Let's encrypt!
Nov. 18th, 2017 11:42 pm
If the official letsencrypt client refuses to renew a certificate and fails with unhelpful diagnostics like
Domain: host.domain
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge. Requested c487b16848f81fd18948802e493f858e.
fa08f116e60cfe88bb05a96cb684c921.acme.invalid from <ip>:443. Received 2 certificate(s), first certificate had names "<names...>"
and letsencrypt.log contains something like
2017-11-02 01:05:27,150:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/certbot/renewal.py", line 425, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python3.6/site-packages/certbot/main.py", line 743, in renew_cert
_get_and_save_cert(le_client, config, lineage=lineage)
File "/usr/lib/python3.6/site-packages/certbot/main.py", line 80, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python3.6/site-packages/certbot/renewal.py", line 297, in renew_cert
new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
File "/usr/lib/python3.6/site-packages/certbot/client.py", line 318, in obtain_certificate
self.config.allow_subset_of_names)
File "/usr/lib/python3.6/site-packages/certbot/auth_handler.py", line 81, in get_authorizations
self._respond(resp, best_effort)
File "/usr/lib/python3.6/site-packages/certbot/auth_handler.py", line 138, in _respond
self._poll_challenges(chall_update, best_effort)
File "/usr/lib/python3.6/site-packages/certbot/auth_handler.py", line 202, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
then, if you are running SELinux, do the following (shown for nginx; for apache it is analogous):
# chcon --reference=/var/log/nginx/ssl_error.log /var/lib/letsencrypt/error.log
# chcon --reference=/var/log/nginx/ssl_access.log /var/lib/letsencrypt/access.log
Other than that, it works fine.
