Let’s Encrypt reports the error "Incorrect validation certificate for tls-sni-01 challenge"



An SSL certificate, the Internet's equivalent of an identity document, has long been too expensive to afford, but there is no doubt we have entered a hard era in which visitors will not even come to a site that has no SSL certificate. So I obtain and run free SSL certificates from an external CA, Let’s Encrypt, the free, automated and open certificate authority, but an email arrived telling me that the automatic renewal had failed.



Prerequisite: Let’s Encrypt (the certbot client) is already installed



[root@ufuso ~]# certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

Which names would you like to activate HTTPS for?
1: topi.0t0.jp
2: ufuso.dip.jp
3: ufuso.org
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for topi.0t0.jp
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. topi.0t0.jp (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested f25953eda98e352e941a88db3c4cdda9.ed89753aea2f88a77434c43de7dd7630.acme.invalid from Received 1 certificate(s), first certificate had names "ufuso.dip.jp"

 - The following errors were reported by the server:

   Domain: topi.0t0.jp
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   from Received 1 certificate(s), first certificate
   had names "ufuso.dip.jp"
   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert 
:: too many certificates already issued for: dip.jp
Please see the logfiles in /var/log/letsencrypt for more details.
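The error above says that when the CA connected with the challenge's .acme.invalid SNI name, nginx handed back the certificate for ufuso.dip.jp instead of the validation certificate. The same kind of check, from the outside and against the site's real hostnames, is what the following script does; it is an added example, not code from the original post: it connects to each hostname with that name as SNI, reports which names the presented certificate carries, and how many days remain before certbot's default 30-day renewal threshold. The hostnames come from the page; the functions and their names are my own.

```python
import socket
import ssl
import time

RENEW_DAYS = 30  # certbot renews a certificate once fewer than 30 days remain


def names_in_cert(cert):
    """DNS names from a getpeercert() dict: SAN entries plus the subject CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [v for key, v in rdn if key == "commonName" and v not in names]
    return names


def name_matches(pattern, hostname):
    """Exact match, or a single-label wildcard such as *.0t0.jp."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def check_cert(cert, hostname, now=None):
    """Return (status, names, days_left); status is "wrong-name" (SNI name absent
    from the cert, as in the tls-sni-01 error), "expired", "renew-soon" or "ok"."""
    now = time.time() if now is None else now
    names = names_in_cert(cert)
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    if not any(name_matches(n, hostname) for n in names):
        return "wrong-name", names, days_left
    if days_left < 0:
        return "expired", names, days_left
    if days_left < RENEW_DAYS:
        return "renew-soon", names, days_left
    return "ok", names, days_left


def fetch_cert(hostname, port=443, timeout=5.0):
    """Connect with SNI=hostname and return the certificate nginx selected.
    Hostname checking is off so a mismatched cert is returned for inspection
    instead of raising; the chain itself is still verified (CERT_REQUIRED)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for host in ("topi.0t0.jp", "ufuso.dip.jp", "ufuso.org"):  # names on the page
        status, names, days = check_cert(fetch_cert(host), host)
        print(f"{host}: {status}, cert names {names}, {days} days left")
```

A "wrong-name" result for a hostname means the server block for that name is not the one nginx selects for its SNI, which is the condition to fix before any challenge that relies on SNI routing can succeed.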

Obtaining the SSL/TLS server certificate

# certbot is the command for using Let's Encrypt; --authenticator standalone
# selects the certificate authenticator (certbot's own temporary listener);
# --installer nginx installs the certificate into nginx automatically;
# -d ufuso.dip.jp specifies the domain the certificate is obtained for;
# --pre-hook "systemctl stop nginx" stops nginx before obtaining it;
# --post-hook "systemctl start nginx" starts nginx again afterwards
[root@ufuso ~]# certbot --authenticator standalone --installer nginx   -d ufuso.dip.jp --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer nginx
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/ufuso.dip.jp.conf)

What would you like to do?
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deployed Certificate to VirtualHost /etc/nginx/nginx.conf for set(['ufuso.dip.jp'])

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Traffic on port 80 already redirecting to ssl in /etc/nginx/nginx.conf

Congratulations! You have successfully enabled https://ufuso.dip.jp

You should test your configuration at:

 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your cert will expire on 2018-12-10. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


[root@ufuso ~]# vi /etc/nginx/nginx.conf
#user  nginx;
user  apache;
#worker_processes  1;
worker_processes auto;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
    use epoll; # I/O multiplexing method
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    gzip  on;

    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80 ;
        listen       [::]:80;
        listen       443 ssl http2;
        server_name  ufuso.org;
        #root  /var/www/html;
        root   /usr/share/nginx/html;
        index index.php index.html index.htm;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_certificate /etc/letsencrypt/live/ufuso.org/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/ufuso.org/privkey.pem; # managed by Certbot

        if ($scheme != "https") {
            return 301 https://$host$request_uri;
        } # managed by Certbot
    }

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        listen       443 ssl http2;
        server_name  ufuso.dip.jp;
        root  /var/www/html;
        #root         /usr/share/nginx/html;
        index index.php index.html index.htm;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_certificate /etc/letsencrypt/live/ufuso.dip.jp/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/ufuso.dip.jp/privkey.pem; # managed by Certbot

        if ($scheme != "https") {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location ~ \.php$ {
            include /etc/nginx/fastcgi_params;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

    server {
        listen       443 ssl http2;
        server_name topi.0t0.jp; # hostname the clients access
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        location / {
            proxy_pass; # IP address of web server B (omitted on the original page)
        }
        ssl_certificate /etc/letsencrypt/live/topi.0t0.jp/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/topi.0t0.jp/privkey.pem; # managed by Certbot
    }
}




[root@ufuso ~]# certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/topi.0t0.jp.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/ufuso.org.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/ufuso.dip.jp.conf
Cert not yet due for renewal

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/topi.0t0.jp/fullchain.pem (skipped)
  /etc/letsencrypt/live/ufuso.org/fullchain.pem (skipped)
  /etc/letsencrypt/live/ufuso.dip.jp/fullchain.pem (skipped)
No renewals were attempted.
No hooks were run.

[root@ufuso ~]# vi /etc/crontab

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
 0  5  *  *  0 root certbot renew -q --pre-hook "service nginx stop" --post-hook "service nginx start"
