What is TLS SNI challenge and associated "Correct zName" mean?


My best guess is that this issuance process assumes the associated host given in -d blah.blah.com param assume that’s a domain level (and has many hosts under it).

The way I ran it:
./letsencrypt-auto certonly --test-cert --standalone blah.blah.com

How can I get rid of the TLS SNI challege (I love TLS btw, with all the DROWN that’s going on… please don’t BASH me as I don’t have a clue about DROWN’s detail).

My scenario really is just I want to issue a strange certificate for a non-standard (no www. part cert) in the COMMON Name part of the Cert. So, I take it that the onry requires are forward and reverse and client connect to the IP/name-host are conenctable (yes I tested that many times). Because I am not in direct control over the DNS records; is it possible to by-pass any dig result “AUTHORITY: 0” error (wild guess that this TLS SNI challenge may have to do with that).

Please assist in anyway you can (also I am interested to use letsecrypt-aws but I am/want to pretend I’m a python newbie; I git-cloned it but cannot get it to run. And/but I know the exact path to a non-standard ngnix setup/path to install the pem files and know exactly what config file to change. All I really need is that pair of .pem (s) …

Please help, anyone (letsecrypt staff).

(tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge. Found ‘’


  • The following errors were reported by the server:

    Domain: ***.***.com
    Type: unauthorized
    Detail: Correct zName not found for TLS SNI challenge. Found ‘’

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.


I see you’re using the standalone plugin. With that plugin, you can add the following switch: --standalone-supported-challenges http-01. This should ‘disable’ the tls-sni-01 challenge, which is causing you trouble (for some reason I don’t know).


Thanks Osiris. I appreciate your in-time reply.

This is reply is just a follow-up to indicate that I have got the “live” cert at least configured.
I referenced https://www.nginx.com/blog/free-certificates-lets-encrypt-and-nginx/
with some educated guesses.

I have yet to confirm the green lock (and any CA chain, but I assume installing just the cert.pem would work since you guys should be well known CA right?); but that’s due to some other integration licensing-extension issue which will be addressed separately.

I appreciate your organization’s just-in-time presence to allow me to work a AWS EC2 and ngnix based custom dir for free.
I look forward to your --ngnix and eventually ( -aws + ngix plugins being automatically -auto configured and working together without knowing too much python…) and supplying the correct/educated guess of the custom ngnix path. (Would a in-time in-place ngnix pid auto-detect running from passenger path be possible? that way if the standalone philosphy and arguments can just be switch to certonly --ngix or maybe even with .ssh key authorized_keys support, one could just run in combination on a mac.)



No, you will need to include at least the ptivate key, and generally the chain file.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.