Attempting to expand a new certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.natefi.eu

I ran this command: sudo certbot --apache -d natefi.eu -d www.natefi.eu

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache


You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/natefi.eu.conf)

It contains these names: natefi.eu

You requested these names for the new certificate: natefi.eu, www.natefi.eu.

Do you want to expand and replace this existing certificate with the new
certificate?


(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.natefi.eu
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.natefi.eu (http-01): urn:ietf:params:acme:error:dns :: No valid IP addresses found for www.natefi.eu

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.natefi.eu
    Type: None
    Detail: No valid IP addresses found for www.natefi.eu

My web server is (include version): Apache version 2.4.29

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Ubuntu Linux 18.04.1

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Hi @EsquirolDespert

there is an older check of your domain - https://check-your-website.server-daten.de/?q=natefi.eu

No ip address.

But rechecked now - both domain names are defined:

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| natefi.eu | A | 62.99.36.129 Santa Coloma de Gramenet/Catalonia/Spain (ES) - Euskaltel S.A. No Hostname found | yes | 1 | 0 |
| | AAAA | | yes | | |
| www.natefi.eu | A | 62.99.36.129 Santa Coloma de Gramenet/Catalonia/Spain (ES) - Euskaltel S.A. No Hostname found | yes | 1 | 0 |
| | AAAA | | yes | | |

So you shouldn’t see that error message.

Your zone definition is inconsistent:

Fatal error: Nameservers mit different SOA Serial Numbers

Looks like you have changed your name server definitions in the last minutes.

And that’s

Fatal: Inconsistency between delegation and zone. The set of NS records served by the authoritative name servers must match those proposed for the delegation in the parent zone.: dinamic2.cdmon.net (46.16.60.159): Delegation: dinamic1.cdmon.net,dinamic2.cdmon.net,ns1.cdmon.net,ns2.cdmon.net, Zone: dinamic1.cdmon.net,dinamic2.cdmon.net,dinamic3.cdmon.net

bad.

It seems some of your nameservers say www.natefi.eu is a CNAME pointing to natefi.eu, and some of your nameservers (I think it’s the same ones) say natefi.eu has no A records. The error message would be correct, depending on which nameservers Let’s Encrypt happens to query.

https://dnsviz.net/d/natefi.eu/Xos0yQ/dnssec/
https://dnsviz.net/d/www.natefi.eu/Xos0zA/dnssec/

(They also have other problems.)

Thanks both for your answer.
Could it be a problem to have esquiroldespert.com and natefi.eu on the same server?
I had the same problem before with esquiroldespert.com but you helped me to fix it. There was a fixed IP pointing to www.esquiroldespert.com different from the current (dynamic) one. I applied the same solution to natefi.eu and www.natefi.eu. It seems to me it has the same configuration but I must be wrong because it is not working.
I have also noticed that in my ISP DNSSEC is not active, neither in esquiroldespert.com nor in natefi.eu; is this important?

Sorry, any answer about this?

Hi all, could you help me with this, please?

Well, I’ve fixed the problem. My DNS provider has two groups of DNS, one for Dynamic DNS and another for Static DNS. So it is not possible to point the domain to DNS from both groups. You have to choose. Now both domains are working properly and renewing their certificates without problems. natefi.eu pointing to static DNS and esquiroldespert.com pointing to dynamic DNS.
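
The per-nameserver checks the replies above describe (SOA serials, delegation versus zone NS set, whether each server can produce an address), applied to the mixed delegation the final post identifies, as an added Python example that is not part of the original thread. The delegation and the NS set served by dinamic2.cdmon.net are the ones quoted in the thread; serials, addresses and per-server records are constructed, and `Observation`, `resolve_a` and `audit` are hypothetical names.

```python
from dataclasses import dataclass

@dataclass
class Observation:
    """One authoritative server's answers (all values below are constructed)."""
    soa_serial: int
    ns_set: frozenset   # NS records the server itself returns for the zone
    records: dict       # owner name -> list of (type, value)

def resolve_a(obs, name, depth=0):
    """Follow CNAMEs within a single server's answers; return A addresses."""
    if depth > 8:       # guard against CNAME loops
        return []
    addrs = []
    for rtype, value in obs.records.get(name, []):
        if rtype == "A":
            addrs.append(value)
        elif rtype == "CNAME":
            addrs += resolve_a(obs, value, depth + 1)
    return addrs

def audit(delegation, observations, names):
    """Return findings; an empty list means every server agrees."""
    findings = []
    serials = {o.soa_serial for o in observations.values()}
    if len(serials) > 1:
        findings.append(f"SOA serials differ: {sorted(serials)}")
    for ns, o in sorted(observations.items()):
        if o.ns_set != delegation:
            findings.append(f"{ns}: NS set differs from delegation, "
                            f"missing {sorted(delegation - o.ns_set)}, "
                            f"extra {sorted(o.ns_set - delegation)}")
        findings += [f"{ns}: no A address for {n}"
                     for n in names if not resolve_a(o, n)]
    return findings

# Delegation and dinamic2's NS set are the ones quoted in the thread.
DELEGATION = frozenset({"dinamic1.cdmon.net", "dinamic2.cdmon.net",
                        "ns1.cdmon.net", "ns2.cdmon.net"})
OBSERVED = {  # serials, addresses and per-server records are constructed
    "dinamic2.cdmon.net": Observation(
        2020040601,
        frozenset({"dinamic1.cdmon.net", "dinamic2.cdmon.net", "dinamic3.cdmon.net"}),
        {"www.natefi.eu": [("CNAME", "natefi.eu")], "natefi.eu": []}),
    "ns1.cdmon.net": Observation(2020040602, DELEGATION,
        {"www.natefi.eu": [("A", "192.0.2.10")], "natefi.eu": [("A", "192.0.2.10")]}),
}
if __name__ == "__main__":
    print("\n".join(audit(DELEGATION, OBSERVED, ["natefi.eu", "www.natefi.eu"])))
```

Real observations can be gathered by querying each listed server directly, for example with `dig @<nameserver> natefi.eu SOA`, before requesting the certificate again.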
