Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
ccs.ornl.gov
I ran this command:
certbot certonly --webroot -w /var/www/html -d myproxy.ccs.ornl.gov -d myproxy1.ccs.ornl.gov
It produced this output:
[root@myproxy1 ~]# certbot certonly --webroot -w /var/www/html -d myproxy.ccs.ornl.gov -d myproxy1.ccs.ornl.gov
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for myproxy.ccs.ornl.gov
http-01 challenge for myproxy1.ccs.ornl.gov
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Challenge failed for domain myproxy.ccs.ornl.gov
Challenge failed for domain myproxy1.ccs.ornl.gov
http-01 challenge for myproxy.ccs.ornl.gov
http-01 challenge for myproxy1.ccs.ornl.gov
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:

  Domain: myproxy.ccs.ornl.gov
  Type: dns
  Detail: DNS problem: SERVFAIL looking up A for myproxy.ccs.ornl.gov - the domain's nameservers may be malfunctioning

  Domain: myproxy1.ccs.ornl.gov
  Type: dns
  Detail: DNS problem: SERVFAIL looking up CAA for myproxy1.ccs.ornl.gov - the domain's nameservers may be malfunctioning
My web server is (include version):
Apache HTTP Server
Name : httpd
Arch : x86_64
Version : 2.4.6
Release : 90.el7
The operating system my web server runs on is (include version):
NAME="Red Hat Enterprise Linux Server"
VERSION="7.7 (Maipo)"
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.36.0
This problem started in the April time frame (when multi-endpoint validation was implemented, or at least coincidentally in that time frame). Validation/issuing became far more hit or miss at that time. At that time we were using acme.sh and the DNS TXT record validation method. This no longer works at all, even when using the staging endpoint. As a result, I've switched to certbot as I'm banging my head against a wall and we are close to expiration.
As you can see we get SERVFAIL errors due to CAA records. At least this is the most frequent error. Sometimes it's for the A record. Sometimes we get: Detail: No valid IP addresses found for myproxy1.ccs.ornl.gov. And every once in a while it will actually work, against staging only (using the command above).
myproxy.ccs.ornl.gov is a CNAME to myproxy1.ccs.ornl.gov (the actual web server). We are trying to issue a cert with cn=myproxy.ccs.ornl.gov with myproxy1.ccs.ornl.gov as a DNS alternate name. Again, prior to the April time frame this worked.
Today I discovered that if I leave off 'myproxy1.ccs.ornl.gov' I am able to issue a cert (staging and prod) for just 'myproxy.ccs.ornl.gov'. However, I am unable to issue a cert for only 'myproxy1.ccs.ornl.gov' or for both in one cert, no matter the order.
Errors have been very inconsistent. Any help is appreciated.
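The "SERVFAIL looking up CAA" error above is worth seeing from the CA's side. Before issuing, a CA performs the CAA lookup described in RFC 8659: it queries CAA at the requested name (a normal resolver follows a CNAME such as the one in this post to the target), and if the answer is empty it climbs to each parent label up to the root. A SERVFAIL at any step is fatal, because the CA cannot tell a record that is absent from one that is being suppressed, so it refuses even when the A record resolves. The model below is an added example written for this thread, not Let's Encrypt's or certbot's code. The zone is constructed from RFC 2606/5737 placeholder names and addresses (www.example.com aliased to web1.example.com, CAA at the apex), and the `failures` set is a constructed way of injecting the intermittent SERVFAIL the post describes on one specific query.

```python
"""Model of the RFC 8659 CAA lookup a CA performs before issuance.

Added example over a constructed zone; not Let's Encrypt's or certbot's code.
Shows why a SERVFAIL on the CAA query blocks issuance even when the
A record for the same name resolves fine.
"""

# Constructed zone. Names/address are RFC 2606/5737 placeholders that
# mirror the shape in the post: an alias (CNAME) pointing at the web host,
# with a CAA record at the zone apex.
ZONE = {
    ".": {},
    "com.": {},
    "example.com.": {"CAA": [(0, "issue", "letsencrypt.org")]},
    "web1.example.com.": {"A": ["192.0.2.10"]},
    "www.example.com.": {"CNAME": ["web1.example.com."]},
}


def query(zone, name, rrtype, failures=frozenset(), max_cname=8):
    """Simulated recursive resolver returning (rcode, records).

    Follows CNAME chains the way a real resolver does, so a CAA query at an
    alias returns the target's CAA RRset. `failures` is a constructed set of
    (name, rrtype) pairs whose lookup SERVFAILs, modelling flaky nameservers.
    """
    for _ in range(max_cname + 1):
        if (name, rrtype) in failures:
            return "SERVFAIL", []
        node = zone.get(name)
        if node is None:
            return "NXDOMAIN", []
        if rrtype != "CNAME" and "CNAME" in node:
            name = node["CNAME"][0]  # restart the lookup at the alias target
            continue
        return "NOERROR", list(node.get(rrtype, []))
    return "SERVFAIL", []  # CNAME loop or chain too long


def parent(name):
    """Parent of a fully qualified name ('a.b.com.' -> 'b.com.'); None at root."""
    if name == ".":
        return None
    rest = name.split(".", 1)[1]
    return rest or "."


def relevant_caa(zone, name, failures=frozenset()):
    """RFC 8659 section 3: the CAA RRset at the name, else at the nearest
    ancestor that has one. Returns (status, records, name_where_decided)."""
    x = name
    while x is not None:
        rcode, caa = query(zone, x, "CAA", failures)
        if rcode == "SERVFAIL":
            # The CA cannot distinguish "no record" from "answer suppressed",
            # so it must stop here rather than assume issuance is allowed.
            return "SERVFAIL", [], x
        if caa:
            return "FOUND", caa, x
        x = parent(x)
    return "NONE", [], None


def caa_permits(zone, name, ca_id, failures=frozenset()):
    """Decide whether the CA identified by `ca_id` may issue for `name`.
    Returns (allowed, reason)."""
    status, records, where = relevant_caa(zone, name, failures)
    if status == "SERVFAIL":
        return False, f"SERVFAIL looking up CAA for {where}"
    if status == "NONE":
        return True, "no CAA records in the tree: issuance is unrestricted"
    # A critical (flag bit 128) property the CA does not understand forbids issuance.
    if any(flags & 128 and tag not in ("issue", "issuewild", "iodef")
           for flags, tag, _ in records):
        return False, f"critical CAA property not understood at {where}"
    issuers = {value for _, tag, value in records if tag == "issue"}
    if not issuers:
        return True, f"CAA at {where} has no issue property: not restricted"
    if ca_id in issuers:
        return True, f"CAA at {where} authorises {ca_id}"
    return False, f"CAA at {where} authorises {sorted(issuers)}, not {ca_id}"


def demo():
    """Three scenarios; returned as a dict so the outcomes can be checked."""
    results = {}
    # 1. Healthy zone: alias, target and apex all answer.
    results["healthy"] = caa_permits(ZONE, "www.example.com.", "letsencrypt.org")
    # 2. Constructed fault: only the apex CAA query SERVFAILs. The A record
    #    still resolves, yet the CA must refuse, exactly the pattern in the post.
    fail = frozenset({("example.com.", "CAA")})
    results["apex_caa_servfail"] = caa_permits(ZONE, "www.example.com.", "letsencrypt.org", fail)
    results["a_still_resolves"] = query(ZONE, "www.example.com.", "A", fail)
    # 3. A CA that the apex CAA record does not authorise.
    results["other_ca"] = caa_permits(ZONE, "web1.example.com.", "ca.example")
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The practical check this models is to ask a DNSSEC-validating resolver for CAA at the host name and at every ancestor label up to the TLD, and to confirm that each answer is NOERROR (empty or not) rather than SERVFAIL; the ancestor whose CAA query fails is the one whose nameservers or DNSSEC signing needs attention, even though the web host's A record looks healthy.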