Auto-renewal not working since change of domain registrar

effisk · March 19, 2018, 6:14pm

Hi all,

my domain is www.whichseats.com
I have been using let’s encrypt on that domain for two years now; the certificate is renewed using https://certbot.eff.org/. I recently moved my domain name (whichseats.com) from godaddy to a new registrar. My DNS and DNS zones therefore changed. The server and IP for www.whichseats.com however did not change.

Since that registrar change, the cron job that runs the following command returns an error and I am unable to renew my certificate:
certbot renew --pre-hook “service apache2 stop” --post-hook “service apache2 start”

It produced this output:

The following errors were reported by the server:

Domain: whichseats.com
Type: connection
Detail: Fetching
https://www.whichseats.com/.well-known/acme-challenge/_DydAF3aDQujQCy-Vqx5dS5C4yb7WFcC2UOKTda8Qfk:
Connection refused

Domain: www.whichseats.com
Type: connection
Detail: Fetching
http://www.whichseats.com/.well-known/acme-challenge/mgHCUjR4x86UQi1d5tRqXgtoXwTXDMftQ5ox69-e4LA:
Connection refused

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
The following errors were reported by the server:

Domain: whichseats.com
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
6ecb8490817e1d588eff3060fc64a16c.865eb9117f0f5bea8591448526d8766a.acme.invalid
from 213.186.33.5:443. Received 4 certificate(s), first certificate
had names “mailconfig.ovh.net, www.mailconfig.ovh.net”

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.

I verified my DNS entries which all seem correct. I don’t know what the issue could be.
I initially only issued a certificate for the subdomain www.whichseats.com as I don’t need a certificate for whichseats.com so I’m not sure why the error returns a line about whichseats.com being in error.

Can anyone help?

The operating system my web server runs on is Debian Linux 8
I can login to a root shell on my machine.
I’m using a control panel to manage my site (ssh or webmin)

Thank you

schoen · March 19, 2018, 7:41pm

Is that intentional? Do you mean for them to now be hosted separately on separate machines?

effisk · March 19, 2018, 8:29pm

I am using a service from the registrar that redirects whichseats.com to www.whichseats.com. The DNS and DNS zones are also managed at the registrar’s level.
Which explains why the IPs for whichseats.com and www.whichseats.com are different.

So yes it is somewhat intentional.

schoen · March 19, 2018, 8:36pm

So, you’re running Certbot on the machine that www.whichseats.com is pointed at, right?

Could you post the renewal configuration file from /etc/letsencrypt/renewal for this certificate?

effisk · March 19, 2018, 9:02pm

That is correct.

I don’t have access to the server right now as I am on my mobile. I will only be able to post this information tomorrow morning CET time.

Thank you for your help.

effisk · March 20, 2018, 8:06am

Here’s the conf file:

renew_before_expiry = 30 days

version = 0.10.2
archive_dir = /etc/letsencrypt/archive/www.whichseats.com
cert = /etc/letsencrypt/live/www.whichseats.com/cert.pem
privkey = /etc/letsencrypt/live/www.whichseats.com/privkey.pem
chain = /etc/letsencrypt/live/www.whichseats.com/chain.pem
fullchain = /etc/letsencrypt/live/www.whichseats.com/fullchain.pem

Options used in the renewal process

[renewalparams]
account = 8ec27e477c57b14395a65ce3af114443
authenticator = webroot
installer = None
post_hook = service apache2 start
pre_hook = service apache2 stop
[[webroot_map]]
whichseats.com = /tmp/letsencrypt-auto
www.whichseats.com = /tmp/letsencrypt-auto

effisk · March 20, 2018, 9:59am

It appears that I did not have the full picture. Our developer was trying to renew the certificate for whichseats.com at the same time, which produced the error.

I changed the A record for whichseats.com and made it point to the server. We are now managing the redirection from whichseats.com to www.whichseats.com at the server level. We were able to renew the certificate.

Thank you again for your help.

system · April 19, 2018, 9:59am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.