Certbot Renewal Failing for domain phpipam.diamondstatenetworks.com

I ran this command: sudo certbot certonly --apache -v

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.


1: phpipam.diamondstatenetworks.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Certificate is due for renewal, auto-renewing...
Renewing an existing certificate for phpipam.diamondstatenetworks.com
Performing the following challenges:
http-01 challenge for phpipam.diamondstatenetworks.com
Waiting for verification...
Challenge failed for domain phpipam.diamondstatenetworks.com
http-01 challenge for phpipam.diamondstatenetworks.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: phpipam.diamondstatenetworks.com
Type: dns
Detail: no valid A records found for phpipam.diamondstatenetworks.com; no valid AAAA records found for phpipam.diamondstatenetworks.com

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.

My web server is (include version): Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version): 18.04.1-Ubuntu

My hosting provider, if applicable, is: Azure

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.32.2

I also checked the domain with DNS. It has an A record.

Thanks!


Oh hmmmm. I had an SSL cert on my privately addressed web server... how can I make this work with a privately addressed server... I don't actually want the server exposed to the Internet but I also do want every client complaining.

I just noticed this note: Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Hi @Archebald, and welcome to the LE community forum 🙂

Having an A record alone is not enough:

Name:    phpipam.diamondstatenetworks.com
Address: 10.240.3.4

If the Internet can't reach your server via HTTP, then you shouldn't use HTTP-01 authentication in the request for a certificate.
The A record shown is NOT an IP that can be reached by anyone on the Internet.

I don't understand how you can have any clients:

I can only assume the complaint is related to the lack of a valid certificate on your web server.

Since HTTP-01 authentication is not an option, you might want to try DNS-01 authentication.
And until all tests have been passed, you should use the LE testing/staging environment [not production LE systems] for all such tests.

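The reply above makes a point worth turning into a check you can run before asking Certbot for anything: HTTP-01 only works when the name's A/AAAA record points at an address the Let's Encrypt validators can reach, so a private address (10.240.3.4 here) means DNS-01 is the only route. The script below is an added example, not code from the thread or from Certbot. It classifies an IPv4 address as reachable-or-not using the RFC 1918, loopback, link-local, CGNAT and 0.0.0.0/8 ranges, picks the challenge type accordingly, and prints the Certbot command it would suggest (using the manual plugin against the staging environment, as the reply recommends). The `challenge_for_name` helper does a live lookup with `getent` and is the only part that needs network access; the sample addresses in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether HTTP-01 can work for a hostname by checking
# whether its A record is an address the Internet can route to.
# Assumes: POSIX sh, `getent` and `awk` for the live lookup only.

# Return 0 when the dotted-quad IPv4 address lies outside the ranges that
# public validators cannot reach: 10/8, 172.16/12, 192.168/16 (RFC 1918),
# 127/8 (loopback), 169.254/16 (link-local), 100.64/10 (CGNAT) and 0/8.
# Anything else is treated as public; malformed input returns 1.
is_public_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    a=$1; b=$2
    if [ "$a" -eq 10 ] || [ "$a" -eq 127 ] || [ "$a" -eq 0 ]; then
        return 1          # 10.240.3.4 from the thread lands here
    fi
    if [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then
        return 1
    fi
    if [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then
        return 1
    fi
    if [ "$a" -eq 169 ] && [ "$b" -eq 254 ]; then
        return 1
    fi
    if [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then
        return 1
    fi
    return 0
}

# Map an address to the ACME challenge type Certbot should be asked for.
challenge_for_address() {
    if is_public_ipv4 "$1"; then
        echo http-01
    else
        echo dns-01
    fi
}

# Print the Certbot invocation matching the challenge type. DNS-01 uses the
# manual plugin here; --test-cert targets the staging CA so failed attempts
# do not count against production rate limits. Adjust the plugin to your
# DNS provider once the manual flow has been verified.
suggested_certbot_command() {
    name=$1
    case $(challenge_for_address "$2") in
        http-01) echo "sudo certbot certonly --apache --test-cert -d $name" ;;
        dns-01)  echo "sudo certbot certonly --manual --preferred-challenges dns --test-cert -d $name" ;;
    esac
}

# Live check for a hostname (needs network): resolve the first A record and
# print the recommended command. Example call, not run at load time:
#   challenge_for_name phpipam.diamondstatenetworks.com
challenge_for_name() {
    addr=$(getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }')
    [ -n "$addr" ] || { echo "no A record found for $1" >&2; return 1; }
    echo "$1 resolves to $addr -> $(challenge_for_address "$addr")"
    suggested_certbot_command "$1" "$addr"
}
```

The check is deliberately conservative: an address that is not in one of the listed ranges is only assumed reachable, so a firewall, a cloud network security group, or a missing public IP on the VM (common on Azure) can still make HTTP-01 fail even when the script reports http-01. Running the returned command with `--test-cert` first, as the reply suggests, catches that before it touches production.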

Here is the list of issued certificates crt.sh | phpipam.diamondstatenetworks.com, the latest being 2023-02-08.
Looks like the OP's issue has been resolved, an assumption.

