Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
Trying to renew one certificate with multiple domains:
-d gnq.forest-atlas.org -d gnq.atlas-forestier.org -d gnq.atlas-forestal.org -d gnq.forestatlas.org -d gnq.atlasforestier.org -d caf.forest-atlas.org -d caf.atlas-forestier.org -d caf.forestatlas.org -d caf.atlasforestier.org -d rca.atlas-forestier.org -d rca.atlasforestier.org -d cod.forest-atlas.org -d drc.forest-atlas.org -d rdc.atlas-forestier.org -d cod.atlas-forestier.org -d cod.forestatlas.org -d drc.forestatlas.org -d rdc.atlasforestier.org -d cod.atlasforestier.org -d cmr.forest-atlas.org -d cmr.atlas-forestier.org -d cmr.forestatlas.org -d cmr.atlasforestier.org -d cog.forest-atlas.org -d cog.atlas-forestier.org -d cog.forestatlas.org -d cog.atlasforestier.org -d gab.forest-atlas.org -d gab.atlas-forestier.org -d gab.forestatlas.org -d gab.atlasforestier.org -d atlas.mepa.gov.ge -d geo.forest-atlas.org -d geo.forestatlas.org -d lbr.forest-atlas.org -d lbr.forestatlas.org -d mdg.forest-atlas.org -d mdg.atlas-forestier.org -d mdg.forestatlas.org -d mdg.atlasforestier.org -d siap.anpngabon.org -d anpngabon.org -d www.anpngabon.org -d www.tierrasindigenas.org -d tierrasindigenas.org -d ind.restorationatlas.org -d ind.restoration-atlas.org -d india.restorationatlas.org -d india.restoration-atlas.org -d www.india.restorationatlas.org -d sidhi.restorationatlas.org -d sidhi.restoration-atlas.org -d vp.restorationatlas.org -d vp.restoration-atlas.org -d eth.restorationatlas.org -d eth.restoration-atlas.org -d cmr.amenagement-territoire.org -d cog.amenagement-territoire.org -d cog.reddregistry.org -d cog.registre-redd.org -d www.restauracaovaledoparaiba.org.br
I ran this command:
sudo certbot renew
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/gnq.forest-atlas.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Attempting to renew cert (gnq.forest-atlas.org) from /etc/letsencrypt/renewal/gnq.forest-atlas.org.conf produced an unexpected error: urn:ietf:params:acme:error:caa :: Error finalizing order :: Rechecking CAA for "caf.forestatlas.org" and 22 more identifiers failed. Refer to sub-problems for more information. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/gnq.forest-atlas.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/gnq.forest-atlas.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
I checked the log file; there seems to be a timeout looking up the CAA
[....same error for all domain names.....]
{
"type": "urn:ietf:params:acme:error:caa",
"detail": "Error finalizing order :: While processing CAA for gab.forestatlas.org: DNS problem: query timed out looking up CAA for gab.forestatlas.org",
"status": 403,
"identifier": {
"type": "dns",
"value": "gab.forestatlas.org"
}
},
{
"type": "urn:ietf:params:acme:error:caa",
"detail": "Error finalizing order :: While processing CAA for gab.atlasforestier.org: DNS problem: query timed out looking up CAA for gab.atlasforestier.org",
"status": 403,
"identifier": {
"type": "dns",
"value": "gab.atlasforestier.org"
}
}
]
}
2020-03-03 04:13:54,387:WARNING:certbot.renewal:Attempting to renew cert (gnq.forest-atlas.org) from /etc/letsencrypt/renewal/gnq.forest-atlas.org.conf produced an unexpected error: urn:ietf:params:acme:error:caa :: Error finalizing order :: Rechecking CAA for "cmr.amenagement-territoire.org" and 50 more identifiers failed. Refer to sub-problems for more information. Skipping.
2020-03-03 04:13:54,388:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 452, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1193, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 310, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 369, in obtain_certificate
cert, chain = self.obtain_certificate_from_csr(csr, orderr)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 301, in obtain_certificate_from_csr
orderr = self.acme.finalize_order(orderr, deadline)
File "/usr/lib/python3/dist-packages/acme/client.py", line 927, in finalize_order
return self.client.finalize_order(orderr, deadline)
File "/usr/lib/python3/dist-packages/acme/client.py", line 754, in finalize_order
self._post(orderr.body.finalize, wrapped_csr)
File "/usr/lib/python3/dist-packages/acme/client.py", line 96, in _post
return self.net.post(*args, **kwargs)
File "/usr/lib/python3/dist-packages/acme/client.py", line 1204, in post
return self._post_once(*args, **kwargs)
File "/usr/lib/python3/dist-packages/acme/client.py", line 1218, in _post_once
response = self._check_response(response, content_type=content_type)
File "/usr/lib/python3/dist-packages/acme/client.py", line 1073, in _check_response
raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:caa :: Error finalizing order :: Rechecking CAA for "cmr.amenagement-territoire.org" and 50 more identifiers failed. Refer to sub-problems for more information
2020-03-03 04:13:54,389:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2020-03-03 04:13:54,390:ERROR:certbot.renewal: /etc/letsencrypt/live/gnq.forest-atlas.org/fullchain.pem (failure)
2020-03-03 04:13:54,390:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in <module>
load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1272, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 477, in handle_renewal_request
len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
My web server is (include version):
nginx version: nginx/1.12.2
The operating system my web server runs on is (include version):
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial
My hosting provider, if applicable, is:
AWS
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.30.0
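A triage helper for the sub-problem list quoted in the post above (an added example, not part of the original post and not Certbot's code): it separates CAA lookup timeouts from other sub-problems and groups the timed-out names by parent zone, so the DNS zones to check stand out. The names `triage`, `parent_zone` and `SAMPLE` are hypothetical, the sample document is constructed from the two sub-problems visible in the log plus one made-up entry, and dropping the leftmost label is only a heuristic for the zone.

```python
import json
import re
from collections import defaultdict

CAA = "urn:ietf:params:acme:error:caa"

def _timeout_detail(name):
    # Detail string in the form shown in the post's log excerpt.
    return ("Error finalizing order :: While processing CAA for %s: "
            "DNS problem: query timed out looking up CAA for %s" % (name, name))

def _sub(name, detail):
    return {"type": CAA, "status": 403, "detail": detail,
            "identifier": {"type": "dns", "value": name}}

# Constructed sample: an ACME problem document with a "subproblems" array
# (RFC 8555 section 6.7.1). The first two entries mirror the post; the third
# is made up to exercise the non-timeout branch.
SAMPLE = json.dumps({
    "type": CAA,
    "status": 403,
    "detail": "Error finalizing order :: Rechecking CAA failed.",
    "subproblems": [
        _sub("gab.forestatlas.org", _timeout_detail("gab.forestatlas.org")),
        _sub("gab.atlasforestier.org", _timeout_detail("gab.atlasforestier.org")),
        _sub("www.example.org", "constructed non-timeout detail"),
    ],
})

TIMEOUT = re.compile(r"query timed out looking up CAA for \S+")

def parent_zone(name):
    """Heuristic (assumption): drop the leftmost label; the real zone cut may differ."""
    _, _, rest = name.partition(".")
    return rest if "." in rest else name

def triage(problem_json):
    """Return ({zone: [names whose CAA lookup timed out]}, [(name, detail) for the rest])."""
    doc = json.loads(problem_json)
    timeouts, other = defaultdict(list), []
    for sub in doc.get("subproblems", []):
        name = sub.get("identifier", {}).get("value", "")
        detail = sub.get("detail", "")
        if sub.get("type") == CAA and TIMEOUT.search(detail):
            timeouts[parent_zone(name)].append(name)   # resolver could not get an answer
        else:
            other.append((name, detail))               # needs reading individually
    return dict(timeouts), other
```

Timeouts that cluster under a few zones point at those zones' authoritative name servers rather than at a CAA record that forbids issuance.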