Wrong validation certificate

Trying to set up my own server using a domain named bestanswers.info (domain.com)
I am running the following command:
./certbot-auto --apache --agree-tos --email myemail@gmail.com --redirect -d bestanswers.info and after a short while I get the error message

The following errors were reported by the server:

_ Domain: bestanswers.info_
_ Type: unauthorized_
_ Detail: Incorrect validation certificate for tls-sni-01 challenge._
_ Requested_
_ 9598da770da21db081eb91b0964b896d.6228753d32c0ae559a1c27c856e376f5.acme.invalid_
_ from Received 3 certificate(s), first_
_ certificate had names “*.domain.com, domain.com”_

_ To fix these errors, please make sure that your domain name was_
_ entered correctly and the DNS A record(s) for that domain_

Any hints what can be done to fix the issue?

Hi @riteman,

I’ve been working on some documentation related to this so I’m going to try out my list of most common problems on you (maybe we can refine it or other people can suggest others). In this case, the Apache plugin is trying to reconfigure your Apache server to serve custom certificates requested by the CA (as proof that you really control the server for bestanswers.info), and the Apache plugin thought it succeeded, but it didn’t actually succeed.

The most common reason for this is that the Apache plugin currently has problems parsing configuration files that define more than one virtualhost within the same configuration file. This bug will be fixed in an upcoming release. Unfortunately, the plugin often fails to show a useful error when this happens. Is it possible that your Apache configuration includes a configuration file with more than one virtualhost defined in the same file?

Some other cases that may be applicable to this error:

  • You aren’t running Certbot on your web server

Most people should install and run Certbot on their web server hosting their website, not on their laptops or some other computer. While you can use Certbot in manual mode on a laptop and then separately set up the appropriate files on your webserver, it’s not likely to be the most convenient way to get a certificate for most users.

  • A domain name you’re requesting a certificate for isn’t correctly pointed at that web server

In most cases, every name you’re requesting a certificate for should already exist and be pointed to the server where you’re requesting that certificate. (Some alternatives exist for complex network configurations, but they’re the exception rather than the rule.)

  • You’re using a content delivery network (CDN)

TLS-SNI-01 doesn’t work with CDNs (like CloudFlare and Akamai). You have to use a different challenge type. (This is a special case of the previous problem: the domain name is pointed at the CDN, not directly at your server.)

  • A firewall is blocking access to port 443

The certificate authority needs to be able to connect to port 443 of your server in order to confirm that you satisfied the TLS-SNI-01 challenge. So that needs to be publicly reachable from the Internet, and not blocked by a router or firewall. [This is unlikely with the specific error that you saw, but could happen if the firewall itself tries to terminate or intermediate incoming HTTPS connections.]

  • The Apache plugin wasn’t right for this case

Certbot thinks you’re running Apache, but you aren’t running it, or you’re running a different server of some kind on port 443

  • Certbot doesn’t know how to modify your web server configuration correctly

The multiple virtualhosts per config file problem is currently the most common reason for this.

Hi Schoen

  • I have just set up a brand new basic Ubuntu Server with LAMP with a
    few PHP extensions so all settings are" untouched": I doubt that the
    configuration file have more virtualhosts in one file.
  • I am running Certbot on my server - I use Putty to access the Server.
  • I think you are spot on regarding not pointing correctly: I talked to
    Domain.coms support and they told me to set the A Record to point at their
    server and then use a Pointer in Stealth mode (so that users sees my domain
    name at all times) to point to my own server. I still think that the A
    Record should point to the fixed IP Address of my server where I have
    mapped the HTTP and HTTPS ports to the internal IP/Ports of that server.?
  • I am not using CDN
  • Port 443 is open
  • I am running Apache (LAMP)

That sounds right; I've never heard of "a pointer in stealth mode" before and I'm not quite sure what that means technically. However, the Let's Encrypt CA will try to connect directly to port 443 of the host indicated by the DNS A record and it expects to immediately be speaking to your server at that point.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.