Can't renew certificate (Challenge failed: Make sure DNS A/AAAA record(s) for that domain contain(s) the right IP address.)

I'm trying to renew two domains, but I'm getting the following error:

I don't really understand what this means. How can I ensure my DNS A/AAAA records contain the right IP address?

My domain is:

26reads.com
www.26reads.com

I ran this command and it produced this output:

$ sudo certbot certonly --force-renew -d 26reads.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Nginx Web Server plugin (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for 26reads.com
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

I did a search and it seems like this error may be due to having nginx running on the same port. So I stop nginx and try again:

$ sudo systemctl stop nginx
$ sudo certbot certonly --force-renew -d 26reads.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Nginx Web Server plugin (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for 26reads.com
Waiting for verification...
Challenge failed for domain 26reads.com
http-01 challenge for 26reads.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

The error log at /var/log/letsencrypt/letsencrypt.log:

2022-04-03 07:03:58,509:DEBUG:certbot.main:certbot version: 0.40.0
2022-04-03 07:03:58,510:DEBUG:certbot.main:Arguments: ['-q']
2022-04-03 07:03:58,510:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint>
2022-04-03 07:03:58,526:DEBUG:certbot.log:Root logging level set at 30
2022-04-03 07:03:58,527:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2022-04-03 07:03:58,544:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7fd95>
2022-04-03 07:03:58,562:INFO:certbot.renewal:Cert not yet due for renewal
2022-04-03 07:03:58,563:DEBUG:certbot.plugins.selection:Requested authenticator nginx and installer nginx
2022-04-03 07:03:58,564:DEBUG:certbot.plugins.selection:Selecting plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0x7fd9556509d0>
2022-04-03 07:03:58,565:DEBUG:certbot.renewal:no renewal failures
2022-04-03 18:10:25,990:DEBUG:certbot.main:certbot version: 0.40.0
2022-04-03 18:10:25,991:DEBUG:certbot.main:Arguments: ['-q']
2022-04-03 18:10:25,991:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint>
2022-04-03 18:10:26,009:DEBUG:certbot.log:Root logging level set at 30
2022-04-03 18:10:26,010:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2022-04-03 18:10:26,026:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7f856>
2022-04-03 18:10:26,041:INFO:certbot.renewal:Cert not yet due for renewal
2022-04-03 18:10:26,042:DEBUG:certbot.plugins.selection:Requested authenticator nginx and installer nginx
2022-04-03 18:10:26,043:DEBUG:certbot.plugins.selection:Selecting plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator

My web server is (include version):

nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):

Ubuntu 20.04

My hosting provider, if applicable, is:

DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 0.40.0


Cloudflare is automatically redirecting to HTTPS for you; you need to disable that for standalone HTTP validation to work. This is because the standalone server only listens on port 80, but Cloudflare has already redirected the request to HTTPS (port 443) before it reaches your server.

Change the domain SSL settings on Cloudflare; try "Full" but not "Strict". I forget the exact names for the options!

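The reply above diagnoses the failure from the outside (the name points at Cloudflare, and the edge answers the port-80 challenge request with a redirect before the standalone listener ever sees it). The script below, added here as an example and not part of the thread or of certbot, turns that into the two checks the original poster asked for: does the A/AAAA answer for the name belong to Cloudflare, to the origin, or to something else, and what does a single unredirected GET of the http-01 challenge URL over plain HTTP return. The Cloudflare ranges are a snapshot of the published lists (https://www.cloudflare.com/ips-v4 and /ips-v6) and should be refreshed from there; the token "probe" and the DNS answers and responses used to exercise the classifiers are constructed, not observed.

```python
"""Diagnose why an http-01 challenge may fail for a name behind Cloudflare.

Added example for this thread (not from the original posts, not from certbot).
Assumptions: CLOUDFLARE_RANGES is a snapshot of Cloudflare's published ranges;
the challenge token "probe" in __main__ is a hypothetical placeholder.
"""
import http.client
import ipaddress
import socket
import sys

# Snapshot of https://www.cloudflare.com/ips-v4 and /ips-v6 (assumption: refresh before relying on it).
CLOUDFLARE_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]


def is_cloudflare_ip(addr: str) -> bool:
    """True if the address falls inside one of the Cloudflare edge ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_RANGES)


def classify_records(records, origin_ips):
    """Classify the A/AAAA answers for a name against the addresses the origin
    actually listens on.  'proxied': every answer is a Cloudflare edge, so a
    standalone listener on the origin's port 80 is never contacted directly.
    'direct': every answer is the origin.  'wrong-ip': at least one answer is
    neither (this is the case the "right IP address" error is about).
    'mixed': some answers proxied, some direct."""
    if not records:
        return "no-records"
    origin = {ipaddress.ip_address(a) for a in origin_ips}
    kinds = set()
    for addr in records:
        if is_cloudflare_ip(addr):
            kinds.add("cf")
        elif ipaddress.ip_address(addr) in origin:
            kinds.add("origin")
        else:
            kinds.add("other")
    if "other" in kinds:
        return "wrong-ip"
    if kinds == {"cf"}:
        return "proxied"
    if kinds == {"origin"}:
        return "direct"
    return "mixed"


def classify_challenge_response(status, location=None):
    """Interpret the first hop of an http-01 validation (plain HTTP, port 80).
    A redirect to https:// means the validator's follow-up request arrives on
    443, which a standalone listener bound only to port 80 never sees."""
    if status == 200:
        return "served"
    if status in (301, 302, 307, 308):
        if location and location.lower().startswith("https://"):
            return "redirected-to-https"
        return "redirected"
    if status == 404:
        return "not-found"
    if 500 <= status < 600:
        # From a proxied name this usually means the edge could not reach the origin.
        return "server-error"
    return "other"


def resolve(name):
    """All A/AAAA addresses the local resolver returns for the name."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def probe_challenge(name, token, timeout=10):
    """One GET of the challenge URL over HTTP without following redirects.
    Returns (status, Location header or None)."""
    conn = http.client.HTTPConnection(name, 80, timeout=timeout)
    try:
        conn.request("GET", f"/.well-known/acme-challenge/{token}", headers={"Host": name})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


if __name__ == "__main__":
    # usage: python3 acme_diag.py 26reads.com <origin public IPv4> [<origin public IPv6>]
    name = sys.argv[1] if len(sys.argv) > 1 else "26reads.com"
    origin = sys.argv[2:]
    answers = resolve(name)
    print(f"{name} -> {answers}: {classify_records(answers, origin)}")
    status, loc = probe_challenge(name, "probe")  # "probe" is a placeholder token
    print(f"http-01 first hop: {status} {loc or ''}: {classify_challenge_response(status, loc)}")
```

Run it on the origin host with that host's public addresses as the extra arguments. A "proxied" verdict together with "redirected-to-https" is exactly the situation described in the reply: the fix is on the Cloudflare side (or a challenge type that does not depend on port 80 at the origin, such as dns-01), not in the DNS records themselves; "wrong-ip" is the case where the records really do point somewhere else.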

Thanks. Can you point me in the right direction regarding changing the domain SSL cloudflare setting? Where would I be editing this?


You are using the Cloudflare CDN. With this setup you have an HTTPS connection between a client (browser, ...) and the Cloudflare Edge. There is another connection (HTTPS is best) between this Edge and your Origin Server (your nginx).

Cloudflare CDN manages the cert for HTTPS between the client and its edge.

You should look at using a Cloudflare Origin CA cert for your origin server. This will avoid needing to create a Let's Encrypt cert and should be easier to manage in the long run.

This is all setup in your Cloudflare account.

https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/

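What the origin side of that setup looks like in nginx, added here as an example (it is not from the thread or from Cloudflare's documentation) for a name that stays proxied by Cloudflare, as this reply assumes nginx is: the certificate, key and CA file paths and the web root are assumptions. Two things a practitioner should know before copying it: an Origin CA certificate is trusted only by Cloudflare's edge, not by browsers, so it is useless the moment the orange cloud is switched off, and it should be paired with the zone's SSL mode set to Full (strict) so the edge actually verifies it. And because anyone who learns the origin IP can bypass the CDN entirely, the block also turns on Authenticated Origin Pulls, making nginx require the client certificate Cloudflare presents.

```nginx
# Added example for this thread, not configuration from the original posts.
# All paths are assumptions: put the Origin CA certificate and key generated in
# the Cloudflare dashboard, and the CA certificate Cloudflare publishes for
# Authenticated Origin Pulls, at these locations (or adjust the paths).

server {
    listen 80;
    listen [::]:80;
    server_name 26reads.com www.26reads.com;
    # Plain HTTP is only ever reached by Cloudflare (or by someone bypassing it);
    # send everything to HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name 26reads.com www.26reads.com;

    # Cloudflare Origin CA certificate: trusted by the Cloudflare edge only.
    # Use SSL mode "Full (strict)" on the zone so the edge verifies it.
    ssl_certificate     /etc/ssl/cloudflare/26reads.com-origin.pem;
    ssl_certificate_key /etc/ssl/cloudflare/26reads.com-origin.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Authenticated Origin Pulls: only accept TLS clients presenting a
    # certificate issued by Cloudflare's origin-pull CA, so requests that skip
    # the CDN and hit the origin IP directly fail the handshake.
    ssl_client_certificate /etc/ssl/cloudflare/origin-pull-ca.pem;
    ssl_verify_client      on;

    root /var/www/26reads;
    location / {
        try_files $uri $uri/ =404;
    }
}
```

Authenticated Origin Pulls must also be enabled on the Cloudflare side of the zone; with `ssl_verify_client on` and the feature off at the edge, Cloudflare presents no client certificate and nginx will reject every request. Test with `nginx -t` and reload, then confirm that a direct request to the origin IP over 443 is refused while the proxied name still works.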

Thanks. It looks like my DigitalOcean frontend app (which is separate from the backend in my original post) automatically uses Cloudflare according to this post: How do you configure Cloudflare to support DO App Platform? | DigitalOcean.

Do I still need to renew my certbot certificate for my frontend? (26reads.com, www.26reads.com)

My backend does have a certbot certificate (api.26reads.com, www.api.26reads.com).


Not that I can see. Cloudflare manages its Edge certificates. I see at one time you used certbot to create similar named certs but those do not appear to be used anymore. You can see the one Cloudflare is currently using for the domains in your first post.

What cert do you use between your origin server and Cloudflare CDN edge?


Interesting. And are you suggesting that I use Cloudflare Origin CA for my backend too?

Also, I assume there's no problem if my frontend uses Cloudflare and my backend uses Let's Encrypt certbot, right?


No. Your backend is not behind the Cloudflare CDN, so it cannot use the Cloudflare Origin CA.

Correct.

