What do the TLS SNI challenge and the associated "Correct zName" mean?


#1

My best guess is that this issuance process assumes the associated host given in the -d blah.blah.com param is a domain level (and has many hosts under it).

The way I ran it:
./letsencrypt-auto certonly --test-cert --standalone blah.blah.com

How can I get rid of the TLS SNI challenge (I love TLS btw, with all the DROWN that’s going on… please don’t BASH me as I don’t have a clue about DROWN’s details).

My scenario really is just that I want to issue a strange certificate for a non-standard name (no www. part) in the COMMON Name part of the cert. So, I take it that the only requirements are that forward and reverse lookups work and that clients connecting to the IP/name-host are connectable (yes, I tested that many times). Because I am not in direct control over the DNS records; is it possible to by-pass any dig result “AUTHORITY: 0” error (wild guess that this TLS SNI challenge may have to do with that).

Please assist in any way you can (also I am interested to use letsencrypt-aws but I am/want to pretend I’m a python newbie; I git-cloned it but cannot get it to run. And/but I know the exact path to a non-standard nginx setup/path to install the pem files and know exactly what config file to change. All I really need is that pair of .pem (s) …

Please help, anyone (letsencrypt staff).


(tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found ‘’

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: ***.***.com
    Type: unauthorized
    Detail: Correct zName not found for TLS SNI challenge. Found ‘’

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.


#2

I see you’re using the standalone plugin. With that plugin, you can add the following switch: --standalone-supported-challenges http-01. This should ‘disable’ the tls-sni-01 challenge, which is causing you trouble (for some reason I don’t know).
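
As an added illustration of what the server was checking (not code from the thread or from the Let's Encrypt client), this models the tls-sni-01 validation: the CA derives a "zName" from the challenge's key authorization, connects to the domain's A-record address with that name in SNI, and expects it among the served certificate's SANs. The key authorization value is constructed for the demo, and the exact wording of the "Found" list is assumed to be the served certificate's DNS SANs joined with commas.

```python
import hashlib

ACME_SUFFIX = ".acme.invalid"

def tls_sni_01_zname(key_authorization: str) -> str:
    """Derive the tls-sni-01 validation name ("zName") from a key authorization.

    Z = lowercase hex of SHA-256(keyAuthorization); the validator looks for
    Z[0:32].Z[32:64].acme.invalid in the served certificate's SAN list.
    """
    z = hashlib.sha256(key_authorization.encode("ascii")).hexdigest()
    return f"{z[:32]}.{z[32:]}{ACME_SUFFIX}"

def validate_tls_sni_01(presented_sans, key_authorization):
    """Model the CA-side check on the dNSName SANs of the leaf certificate
    served for a TLS handshake whose SNI was the zName. Returns (ok, message)."""
    expected = tls_sni_01_zname(key_authorization)
    if expected in presented_sans:
        return True, "valid"
    # Assumption: the error text lists whatever SANs were actually served.
    found = ", ".join(presented_sans)
    return False, f"Correct zName not found for TLS SNI challenge. Found '{found}'"

# Constructed sample: token and account-key thumbprint are made up for this demo.
SAMPLE_KEY_AUTHZ = (
    "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA."
    "nP1qzpXGymHBrUEepNY9HCsQk7K8KhOypzEt62jcerQ"
)

def demo():
    zname = tls_sni_01_zname(SAMPLE_KEY_AUTHZ)
    # Case 1: the client's temporary self-signed cert carries the zName.
    ok_good, _ = validate_tls_sni_01([zname], SAMPLE_KEY_AUTHZ)
    # Case 2: the validator reached a listener that served a certificate with
    # no SANs at all, which is what the thread's "Found ''" reports.
    ok_bad, msg = validate_tls_sni_01([], SAMPLE_KEY_AUTHZ)
    return zname, ok_good, ok_bad, msg

if __name__ == "__main__":
    print(demo())
```

Switching the standalone plugin to http-01, as suggested above, sidesteps this check entirely: the CA then fetches a well-known HTTP path on port 80 instead of inspecting a certificate on port 443.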


#3

Thanks Osiris. I appreciate your in-time reply.

This reply is just a follow-up to indicate that I have got the “live” cert at least configured.
I referenced https://www.nginx.com/blog/free-certificates-lets-encrypt-and-nginx/
with some educated guesses.

I have yet to confirm the green lock (and any CA chain, but I assume installing just the cert.pem would work since you guys should be well known CA right?); but that’s due to some other integration licensing-extension issue which will be addressed separately.

I appreciate your organization’s just-in-time presence to allow me to work an AWS EC2 and nginx based custom dir for free.
I look forward to your --nginx and eventually ( -aws + nginx plugins being automatically -auto configured and working together without knowing too much python…) and supplying the correct/educated guess of the custom nginx path. (Would an in-time in-place nginx pid auto-detect running from passenger path be possible? That way, if the standalone philosophy and arguments can just be switched to certonly --nginx or maybe even with .ssh key authorized_keys support, one could just run in combination on a mac.)

Thanks,


#4

No, you will need to include at least the private key, and generally the chain file.
