The other day, I came across a frustrating issue while attempting to renew the Let’s Encrypt SSL certificate on my haproxy load balancer.
The error in question was:
“Incorrect validation certificate for tls-sni-01 challenge.”
I checked my DNS records and made sure that all of my domains and subdomains were pointing to my haproxy load balancer. Each domain had an A record that pointed to my load balancer, so that wasn’t the issue.
The issue seemed to be with the “–tls-sni-01-port=8888” command that I was using.
I was only able to renew my certificate after I modified the certbot command to use a http challenge instead.
certbot renew --force-renewal --tls-sni-01-port=8888
certbot renew --preferred-challenges http
This immediately fixed my issue. As to why this command suddenly started to fail – I am not entirely sure. I read elsewhere that TLS-SNI has been disabled for security purposes, so maybe that was the issue.
Hopefully, this helps somebody else out.