Unable to renew certificates. Incorrect validation certificate [solved]


#1

I issue a normal

certbot renew --dry-run

And I get this response:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/www.collstrup.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.collstrup.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (www.collstrup.com) from /etc/letsencrypt/renewal/www.collstrup.com.conf produced an unexpected error: Failed authorization procedure. collstrup.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 177ed000e6184440ac342f05cef3d3e8.6f8e3d6ef80587ee6b8087dce4c8cc64.acme.invalid from 77.215.239.148:443. Received 2 certificate(s), first certificate had names “collstrup.com” (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. …
Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.collstrup.com/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.collstrup.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: collstrup.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    177ed000e6184440ac342f05cef3d3e8.6f8e3d6ef80587ee6b8087dce4c8cc64.acme.invalid
    from 77.215.239.148:443. Received 2 certificate(s), first
    certificate had names “collstrup.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

(snipped because of max link limit)
DNS is correct.


#2

Please share your /var/log/letsencrypt/letsencrypt.log file. Use the </> button before pasting it to prevent the forum software from creating links in it.


#3

Here it comes.

log is to big … even for the </> button so it comes as a paste bin

https://pastebin.com/4hGjuV22

/Anders


#4

The pastebin made me take another and closer look at the log file.

It seams that certbot create a temp ssl conf file in /etc/httpd/conf.d

But since I use php7 from scl on centos7 then I need httpd24 from scl as well.
So my conf.d is in /opt/rh/httpd24/root/etc/httpd/conf.d

So I made a symbolic link from /etc/httpd/conf.d -> /opt/rh/httpd24/root/etc/httpd/conf.d
and then it worked :slight_smile:
At least from command line with --dry-run. So I will wait now and check if not the cronjob want to update the certs.

Thanks for the help


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.