld, domain.tld,
subdomain3.domain.tld’
Domain: subdomain3.domain.tld
Type: unauthorized
Detail: Correct zName not found for TLS SNI challenge. Found
‘subdomain1.domain.tld, subdomain2.domain.tld,
subdomain4.domain.tld, subdomain0.domain.tld, domain.tld,
subdomain3.domain.tld’
Domain: subdomain4.domain.tld
Type: unauthorized
Detail: Correct zName not found for TLS SNI challenge. Found
‘subdomain1.domain.tld, subdomain2.domain.tld,
subdomain4.domain.tld, subdomain0.domain.tld, domain.tld,
subdomain3.domain.tld’
Domain: subdomain0.domain.tld
Type: unauthorized
Detail: Correct zName not found for TLS SNI challenge. Found
‘subdomain1.domain.tld, subdomain2.domain.tld,
subdomain4.domain.tld, subdomain0.domain.tld, domain.tld,
subdomain3.domain.tld’
Domain: subdomain2.domain.tld
Type: unauthorized
Detail: Correct zName not found for TLS SNI challenge. Found
‘subdomain1.domain.tld, subdomain2.domain.tld,
subdomain4.domain.tld, subdomain0.domain.tld, domain.tld,
subdomain3.domain.tld’
Domain: subdomain1.domain.tld
Type: unauthorized
Detail: Correct zName not found for TLS SNI challenge. Found
‘subdomain1.domain.tld, subdomain2.domain.tld,
subdomain4.domain.tld, subdomain0.domain.tld, domain.tld,
subdomain3.domain.tld’
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
-
Since the webserver and the current certificate (expiring soon) are working fine, my A record is not the problem. Also my (sub)domain names seem to be entered correctly since in every instance the “Domain” is included in the list of (sub)domains given under “Details”. It also doesn’t seem to be a problem of order, since in the last instance (subdomain1…) the domain corresponds to the first domain in the list.
What then is the real problem? Is this a DNS, SAN, Apache or spelling problem? Any suggestions appreciated! Thank you very much in advance!
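
The client output quoted above names two conditions: a certificate name with no vhost carrying a matching ServerName or ServerAlias, and conf files that hold more than one vhost. As an added example that is not part of the original post, this Python script checks a set of Apache conf files for both; the conf contents and name list are constructed samples, and `vhost_names` and `audit` are hypothetical helper names.

```python
import re

# One match per <VirtualHost ...> ... </VirtualHost> block (directives are case-insensitive).
VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.I | re.S)
# ServerName/ServerAlias at the start of a line; commented-out lines do not match.
NAME_RE = re.compile(r"^[ \t]*(ServerName|ServerAlias)[ \t]+(.+?)[ \t]*$", re.I | re.M)

def vhost_names(conf_text):
    """Return one set of ServerName/ServerAlias names per <VirtualHost> block."""
    blocks = []
    for body in VHOST_RE.findall(conf_text):
        names = set()
        for _directive, value in NAME_RE.findall(body):
            names.update(n.lower() for n in value.split())  # ServerAlias may list several
        blocks.append(names)
    return blocks

def audit(confs, cert_names):
    """confs: {filename: text}. Returns (cert names with no vhost, files with >1 vhost)."""
    seen, multi = set(), []
    for fname, text in sorted(confs.items()):
        blocks = vhost_names(text)
        if len(blocks) > 1:
            multi.append(fname)
        for names in blocks:
            seen |= names
    missing = sorted(n for n in cert_names if n.lower() not in seen)
    return missing, multi

# Constructed sample input (assumption): not the poster's real configuration.
SAMPLE_CONFS = {
    "01-subdomain1.conf": (
        "<VirtualHost *:80>\n"
        "    #ServerName subdomain1.domain.tld\n"
        "    Redirect permanent / https://subdomain1.domain.tld/\n"
        "</VirtualHost>\n"),
    "ssl.conf": (
        "<VirtualHost *:443>\n"
        "    ServerName subdomain0.domain.tld\n"
        "    ServerAlias domain.tld\n"
        "</VirtualHost>\n"
        "<VirtualHost *:443>\n"
        "    servername subdomain2.domain.tld\n"
        "</VirtualHost>\n"),
}
CERT_NAMES = ["domain.tld", "subdomain0.domain.tld",
              "subdomain1.domain.tld", "subdomain2.domain.tld"]

if __name__ == "__main__":
    missing, multi = audit(SAMPLE_CONFS, CERT_NAMES)
    print("names with no matching vhost:", missing)
    print("conf files with more than one vhost:", multi)
```

To run it against a real server, build the `confs` dictionary from the enabled site files and pass the names listed on the certificate as `cert_names`.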