Cannot renew cert with Bluehost DNS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
sphynx.bumblebeargames.com

I ran this command:
sudo certbot --nginx -d sphynx.bumblebeargames.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sphynx.bumblebeargames.com
Waiting for verification...
Challenge failed for domain sphynx.bumblebeargames.com
http-01 challenge for sphynx.bumblebeargames.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version):
nginx

The operating system my web server runs on is (include version):
Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal

My hosting provider, if applicable, is:
I am running this particular web server out of our office, but I'm using Bluehost's domain name server.

I can login to a root shell on my machine (yes or no, or I don't know):
yes, it's a type A record and I can ssh with no issues

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

I have been using certbot on this machine with this config for a few years with it autorenewing with no problem.

Welcome @nmikros

Different debug tools give different results. But, this "feels" to me like a DNSSEC issue. You might try disabling DNSSEC. Rerun Certbot and see how it goes. If that works, try re-enabling DNSSEC and repeat.

There are some problems reported by dnsviz (below) but sometimes things like this don't cause problems. It is beyond my skill level to know for sure in this case :) My amateur guess is it is related to that "stray" DS record.

Note the problem is with the CAA record. You don't need one but Let's Encrypt must check for one to ensure it is allowed to issue a cert for your domain. So, the query must work by either returning a value or a proper "Not Found". This query is failing with "nodata proof failed" which is DNSSEC related.
https://dnsviz.net/d/sphynx.bumblebeargames.com/dnssec/

I can also reproduce using the below (but not with unboundtest, for the benefit of other volunteers). The test below also reports a problem with the AAAA query, which you also don't need, but your DNS servers need to reply properly to queries for them.

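The CAA point above, as an added example that is not from this thread and not Certbot or Let's Encrypt code: a pure-Python model of the decision a CA makes from a CAA lookup (RFC 8659), including the failed-query case. The CA identifier letsencrypt.org and the DNS answers are constructed assumptions; it checks a single name and omits the climb to parent names.

```python
# Models the CAA check a CA makes before issuing (RFC 8659), including the
# failed-query case from this thread. Added example, not Certbot/LE code;
# no network: DNS answers are constructed inline.
from dataclasses import dataclass, field

CA_IDENTIFIER = "letsencrypt.org"   # assumption: the CA's issuer-domain-name
CRITICAL_FLAG = 0x80                # RFC 8659 "issuer critical" flag bit

@dataclass
class CaaRecord:
    flags: int
    tag: str
    value: str

def parse_caa_rdata(rdata: bytes) -> CaaRecord:
    """Parse CAA RDATA wire format: flags(1) | tag length(1) | tag | value."""
    if len(rdata) < 2 or rdata[1] == 0 or len(rdata) < 2 + rdata[1]:
        raise ValueError("malformed CAA RDATA")
    tag_len = rdata[1]
    return CaaRecord(rdata[0], rdata[2:2 + tag_len].decode("ascii").lower(),
                     rdata[2 + tag_len:].decode("ascii"))

@dataclass
class CaaLookup:
    """Outcome of a DNSSEC-validating CAA query for one name. status is
    'answer', 'nodata', 'nxdomain' or 'servfail' (e.g. bogus / failed proof)."""
    status: str
    records: list = field(default_factory=list)

def caa_permits_issuance(lookup: CaaLookup, ca: str = CA_IDENTIFIER,
                         wildcard: bool = False) -> tuple[bool, str]:
    """Simplified RFC 8659 decision for one name (no climb to parent names)."""
    if lookup.status == "servfail":
        # The thread's case: NODATA could not be proven, so the CA cannot tell
        # "no CAA record" from "CAA record withheld" and must fail closed.
        return False, "CAA lookup failed (DNSSEC bogus / nodata proof failed)"
    if lookup.status in ("nodata", "nxdomain"):
        return True, "no CAA records: issuance not restricted"
    for r in lookup.records:
        if r.flags & CRITICAL_FLAG and r.tag not in ("issue", "issuewild", "iodef"):
            return False, f"unrecognised critical tag '{r.tag}'"
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in lookup.records) else "issue"
    relevant = [r for r in lookup.records if r.tag == tag]
    if not relevant:
        return True, f"no '{tag}' records: issuance not restricted"
    # issuer-domain-name is the value before the first ';'; a bare ';' means "no CA"
    issuers = {r.value.split(";", 1)[0].strip().lower() for r in relevant}
    if ca.lower() in issuers:
        return True, f"'{tag}' record names {ca}"
    return False, f"'{tag}' records {sorted(issuers)} do not name {ca}"
```

A proper NODATA answer and an explicit "issue letsencrypt.org" record both permit issuance, while a lookup that ends in SERVFAIL (which is what a failed NODATA proof turns into at a validating resolver) blocks it regardless of what the zone actually contains.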

Looks like a certificate was successfully issued https://decoder.link/sslchecker/sphynx.bumblebeargames.com/443


Somewhat puzzling. The dnsviz report now shows Bogus for the A record, so it is worse than before.

But, Let's Debug HTTP test succeeds. And, they got the cert so ...

In either case, this is just DNS issues.

You should look to update this too. Ubuntu readily supports the snap install of Certbot, which would get it to the current V3.0 (just released). It was not causing these failures, but 0.40 is nearly 5 years old.

Once you have reliable results from this renew test, you should look to upgrade:

sudo certbot renew --dry-run

Thank you! Yes, your suggestion worked.
