Can't Renew Certs

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
johnwalley.com /www.johnwalley.com

I ran this command:
sudo certbot renew

It produced this output:
sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/johnwalley.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for johnawalley.com
http-01 challenge for www.johnawalley.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (johnwalley.com) from /etc/letsencrypt/renewal/johnwalley.com.conf produced an unexpected error: Failed authorization procedure. johnawalley.com (http-01): urn:ietf:params:acme:error:dns :: No valid IP addresses found for johnawalley.com, www.johnawalley.com (http-01): urn:ietf:params:acme:error:dns :: No valid IP addresses found for www.johnawalley.com. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/johnwalley.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/johnwalley.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version):

The operating system my web server runs on is (include version):
Linux 4.15.0-106-generic #107-Ubuntu

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

What’s the IP address of your Ubuntu server?

You need to add an A record for it in your GoDaddy DNS control panel: https://www.godaddy.com/help/add-an-a-record-19238

The IP address is 167.114.113.12

There is one.

Dig results:
dig www.johnwalley.com

; <<>> DiG 9.16.3-Debian <<>> www.johnwalley.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53107
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.johnwalley.com. IN A

;; ANSWER SECTION:
www.johnwalley.com. 3600 IN CNAME johnwalley.com.
johnwalley.com. 600 IN A 167.114.113.12

;; Query time: 180 msec
;; SERVER: 71.252.0.12#53(71.252.0.12)
;; WHEN: Tue Jun 16 22:45:49 EDT 2020
;; MSG SIZE rcvd: 77

Ah, I see. There are actually two different registered domains that Certbot is trying to include on the certificate:

DNS:johnawalley.com
DNS:johnwalley.com
DNS:www.johnawalley.com
DNS:www.johnwalley.com

The variant of your domain which includes the ‘a’ character does not have an A record.

You should either add the A record to it, or tell Certbot not to include that domain.


Where is it getting the johnawalley info from? Where is Certbot picking that up?

When deciding which names to renew, Certbot just copies them from the previous/current certificate.

If you take a look at the output of this command, you can see a list of each certificate and what names are included:

certbot certificates

If you want to redefine what the certificates are, you can do something like:

certbot renew --cert-name johnwalley.com -d johnwalley.com -d www.johnwalley.com

and only those two names will be requested on the renewed certificate (and in the future as well).
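The two replies above make the same point: `certbot renew` re-requests exactly the names on the existing certificate, so a name with no A record (here the stray "a" variants) fails http-01 with `urn:ietf:params:acme:error:dns` until it is either given a record or dropped from the lineage. The script below, an added example that is not from the thread or from Certbot itself, automates that pre-flight check: it parses the `Domains:` line of a constructed `certbot certificates` sample (the dates and paths are made up), partitions the names by whether they resolve, and builds the command to redefine the lineage without the dead names. It uses `certbot certonly --cert-name NAME -d ...`, which is the form Certbot documents for changing a certificate's domains; a later `certbot renew` keeps that set. The fake resolver in the demo only treats the two real names as resolvable, matching the dig output posted earlier, so it runs offline.

```python
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample of what `certbot certificates` prints. The four names mirror
# the thread; expiry date and paths are made up for the example.
SAMPLE_CERTBOT_CERTIFICATES = """\
Found the following certs:
  Certificate Name: johnwalley.com
    Domains: johnwalley.com johnawalley.com www.johnawalley.com www.johnwalley.com
    Expiry Date: 2020-07-31 00:00:00+00:00 (VALID: 44 days)
    Certificate Path: /etc/letsencrypt/live/johnwalley.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/johnwalley.com/privkey.pem
"""

Resolver = Callable[[str], bool]


def parse_certbot_certificates(text: str) -> Dict[str, List[str]]:
    """Return {lineage name: [domains...]} from `certbot certificates` output."""
    lineages: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = re.match(r"\s*Certificate Name:\s*(\S+)", line)
        if m:
            current = m.group(1)
            lineages[current] = []
            continue
        m = re.match(r"\s*Domains:\s*(.+)", line)
        if m and current is not None:
            lineages[current] = m.group(1).split()
    return lineages


def system_resolver(name: str) -> bool:
    """True if the OS resolver returns any address for `name` (needs network)."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def split_by_resolution(
    names: List[str], resolver: Resolver = system_resolver
) -> Tuple[List[str], List[str]]:
    """Partition names into (resolvable, unresolvable), preserving order."""
    ok: List[str] = []
    missing: List[str] = []
    for name in names:
        (ok if resolver(name) else missing).append(name)
    return ok, missing


def certonly_command(cert_name: str, domains: List[str]) -> str:
    """Build the Certbot command that redefines which names the lineage covers.

    `certbot certonly --cert-name NAME -d ...` is the documented way to change a
    certificate's domains; subsequent `certbot renew` runs keep that set.
    """
    flags = " ".join(f"-d {d}" for d in domains)
    return f"certbot certonly --cert-name {cert_name} {flags}"


def preflight(text: str, resolver: Resolver = system_resolver) -> Dict[str, dict]:
    """Per lineage: names that would fail http-01 for lack of an address, plus the
    command that drops them. 'fix' is None when nothing is wrong or nothing is left."""
    report: Dict[str, dict] = {}
    for cert_name, domains in parse_certbot_certificates(text).items():
        ok, missing = split_by_resolution(domains, resolver)
        report[cert_name] = {
            "resolvable": ok,
            "unresolvable": missing,
            "fix": certonly_command(cert_name, ok) if missing and ok else None,
        }
    return report


if __name__ == "__main__":
    # Fake resolver so the demo runs offline: only the names without the stray
    # 'a' have an A record, as in the dig output from the thread.
    fake = lambda n: n in {"johnwalley.com", "www.johnwalley.com"}
    for lineage, result in preflight(SAMPLE_CERTBOT_CERTIFICATES, fake).items():
        print(lineage, result)
```

Two caveats. A name that resolves but points at some other host still fails http-01 (the challenge file is fetched from the wrong box), and this check does not catch that; it only flags the "No valid IP addresses found" case seen in the error above. And dropping a name only fixes the renewal; if the Apache vhost still lists the "a" variant as a ServerName or ServerAlias, Certbot's apache plugin will offer it again the next time you run it interactively.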

I never did figure out where the "a" was coming from. I ended up deleting my certs and recreating. That did the trick. I noticed when recreating that the "a" came up as an option again. I'm not sure where that's coming from.

Thanks for your help. All is good now.

You can find it with:
apachectl -S
