Certbot certonly --standalone fails for domain with CNAME

My domain is: test1.mrvanes.com

I ran this command:
certbot certonly --standalone --non-interactive --agree-tos --email letsencrypt@mrvanes.com --http-01-port=8888 -d test1.mrvanes.com

It produced this output (with CNAME for test1.mrvanes.com):

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Requesting a certificate for test1.mrvanes.com
Performing the following challenges:
http-01 challenge for test1.mrvanes.com
Waiting for verification...
Challenge failed for domain test1.mrvanes.com
http-01 challenge for test1.mrvanes.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: test1.mrvanes.com
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up A for test1.mrvanes.com -
   check that a DNS record exists for this domain; no valid AAAA
   records found for test1.mrvanes.com

It produced this output (with A record for test1.mrvanes.com):

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Requesting a certificate for test1.mrvanes.com
Performing the following challenges:
http-01 challenge for test1.mrvanes.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/test1.mrvanes.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/test1.mrvanes.com/privkey.pem
   Your certificate will expire on 2022-10-11. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"

It's important to note that the command succeeds with CNAME when running with --dry-run:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Simulating a certificate request for test1.mrvanes.com
Performing the following challenges:
http-01 challenge for test1.mrvanes.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - The dry run was successful

My web server is (include version): haproxy (2.2.9) + certbot --standalone

Following this is a haproxy howto:

The operating system my web server runs on is (include version): Ubuntu 21.04

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

Welcome to the community @mrvanes

That sounds very strange. Can you put the failing CNAME back in the DNS so we can take a look?

Right now I see just the A record

And, how long did you wait after adding the CNAME before your first cert request?


I waited a couple of minutes and the CNAMEs are now back in place, with TTL of 5 minutes

Does the problem repeat?

The DNS with the CNAME looks fine to me. And, the Let's Debug test against the staging system looks good. But I note you said that worked before.

Of course, I can't test against production with your domain and standalone. But, I get farther than being rejected for missing A record.

In short, I can't reproduce or see cause for that original error.


I did the same test on https://letsdebug.net/ and I was surprised to see the result as well. I now have two certificates for test1 and test2 but will see if I can reproduce later with CNAMEs again.

One thing I changed now is that I had an invalid port forward on 443 for the target IP, but as I understood certonly --standalone for a new certificate request should never access 443 in the first place?

Yes, and no.
Yes, it shouldn't.
But, if HTTP is being redirected to HTTPS, then it would follow that redirection (and be forced to).


No, there wasn't a forced redirect on 80. I'll keep this topic updated when I find more evidence (or close if I can't reproduce anymore).


Be sure to leave enough time for all the authoritative nameservers to synchronize any changes.

mrvanes.com     nameserver = ns1.naamservert.nl
mrvanes.com     nameserver = ns2.naamservert.nl
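A pre-flight check that covers the two failure modes discussed in this thread (an authoritative nameserver that has not yet synced the CNAME, and a port-80 path whose redirect or forward does not actually reach the standalone listener). This is an added example, not code from certbot or from the original poster; it assumes `dig` (bind9-dnsutils) and `curl` are installed, that the zone apex is one label above the name, and the nameserver names are the ones shown in the nslookup output above. It queries each authoritative server directly with +norecurse, the way the validator effectively does, rather than trusting a local caching resolver, and then fetches a probe path under /.well-known/acme-challenge/ over plain HTTP following any redirect, so an HTTP-to-HTTPS redirect onto a broken 443 shows up as "no HTTP response" before certbot is ever run.

```shell
#!/bin/sh
# Pre-flight check before `certbot certonly --standalone` for a name served via CNAME.
# Added example for this thread (not certbot's or the poster's code); assumes `dig`
# and `curl` are installed. Usage: sh acme-preflight.sh test1.mrvanes.com

# Ask one authoritative server directly (+norecurse bypasses any caching resolver)
# and print only the type and RDATA of CNAME/A/AAAA answers, e.g.
# "CNAME target.example." or "A 203.0.113.10". Returns 1 on NXDOMAIN / no answer.
auth_answer() {   # auth_answer <nameserver> <name> <rrtype>
  local ns="$1" name="$2" rrtype="$3" out
  out=$(dig +norecurse +noall +answer @"$ns" "$name" "$rrtype" 2>/dev/null \
        | awk '$4 == "CNAME" || $4 == "A" || $4 == "AAAA" { print $4, $5 }')
  [ -n "$out" ] || return 1
  printf '%s\n' "$out"
}

# Query every authoritative nameserver for the zone and require the same answer from
# each. Propagation lag shows up here as one server still answering NXDOMAIN while
# another already serves the CNAME; the validator fails whenever it happens to ask
# the server that has not synced yet.
check_consistency() {   # check_consistency <name> <zone>
  local name="$1" zone="$2" ns ans first="" rc=0
  for ns in $(dig +short NS "$zone"); do
    if ans=$(auth_answer "$ns" "$name" A); then
      echo "$ns: $ans"
    else
      echo "$ns: NXDOMAIN / no CNAME, A or AAAA for $name"
      rc=1
      continue
    fi
    if [ -z "$first" ]; then
      first="$ans"
    elif [ "$ans" != "$first" ]; then
      echo "$ns: answer differs from the first server"
      rc=1
    fi
  done
  [ -n "$first" ] || { echo "no authoritative nameserver answered for $name"; rc=1; }
  return $rc
}

# Fetch a probe path under the ACME challenge prefix over plain HTTP, following
# redirects the way the validator does (-L). Any HTTP status back, including 404
# (no token is provisioned yet) or haproxy's 503 (nothing on 8888 yet), proves the
# path via port 80 works; no response at all (status 000) means the challenge will
# fail. If the final URL is https://, port 443 has to work as well.
check_http01() {   # check_http01 <name>
  local name="$1" out code final
  out=$(curl -sS -o /dev/null -L --max-redirs 5 --connect-timeout 5 \
             -w '%{http_code} %{url_effective}' \
             "http://$name/.well-known/acme-challenge/preflight-$$" 2>/dev/null) || true
  code="${out%% *}"
  final="${out#* }"
  case "$code" in
    ""|000) echo "no HTTP response for http://$name/ (final URL: ${final:-none})"; return 1 ;;
  esac
  echo "HTTP $code from $final"
  case "$final" in
    https://*) echo "note: an HTTP-to-HTTPS redirect was followed; the validator will follow it too" ;;
  esac
  return 0
}

main() {
  local name="$1"
  local zone="${name#*.}"   # assumption: the zone apex is one label above the name
  echo "== authoritative DNS for $name (zone $zone)"
  check_consistency "$name" "$zone" || {
    echo "DNS not consistent yet: wait out the TTL and for all nameservers to sync, then retry"
    return 1
  }
  echo "== HTTP-01 path"
  check_http01 "$name"
}

# Run only when a name is given, so the functions can also be sourced from another script.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Run it right after changing DNS and again after the TTL (5 minutes in this thread) has passed; only move on to certbot once every listed nameserver prints the same CNAME and the HTTP probe returns a status code.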

I can't reproduce so it probably was a PEBKAC.
Apologies for the noise!
