Hello everyone,
renewal of my certificate stopped working (see below).
I am afraid i am no network guru and after reading serveral threads i still don't know what to do.
The certificate is for my self-hosted server, i have a static IP-Adress from my internet provider.
Thanks in advance
[root@b2b-130-180-72-186 ]# dig caa unitymedia.biz @8.8.8.8
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> caa unitymedia.biz @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58737
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;unitymedia.biz. IN CAA;; ANSWER SECTION:
unitymedia.biz. 21599 IN CAA 0 iodef "mailto:pki@libertyglobal.com"
unitymedia.biz. 21599 IN CAA 0 issuewild ";"
unitymedia.biz. 21599 IN CAA 0 issue "globalsign.com"
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: b2b-130-180-72-186.unitymedia.biz
I ran this command: certbot renew --dry-run
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/b2b-130-180-72-186.unitymedia.biz.conf
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for b2b-130-180-72-186.unitymedia.biz
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (b2b-130-180-72-186.unitymedia.biz) from /etc/letsencrypt/renewal/b2b-130-180-72-186.unitymedia.biz.conf produced an unexpected error: Failed authorization procedure. b2b-130-180-72-186.unitymedia.biz (tls-sni-01): urn:ietf:params:acme:error:caa :: CAA record for b2b-130-180-72-186.unitymedia.biz prevents issuance. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/b2b-130-180-72-186.unitymedia.biz/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/b2b-130-180-72-186.unitymedia.biz/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: b2b-130-180-72-186.unitymedia.biz
Type: None
Detail: CAA record for b2b-130-180-72-186.unitymedia.biz prevents
issuance
My web server is (include version): Apache
The operating system my web server runs on is (include version): Centos7
My hosting provider, if applicable, is: self hosting
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
