Urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge

Erwann · January 16, 2017, 1:49pm

Please fill out the fields below so we can help you better.

My domain is:
vertyges.fr, www.vertyges.fr

I ran this command:
certbot renew

It produced this output:

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.vertyges.fr.conf
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/vertyges.fr-0001.conf
-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/vertyges.fr-0001/fullchain.pem (skipped)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.vertyges.fr/fullchain.pem (failure)
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.vertyges.fr
   Type:   unauthorized
   Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
   Requested
   a8bde4f7a060207dd7b67149f251a0de.46d2c2e15b30191456e0a32aee4917a9.acme.invalid
   from 176.187.163.151:443. Received certificate containing
   'vertyges.fr, www.vertyges.fr'

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.vertyges.fr.conf
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/vertyges.fr-0001.conf
-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/vertyges.fr-0001/fullchain.pem (skipped)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.vertyges.fr/fullchain.pem (failure)
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.vertyges.fr
   Type:   unauthorized
   Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
   Requested
   2d23ae962408be9b1f1bd72369525a42.3fde0c30024687bfcbd00e54300e36dc.acme.invalid
   from 176.187.163.151:443. Received certificate containing
   'vertyges.fr, www.vertyges.fr'

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

My operating system is (include version):
Debian 8.7 (stable version)

My web server is (include version):
Apache (stable Debian version)

My hosting provider, if applicable, is:
(self hosting)

I can login to a root shell on my machine (yes or no, or I don’t know):
yes. Command run with “root” user

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no : Direct shell access

Additional info :
Last automatic update : 16/17/2016, successfully
2016-12-16 23:01:22,501:DEBUG:certbot.storage:Writing new private key to /etc/letsencrypt/archive/vertyges.fr-0001/privkey3.pem.
2016-12-16 23:01:22,502:DEBUG:certbot.storage:Writing certificate to /etc/letsencrypt/archive/vertyges.fr-0001/cert3.pem.
2016-12-16 23:01:22,509:DEBUG:certbot.storage:Writing chain to /etc/letsencrypt/archive/vertyges.fr-0001/chain3.pem.
2016-12-16 23:01:22,510:DEBUG:certbot.storage:Writing full chain to /etc/letsencrypt/archive/vertyges.fr-0001/fullchain3.pem.
2016-12-16 23:01:32,305:DEBUG:certbot.storage:Writing new config /etc/letsencrypt/renewal/vertyges.fr-0001.conf.new.
2016-12-16 23:01:48,272:DEBUG:certbot.renewal:no renewal failures

All automatic updates in error from the day after, not see before.
certificates expired this morning, I don’t know why. (only 30 days from last successfully update, not 90 days)

Thanks for help, I don’t know what’s wrong.

Erwann · January 16, 2017, 2:01pm

EDIT :
changed DNS record from CNAME to A.
have to wait to be populated
www.vertyges.fr. 14666 IN CNAME vertyges.fr.
vertyges.fr. 7083 IN A 176.187.163.151

Erwann · January 17, 2017, 9:14am

DNS OK
vertyges.fr. 32047 IN A 176.187.163.151
www.vertyges.fr. 38628 IN A 176.187.163.151

Attempting to renew cert from /etc/letsencrypt/renewal/www.vertyges.fr.conf produced an unexpected error: Failed authorization procedure. www.vertyges.fr (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested 272f0c6ed9478a1fe6c88bd045f0fc7d.a2d2cd7aec09222b7183ffae48e309b6.acme.invalid from 176.187.163.151:443. Received certificate containing ‘vertyges.fr, www.vertyges.fr’. Skipping.

