Can't renew certificate - DNS check issue

Hello, I have an issue renewing my certificate. It seems the root cause is the inconsistency of my zone records and delegations, see link below. Those are different domains but point to the same server. My domain provider refuses to make this consistent and points to Let's Encrypt because it was working before.

My domain is: prototype.webswing.org

I ran this command: sudo certbot renew --dry-run

It produced this output:

Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for prototype.webswing.org
Waiting for verification...
Challenge failed for domain prototype.webswing.org
http-01 challenge for prototype.webswing.org
Cleaning up challenges
Attempting to renew cert (prototype.webswing.org) from /etc/letsencrypt/renewal/prototype.webswing.org.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/prototype.webswing.org/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/prototype.webswing.org/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: prototype.webswing.org
    Type: connection
    Detail: Fetching
    http://prototype.webswing.org/.well-known/acme-challenge/JCUfAWqUnWDbRes4OZErSzi40Vzf0fYedbgKMxxJvHk:
    Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): using standalone for the renewal

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is: self hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.9.0

Additional info:

Could you please assist? Thank you!

1 Like

Hi @azelman

that's wrong. Your Grade X is bad, you should fix that. But that's not the reason why your validation fails.

See the #comments - part:

Good: All checks /.well-known/acme-challenge/random-filename without redirects answer with the expected http status 404 - Not Found. Creating a Letsencrypt certificate via http-01 challenge should work. If it doesn't work: Check your vHost configuration (apachectl -S, httpd -S, nginx -T). Every combination of port and ServerName / ServerAlias (Apache) or Server (Nginx) must be unique. Merge duplicated entries in one vHost.

Why do you use standalone if you have a running webserver?

Use your running webserver with webroot.

Looks like you run Certbot on the wrong machine. Or you have a proxy or something else, so your internal port 80 isn't used.

1 Like

I use docker-compose with custom web application and apache httpd. For certificate renewal I always put these containers down so port 80 is free. Do you think that using standalone is not OK?

1 Like

In theory, it's ok.

Real: Standalone is hard to debug.

Error getting validation data

is an unspecific error, normally, standalone should always work. Firewall? Routing?

Use the --debug-challenges option (see https://certbot.eff.org/docs/using.html ), then Certbot waits; then try to see if you can load the validation file with your browser.

1 Like

I tried the --debug-challenges but it does not wait for my input, seems like a bug.
Tomorrow I will try the webserver with webroot method and let you know if I can move forward.

Thank you for assistance.

2 Likes

Hello @JuergenAuer

I have used a webroot method with certbot docker image and the certificate is now renewed.
There must be something wrong with standalone mode in my environment because it failed even in the certbot docker container, and also the --debug-challenges flag I mentioned earlier seems odd.

Nevertheless I updated the docker-compose.yml - included certbot with automatic webroot renewal (zero downtime) and all should be fine now.

2 Likes

Are you running certbot non-interactively (for instance: in a script)?

@certbot-devs

This seems an odd batch of things. Just wanted to bring awareness.

1 Like

--debug-challenges doesn't work with renew, unfortunately.

You can try something similar without renew:

certbot certonly --standalone -d prototype.webswing.org --debug-challenges --dry-run

and try the request manually then.

2 Likes
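The manual check suggested twice in this thread (load the validation file while Certbot waits at --debug-challenges, and again after the certonly --standalone --dry-run command above) can be scripted so that it reports the same class of failure the CA's validator would hit. The script below is an added example written for this thread, not code from Certbot or from any poster. It assumes you run it from a machine outside the web server's own network (otherwise a firewall or NAT problem stays invisible), that the token and key authorization are copied from Certbot's verbose output, and that the function and file names are placeholders of this example.

```python
"""Pre-flight check for an ACME http-01 validation URL (constructed example).

While Certbot pauses at --debug-challenges it serves
http://<domain>/.well-known/acme-challenge/<token>; this script fetches that
URL the way a validator would and classifies the outcome, so that
"Error getting validation data" (Type: connection in Certbot's notes) can be
separated from DNS, 404 and wrong-content problems.
"""
import socket
import sys
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def resolve_addresses(domain):
    """Return the set of A/AAAA addresses the local resolver gives for domain."""
    try:
        infos = socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def fetch_url(url, timeout=10):
    """Fetch url and return (status, body).

    Redirects are followed, as the validator does. Connection failures
    (refused, timeout, reset, unresolvable host) surface as OSError, since
    urllib.error.URLError is an OSError subclass.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "http01-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:  # 4xx/5xx still carry a status
        return exc.code, exc.read().decode("utf-8", "replace")


def check_http01(domain, token, expected_keyauth,
                 fetcher=fetch_url, resolver=resolve_addresses):
    """Classify what a validator would see for the challenge URL.

    Returns one of:
      "no_dns"      - no A/AAAA record resolves for the domain
      "connection"  - name resolves but nothing answered on port 80
                      (Certbot reports this as "Error getting validation data")
      "not_found"   - a web server answered, but not the one Certbot is
                      running (wrong machine, proxy, or stale vHost)
      "mismatch"    - something answered with unexpected status or content
      "ok"          - body equals the key authorization Certbot printed
    fetcher/resolver are injectable so the logic can be exercised offline.
    """
    if not resolver(domain):
        return "no_dns"
    url = f"http://{domain}{ACME_PATH}{token}"
    try:
        status, body = fetcher(url)
    except OSError:
        return "connection"
    if status == 404:
        return "not_found"
    if status != 200 or body.strip() != expected_keyauth:
        return "mismatch"
    return "ok"


if __name__ == "__main__":
    # Usage: python3 http01_preflight.py <domain> <token> <key-authorization>
    if len(sys.argv) != 4:
        sys.exit("usage: http01_preflight.py DOMAIN TOKEN KEYAUTH")
    print(check_http01(*sys.argv[1:]))
```

Run it while Certbot is paused; "connection" with a correct A record points at the firewall/routing/wrong-machine problems discussed above rather than at DNS or the vHost configuration, which is the distinction standalone mode makes hard to see on its own.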