Can't renew cert: CAA record for *** prevents issuance

Hi, I'm trying to renew my certs using the following command, but it doesn't allow me to do so showing this error. How could I fix it? Sorry I'm not an expert here.

Command: sudo certbot renew --dry-run

Error: Attempting to renew cert (superenvios.pe-0001) from /etc/letsencrypt/renewal/superenvios.pe-0001.conf produced an unexpected error: Failed authorization procedure. app.superenvios.pe (http-01): urn:ietf:params:acme:error:caa :: CAA record for app.superenvios.pe prevents issuance. Skipping

It is because you have a CAA record in your DNS:

0 issue "superenvios.pe"

You will need to allow letsencrypt.org

1 Like

Hi, thanks for the quick reply!!
Does this look good?

Yes, for the apex name but you also have a CAA for the app.superenvios.pe name

1 Like

Got it, I've added the following records. This is what I'm trying to do:

  1. First stop nginx so port 80 is free: sudo systemctl stop nginx
  2. Run the renew command: sudo certbot renew --dry-run

I'm still getting the same error. Do you know if, after creating the records, it takes some time to refresh? This is the entire log I'm getting now after creating the 3 CAA records.
Thanks a lot for the help!

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/superenvios.pe-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/superenvios.pe-0001/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/superenvios.pe.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for archivo.superenvios.pe
nginx: [error] invalid PID number "" in "/run/nginx.pid"
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (superenvios.pe) from /etc/letsencrypt/renewal/superenvios.pe.conf produced an unexpected error: Failed authorization procedure. archivo.superenvios.pe (http-01): urn:ietf:params:acme:error:caa :: CAA record for archivo.superenvios.pe prevents issuance. Skipping.
The following certs could not be renewed:
  /etc/letsencrypt/live/superenvios.pe/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

The following certs were successfully renewed:
  /etc/letsencrypt/live/superenvios.pe-0001/fullchain.pem (success)

The following certs could not be renewed:
  /etc/letsencrypt/live/superenvios.pe/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: archivo.superenvios.pe
   Type:   None
   Detail: CAA record for archivo.superenvios.pe prevents issuance

Must be because I can see the correct CAA records for all 3 domain names from your authoritative DNS server. Waiting for the TTL to expire in one hour (3600s) should resolve that.

But, you seem to have two conflicting certificate renewals - one using standalone and one using nginx authenticator. Once the CAA issue resolves you should post a new help topic for that.

@mvergaray It also looks like you have more DNS problems. I am not expert enough with DNS to help you but perhaps others like @osiris or @rg305 will help. I refer you and them to this link.
https://dnsviz.net/d/superenvios.pe/dnssec/

3 Likes

Where did you get those instructions?

You should only need 1 CAA record [for the entire domain].

2 Likes

I see @rg305 , so is this record the only one I should have?
Type: CAA
Hostname: superenvios.pe
Value: letsencrypt.org
TTL: 3600

I added the others as I wasn't sure when I was told "I also have CAA for the app.superenvios.pe name"

Thanks!

1 Like

Yes, that one alone will do the job nicely.

1 Like

That was true.
But the fix is to delete those other CAA records.
Whomever instructed you to create those other records created the problem.

1 Like
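To make the advice in this thread concrete (one CAA record at the apex is enough, and the extra records at app./archivo. were the problem), here is an added example that is not part of the thread: a small Python implementation of the CAA "relevant record set" lookup from RFC 8659, run over a constructed in-memory zone rather than live DNS. The zone contents, the hostnames and the `issue "superenvios.pe"` value are taken from the posts above; the record layout and function names are my own assumptions.

```python
"""CAA issuance check following RFC 8659 (section 3 lookup, section 4 semantics).

The zone data below is a constructed stand-in for the real DNS: a CA (or an
operator double-checking their own records) walks from the requested name up
towards the TLD and uses the first name that has CAA records at all.
"""
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value) as in "0 issue \"letsencrypt.org\""
Zone = Dict[str, List[CaaRecord]]

# Constructed sample: the situation described early in the thread. The apex
# allows letsencrypt.org, but the subdomains carry their own CAA whose value
# is the domain itself, which is not a CA, so nobody can issue for them.
ZONE_BEFORE_FIX: Zone = {
    "superenvios.pe": [(0, "issue", "letsencrypt.org")],
    "app.superenvios.pe": [(0, "issue", "superenvios.pe")],
    "archivo.superenvios.pe": [(0, "issue", "superenvios.pe")],
}

# Constructed sample: the fix recommended in the thread, a single apex record.
ZONE_AFTER_FIX: Zone = {
    "superenvios.pe": [(0, "issue", "letsencrypt.org")],
}


def relevant_caa_set(zone: Zone, name: str) -> Tuple[Optional[str], List[CaaRecord]]:
    """Return (owner, records) for the closest ancestor-or-self with CAA records.

    RFC 8659 3: try the FQDN itself, then each parent; stop at the first
    name that has a non-empty CAA RRset. The lookup never crosses to an
    unrelated name, which is why a record on app.superenvios.pe hides the
    apex record from app.superenvios.pe entirely.
    """
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        records = zone.get(candidate, [])
        if records:
            return candidate, records
    return None, []


def issuance_allowed(zone: Zone, name: str, ca_domain: str, wildcard: bool = False) -> bool:
    """Decide whether `ca_domain` may issue for `name` (or *.name if wildcard)."""
    _owner, records = relevant_caa_set(zone, name)
    tags = {tag for _flags, tag, _value in records}

    # RFC 8659 4.2: issuewild governs wildcards only when present; otherwise
    # the issue records apply to wildcard requests too.
    tag_wanted = "issuewild" if (wildcard and "issuewild" in tags) else "issue"
    permitted = [value for _flags, tag, value in records if tag == tag_wanted]

    # No CAA anywhere, or a set with no issue/issuewild properties (e.g. only
    # iodef): CAA does not restrict issuance.
    if not permitted:
        return True

    for value in permitted:
        # The value may carry parameters after ';' (e.g. "letsencrypt.org; validationmethods=http-01");
        # an empty CA name such as ";" matches no CA and therefore forbids issuance.
        ca = value.split(";", 1)[0].strip().lower()
        if ca and ca == ca_domain.lower():
            return True
    return False


def caa_report(zone: Zone, names: List[str], ca_domain: str) -> Dict[str, Tuple[Optional[str], bool]]:
    """For each name, report which record set was consulted and the verdict."""
    return {n: (relevant_caa_set(zone, n)[0], issuance_allowed(zone, n, ca_domain)) for n in names}


if __name__ == "__main__":
    names = ["superenvios.pe", "app.superenvios.pe", "archivo.superenvios.pe"]
    for label, zone in (("before fix", ZONE_BEFORE_FIX), ("after fix", ZONE_AFTER_FIX)):
        print(f"== {label} ==")
        for n, (owner, ok) in caa_report(zone, names, "letsencrypt.org").items():
            print(f"{n:26} governed by {str(owner):16} -> {'allowed' if ok else 'BLOCKED'}")
```

Run against the "before" zone, both subdomains are blocked because their own record (`issue "superenvios.pe"`) is the relevant set and the apex record is never consulted; against the "after" zone, all three names walk up to the single apex record and are allowed, matching what @rg305 said. This only evaluates records you feed it; to see what a CA actually sees, query the authoritative servers (for example `dig superenvios.pe CAA`) and remember that recursive resolvers cache the old answer for up to the record's TTL, which is the delay the thread ran into.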

That made the job. Thank you everyone! @MikeMcQ @rg305

2 Likes
