Cannot renew certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
Trying to renew one certificate with multiple domains:
-d gnq.forest-atlas.org -d gnq.atlas-forestier.org -d gnq.atlas-forestal.org -d gnq.forestatlas.org -d gnq.atlasforestier.org -d caf.forest-atlas.org -d caf.atlas-forestier.org -d caf.forestatlas.org -d caf.atlasforestier.org -d rca.atlas-forestier.org -d rca.atlasforestier.org -d cod.forest-atlas.org -d drc.forest-atlas.org -d rdc.atlas-forestier.org -d cod.atlas-forestier.org -d cod.forestatlas.org -d drc.forestatlas.org -d rdc.atlasforestier.org -d cod.atlasforestier.org -d cmr.forest-atlas.org -d cmr.atlas-forestier.org -d cmr.forestatlas.org -d cmr.atlasforestier.org -d cog.forest-atlas.org -d cog.atlas-forestier.org -d cog.forestatlas.org -d cog.atlasforestier.org -d gab.forest-atlas.org -d gab.atlas-forestier.org -d gab.forestatlas.org -d gab.atlasforestier.org -d atlas.mepa.gov.ge -d geo.forest-atlas.org -d geo.forestatlas.org -d lbr.forest-atlas.org -d lbr.forestatlas.org -d mdg.forest-atlas.org -d mdg.atlas-forestier.org -d mdg.forestatlas.org -d mdg.atlasforestier.org -d siap.anpngabon.org -d anpngabon.org -d www.anpngabon.org -d www.tierrasindigenas.org -d tierrasindigenas.org -d ind.restorationatlas.org -d ind.restoration-atlas.org -d india.restorationatlas.org -d india.restoration-atlas.org -d www.india.restorationatlas.org -d sidhi.restorationatlas.org -d sidhi.restoration-atlas.org -d vp.restorationatlas.org -d vp.restoration-atlas.org -d eth.restorationatlas.org -d eth.restoration-atlas.org -d cmr.amenagement-territoire.org -d cog.amenagement-territoire.org -d cog.reddregistry.org -d cog.registre-redd.org -d www.restauracaovaledoparaiba.org.br

I ran this command:
sudo certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/gnq.forest-atlas.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Attempting to renew cert (gnq.forest-atlas.org) from /etc/letsencrypt/renewal/gnq.forest-atlas.org.conf produced an unexpected error: urn:ietf:params:acme:error:caa :: Error finalizing order :: Rechecking CAA for "caf.forestatlas.org" and 22 more identifiers failed. Refer to sub-problems for more information. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/gnq.forest-atlas.org/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/gnq.forest-atlas.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

I checked the log file; there seems to be a timeout looking up the CAA.

[....same error for all domain names.....]
        {
          "type": "urn:ietf:params:acme:error:caa",
          "detail": "Error finalizing order :: While processing CAA for gab.forestatlas.org: DNS problem: query timed out looking up CAA for gab.forestatlas.org",
          "status": 403,
          "identifier": {
            "type": "dns",
            "value": "gab.forestatlas.org"
          }
        },
        {
          "type": "urn:ietf:params:acme:error:caa",
          "detail": "Error finalizing order :: While processing CAA for gab.atlasforestier.org: DNS problem: query timed out looking up CAA for gab.atlasforestier.org",
          "status": 403,
          "identifier": {
            "type": "dns",
            "value": "gab.atlasforestier.org"
          }
        }
      ]
    }
    2020-03-03 04:13:54,387:WARNING:certbot.renewal:Attempting to renew cert (gnq.forest-atlas.org) from /etc/letsencrypt/renewal/gnq.forest-atlas.org.conf produced an unexpected error: urn:ietf:params:acme:error:caa :: Error finalizing order :: Rechecking CAA for "cmr.amenagement-territoire.org" and 50 more identifiers failed. Refer to sub-problems for more information. Skipping.
    2020-03-03 04:13:54,388:DEBUG:certbot.renewal:Traceback was:
    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 452, in handle_renewal_request
        main.renew_cert(lineage_config, plugins, renewal_candidate)
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 1193, in renew_cert
        renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
        renewal.renew_cert(config, domains, le_client, lineage)
      File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 310, in renew_cert
        new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
      File "/usr/lib/python3/dist-packages/certbot/client.py", line 369, in obtain_certificate
        cert, chain = self.obtain_certificate_from_csr(csr, orderr)
      File "/usr/lib/python3/dist-packages/certbot/client.py", line 301, in obtain_certificate_from_csr
        orderr = self.acme.finalize_order(orderr, deadline)
      File "/usr/lib/python3/dist-packages/acme/client.py", line 927, in finalize_order
        return self.client.finalize_order(orderr, deadline)
      File "/usr/lib/python3/dist-packages/acme/client.py", line 754, in finalize_order
        self._post(orderr.body.finalize, wrapped_csr)
      File "/usr/lib/python3/dist-packages/acme/client.py", line 96, in _post
        return self.net.post(*args, **kwargs)
      File "/usr/lib/python3/dist-packages/acme/client.py", line 1204, in post
        return self._post_once(*args, **kwargs)
      File "/usr/lib/python3/dist-packages/acme/client.py", line 1218, in _post_once
        response = self._check_response(response, content_type=content_type)
      File "/usr/lib/python3/dist-packages/acme/client.py", line 1073, in _check_response
        raise messages.Error.from_json(jobj)
    acme.messages.Error: urn:ietf:params:acme:error:caa :: Error finalizing order :: Rechecking CAA for "cmr.amenagement-territoire.org" and 50 more identifiers failed. Refer to sub-problems for more information

    2020-03-03 04:13:54,389:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
    2020-03-03 04:13:54,390:ERROR:certbot.renewal:  /etc/letsencrypt/live/gnq.forest-atlas.org/fullchain.pem (failure)
    2020-03-03 04:13:54,390:DEBUG:certbot.log:Exiting abnormally:
    Traceback (most recent call last):
      File "/usr/bin/certbot", line 11, in <module>
        load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
        return config.func(config, plugins)
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 1272, in renew
        renewal.handle_renewal_request(config)
      File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 477, in handle_renewal_request
        len(renew_failures), len(parse_failures)))
    certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

My web server is (include version):
nginx version: nginx/1.12.2
The operating system my web server runs on is (include version):
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial
My hosting provider, if applicable, is:
AWS
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.30.0

1 Like
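A triage helper for this kind of failure, added here as an example and not code from certbot, Let's Encrypt or the poster: it reads an ACME error document of the shape certbot writes to its debug log (the `subproblems` array), groups the failing identifiers by the DNS failure named in each `detail` string, and lists the names a CA walks when it looks up CAA for an identifier (RFC 8659 section 3), so you know which zones to raise with the DNS host. The sample error document is constructed from the log excerpt above, with one extra SERVFAIL case added for contrast; the cause labels and helper names are this example's own.

```python
"""Triage helper for ACME CAA failures during certificate renewal.

Added example, not code from certbot or Let's Encrypt. It parses the
`subproblems` array of an ACME error document, groups failing identifiers
by cause, and lists the DNS names a CA consults for CAA per identifier.
"""
import json
import re
from collections import defaultdict

# Constructed sample modelled on the forum post's log excerpt: two of the
# original sub-problems plus one invented SERVFAIL case for contrast.
SAMPLE_ERROR = json.dumps({
    "type": "urn:ietf:params:acme:error:caa",
    "detail": 'Error finalizing order :: Rechecking CAA for "gab.forestatlas.org" '
              "and 2 more identifiers failed. Refer to sub-problems for more information",
    "status": 403,
    "subproblems": [
        {
            "type": "urn:ietf:params:acme:error:caa",
            "detail": "Error finalizing order :: While processing CAA for gab.forestatlas.org: "
                      "DNS problem: query timed out looking up CAA for gab.forestatlas.org",
            "status": 403,
            "identifier": {"type": "dns", "value": "gab.forestatlas.org"},
        },
        {
            "type": "urn:ietf:params:acme:error:caa",
            "detail": "Error finalizing order :: While processing CAA for gab.atlasforestier.org: "
                      "DNS problem: query timed out looking up CAA for gab.atlasforestier.org",
            "status": 403,
            "identifier": {"type": "dns", "value": "gab.atlasforestier.org"},
        },
        {   # constructed case, not from the post
            "type": "urn:ietf:params:acme:error:caa",
            "detail": "Error finalizing order :: While processing CAA for cmr.amenagement-territoire.org: "
                      "DNS problem: SERVFAIL looking up CAA for cmr.amenagement-territoire.org",
            "status": 403,
            "identifier": {"type": "dns", "value": "cmr.amenagement-territoire.org"},
        },
    ],
})

# Coarse cause labels (this example's own) keyed on phrases in the detail text.
CAUSES = [
    ("timeout", re.compile(r"query timed out", re.IGNORECASE)),
    ("servfail", re.compile(r"\bSERVFAIL\b")),
]


def classify(detail: str) -> str:
    """Map a sub-problem detail string to a cause label, or 'other'."""
    for label, pattern in CAUSES:
        if pattern.search(detail):
            return label
    return "other"


def summarize_subproblems(error_json: str) -> dict:
    """Group failing identifiers by cause, preserving the CA's order."""
    err = json.loads(error_json)
    groups = defaultdict(list)
    for sub in err.get("subproblems", []):
        ident = sub.get("identifier", {}).get("value", "<no identifier>")
        groups[classify(sub.get("detail", ""))].append(ident)
    return dict(groups)


def caa_lookup_chain(fqdn: str) -> list:
    """Names a CA queries for CAA, from the FQDN up to and including the TLD.

    RFC 8659 section 3: the relevant CAA set is the first non-empty CAA RRset
    found walking from the name towards the root (root itself excluded). A
    timeout or SERVFAIL at any level blocks issuance, so each name in the
    chain is a candidate for the failing zone.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def zones_to_check(identifiers) -> list:
    """Distinct chain names across identifiers, excluding bare TLDs."""
    names = set()
    for ident in identifiers:
        names.update(n for n in caa_lookup_chain(ident) if "." in n)
    return sorted(names)


if __name__ == "__main__":
    groups = summarize_subproblems(SAMPLE_ERROR)
    for cause, idents in groups.items():
        print(f"{cause}: {len(idents)} identifier(s)")
        for ident in idents:
            print(f"  {ident}  (CAA chain: {' -> '.join(caa_lookup_chain(ident))})")
    failing = [i for idents in groups.values() for i in idents]
    print("zones to check with the DNS host:", ", ".join(zones_to_check(failing)))
```

Feed it the error document copied from /var/log/letsencrypt/letsencrypt.log instead of `SAMPLE_ERROR`; a cluster of timeouts on names that share a parent zone points at that zone's authoritative servers rather than at the individual hostnames.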

This is the same problem as Numerous inexplicable challenge failures across disparate domains with unreproducable SERVFAILs.

There is a problem between NetSol (your DNS host) and Let’s Encrypt, and it is as of yet unresolved. There’s not much you can do about it apart from try again.

3 Likes
