My certificate failed to renew the last couple of days, so I checked the modules and updated Certificate Manager from 13.0.34 to 13.0.34.4. No change.
There was an error updating the certificate: Verification ended with error: {"identifier":{"type":"dns","value":"fpbx.domain.com"},"status":"invalid","expires":"2016-12-23T16:43:50Z","challenges":[{"type":"dns-01","status":"pending","uri":"https:\/\/acme-v01.api.letsencrypt.org\/acme\/challenge\/<snippysnip>\/NNNNNNNN","token":"<snip>"},{"type":"tls-sni-01","status":"invalid","error":{"type":"urn:acme:error:unauthorized","detail":"Incorrect validation certificate for TLS-SNI-01 challenge. Requested <snip>.acme.invalid from XXX.XXX.XXX.XXX:443. Received certificate containing 'fpbx.domain.com'","status":403},"uri":"https:\/\/acme-v01.api.letsencrypt.org\/acme\/challenge\/<snippysnip>\/NNNNNNNN","token":"<snip>","keyAuthorization":"<snip>","validationRecord":[{"hostname":"fpbx.domain.com","port":"443","addressesResolved":["XXX.XXX.XXX.XXX"],"addressUsed":"XXX.XXX.XXX.XXX"}]},{"type":"http-01","status":"pending","uri":"https:\/\/acme-v01.api.letsencrypt.org\/acme\/challenge\/<snippysnip>\/NNNNNNNN","token":"<snip>"}],"combinations":[[0],[2],[1]]}
Is there a reference for that? This was only ever set up from the GUI. Is it using Certbot behind the scenes? I know how to use that. If it is some other ACME client, which one?
The URL in the error only loads the status. It does not attempt a reauthentication.
But if you read the error, it is saying that the TLS failed to verify. It says it requested something from <hex string>.acme.invalid and received my fpbx.domain.com instead and thus failed.
I changed the update to use HTTP and not HTTPS and it successfully updated.
This is an error in your code. It should have successfully updated with HTTPS.
"detail": "Incorrect validation certificate for TLS-SNI-01 challenge. Requested 059ccc1db1ba951d5ac8a10be503259d.80caebfc00326120e2ebb436dfa2091a.acme.invalid from 107.XXX.XXX.135:443. Received certificate containing 'fpbx.domain.com'",
"status": 403
I disagree. This is not an error in our code as is evident from other people successfully renewing with TLS in the other thread.
You didn’t do as I asked. But it’s too late now. Specifically you’d go to the https address and use the .well-known prefix that is “blocked” then you’d see if the token is in that folder and if you can hit it.
That means that when letsencrypt tried to reach that URL, your server returned 403, which means permission denied. There is a URL in the error. You can copy and paste that into a browser, and see what the problem is.
The problem will be a 403 permission denied. That 403 permission denied was due to a typo in /etc/httpd/conf.d/ssl.conf that did NOT allow .well-known. That is fixed as of sysadmin 14.0.5.3.
This is what it should look like:
<VirtualHost _default_:443>
    ServerName sng7.xrobau.com:443
    LogLevel warn
    SSLEngine on
    SSLCertificateFile /etc/httpd/pki/webserver.crt
    SSLCertificateKeyFile /etc/httpd/pki/webserver.key
    SSLCertificateChainFile /etc/httpd/pki/ca-bundle.crt
    DocumentRoot /var/www/html/ucp/
    SetEnvIf User-Agent '.*MSIE.*' nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    Alias /.well-known /var/www/html/.well-known
    Alias /.freepbx-known /var/www/html/.freepbx-known
    RewriteEngine on
    RewriteRule ^/\.(well-known|freepbx-known)/ - [H=text/plain,L]
    RewriteRule (^\.|/\.) - [F]
</VirtualHost>
If you want to run the update manually, you can take a copy of /etc/httpd/conf.d/ssl.conf and then run the sysadmin hook (as root):
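Added example, not from the thread or from FreePBX: a small simulator of the mod_rewrite ordering shown in the ssl.conf above, so you can check offline whether an ACME challenge path under /.well-known/ would be served or hit the dot-file [F] rule (the "403 permission denied" discussed above). The BAD_CONF variant is a constructed, hypothetical typo, not the actual one that shipped in sysadmin.

```python
import re
from typing import List, Set, Tuple

# The corrected rules quoted in the thread above (constructed copy for this example).
GOOD_CONF = r"""
Alias /.well-known /var/www/html/.well-known
Alias /.freepbx-known /var/www/html/.freepbx-known
RewriteEngine on
RewriteRule ^/\.(well-known|freepbx-known)/ - [H=text/plain,L]
RewriteRule (^\.|/\.) - [F]
"""

# Constructed "broken" variant (assumption: a hypothetical typo, not the real one):
# the exception pattern never matches, so the dot-file deny rule fires first.
BAD_CONF = r"""
RewriteEngine on
RewriteRule ^/\.(well_known|freepbx_known)/ - [H=text/plain,L]
RewriteRule (^\.|/\.) - [F]
"""

RULE_RE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$')


def parse_rules(conf: str) -> List[Tuple[re.Pattern, str, Set[str]]]:
    """Collect (pattern, substitution, flag names) for every RewriteRule, in file order."""
    rules = []
    for line in conf.splitlines():
        m = RULE_RE.match(line)
        if m:
            raw_flags = (m.group(3) or '').split(',')
            flags = {f.split('=')[0].strip() for f in raw_flags if f.strip()}
            rules.append((re.compile(m.group(1)), m.group(2), flags))
    return rules


def simulate(conf: str, path: str) -> int:
    """Walk the RewriteRules top to bottom the way mod_rewrite does (simplified:
    only '-' substitutions and the F/L flags are modelled) and return the HTTP
    status the request would get: 403 if an [F] rule fires, otherwise 200."""
    for pattern, _subst, flags in parse_rules(conf):
        if not pattern.search(path):      # RewriteRule patterns are unanchored
            continue
        if 'F' in flags:
            return 403                    # [F]: forbidden, what the ACME server saw
        if 'L' in flags:
            break                         # [L]: stop, later deny rule never runs
    return 200
```

Run simulate() against your own ssl.conf text and the path from the challenge URL to see which rule wins before retrying the renewal.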