It produced this output:
Processing /etc/letsencrypt/renewal/jtcunifi.ddns.net.conf
2019-02-07 16:38:05,197:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/jtcunifi.ddns.net.conf produced an unexpected error: Failed authorization procedure. jtcunifi.ddns.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 88e0e5b31bed1413e8717a40d9b2c866.23d4f062129481699e3ea9edb1d3e283.acme.invalid from 35.227.18.103:443. Received 1 certificate(s), first certificate had names “jtcunifi.ddns.net”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/jtcunifi.ddns.net/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: jtcunifi.ddns.net
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested 88e0e5b31bed1413e8717a40d9b2c866.23d4f062129481699e3ea9ed
b1d3e283.acme.invalid from 35.227.18.103:443. Received 1
certificate(s), first certificate had names “jtcunifi.ddns.net”
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
My web server is (include version): I don’t know, Apache with mongodb I think, It’s a Unifi Controller
The operating system my web server runs on is (include version): Ubuntu 16.04.5
My hosting provider, if applicable, is: Google Cloud
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): letsencrypt 0.4.1
Hi, I simply wrote the wrong domain, my bad, it’s jtcunifi.ddns.net.
Is there a simple way to change the renew challenge? I tried --preferred-challenges http but, with no success. Thank you!
The --apache mode didn't support anything other than TLS-SNI-01 for a long time after Certbot 0.4.1, which is now almost three years old. You could upgrade to a newer version by using the PPA
Yes, it’s a Unifi SDN.
The error is as followed: letsencrypt: error: unrecognized arguments: --preferred-challenges http
Otherwise, I’m really unable to say if it’s apache or nginx, I’m pretty sure it’s apache as I don’t have nginx installed. I only had to install a package to get it running.
Do I need to revoke my certificate first and re-obtain it with the new version as it doesn’t have the same name? my version is simply called letsencrypt. Thanks!
I updated Certbot and here's what I get when I try dns and http:
Attempting to renew cert (jtcunifi.ddns.net) from /etc/letsencrypt/renewal/jtcunifi.ddns.net.conf produced an unexpected error: None of the preferred challenges are supported by the selected plugin. Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/jtcunifi.ddns.net/fullchain.pem (failure)
Alright guys! I figured it out!
So, when I updated certbot and installed python-certbot-apache, it also installed apache2 on my server.
I had redirections on my server from port 80 to 8080 hiding the apache2 instance running without my knowledge. So, I removed the redirection and stopped the apache2 service. After that, I simply did:
Also, I created a cron job to get my certificate automatically, do you think it will work?
0 */12 * * * root letsencrypt renew --preferred-challenges http --deploy-hook “/usr/local/bin/unifi_ssl_import.sh”
The bash script is simply to import it to my service afterward. Thank you!
You should not need to force this in the cron job.
Who knows, that may cause problems in the future. letsencrypt will use the latest setting found in the renewal.conf file.
The Certbot package also installed a systemd timer to renew your certificates, and it doesn't include your --deploy-hook option. So the hook may or may not be used depending on which cron job happens to run first and if it's saved elsewhere in your configuration.
In addition, it's problematic to run the renew command at a fixed time of day. (The package's timer runs twice a day at random times.)
Your deploy hook might be saved in the /etc/letsencrypt/renewal/ configuration files for your certificate(s). If that's the case, it will keep working (but you'll also have to specify it when manually issuing new certificates, so Certbot doesn't forget about it).
(There are other places you could have saved it, like /etc/letsencrypt/cli.ini, but that's uncommon.)
You can copy/symlink the script in /etc/letsencrypt/renewal-hooks/deploy/ to have Certbot automatically run it without having to edit any cron jobs or timers.
Thank you for the feedback! When you say save it, do you mean that I have to add these parameters in the jtcunifi.ddns.net.conf file? Like so: --pre-hook “ufw allow http&&service apache2 stop” --deploy-hook “/usr/local/bin/unifi_ssl_import.sh” --post-hook “ufw deny http”
Also, to get the package runtime running twice a day, is there a configuration to do, and, how do I ensure it does run?
Thanks!
Alright, so, I did a bit of research and found that I actually have to add the arguments to the cli.ini file and that by default it will take the config from this file. So, I added these lines: