ASUSTOR & LetsEncrypt Renewal Failure

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: dump.gregkoss.com

I ran this command: Renewal feature on ASUSTOR

It produced this output: "Unable to apply settings. Please try again. (Ref. 5401)" which ASUSTOR tells me is too many requests for renewal.

My web server is (include version): ASUSTOR Apache Version: 2.4.54.r16

The operating system my web server runs on is (include version): ASUSTOR ADM Version: 4.1.0.RLQ1

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): No - All actions are done through the Settings UI.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): N/A

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Unknown - ASUSTOR SW has all the current updates.

The CERT installed correctly the first time and was used successfully until its EOL. The Renewal function failed and now the CERT is EOL and I can't renew it or get a new one for this domain.

Please advise the next course of action.

Thanks

1 Like

Hi @gregkoss, and welcome to the LE community forum :)

I don't have any experience with ASUSTOR.
So, take this with a grain of salt:

  • Are you using the latest version of their SW?
  • Have you tried deleting the existing cert (possible reboot required) and then requesting a new one?

2 Likes

Hi Rudy,

I'm running all the current SW, ADM (OS), and the Apps like Apache, etc.

I did try to delete the LetsEncrypt CERT and it deleted. Then I rebooted and tried to get a new one. No joy.

ASUSTOR support tells me it's a LetsEncrypt problem, which is why I made this request.

What can you tell me about your records for dump.gregkoss.com? Do you see it as valid at your end? How many renewal requests have you seen?

Thanks,
-G

1 Like

crt.sh | dump.gregkoss.com
I see two certs issued today:

  • one from LE
  • one from ZeroSSL

That said, Let's Debug shows CAA issues:
Let's Debug (letsdebug.net)

2 Likes

Rudy,

I just created the ZeroSSL one tonight and installed it. It works perfectly. But I need to manually update it which is not desirable.

I'd like to get your service working.

Thanks

Greg Koss

1 Like

Was SERVFAIL an accepted state for issue in the CA/B BR, and is LE being strict here? I assume that SERVFAIL was there when ZeroSSL signed the cert.

EDIT: yes it is

CAs are permitted to treat a record lookup failure as permission to issue if:
• the failure is outside the CA’s infrastructure; and
• the lookup has been retried at least once; and
• the domain’s zone does not have a DNSSEC validation chain to the ICANN root.

3 Likes
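
An added example, not part of any post in this thread: a Python model of the CAA check discussed above, combining RFC 8659 tree climbing with the lookup-failure exception quoted in the previous post. The resolver data, the names `host.example.test` and `ca.example`, and the `use_exception` switch (a CA choosing whether to rely on the exception) are constructed assumptions; only the `issue` property is modelled.

```python
from dataclasses import dataclass

@dataclass
class Answer:
    rcode: str          # "NOERROR", "NXDOMAIN" or "SERVFAIL"
    issue: tuple = ()   # values of CAA "issue" properties at this name

def find_caa(name, resolve, retries=1):
    """Climb from name toward the root (RFC 8659); return (where, issue).
    issue is None when a lookup still fails after the retries."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for _ in range(retries + 1):
            answer = resolve(candidate)
            if answer.rcode != "SERVFAIL":
                break
        if answer.rcode == "SERVFAIL":
            return candidate, None
        if answer.issue:
            return candidate, answer.issue
    return None, ()

def may_issue(name, ca_id, resolve, dnssec_chain, use_exception,
              failure_in_ca_infra=False):
    """Return (allowed, reason) for the CA identified by ca_id."""
    where, issue = find_caa(name, resolve)
    if issue is None:
        # The three conditions quoted in the thread. They permit issuance but
        # do not require it, so a stricter CA sets use_exception=False.
        ok = use_exception and not failure_in_ca_infra and not dnssec_chain
        return ok, f"CAA lookup failure at {where}"
    if not issue:
        return True, "no CAA records found"
    ok = any(v.split(";")[0].strip() == ca_id for v in issue)
    return ok, f"CAA at {where}"

# Constructed zone data: the parent zone answers SERVFAIL for CAA queries.
def broken_zone(qname):
    if qname == "host.example.test":
        return Answer("NOERROR")
    return Answer("SERVFAIL")

if __name__ == "__main__":
    for flag in (True, False):
        print(flag, may_issue("host.example.test", "ca.example", broken_zone,
                              dnssec_chain=False, use_exception=flag))
```

With the same broken zone, the CA that relies on the exception issues and the stricter one refuses, which is the difference in outcome the thread is asking about.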

You might check here for some help:

LE discuss CAA lookup errors in their topic here

@gregkoss I didn't get SERVFAIL from a couple tests just now (Let's Debug or unboundtest) but you should look at the errors and warnings at dnsviz.net. I am not expert enough at DNS to say whether the warning about the stray NS record could cause the SERVFAIL. Maybe @rg305 or other DNS expert can say.

4 Likes

Here is a list of issued certificates crt.sh | dump.gregkoss.com, the latest being 2022-11-04 by C=AT, O=ZeroSSL, CN=ZeroSSL RSA Domain Secure Site CA.
Also on 2022-11-04 Let's Encrypt issued certificates.

1 Like

The active nameservers do not match your NS records. Please correct the NS records.

1 Like

Hi,

It looks like LE issued the CERT, but the Asus didn't install it. Clearly I have an Asus problem. But ZeroSSL is working so I'm good.

Thanks,
-G

1 Like

And using this tool https://check-your-website.server-daten.de/
dump.gregkoss.com - Make your website better - DNS, redirects, mixed content, certificates

2 Likes
