Cant Renew Certs

jwalley340 · June 17, 2020, 2:56am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
johnwalley.com /www.johnwalley.com

I ran this command:
sudo certbot renew

It produced this output:
sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/johnwalley.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for johnawalley.com
http-01 challenge for www.johnawalley.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (johnwalley.com) from /etc/letsencrypt/renewal/johnwalley.com.conf produced an unexpected error: Failed authorization procedure. johnawalley.com (http-01): urn:ietf:params:acme:error:dns :: No valid IP addresses found for johnawalley.com, www.johnawalley.com (http-01): urn:ietf:params:acme:error:dns :: No valid IP addresses found for www.johnawalley.com. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/johnwalley.com/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/johnwalley.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: johnawalley.com
Type: None
Detail: No valid IP addresses found for johnawalley.com

Domain: www.johnawalley.com
Type: None
Detail: No valid IP addresses found for www.johnawalley.com

My web server is (include version):

The operating system my web server runs on is (include version):
Linux 4.15.0-106-generic #107-Ubuntu

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

_az · June 17, 2020, 3:02am

What’s the IP address of your Ubuntu server?

You need to add an A record for it in your GoDaddy DNS control panel: https://www.godaddy.com/help/add-an-a-record-19238

jwalley340 · June 17, 2020, 3:05am

the Ip address is 167.114.113.12

jwalley340 · June 17, 2020, 3:08am

there is one.

jwalley340 · June 17, 2020, 3:11am

Dig results:
dig www.johnwalley.com

; <<>> DiG 9.16.3-Debian <<>> www.johnwalley.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53107
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.johnwalley.com. IN A

;; ANSWER SECTION:
www.johnwalley.com. 3600 IN CNAME johnwalley.com.
johnwalley.com. 600 IN A 167.114.113.12

;; Query time: 180 msec
;; SERVER: 71.252.0.12#53(71.252.0.12)
;; WHEN: Tue Jun 16 22:45:49 EDT 2020
;; MSG SIZE rcvd: 77

_az · June 17, 2020, 3:24am

Ah, I see. There are actually two different registered domains that Certbot is tyring to include on the certificate:

DNS:johnawalley.com
DNS:johnwalley.com
DNS:www.johnawalley.com
DNS:www.johnwalley.com

The variant of your domain which includes the ‘a’ character does not have an A record.

You should either add the A record to it, or tell Certbot not to include that domain.

jwalley340 · June 17, 2020, 3:31am

where is it getting the johnawalley info from? Where is certbot picking that up?

_az · June 17, 2020, 3:35am

When deciding which names to renew, Certbot just copies them from the previous/current certificate.

If you take a look at the output of this command, you can see a list of each certificate and what names are included:

certbot certificates

If you want to redefine what the certificates are, you can do something like:

certbot renew --cert-name johnwalley.com -d johnwalley.com -d www.johnwalley.com

and only those two names will be requested on the renewed certificate (and in the future as well).

jwalley340 · June 17, 2020, 3:57am

I never did figure out where the a was coming from. I ended up deleting my certs and recreating. That did the trick. I noticed when recreating that the “a” came up as an option again. I’m not sure where thats coming from.

Thanks for your help. All is good now.

rg305 · June 17, 2020, 5:59am

You can find it with:
apachectl -S

system · July 17, 2020, 5:59am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.