Cert renewed 3 months ago fine, but fails now

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
smartphoneagent.com
I ran this command:
virtualmin renew letsencrypt
It produced this output:

My web server is (include version):
Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 20.04.2 LTS

My hosting provider, if applicable, is:
prgmr.com
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
virtualmin 6.16
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

Check you have an up to date version of virtualmin and certbot (your certbot is very old):

Also, when you do need help you have to post a log file or something, otherwise it's really hard to guess what the problem could be.

Hi, and thanks for your help

t# apt-get install --only-upgrade certbot
Reading package lists... Done
Building dependency tree
Reading state information... Done
certbot is already the newest version (0.40.0-1ubuntu0.1).
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.

Or did you mean something else?

Also virtualmin is the latest version

The logs are huge; here is what I hope will help. There are other domains associated, as you'll see, but the unattended renewals have all been working fine until now.

2021-08-17 11:50:39,647:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/22623346820 HTTP/1.1" 200 664
2021-08-17 11:50:39,648:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 17 Aug 2021 10:50:39 GMT
Content-Type: application/json
Content-Length: 664
Connection: keep-alive
Boulder-Requester: 124361339
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 00016usagRPTRgKuVlRBzaRHngQCuXxe_8B-Q-gFxhtT07k
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "smartphoneagent.co.uk"
},
"status": "invalid",
"expires": "2021-08-24T10:49:07Z",
"challenges": [
{
"type": "dns-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:dns",
"detail": "DNS problem: SERVFAIL looking up TXT for _acme-challenge.smartphoneagent.co.uk - the domain's nameservers may be malfunctioning",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/22623346820/rYfLjg",
"token": "Gqnr7nSTTccX6WQmQb8YXvvrA0q-apFuZHBDupY7Y3U",
"validated": "2021-08-17T10:50:08Z"
}
]
}
2021-08-17 11:50:39,649:DEBUG:acme.client:Storing nonce: 00016usagRPTRgKuVlRBzaRHngQCuXxe_8B-Q-gFxhtT07k
2021-08-17 11:50:39,649:DEBUG:acme.client:JWS payload:
b''
2021-08-17 11:50:39,651:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/22623346830:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTI0MzYxMzM5IiwgIm5vbmNlIjogIjAwMDE2dXNhZ1JQVFJnS3VWbFJCemFSSG5nUUN1WHhlXzhCLVEtZ0Z4aHRUMDdrIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8yMjYyMzM0NjgzMCJ9",
"signature": "P1TRXiADLJo_ThrOWTOUDdW7SJoDv_coz1TRggTS843KzcczNAyCHvewebAIpjcF61F_yDo6XDkw88C4lEna-67haWGm8-3hljlwnggWhy-hNPaWmBr9Odx5mNg6Gc29iSJVvzXGyLEmbm7Y1i0bFYvKIK79_YJ3auC-31e3Hl9qgQADxP2V-Br65GNOIvOU7V_vDORqHt0APk7f8AVot_R8eUY1ZK9KWspkmpcX9tOtglBBkqUudz_AYjIhUgxqM-ciGkVzk7GUUgaSgE0DAOCOufqcHi4DUFNJu7cXfMbB0EcNmbs9aj1q9KjQTmUyOauQZ0BaUxpQST5Bf6BIgQ",
"payload": ""
}
2021-08-17 11:50:39,699:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/22623346830 HTTP/1.1" 200 618
2021-08-17 11:50:39,700:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 17 Aug 2021 10:50:39 GMT
Content-Type: application/json
Content-Length: 618
Connection: keep-alive
Boulder-Requester: 124361339
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 00028nG1M9Bn2C4xbhv4zrC6Vxj2DJKvcGToyi7ARULSeoc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "smartphoneagent.net"
},
"status": "invalid",
"expires": "2021-08-24T10:49:07Z",
"challenges": [
{
"type": "dns-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:dns",
"detail": "DNS problem: query timed out looking up TXT for _acme-challenge.smartphoneagent.net",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/22623346830/NKnkug",
"token": "3VEjbjIoIPngfZE4N-DdQNW6E5xh_N0ywGrL_fEmlU0",
"validated": "2021-08-17T10:50:08Z"
}
]
}
2021-08-17 11:50:39,701:DEBUG:acme.client:Storing nonce: 00028nG1M9Bn2C4xbhv4zrC6Vxj2DJKvcGToyi7ARULSeoc
2021-08-17 11:50:39,701:WARNING:certbot.auth_handler:Challenge failed for domain mail.smartphoneagent.co.uk
2021-08-17 11:50:39,701:WARNING:certbot.auth_handler:Challenge failed for domain mail.smartphoneagent.net
2021-08-17 11:50:39,702:WARNING:certbot.auth_handler:Challenge failed for domain smartphoneagent.co.uk
2021-08-17 11:50:39,702:WARNING:certbot.auth_handler:Challenge failed for domain smartphoneagent.net
2021-08-17 11:50:39,702:INFO:certbot.auth_handler:dns-01 challenge for mail.smartphoneagent.co.uk
2021-08-17 11:50:39,702:INFO:certbot.auth_handler:dns-01 challenge for mail.smartphoneagent.net
2021-08-17 11:50:39,702:INFO:certbot.auth_handler:dns-01 challenge for smartphoneagent.co.uk
2021-08-17 11:50:39,702:INFO:certbot.auth_handler:dns-01 challenge for smartphoneagent.net
2021-08-17 11:50:39,703:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: mail.smartphoneagent.co.uk
Type: dns
Detail: DNS problem: query timed out looking up TXT for _acme-challenge.mail.smartphoneagent.co.uk

Domain: mail.smartphoneagent.net
Type: dns
Detail: DNS problem: query timed out looking up TXT for _acme-challenge.mail.smartphoneagent.net

Domain: smartphoneagent.co.uk
Type: dns
Detail: DNS problem: SERVFAIL looking up TXT for _acme-challenge.smartphoneagent.co.uk - the domain's nameservers may be malfunctioning

Domain: smartphoneagent.net
Type: dns
Detail: DNS problem: query timed out looking up TXT for _acme-challenge.smartphoneagent.net
2021-08-17 11:50:39,704:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2021-08-17 11:50:39,705:DEBUG:certbot.error_handler:Calling registered functions
2021-08-17 11:50:39,705:INFO:certbot.auth_handler:Cleaning up challenges
2021-08-17 11:50:39,705:INFO:certbot.hooks:Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
2021-08-17 11:50:42,921:INFO:certbot.hooks:Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
2021-08-17 11:50:46,108:INFO:certbot.hooks:Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
2021-08-17 11:50:49,291:INFO:certbot.hooks:Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
2021-08-17 11:50:52,487:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/letsencrypt", line 11, in <module>
load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1382, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1265, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 417, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 348, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 396, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

The 'SERVFAIL' result implies your DNS is slightly broken. I tried it using dig and got an error, then it worked. Something intermittent?
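An added example, not part of the thread and not certbot or Virtualmin code: with a log this large, the failed dns-01 lookups can be pulled out of the embedded ACME authorization objects and grouped by failure kind (SERVFAIL versus timeout). The function names and the sample log, which uses placeholder domains, are constructed for illustration.

```python
import json
import re
from collections import defaultdict

# Constructed sample in the shape of the log above (placeholder domains).
SAMPLE_LOG = """\
2021-08-17 11:50:39,648:DEBUG:acme.client:Received response:
{
"identifier": {"type": "dns", "value": "example.co.uk"},
"challenges": [{"type": "dns-01", "status": "invalid", "error": {"status": 400,
"detail": "DNS problem: SERVFAIL looking up TXT for _acme-challenge.example.co.uk - the domain's nameservers may be malfunctioning"}}]
}
2021-08-17 11:50:39,651:DEBUG:acme.client:Sending POST request to https://acme.invalid/authz/2:
{"protected": "constructed", "signature": "constructed", "payload": ""}
2021-08-17 11:50:39,700:DEBUG:acme.client:Received response:
{
"identifier": {"type": "dns", "value": "example.net"},
"challenges": [{"type": "dns-01", "status": "invalid", "error": {"status": 400,
"detail": "DNS problem: query timed out looking up TXT for _acme-challenge.example.net"}}]
}
"""

_OBJ_START = re.compile(r"^\{", re.M)  # JSON bodies start on their own line

def iter_authorizations(log_text):
    """Yield each ACME authorization object embedded in a certbot debug log."""
    pos = 0
    while (m := _OBJ_START.search(log_text, pos)):
        try:
            obj, pos = json.JSONDecoder().raw_decode(log_text, m.start())
        except json.JSONDecodeError:
            pos = m.end()  # not valid JSON (e.g. truncated log); keep scanning
            continue
        if isinstance(obj, dict) and "identifier" in obj and "challenges" in obj:
            yield obj  # JWS request bodies lack these keys and are skipped

def failed_dns_lookups(log_text):
    """Map failure kind ('servfail', 'timeout', 'other') to the names queried."""
    out = defaultdict(set)
    for authz in iter_authorizations(log_text):
        for ch in authz["challenges"]:
            detail = ch.get("error", {}).get("detail", "")
            if ch.get("status") == "invalid" and detail:
                m = re.search(r"looking up TXT for (\S+)", detail)
                name = m.group(1) if m else "_acme-challenge." + authz["identifier"]["value"]
                kind = "servfail" if "SERVFAIL" in detail else "timeout" if "timed out" in detail else "other"
                out[kind].add(name)
    return {kind: sorted(names) for kind, names in out.items()}
```

Run `failed_dns_lookups(open(path).read())` on the real log; the grouping separates zones whose nameservers return an error from zones whose nameservers do not answer at all.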
