Cert not renewing, after public IP change - maybe DNS problem?

Hi
My domain is: mail.artisys.cz
My alt domains are: www.artisys.cz, artisys.cz, mail.artisys.aero, www.artisys.aero, artisys.aero, mail.artisys.eu, www.artisys.eu, artisys.eu, www.aerospace.cz
I use the webroot authentication method.

I had IP address 149.62.146.102 for all these domains until end of last year and certificate renewal was working properly.

I have new IP address 83.148.60.102 now. No other changes in my system.
When I try to renew the certificate I have the following problem:
GET requests are coming for all my domains except "artisys.aero".

I updated acme.sh, this changed the IP source of the GET requests, but did not solve the problem.
When I remove the "artisys.aero" domain from alt domain list I get new certificate but without the "artisys.aero" domain.

dig @192.58.128.30 artisys.aero
aero.                   172800  IN      NS      a0.nic.aero.

dig @a0.nic.aero artisys.aero
artisys.aero.           3600    IN      NS      ns2.ai-tech.cz.
artisys.aero.           3600    IN      NS      ns.ai-tech.cz.

The "ns.ai-tech.cz" is authority server for all these domains:
dig @ns.ai-tech.cz <all_domains>
mail.artisys.cz.        3600    IN      A       83.148.60.102
www.artisys.cz.         3600    IN      CNAME   mail.artisys.cz.
artisys.cz.             3600    IN      A       83.148.60.102
mail.artisys.aero.      3600    IN      CNAME   mail.artisys.cz.
www.artisys.aero.       3600    IN      CNAME   mail.artisys.cz.
artisys.aero.           3600    IN      A       83.146.60.102
mail.artisys.eu.        3600    IN      CNAME   mail.artisys.cz.
www.artisys.eu.         3600    IN      CNAME   mail.artisys.cz.
artisys.eu.             3600    IN      A       83.148.60.102
www.aerospace.cz.       3600    IN      CNAME   mail.artisys.cz.

Part of my nginx configuration:

       server {
                listen 80;
                server_name www.artisys.cz artisys.cz www.artisys.aero artisys.aero www.artisys.eu artisys.eu www.aerospace.cz;

                location /.well-known {
                        root /var/www/localhost/htdocs;
                }

                location / {
                        return 301 https://www.artisys.aero$request_uri;
                }
        }

        server {
                listen 80;
                server_name mail.artisys.cz mail.artisys.aero mail.artisys.eu;

                location /.well-known {
                        root /var/www/localhost/htdocs;
                }

                location / {
                        return 301 https://mail.artisys.cz$request_uri;
                }
        }

acme.sh command:
.acme.sh/acme.sh --cron --cert-home /home/letsencrypt/cert/

acme.sh logs:
2024-11-21 - last successful renew (with old acme.sh):

[Čt lis 21 03:01:10 CET 2024] ===Starting cron===
[Čt lis 21 03:01:10 CET 2024] Renew: 'mail.artisys.cz'
[Čt lis 21 03:01:12 CET 2024] Multi domain='DNS:mail.artisys.cz,DNS:www.artisys.cz,DNS:artisys.cz,DNS:mail.artisys.aero,DNS:www.artisys.aero,DNS:artisys.aero,DNS:mail.artisys.eu,DNS:www.artisys.eu,DNS:artisys.eu,DNS:www.aerospace.cz'
[Čt lis 21 03:01:12 CET 2024] Getting domain auth token for each domain
[Čt lis 21 03:01:24 CET 2024] Getting webroot for domain='mail.artisys.cz'
[Čt lis 21 03:01:24 CET 2024] Getting webroot for domain='www.artisys.cz'
[Čt lis 21 03:01:24 CET 2024] Getting webroot for domain='artisys.cz'
[Čt lis 21 03:01:24 CET 2024] Getting webroot for domain='mail.artisys.aero'
[Čt lis 21 03:01:25 CET 2024] Getting webroot for domain='www.artisys.aero'
[Čt lis 21 03:01:25 CET 2024] Getting webroot for domain='artisys.aero'
[Čt lis 21 03:01:25 CET 2024] Getting webroot for domain='mail.artisys.eu'
[Čt lis 21 03:01:25 CET 2024] Getting webroot for domain='www.artisys.eu'
[Čt lis 21 03:01:25 CET 2024] Getting webroot for domain='artisys.eu'
[Čt lis 21 03:01:25 CET 2024] Getting webroot for domain='www.aerospace.cz'
[Čt lis 21 03:01:26 CET 2024] Verifying: mail.artisys.cz
[Čt lis 21 03:01:30 CET 2024] Pending
[Čt lis 21 03:01:33 CET 2024] Pending
[Čt lis 21 03:01:36 CET 2024] Success
[Čt lis 21 03:01:36 CET 2024] Verifying: www.artisys.cz
[Čt lis 21 03:01:40 CET 2024] Pending
[Čt lis 21 03:01:43 CET 2024] Pending
[Čt lis 21 03:01:46 CET 2024] Pending
[Čt lis 21 03:01:49 CET 2024] Pending
[Čt lis 21 03:01:52 CET 2024] Pending
[Čt lis 21 03:01:55 CET 2024] Pending
[Čt lis 21 03:01:58 CET 2024] Success
[Čt lis 21 03:01:58 CET 2024] Verifying: artisys.cz
[Čt lis 21 03:02:02 CET 2024] Pending
[Čt lis 21 03:02:05 CET 2024] Pending
[Čt lis 21 03:02:08 CET 2024] Success
[Čt lis 21 03:02:08 CET 2024] Verifying: mail.artisys.aero
[Čt lis 21 03:02:12 CET 2024] Pending
[Čt lis 21 03:02:15 CET 2024] Pending
[Čt lis 21 03:02:18 CET 2024] Pending
[Čt lis 21 03:02:21 CET 2024] Pending
[Čt lis 21 03:02:24 CET 2024] Pending
[Čt lis 21 03:02:27 CET 2024] Success
[Čt lis 21 03:02:27 CET 2024] Verifying: www.artisys.aero
[Čt lis 21 03:02:31 CET 2024] Pending
[Čt lis 21 03:02:34 CET 2024] Pending
[Čt lis 21 03:02:37 CET 2024] Pending
[Čt lis 21 03:02:40 CET 2024] Pending
[Čt lis 21 03:02:43 CET 2024] Pending
[Čt lis 21 03:02:46 CET 2024] Success
[Čt lis 21 03:02:46 CET 2024] Verifying: artisys.aero
[Čt lis 21 03:02:50 CET 2024] Pending
[Čt lis 21 03:02:53 CET 2024] Success
[Čt lis 21 03:02:53 CET 2024] Verifying: mail.artisys.eu
[Čt lis 21 03:02:57 CET 2024] Pending
[Čt lis 21 03:03:00 CET 2024] Pending
[Čt lis 21 03:03:03 CET 2024] Pending
[Čt lis 21 03:03:06 CET 2024] Pending
[Čt lis 21 03:03:09 CET 2024] Success
[Čt lis 21 03:03:09 CET 2024] Verifying: www.artisys.eu
[Čt lis 21 03:03:13 CET 2024] Pending
[Čt lis 21 03:03:16 CET 2024] Success
[Čt lis 21 03:03:16 CET 2024] Verifying: artisys.eu
[Čt lis 21 03:03:20 CET 2024] Pending
[Čt lis 21 03:03:23 CET 2024] Success
[Čt lis 21 03:03:23 CET 2024] Verifying: www.aerospace.cz
[Čt lis 21 03:03:27 CET 2024] Pending
[Čt lis 21 03:03:30 CET 2024] Pending
[Čt lis 21 03:03:33 CET 2024] Pending
[Čt lis 21 03:03:36 CET 2024] Pending
[Čt lis 21 03:03:39 CET 2024] Pending
[Čt lis 21 03:03:42 CET 2024] Success
[Čt lis 21 03:03:42 CET 2024] Verify finished, start to sign.
[Čt lis 21 03:03:42 CET 2024] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/58256741/325187351737
[Čt lis 21 03:03:44 CET 2024] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/030a52b88020d25392b48a6243cde83748bc
[Čt lis 21 03:03:45 CET 2024] Cert success.
-----BEGIN CERTIFICATE-----
    ....
-----END CERTIFICATE-----
[Čt lis 21 03:03:45 CET 2024] Your cert is in  /home/letsencrypt/cert//mail.artisys.cz/mail.artisys.cz.cer 
[Čt lis 21 03:03:45 CET 2024] Your cert key is in  /home/letsencrypt/cert//mail.artisys.cz/mail.artisys.cz.key 
[Čt lis 21 03:03:45 CET 2024] The intermediate CA cert is in  /home/letsencrypt/cert//mail.artisys.cz/ca.cer 
[Čt lis 21 03:03:45 CET 2024] And the full chain certs is there:  /home/letsencrypt/cert//mail.artisys.cz/fullchain.cer 
[Čt lis 21 03:03:46 CET 2024] ===End cron===

2025-01-23 - first unsuccessful renew (with old acme.sh):

[Čt led 23 03:06:11 CET 2025] ===Starting cron===
[Čt led 23 03:06:11 CET 2025] Renew: 'mail.artisys.cz'
[Čt led 23 03:06:13 CET 2025] Multi domain='DNS:mail.artisys.cz,DNS:www.artisys.cz,DNS:artisys.cz,DNS:mail.artisys.aero,DNS:www.artisys.aero,DNS:artisys.aero,DNS:mail.artisys.eu,DNS:www.artisys.eu,DNS:artisys.eu,DNS:www.aerospace.cz'
[Čt led 23 03:06:13 CET 2025] Getting domain auth token for each domain
[Čt led 23 03:06:25 CET 2025] Getting webroot for domain='mail.artisys.cz'
[Čt led 23 03:06:25 CET 2025] Getting webroot for domain='www.artisys.cz'
[Čt led 23 03:06:25 CET 2025] Getting webroot for domain='artisys.cz'
[Čt led 23 03:06:25 CET 2025] Getting webroot for domain='mail.artisys.aero'
[Čt led 23 03:06:26 CET 2025] Getting webroot for domain='www.artisys.aero'
[Čt led 23 03:06:26 CET 2025] Getting webroot for domain='artisys.aero'
[Čt led 23 03:06:27 CET 2025] Getting webroot for domain='mail.artisys.eu'
[Čt led 23 03:06:27 CET 2025] Getting webroot for domain='www.artisys.eu'
[Čt led 23 03:06:27 CET 2025] Getting webroot for domain='artisys.eu'
[Čt led 23 03:06:28 CET 2025] Getting webroot for domain='www.aerospace.cz'
[Čt led 23 03:06:28 CET 2025] Verifying: mail.artisys.cz
[Čt led 23 03:06:32 CET 2025] Pending
[Čt led 23 03:06:35 CET 2025] Pending
[Čt led 23 03:06:38 CET 2025] Pending
[Čt led 23 03:06:41 CET 2025] Pending
[Čt led 23 03:06:44 CET 2025] Pending
[Čt led 23 03:06:47 CET 2025] Pending
[Čt led 23 03:06:50 CET 2025] Pending
[Čt led 23 03:06:53 CET 2025] Success
[Čt led 23 03:06:53 CET 2025] Verifying: www.artisys.cz
[Čt led 23 03:06:58 CET 2025] Pending
[Čt led 23 03:07:01 CET 2025] Pending
[Čt led 23 03:07:03 CET 2025] Success
[Čt led 23 03:07:04 CET 2025] Verifying: artisys.cz
[Čt led 23 03:07:07 CET 2025] Pending
[Čt led 23 03:07:10 CET 2025] Success
[Čt led 23 03:07:10 CET 2025] Verifying: mail.artisys.aero
[Čt led 23 03:07:14 CET 2025] Pending
[Čt led 23 03:07:17 CET 2025] Pending
[Čt led 23 03:07:20 CET 2025] Pending
[Čt led 23 03:07:23 CET 2025] Pending
[Čt led 23 03:07:26 CET 2025] Success
[Čt led 23 03:07:26 CET 2025] Verifying: www.artisys.aero
[Čt led 23 03:07:30 CET 2025] Pending
[Čt led 23 03:07:33 CET 2025] Pending
[Čt led 23 03:07:36 CET 2025] Pending
[Čt led 23 03:07:39 CET 2025] Pending
[Čt led 23 03:07:42 CET 2025] Success
[Čt led 23 03:07:42 CET 2025] Verifying: artisys.aero
[Čt led 23 03:07:46 CET 2025] Pending
[Čt led 23 03:07:49 CET 2025] Pending
[Čt led 23 03:07:51 CET 2025] Pending
[Čt led 23 03:07:54 CET 2025] Pending
[Čt led 23 03:07:57 CET 2025] artisys.aero:Verify error:83.146.60.102: Fetching http://artisys.aero/.well-known/acme-challenge/Zy47bVFJYWvIH-cV_UYuFz9Q6tt_ZeUMoeBR_75RasY: Timeout during connect (likely firewall problem)
[Čt led 23 03:07:58 CET 2025] Please add '--debug' or '--log' to check more details.
[Čt led 23 03:07:58 CET 2025] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[Čt led 23 03:08:07 CET 2025] Error renew mail.artisys.cz.
[Čt led 23 03:08:07 CET 2025] ===End cron===

2025-01-27 - one unsuccessful renew with new acme.sh:

[Po led 27 15:10:57 CET 2025] ===Starting cron===
[Po led 27 15:10:57 CET 2025] Renewing: 'mail.artisys.cz'
[Po led 27 15:10:57 CET 2025] Renewing using Le_API=https://acme.zerossl.com/v2/DV90
[Po led 27 15:10:58 CET 2025] Using CA: https://acme.zerossl.com/v2/DV90
[Po led 27 15:10:59 CET 2025] Multi domain='DNS:mail.artisys.cz,DNS:www.artisys.cz,DNS:artisys.cz,DNS:mail.artisys.aero,DNS:www.artisys.aero,DNS:artisys.aero,DNS:mail.artisys.eu,DNS:www.artisys.eu,DNS:artisys.eu,DNS:www.aerospace.cz'
[Po led 27 15:11:26 CET 2025] Getting webroot for domain='mail.artisys.cz'
[Po led 27 15:11:26 CET 2025] Getting webroot for domain='www.artisys.cz'
[Po led 27 15:11:26 CET 2025] Getting webroot for domain='artisys.cz'
[Po led 27 15:11:27 CET 2025] Getting webroot for domain='mail.artisys.aero'
[Po led 27 15:11:27 CET 2025] Getting webroot for domain='www.artisys.aero'
[Po led 27 15:11:27 CET 2025] Getting webroot for domain='artisys.aero'
[Po led 27 15:11:27 CET 2025] Getting webroot for domain='mail.artisys.eu'
[Po led 27 15:11:27 CET 2025] Getting webroot for domain='www.artisys.eu'
[Po led 27 15:11:27 CET 2025] Getting webroot for domain='artisys.eu'
[Po led 27 15:11:28 CET 2025] Getting webroot for domain='www.aerospace.cz'
[Po led 27 15:11:28 CET 2025] mail.artisys.cz is already verified, skipping http-01.
[Po led 27 15:11:28 CET 2025] www.artisys.cz is already verified, skipping http-01.
[Po led 27 15:11:28 CET 2025] artisys.cz is already verified, skipping http-01.
[Po led 27 15:11:28 CET 2025] mail.artisys.aero is already verified, skipping http-01.
[Po led 27 15:11:29 CET 2025] www.artisys.aero is already verified, skipping http-01.
[Po led 27 15:11:29 CET 2025] Verifying: artisys.aero
[Po led 27 15:11:31 CET 2025] Processing. The CA is processing your order, please wait. (1/30)
[Po led 27 15:11:36 CET 2025] The retryafter=86400 value is too large (> 600), will not retry anymore.
[Po led 27 15:11:36 CET 2025] Please add '--debug' or '--log' to see more information.
[Po led 27 15:11:36 CET 2025] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[Po led 27 15:11:36 CET 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 3
[Po led 27 15:11:38 CET 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 3
[Po led 27 15:11:40 CET 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 3
[Po led 27 15:11:42 CET 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 3
[Po led 27 15:11:45 CET 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 3
[Po led 27 15:11:55 CET 2025] Error renewing mail.artisys.cz.
[Po led 27 15:11:55 CET 2025] ===End cron===

2025-01-27 - successful renew without artisys.aero:

[Po led 27 16:20:25 CET 2025] ===End cron===
CHANGE CERTS
 * Checking nginx' configuration ... [ ok ]
 * Refreshing nginx' configuration ... [ ok ]
 * Reloading postfix  ... [ ok ]
 * Stopping courier-pop3d over SSL ... [ ok ]
 * Starting courier-pop3d over SSL ... [ ok ]
 * Stopping courier-imapd over SSL ... [ ok ]
 * Starting courier-imapd over SSL ... [ ok ]
CERTS CHANGED
[Po led 27 16:25:14 CET 2025] ===Starting cron===
[Po led 27 16:25:14 CET 2025] Renewing: 'mail.artisys.cz'
[Po led 27 16:25:14 CET 2025] Renewing using Le_API=https://acme.zerossl.com/v2/DV90
[Po led 27 16:25:16 CET 2025] Using CA: https://acme.zerossl.com/v2/DV90
[Po led 27 16:25:16 CET 2025] Multi domain='DNS:mail.artisys.cz,DNS:www.artisys.cz,DNS:artisys.cz,DNS:mail.artisys.aero,DNS:www.artisys.aero,DNS:mail.artisys.eu,DNS:www.artisys.eu,DNS:artisys.eu,DNS:www.aerospace.cz'
[Po led 27 16:25:48 CET 2025] Getting webroot for domain='mail.artisys.cz'
[Po led 27 16:25:48 CET 2025] Getting webroot for domain='www.artisys.cz'
[Po led 27 16:25:48 CET 2025] Getting webroot for domain='artisys.cz'
[Po led 27 16:25:49 CET 2025] Getting webroot for domain='mail.artisys.aero'
[Po led 27 16:25:49 CET 2025] Getting webroot for domain='www.artisys.aero'
[Po led 27 16:25:49 CET 2025] Getting webroot for domain='mail.artisys.eu'
[Po led 27 16:25:49 CET 2025] Getting webroot for domain='www.artisys.eu'
[Po led 27 16:25:49 CET 2025] Getting webroot for domain='artisys.eu'
[Po led 27 16:25:50 CET 2025] Getting webroot for domain='www.aerospace.cz'
[Po led 27 16:25:50 CET 2025] Verifying: mail.artisys.cz
[Po led 27 16:25:53 CET 2025] Processing. The CA is processing your order, please wait. (1/30)
[Po led 27 16:26:01 CET 2025] Success
[Po led 27 16:26:01 CET 2025] Verifying: www.artisys.cz
[Po led 27 16:26:03 CET 2025] Processing. The CA is processing your order, please wait. (1/30)
[Po led 27 16:26:06 CET 2025] Success
[Po led 27 16:26:06 CET 2025] Verifying: artisys.cz
[Po led 27 16:26:10 CET 2025] Processing. The CA is processing your order, please wait. (1/30)
[Po led 27 16:26:19 CET 2025] Success
[Po led 27 16:26:19 CET 2025] Verifying: mail.artisys.aero
[Po led 27 16:26:22 CET 2025] Processing. The CA is processing your order, please wait. (1/30)
[Po led 27 16:26:26 CET 2025] Success
[Po led 27 16:26:26 CET 2025] Verifying: www.artisys.aero
[Po led 27 16:26:28 CET 2025] Processing. The CA is processing your order, please wait. (1/30)
[Po led 27 16:26:32 CET 2025] Success
[Po led 27 16:26:32 CET 2025] Verifying: mail.artisys.eu
[Po led 27 16:26:36 CET 2025] Processing. The CA is processing your order, please wait. (1/30)
[Po led 27 16:26:40 CET 2025] Success
[Po led 27 16:26:40 CET 2025] Verifying: www.artisys.eu
[Po led 27 16:26:45 CET 2025] Processing. The CA is processing your order, please wait. (1/30)
[Po led 27 16:26:52 CET 2025] Success
[Po led 27 16:26:52 CET 2025] Verifying: artisys.eu
[Po led 27 16:26:54 CET 2025] Processing. The CA is processing your order, please wait. (1/30)
[Po led 27 16:26:57 CET 2025] Success
[Po led 27 16:26:58 CET 2025] Verifying: www.aerospace.cz
[Po led 27 16:27:02 CET 2025] Processing. The CA is processing your order, please wait. (1/30)
[Po led 27 16:27:06 CET 2025] Success
[Po led 27 16:27:06 CET 2025] Verification finished, beginning signing.
[Po led 27 16:27:06 CET 2025] Let's finalize the order.
[Po led 27 16:27:06 CET 2025] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/A3Y6F_9PiIAvPM7DSRz2TA/finalize'
[Po led 27 16:27:08 CET 2025] Order status is 'processing', let's sleep and retry.
[Po led 27 16:27:08 CET 2025] Sleeping for 15 seconds then retrying
[Po led 27 16:27:23 CET 2025] Polling order status: https://acme.zerossl.com/v2/DV90/order/A3Y6F_9PiIAvPM7DSRz2TA
[Po led 27 16:27:25 CET 2025] Downloading cert.
[Po led 27 16:27:25 CET 2025] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/UkUdOzSG0mOH5HCFnR9dxA'
[Po led 27 16:27:29 CET 2025] Cert success.
-----BEGIN CERTIFICATE-----
    ....
-----END CERTIFICATE-----
[Po led 27 16:27:29 CET 2025] Your cert is in: /home/letsencrypt/cert//mail.artisys.cz/mail.artisys.cz.cer
[Po led 27 16:27:29 CET 2025] Your cert key is in: /home/letsencrypt/cert//mail.artisys.cz/mail.artisys.cz.key
[Po led 27 16:27:29 CET 2025] The intermediate CA cert is in: /home/letsencrypt/cert//mail.artisys.cz/ca.cer
[Po led 27 16:27:29 CET 2025] And the full-chain cert is in: /home/letsencrypt/cert//mail.artisys.cz/fullchain.cer
[Po led 27 16:27:30 CET 2025] ===End cron===
[Po led 27 16:40:03 CET 2025] ===Starting cron===
[Po led 27 16:40:03 CET 2025] Renewing: 'mail.artisys.cz'
[Po led 27 16:40:03 CET 2025] Renewing using Le_API=https://acme.zerossl.com/v2/DV90
[Po led 27 16:40:03 CET 2025] Skipping. Next renewal time is: 2025-03-27T15:27:29Z
[Po led 27 16:40:03 CET 2025] Add '--force' to force renewal.
[Po led 27 16:40:03 CET 2025] Skipped mail.artisys.cz
[Po led 27 16:40:03 CET 2025] ===End cron===

Welcome @bahula

Your nginx server block looks good but there must be something interfering with http requests to that domain.

The problem with artisys.aero also affects requests for your "home" page. From my own test server I timeout for any request to that domain. I get an almost instant response from www.artisys.aero. Could you have some sort of firewall affecting only your apex domain?

curl -i -m10 http://artisys.aero
curl: (28) Connection timed out after 10000 milliseconds

curl -i -m10 http://www.artisys.aero
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.2
Location: https://www.artisys.aero/

The Let's Debug test site also reproduces this problem and is good to help debug: Let's Debug

1 Like

Here is what I see for DNS

Hi, found !!

Big thanks for all.
The mistake is in the provider's DNS setting for artisys.aero

83.146.60.102 ==>> 83.148.60.102
     ^                  ^
3 Likes
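
The check that would have caught this before the renewal ran, as an added example that is not part of the original thread: it follows the CNAMEs in the dig answers posted in the question, flags any certificate name that does not end at the server's address, and pulls the address the CA actually tried out of the acme.sh error line. The function names `check_san_records` and `verify_error_ip` are hypothetical; the records, log line (timestamp omitted) and expected address 83.148.60.102 are taken from the posts above.

```shell
#!/bin/sh
# Added example, not code from the thread. Runs offline on data copied from it.

# dig answers from the question: name, TTL, class, type, rdata.
RECORDS='mail.artisys.cz.        3600    IN      A       83.148.60.102
www.artisys.cz.         3600    IN      CNAME   mail.artisys.cz.
artisys.cz.             3600    IN      A       83.148.60.102
mail.artisys.aero.      3600    IN      CNAME   mail.artisys.cz.
www.artisys.aero.       3600    IN      CNAME   mail.artisys.cz.
artisys.aero.           3600    IN      A       83.146.60.102
mail.artisys.eu.        3600    IN      CNAME   mail.artisys.cz.
www.artisys.eu.         3600    IN      CNAME   mail.artisys.cz.
artisys.eu.             3600    IN      A       83.148.60.102
www.aerospace.cz.       3600    IN      CNAME   mail.artisys.cz.'

# Failing line from the 2025-01-23 acme.sh log (timestamp omitted).
LOG_LINE='artisys.aero:Verify error:83.146.60.102: Fetching http://artisys.aero/.well-known/acme-challenge/Zy47bVFJYWvIH-cV_UYuFz9Q6tt_ZeUMoeBR_75RasY: Timeout during connect (likely firewall problem)'

# check_san_records EXPECTED_IP   (dig answer lines on stdin)
# Prints "name address" for each name that does not end at EXPECTED_IP.
# Returns 1 if any name is wrong, 0 if all match.
check_san_records() {
    awk -v want="$1" '
        $4 == "A"     { a[$1] = $5 }
        $4 == "CNAME" { c[$1] = $5 }
        $4 == "A" || $4 == "CNAME" { order[++k] = $1 }
        END {
            for (i = 1; i <= k; i++) {
                t = order[i]; hops = 0
                # follow the CNAME chain, bounded so a loop cannot hang us
                while ((t in c) && hops++ < 8) t = c[t]
                ip = (t in a) ? a[t] : "unresolved"
                if (ip != want) { print order[i], ip; bad = 1 }
            }
            exit bad + 0
        }'
}

# verify_error_ip   (acme.sh log lines on stdin)
# Prints the address the CA connected to, as reported in "Verify error:" lines.
verify_error_ip() {
    sed -n 's/.*Verify error:\([0-9.]*\):.*/\1/p'
}

# Stand-alone run: compare what DNS hands out with what the CA dialled.
printf '%s\n' "$RECORDS" | check_san_records 83.148.60.102 \
    || echo "DNS mismatch; CA tried: $(printf '%s\n' "$LOG_LINE" | verify_error_ip)"
```

In live use, feed the function the output of `dig +noall +answer` against the authoritative server for each name on the certificate instead of the embedded sample.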