Resolving "Incorrect validation certificate for tls-sni-01 challenge"
When you run the certbot command to renew an SSL certificate issued by Let's Encrypt, it may stop with the following error message and make no progress.
[user@localhost ~] certbot renew
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for mydomain.com
tls-sni-01 challenge for www.mydomain.com
TLS-SNI-01 is deprecated, and will stop working soon.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (mydomain.com) from /etc/letsencrypt/renewal/mydomain.com.conf produced an unexpected error: Failed authorization procedure. www.mydomain.com (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested a6f5c6278e55ab77829c7728f131b23c.db022d95c42b0caa977421e2e211e889.acme.invalid from ###.###.###.###:443. Received 2 certificate(s), first certificate had names "mydomain.com, www.mydomain.com", mydomain.com (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 4d9061a564da289e018e014e209e40c9.b725884a7a9819e0a91856f4d12d9bc7.acme.invalid from ###.###.###.###:443. Received 2 certificate(s), first certificate had names "mydomain.com, www.mydomain.com". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.mydomain.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested a6f5c6278e55ab77829c7728f131b23c.db022d95c42b0caa977421e2e211e889.acme.invalid from ###.###.###.###:443.
   Received 2 certificate(s), first certificate had names
   "mydomain.com, www.mydomain.com"

   Domain: mydomain.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested 4d9061a564da289e018e014e209e40c9.b725884a7a9819e0a91856f4d12d9bc7.acme.invalid from ###.###.###.###:443.
   Received 2 certificate(s), first certificate had names
   "mydomain.com, www.mydomain.com"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
The error message is long, but the 'Detail' line near the bottom is the part that matters. It reads:
Incorrect validation certificate for tls-sni-01 challenge.
Solution
To get past this, renew the certificate with the following command instead.
certbot certonly -d mydomain.com --manual --preferred-challenges dns
Adding the --preferred-challenges dns option tells certbot to prefer DNS (the dns-01 challenge) as the method for proving control of the domain under the ACME (Automated Certificate Management Environment) protocol, instead of the deprecated tls-sni-01 challenge.
When you run the command, it proceeds as follows.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert not yet due for renewal
If a certificate for these domains already exists, you will then see the following prompt.
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/mydomain.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Here we chose to discard the existing certificate and replace it with a new one, so we entered 2.
The next message is a prompt informing you that the IP address of the machine requesting the certificate will be publicly logged.
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for mydomain.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Enter Y to continue.
Finally, certbot asks you to add a record to your DNS so it can complete the ACME challenge. Leave this prompt as it is for now; do not press Enter yet.
Please deploy a DNS TXT record under the name
_acme-challenge.mydomain.com with the following value:

V9f2_ay6H-HfBAYDkco07wNjdYdxSjX-TfFxsAJS8vS

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Now add the TXT record in the hosting provider or cloud console that manages the domain. If you cannot edit the zone yourself, you may need to ask the server administrator to do it.
Example TXT record settings
- Name (domain): _acme-challenge.mydomain.com
- TTL: 1800 / 3600
- Value: V9f2_ay6H-HfBAYDkco07wNjdYdxSjX-TfFxsAJS8vS
- Routing Policy (AWS Route 53 only): Simple
If you have several subdomains, run the command once for each subdomain name; each one naturally needs its own TXT record as well. For a subdomain named subdomain, the record name would be _acme-challenge.subdomain.mydomain.com.
Open a new terminal window and run the dig command to check that the TXT record is visible.
dig TXT _acme-challenge.mydomain.com
The output looks roughly like this.
dig TXT _acme-challenge.mydomain.com

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> TXT _acme-challenge.mydomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26750
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.mydomain.com.	IN	TXT

;; ANSWER SECTION:
_acme-challenge.mydomain.com. 60 IN TXT "V9f2_ay6H-HfBAYDkco07wNjdYdxSjX-TfFxsAJS8vS"

;; Query time: 2 msec
;; SERVER: ###.###.###.1#53(###.###.###.1)
;; WHEN: Sun Dec 30 13:32:00 KST 2018
;; MSG SIZE  rcvd: 111
If the TXT value in the ANSWER SECTION matches the _acme-challenge value certbot printed above, go back to the original terminal and press Enter to continue the renewal.
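As an added example that is not part of the original post, the following POSIX shell helper automates the dig check above: it polls the _acme-challenge TXT record and only reports success once the exact value certbot printed is served, so you do not press Enter on a record that has not propagated yet. The function names, the polling interval and the optional resolver argument are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the ACME dns-01 TXT
# record is live before continuing in certbot.

# txt_has_value EXPECTED
# Reads `dig +short TXT <name>` output on stdin and returns 0 only if one of
# the TXT strings equals EXPECTED exactly (prefix/suffix variants fail).
txt_has_value() {
    expected="$1"
    # dig +short prints each TXT string wrapped in double quotes; strip them,
    # then require a whole-line, fixed-string match.
    sed 's/^"//; s/"$//' | grep -Fxq -- "$expected"
}

# wait_for_txt RECORD EXPECTED [RESOLVER] [TRIES]
# Polls RECORD every 10 seconds. Pass the zone's authoritative nameserver as
# RESOLVER so a negative answer cached by the local resolver (the TTL the
# hosting console let you set does not help there) is not mistaken for
# "not propagated yet" or, worse, a stale old value for the new one.
wait_for_txt() {
    record="$1"; expected="$2"; resolver="${3:-}"; tries="${4:-30}"
    i=0
    while [ "$i" -lt "$tries" ]; do
        if dig +short TXT "$record" ${resolver:+@"$resolver"} | txt_has_value "$expected"; then
            echo "$record serves the expected value; safe to press Enter in certbot."
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
    echo "Timed out: $record still does not return the expected value." >&2
    return 1
}

# Usage with the record and value from this post (resolver is a placeholder):
#   wait_for_txt _acme-challenge.mydomain.com \
#       'V9f2_ay6H-HfBAYDkco07wNjdYdxSjX-TfFxsAJS8vS' ns1.example-dns-host.invalid
```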
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mydomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mydomain.com/privkey.pem
   Your cert will expire on 2019-03-30. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le