Incorrect validation certificate for tls-sni-01 challenge.

The other day, I came across a frustrating issue while attempting to renew the Let’s Encrypt SSL certificate on my haproxy load balancer.

The error in question was:

“Incorrect validation certificate for tls-sni-01 challenge.”

I checked my DNS records and made sure that all of my domains and subdomains were pointing to my haproxy load balancer. Each domain had an A record that pointed to my load balancer, so that wasn’t the issue.

The issue seemed to be with the “--tls-sni-01-port=8888” option that I was using.

I was only able to renew my certificate after I modified the certbot command to use an HTTP challenge instead.

I changed:

certbot renew --force-renewal --tls-sni-01-port=8888

to:

certbot renew --preferred-challenges http

This immediately fixed my issue. As to why this command suddenly started to fail, I am not entirely sure. I read elsewhere that TLS-SNI has been disabled for security purposes, so maybe that was the issue.
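What the HTTP challenge in the working command actually exchanges, shown as an added example that is not part of this post: the CA fetches http://<domain>/.well-known/acme-challenge/<token> over port 80 and expects the key authorization "token.thumbprint" (RFC 8555, with the account-key thumbprint from RFC 7638). The responder below assumes haproxy forwards that path prefix to it; the JWK and token values are constructed placeholders, not real account material.

```python
import base64
import hashlib
import json
import re

ACME_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 tokens contain only base64url characters
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an account key: SHA-256 over the required
    public members only, serialised with sorted keys and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the CA expects to read back at ACME_PREFIX + token."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_response(path: str, pending: dict) -> tuple:
    """Answer one request that haproxy forwarded to the challenge backend.
    `pending` maps token -> key authorization. Anything outside the ACME
    prefix, malformed (e.g. containing '/' or '.'), or for an unknown
    token gets a 404 with an empty body."""
    if not path.startswith(ACME_PREFIX):
        return 404, ""
    token = path[len(ACME_PREFIX):]
    if not TOKEN_RE.fullmatch(token) or token not in pending:
        return 404, ""
    return 200, pending[token]


if __name__ == "__main__":
    # Constructed account key; a real JWK comes from certbot's account directory.
    jwk = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
    pending = {"constructed-token": key_authorization("constructed-token", jwk)}
    print(challenge_response(ACME_PREFIX + "constructed-token", pending))
    print(challenge_response(ACME_PREFIX + "../outside", pending))
```

In haproxy this means an ACL on the same path prefix routed to this backend on the port certbot is told to use, while everything else keeps going to the normal backends.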

Hopefully, this helps somebody else out.