Unable to renew or create cert


#1

Hi,

I was unable to renew my certificates on a webserver. Removed them and tryed to create new ones. This fails with the following message:

Failed authorization procedure. odoo.ex-nihilo-paris.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 17b1dc0fff166e54361b527a012851e4.5cf4899048b6d55247147a2358a56424.acme.invalid from [2001:41d0:8:8ad3::]:443. Received 1 certificate(s), first certificate had names "odoo.ex-nihilo-paris.com"

   Domain: odoo.ex-nihilo-paris.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   17b1dc0fff166e54361b527a012851e4.5cf4899048b6d55247147a2358a56424.acme.invalid
   from [2001:41d0:8:8ad3::]:443. Received 1 certificate(s), first
   certificate had names "odoo.ex-nihilo-paris.com"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

My domain is: odoo.ex-nihilo-paris.com

I ran this command: sudo certbot --nginx

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: odoo.ex-nihilo-paris.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):1
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for odoo.ex-nihilo-paris.com
Generating key (1024 bits): /var/lib/letsencrypt/snakeoil/0003_key.pem
/usr/lib/python2.7/dist-packages/OpenSSL/rand.py:58: UserWarning: implicit cast from 'char *' to a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct)
  result_code = _lib.RAND_bytes(result_buffer, num_bytes)
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. odoo.ex-nihilo-paris.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 17b1dc0fff166e54361b527a012851e4.5cf4899048b6d55247147a2358a56424.acme.invalid from [2001:41d0:8:8ad3::]:443. Received 1 certificate(s), first certificate had names "odoo.ex-nihilo-paris.com"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: odoo.ex-nihilo-paris.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   17b1dc0fff166e54361b527a012851e4.5cf4899048b6d55247147a2358a56424.acme.invalid
   from [2001:41d0:8:8ad3::]:443. Received 1 certificate(s), first
   certificate had names "odoo.ex-nihilo-paris.com"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

Checked the DNS configuration: correct.

$ dig odoo.ex-nihilo-paris.com A +short
5.39.72.211

dig odoo.ex-nihilo-paris.com AAAA +short
2001:41d0:8:8ad3::

Access to http://odoo.ex-nihilo-paris.com/.well-known/test.txt works fine on both a IPv4 computer and IPv6 computer.

My web server is (include version): nginx/1.6.2

The operating system my web server runs on is (include version): Debian 8 Jessie (edited, was Ubuntu 16.04 by mistake)

My hosting provider, if applicable, is: OVH.com

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2
  1. Make sure you are upgraded to the latest version of Certbot: https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx. The behavior of your Certbot indicates it may be pretty old.
  2. Try add --preferred-challenges http to the end of your certbot command, TLS-SNI was disabled a while ago, and this is also somewhat related to old Certbot versions.

#3

Hi _az,

Current certbot version: certbot 0.10.2

  1. Update not possible: http://ppa.launchpad.net/certbot/certbot/ubuntu/dists/jessie/main/binary-amd64/Packages 404 Not Found
    Seems package for Debian 8 Jessie is not updated anymore.

  2. Also tried certbot --nginx --preferred-challenges http. Gave me:

    Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    Obtaining a new certificate
    Performing the following challenges:
    None of the preferred challenges are supported by the selected plugin

Any idea?


#4

Why are you using the Jessie repo? Ubuntu 16.04 (Xenial) has its own repo and instructions …


#5

Error on my first post: OS is not Ubuntu 16.04 but Debian 8 (mistaken with another server on Ubuntu)


#6

You’ll need to remove that PPA, it’s for Ubuntu only.

While Jessie is still an actively maintained distro, it looks like jessie-backports hasn’t upgraded Certbot in a long time and has the problem with challenges as you describe.

Maybe give certbot-auto a shot, it would be compatible with your existing Let’s Encrypt data and actually get you an up-to-date version.

I ran through your use-case in a debian:jessie Docker container and was able to use --nginx with certbot-auto successfully.

Alternatively, you could stick to your current unupgraded version of Certbot from repos and use the webroot authenticator instead of --nginx (which is an alias for -i nginx -a nginx):

certbot -i nginx -a webroot -w /path/to/your/webroot

to avoid all of these issues. It just means that you’ll need to manually identify the webroot and ensure that validation requests end up in the right place OK.

The reason for your issue on Jessie is that --nginx is only capable of the TLS-SNI challenge at that version, which is not longer functional. At some point Certbot was enhanced to support the HTTP challenge in conjunction with the nginx plugin, but it’s not possible to get that version in the Jessie repos.


#7

Hi _az,

Finally I managed to run certbot and install certificates manually with
sudo certbot certonly --webroot -w /var/www/example -d example.com

Thanks for your help.


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.