
I have a domain, let's say domain.com

This domain was registered with Go Daddy and using the Go Daddy dashboard, I point the domain to a certain IP, let's say 1.2.3.4

This IP, 1.2.3.4, belongs to an AWS EC2 instance.

The machine runs Ubuntu and serves the content I desire using nginx.

lsb_release -a

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.2 LTS
Release:    16.04
Codename:   xenial

nginx -v

nginx version: nginx/1.10.3 (Ubuntu)

I set up my SSL certificates with Let's Encrypt using certbot. I did that by issuing the command sudo certbot --nginx

The certificate was generated and everything went very well for three months. My site was correctly served over https, with a valid certificate.

My certificate expired recently, so I attempted to renew. I issued this command first.

sudo certbot renew

The error was something like this:

Detail: Incorrect validation certificate for tls-sni-01 challenge. Requested 243e624c366db6a6f6aca6ac57f6f3cc.16fe65202571c102848dfa2b97afa875.acme.invalid from 1.2.3.4:443. Received 2 certificate(s), first certificate had names "domain.com"

WARNING:certbot.renewal:Attempting to renew cert (domain.com) from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: Failed authorization procedure. domain.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 243e624c366db6a6f6aca6ac57f6f3cc.16fe65202571c102848dfa2b97afa875.acme.invalid from 1.2.3.4:443. Received 2 certificate(s), first certificate had names "domain.com". Skipping.

When I issued this command, the nginx server was still running. I stopped the server and tried again and also tried other variations on the command. I tried running sudo certbot renew again, sudo certbot --nginx again, I tried sudo certbot renew --agree-tos and others.

I was not aware of the rate limit Let's Encrypt imposes. The last time I tried I got the error:

Attempting to renew cert (domain.com) from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.

After I get access again to Let's Encrypt, how should I solve this problem?


How do I renew my Let's Encrypt certificate for a nginx server running on a Ubuntu machine?

Why do I get Incorrect validation certificate for tls-sni-01 challenge?

Should I remove certbot and all certificates entirely and reinstall?

What approaches do you suggest for this problem?

Thanks!


Edit 2: Server Configuration

server {
    listen 80;
    server_name domain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name domain.com;

    location / {
        root /home/deploy/frontend/build;
        try_files $uri /index.html;
    }

    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem; # managed by Certbot
}

Edit 3:

This is the full error for certbot --nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: domain.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for domain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. domain.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 8e2860a15c352af70bba07e265c4e05d.01f665a017c20bd5d2c25f1ec2110b6b.acme.invalid from 1.2.3.4:443. Received 2 certificate(s), first certificate had names "domain.com"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: domain.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   8e2860a15c352af70bba07e265c4e05d.01f665a017c20bd5d2c25f1ec2110b6b.acme.invalid
   from 1.2.3.4:443. Received 2 certificate(s), first certificate
   had names "domain.com"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
mayk93
  • I'm pretty sure you can't renew an expired cert. – Rob Jan 28 '18 at 13:46
  • Ok. Do I create a new one? – mayk93 Jan 28 '18 at 13:50
  • What's your NGINX configuration look like? There are a multitude of issues that could be the culprit. – Daniel Cazares Jan 28 '18 at 13:59
  • Sorry, I should've been more clear. The configuration (most likely in conf.d) declaring your server block configuration. – Daniel Cazares Jan 28 '18 at 14:08
  • @DanielCazares I added the nginx configuration in the question body. I will try to remove all existing certificates and also reinstall certbot and try to see if I can get a certificate again. I am not entirely sure how Let's Encrypt works but isn't the certificate bound to them as opposed to the machine? If I can't renew the certificate and I can't issue a new one, what do I do? – mayk93 Jan 28 '18 at 14:09
  • @DanielCazares Do you mean here? /etc/nginx/conf.d This directory is empty for me. I have server blocks (as in server {}) declared in sites-available. I will post those, if that's what you mean. – mayk93 Jan 28 '18 at 14:12
  • I added the config, as mentioned, from sites-available because conf.d is empty. There is a mention of the certificates there and a redirect from http to https, but that's all really. I checked the path and the files are there: cert.pem chain.pem fullchain.pem privkey.pem README – mayk93 Jan 28 '18 at 14:19
  • Best course of action I can tell you to do is to read through the entirety of https://certbot.eff.org/docs/using.html Looks like you might have to shut off NGINX in your pre-hook for certbot renew, but I'm just hazarding a guess. – Daniel Cazares Jan 28 '18 at 14:28
  • Ok, thanks for the advice. I will read through. First I tried to renew with nginx running then with it shut down. – mayk93 Jan 28 '18 at 14:36

2 Answers


Let's Encrypt permanently disabled the TLS-SNI-01 challenge due to a security report, as of 2018-01-09.

You can use the command:

sudo certbot --authenticator standalone --installer nginx -d example.com --pre-hook "service nginx stop" --post-hook "service nginx start"

https://community.letsencrypt.org/t/solution-client-with-the-currently-selected-authenticator-does-not-support-any-combination-of-challenges-that-will-satisfy-the-ca/49983


The solution that I found was to use this command:

sudo certbot --authenticator webroot --installer nginx

What this does, essentially, is reissue the certificate. However, in my case, this was not enough. The check done for this approach involves hitting this URL:

Failed authorization procedure. example.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://example.com/.well-known/acme-challenge/6OmVoBFxfKtjdAO1bgM9ylZw0d7U7MVC8KqyS6A2LfU: "<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,shr"

Note: I used domain.com as an example in my question but in the answer I am forced to use example.com.

The way my nginx server was set up, http://example.com/ was not reachable, because I had return 301 https://$server_name$request_uri;

What I had to do was allow HTTP access to my webroot, /home/deploy/frontend/build, get the certificate and revert the settings.

I hope this helps.

mayk93
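The two answers above both work around the same thing: with TLS-SNI-01 gone, validation has to happen over HTTP (http-01), and the poster's config either redirected that request or, on the HTTPS side, let try_files hand back index.html (the HTML body quoted in the http-01 error is exactly that fallback page). The following nginx configuration is an added example, not the original poster's or either answerer's config. It keeps the HTTP-to-HTTPS redirect for the site but carves out /.well-known/acme-challenge/ so the token file is served as plain text, and it does so in both server blocks, because Let's Encrypt follows a 301 to port 443 and must still get the token there. The dedicated webroot /var/www/letsencrypt is an assumption made for the example; the domain, application root and certificate paths are taken from the question.

```nginx
# Added example configuration (hypothetical paths marked below), not the poster's own.
# Goal: let certbot's http-01 challenge succeed without stopping nginx,
# while every other HTTP request is still redirected to HTTPS.

server {
    listen 80;
    server_name domain.com;

    # Let's Encrypt requests http://domain.com/.well-known/acme-challenge/<token>.
    # This location must return the token file: not a 301, not the SPA's index.html.
    # /var/www/letsencrypt is an assumed, dedicated webroot (created by hand, see note).
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else keeps the redirect the poster already had.
    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name domain.com;

    ssl_certificate     /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

    # Same carve-out on HTTPS: the ACME server follows redirects to port 443,
    # and without this block the SPA fallback below would answer with index.html.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }

    # The application itself; try_files falls back to index.html for client-side routes.
    location / {
        root /home/deploy/frontend/build;
        try_files $uri /index.html;
    }
}
```

To use it: create the webroot (sudo mkdir -p /var/www/letsencrypt), run sudo nginx -t and reload nginx, then request the certificate with sudo certbot certonly --webroot -w /var/www/letsencrypt -d domain.com. A quick pre-flight check is to fetch http://domain.com/.well-known/acme-challenge/test with curl -i: nginx should answer 404 itself, not a 301 or an HTML page. Because certbot records the authenticator and webroot in /etc/letsencrypt/renewal/domain.com.conf, later sudo certbot renew runs use the same path, so no pre-hook that stops nginx is needed and the site stays up during renewal.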