Unable to renew a cert for a domain alias


#1

I have my domain mapped to stackpath CDN. I had created a certificate but don’t remember the process right now. If I am trying to renew, its giving the following errors.

Pls assist.

My domain is:
js.assets.botman.ninja

I ran this command:
sudo certbot renew

It produced this output:
Attempting to renew cert (js.assets.botman.ninja) from /etc/letsencrypt/renewal/js.assets.botman.ninja.conf produced an unexpected error: Failed authorization procedure. js.assets.botman.ninja (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested bf38d182749efbd04ac65b6b5278ddc0.70454125669bb092f50f3eb73e584269.acme.invalid from 151.139.240.13:443. Received 2 certificate(s), first certificate had names “*.stackpathdns.com, stackpathdns.com”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/js.assets.botman.ninja/fullchain.pem (failure)

My web server is (include version):
Apache2.4

The operating system my web server runs on is (include version):
Ubuntu 14.04

My hosting provider, if applicable, is:
Google Cloud

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes. I can

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#2

Your certbot configuration is renewing the certificate with the TLS-SNI-01 challenge type. This challenge type won’t work with a CDN in front of your website terminating TLS on your behalf (and this challenge type has also been deprecated and can’t be used except for renewals).

@deeps What version of Certbot are you using? You will want to change to using the HTTP-01 challenge with the Certbot nginx plugin. If you share more information about your Certbot instance and how you installed it someone can likely provide you with the steps required.


#3

Hey @cpu , I got the clue and used the option of --preferred-challenges in the option, and specified http. It renewed the certs instantly.

Thanks for the tip.


#4

Great! Glad to hear it worked :slight_smile:


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.