Wrong validation certificate

Trying to set up my own server using a domain named bestanswers.info (domain.com)
I am running the following command:

./certbot-auto --apache --agree-tos --email myemail@gmail.com --redirect -d bestanswers.info

and after a short while I get the error message:

The following errors were reported by the server:

Domain: bestanswers.info
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
9598da770da21db081eb91b0964b896d.6228753d32c0ae559a1c27c856e376f5.acme.invalid
from 66.96.162.149:443. Received 3 certificate(s), first
certificate had names “*.domain.com, domain.com”

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain

Any hints what can be done to fix the issue?

Hi @riteman,

I’ve been working on some documentation related to this so I’m going to try out my list of most common problems on you (maybe we can refine it or other people can suggest others). In this case, the Apache plugin is trying to reconfigure your Apache server to serve custom certificates requested by the CA (as proof that you really control the server for bestanswers.info), and the Apache plugin thought it succeeded, but it didn’t actually succeed.

The most common reason for this is that the Apache plugin currently has problems parsing configuration files that define more than one virtualhost within the same configuration file. This bug will be fixed in an upcoming release. Unfortunately, the plugin often fails to show a useful error when this happens. Is it possible that your Apache configuration includes a configuration file with more than one virtualhost defined in the same file?

Some other cases that may be applicable to this error:

  • You aren’t running Certbot on your web server

Most people should install and run Certbot on their web server hosting their website, not on their laptops or some other computer. While you can use Certbot in manual mode on a laptop and then separately set up the appropriate files on your webserver, it’s not likely to be the most convenient way to get a certificate for most users.

  • A domain name you’re requesting a certificate for isn’t correctly pointed at that web server

In most cases, every name you’re requesting a certificate for should already exist and be pointed to the server where you’re requesting that certificate. (Some alternatives exist for complex network configurations, but they’re the exception rather than the rule.)

  • You’re using a content delivery network (CDN)

TLS-SNI-01 doesn’t work with CDNs (like CloudFlare and Akamai). You have to use a different challenge type. (This is a special case of the previous problem: the domain name is pointed at the CDN, not directly at your server.)

  • A firewall is blocking access to port 443

The certificate authority needs to be able to connect to port 443 of your server in order to confirm that you satisfied the TLS-SNI-01 challenge. So that needs to be publicly reachable from the Internet, and not blocked by a router or firewall. [This is unlikely with the specific error that you saw, but could happen if the firewall itself tries to terminate or intermediate incoming HTTPS connections.]

  • The Apache plugin wasn’t right for this case

Certbot thinks you’re running Apache, but you aren’t running it, or you’re running a different server of some kind on port 443.

  • Certbot doesn’t know how to modify your web server configuration correctly

The multiple virtualhosts per config file problem is currently the most common reason for this.

Hi Schoen

  • I have just set up a brand new basic Ubuntu Server with LAMP with a
    few PHP extensions so all settings are "untouched": I doubt that the
    configuration file has more virtualhosts in one file.
  • I am running Certbot on my server - I use PuTTY to access the server.
  • I think you are spot on regarding not pointing correctly: I talked to
    Domain.com's support and they told me to set the A Record to point at their
    server and then use a Pointer in Stealth mode (so that users see my domain
    name at all times) to point to my own server. I still think that the A
    Record should point to the fixed IP Address of my server where I have
    mapped the HTTP and HTTPS ports to the internal IP/Ports of that server?
  • I am not using a CDN
  • Port 443 is open
  • I am running Apache (LAMP)

That sounds right; I've never heard of "a pointer in stealth mode" before and I'm not quite sure what that means technically. However, the Let's Encrypt CA will try to connect directly to port 443 of the host indicated by the DNS A record and it expects to immediately be speaking to your server at that point.
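The check the CA performs, reproduced as an added Python diagnostic (not Certbot's or Let's Encrypt's code): resolve the domain's A record, connect to port 443 of that address with the challenge name as SNI, and see whether the certificate that comes back carries that name, then map the result onto the causes listed in the thread. The function names, the byte-substring SAN check and the 203.0.113.10 "my server" address are assumptions made for the example; the challenge name and the 66.96.162.149 address are the ones from the error above.

```python
"""Reproduce the CA's side of a tls-sni-01 check (added diagnostic, not Certbot code)."""
import socket
import ssl

def diagnose(requested_name, received_names, resolved_ip, server_ip=None):
    """Map what the CA saw onto the usual causes listed in the thread.

    requested_name: the <hash>.<hash>.acme.invalid SNI name the CA asked for.
    received_names: DNS names present in the certificate that was presented.
    resolved_ip:    what the domain's A record currently points at.
    server_ip:      public IP of the host running Certbot, if known.
    """
    if server_ip is not None and resolved_ip != server_ip:
        return "dns-mismatch"  # A record points at a CDN / parking / forwarding host
    if requested_name in received_names:
        return "ok"            # the challenge certificate Certbot installed was served
    return "wrong-server"      # a production or parking cert answered instead

def names_in_der(der, candidates):
    """Return which candidate DNS names occur in a DER certificate.

    dNSName SAN entries are IA5Strings (raw ASCII inside the DER), so a byte
    substring test answers yes/no; use the cryptography package for a full parse.
    """
    return [n for n in candidates if n.encode("ascii") in der]

def fetch_presented_cert(host, sni_name, port=443, timeout=5.0):
    """Connect the way the CA does and return the DER certificate offered for sni_name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # challenge certs are self-signed; we only inspect them
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            return tls.getpeercert(binary_form=True)

def check_domain(domain, requested_name, server_ip=None):
    """Resolve the A record, fetch the cert, and return (resolved_ip, names_seen, verdict)."""
    resolved_ip = socket.gethostbyname(domain)
    der = fetch_presented_cert(resolved_ip, requested_name)
    seen = names_in_der(der, [requested_name, domain, "*." + domain])
    return resolved_ip, seen, diagnose(requested_name, seen, resolved_ip, server_ip)

if __name__ == "__main__":
    # Challenge name from the error in the thread; 203.0.113.10 is a constructed
    # placeholder for the public IP of the machine running Certbot.
    name = "9598da770da21db081eb91b0964b896d.6228753d32c0ae559a1c27c856e376f5.acme.invalid"
    print(check_domain("bestanswers.info", name, server_ip="203.0.113.10"))
```

Run it on the server itself with your real public IP; a "dns-mismatch" verdict with the registrar's "*.domain.com" certificate in names_seen is exactly the situation the error message above describes.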