Erwann · January 18, 2017, 12:30pm

Update
Found in apache error.log while renewing certificate attempt
[Wed Jan 18 00:01:06.995595 2017] [mpm_prefork:notice] [pid 1839] AH00171: Graceful restart requested, doing restart
AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
[Wed Jan 18 00:01:12.467914 2017] [core:error] [pid 1839] (EAI 2)Name or service not known: AH00549: Failed to resolve server name for 176.187.163.151 (check DNS) – or specify an explicit ServerName
[Wed Jan 18 00:01:13.102116 2017] [ssl:warn] [pid 1839] AH01906: bf75f773447d559bc9f389f6990c6aca.2190269e318f3d59bba1188ae8343947.acme.invalid:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Jan 18 00:01:13.103986 2017] [ssl:warn] [pid 1839] AH01906: 4797ded79aa6b68f15b96153a395ed0f.ae04b0f86790afa08314a3f2230d030f.acme.invalid:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Jan 18 00:01:13.119635 2017] [wsgi:warn] [pid 1839] mod_wsgi: Compiled for Python/2.7.8.
[Wed Jan 18 00:01:13.119709 2017] [wsgi:warn] [pid 1839] mod_wsgi: Runtime using Python/2.7.9.
[Wed Jan 18 00:01:13.119941 2017] [mpm_prefork:notice] [pid 1839] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t mod_wsgi/4.3.0 Python/2.7.9 configured – resuming normal operations
[Wed Jan 18 00:01:13.119970 2017] [core:notice] [pid 1839] AH00094: Command line: ‘/usr/sbin/apache2’
[Wed Jan 18 00:01:32.872756 2017] [mpm_prefork:notice] [pid 1839] AH00171: Graceful restart requested, doing restart
[Wed Jan 18 00:01:38.240545 2017] [core:error] [pid 1839] (EAI 2)Name or service not known: AH00549: Failed to resolve server name for 176.187.163.151 (check DNS) – or specify an explicit ServerName
[Wed Jan 18 00:01:38.363998 2017] [wsgi:warn] [pid 1839] mod_wsgi: Compiled for Python/2.7.8.
[Wed Jan 18 00:01:38.364035 2017] [wsgi:warn] [pid 1839] mod_wsgi: Runtime using Python/2.7.9.
[Wed Jan 18 00:01:38.364139 2017] [mpm_prefork:notice] [pid 1839] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t mod_wsgi/4.3.0 Python/2.7.9 configured – resuming normal operations
[Wed Jan 18 00:01:38.364151 2017] [core:notice] [pid 1839] AH00094: Command line: ‘/usr/sbin/apache2’

directive “/var/lib/letsencrypt/tls_sni_01_page/” not found, nether in /etc/apache2 or /etc/letsencrypt or /etc/letsencrypt.sh or /var/lib/letsencrypt or /var/lib/letsencrypt.sh

help welcome

serverco · January 18, 2017, 2:10pm

What method did you use to create the certificates originally ? the “renew” option will try and repeat that.

As you have apache running, is there any reason to use the TLS challenge ? i’d be tempted to obtain new certificates using the HTTP challenge, and the “renew” should follow the same approach.

Erwann · January 19, 2017, 2:02pm

Hello

I don't remember how, but I remember that it wasn't easy...
but it worked until now... I don't understand why

I ran

certbot certonly --apache --preferred-challenges http-01 -d www.vertyges.fr -d vertyges.fr

I have this answear

Saving debug log to /var/log/letsencrypt/letsencrypt.log Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org Cert is due for renewal, auto-renewing... Renewing an existing certificate Performing the following challenges: None of the preferred challenges are supported by the selected plugin

I think I need plugin/ .deb...

jmorahan · January 19, 2017, 3:19pm

You could try using the webroot plugin instead of the apache plugin. It supports http-01 and is included with certbot so no extra .deb needed.

Erwann · January 20, 2017, 10:39am

Hello

I ran

certbot certonly --webroot-path /var/www/externe --preferred-challenges http-01 -d www.vertyges.fr -d vertyges.fr

I had this

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.vertyges.fr
http-01 challenge for vertyges.fr
Using the webroot path /var/www/externe for all unmatched domains.
Waiting for verification... 
Cleaning up challenges
Generating key (2048 bits):
/etc/letsencrypt/keys/0008_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0008_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.vertyges.fr/fullchain.pem. Your cert will
   expire on 2017-04-20. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The certificate should be renewed well but Apache points to the former one
> www.vertyges.fr uses an invalid security certificate. The certificate expired on 16/01/2017 10:19. The current time is 20/01/2017 10:57. Error code: SEC_ERROR_EXPIRED_CERTIFICATE

I have to check Apache config now

Regards

pfg · January 20, 2017, 10:51am

Unlike the apache plugin you previously used, the webroot plugin does not automatically reload your apache after renewal. That’s needed to load the new certificate from disk. You would have to run apache2ctl graceful afterwards to do that (this can be part of your cronjob, for example via --renew-hook "apache2ctl graceful".

Erwann · January 20, 2017, 1:23pm

Reloaded Apache config and ALL WORK WELL !!!
I updated cron job
Thanks very mutch to pfj, jmorahan and serverco!

system · February 19, 2017, 1:26pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.