Certificate Renew Failure

Hey everyone, I've been failing to be able to renew the certificate for my domain. I've been messing around myself a bit but I am simply unable to figure out where the issue could be. Here is the information I need to provide:

My domain is: https://dagoth.xyz/

I ran this command: sudo certbot renew

It produced this output:

```
sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/dagoth.xyz.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate for dagoth.xyz
Performing the following challenges:
http-01 challenge for dagoth.xyz
Waiting for verification...
Challenge failed for domain dagoth.xyz
http-01 challenge for dagoth.xyz
Cleaning up challenges
Failed to renew certificate dagoth.xyz with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mail.dagoth.xyz.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/metukim.xyz.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/mail.dagoth.xyz/fullchain.pem expires on 2023-04-17 (skipped)
  /etc/letsencrypt/live/metukim.xyz/fullchain.pem expires on 2023-06-07 (skipped)
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/dagoth.xyz/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: dagoth.xyz
   Type:   unauthorized
   Detail: 2001:19f0:5:5eac:5400:3ff:fef1:f13c: Invalid response from
   https://dagoth.xyz/.well-known/acme-challenge/vMT5UnPQSXFN2aoUNzAy2kx2zQewp4POv_LfUM0917I:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
```

My web server is (include version): nginx/1.18.0

The operating system my web server runs on is (include version): Debian GNU/Linux 11 (bullseye)

My hosting provider, if applicable, is: Vultr

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Vultr Control Panel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

I'd appreciate some help. Apparently the due date for the cert is the 14th of March and I am getting a bit anxious, haha. I may add that I have a cronjob running to renew the certbot, and it seems like the last time it actually overwrote the file was December of last year. I am not sure what I have done back then that could have caused the failure. If I remember correctly I was (unsuccessfully) trying to set up a mail server around that time. Maybe I have done something that messed it up while trying to do that?

1 Like

Welcome to the community @dagoth666

My preliminary tests don't show anything obviously wrong. Can you post the letsencrypt.log file? Copy it to a txt and use the upload button on the post menu. Else, copy/paste it here, but please put 3 backticks before and after the output; it will be very long.

Example
```
contents of: /var/log/letsencrypt/letsencrypt.log
```

3 Likes

Hey @MikeMcQ thanks for the reply! I am attaching the log file here.
letsencrypt.txt (1.1 MB)

1 Like

Thanks. I see several things of concern but let's first focus on why the nginx plug-in isn't working right. The temp nginx changes looked fine to me.

But, what does this command do?

```
sudo certbot renew --dry-run --cert-name dagoth.xyz --nginx-sleep-seconds 10
```
3 Likes

I see! Here is the output after running the command you provided.

```
root@vultr:~# sudo certbot renew --dry-run --cert-name dagoth.xyz --nginx-sleep-seconds 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/dagoth.xyz.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Simulating renewal of an existing certificate for dagoth.xyz
Performing the following challenges:
http-01 challenge for dagoth.xyz
Waiting for verification...
Challenge failed for domain dagoth.xyz
http-01 challenge for dagoth.xyz
Cleaning up challenges
Failed to renew certificate dagoth.xyz with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/dagoth.xyz/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: dagoth.xyz
   Type:   unauthorized
   Detail: 2001:19f0:5:5eac:5400:3ff:fef1:f13c: Invalid response from
   https://dagoth.xyz/.well-known/acme-challenge/OQ8JaEXzRmE5VF5Lu7DvHd16iYQa6AeVau63g-61hgM:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
```

The DNS CAA record is wrong for letsencrypt.org

From here https://unboundtest.com/m/CAA/dagoth.xyz/WIXHAA5H

Query results for CAA dagoth.xyz

Response:
```
;; opcode: QUERY, status: NOERROR, id: 54147
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dagoth.xyz. IN CAA

;; ANSWER SECTION:
dagoth.xyz. 0 IN CAA 0 issue "trust-provider.com"
dagoth.xyz. 0 IN CAA 1 issue "letsencrypt.org"
```

And from here Hardenize Report: dagoth.xyz

Tag with unknown flags
We've detected a CAA tag that has unknown flags set. The RFC defines only one tag, criticality, which is activated when the flag byte has its highest bit set; that's 128 decimal. Perhaps the current value is a configuration mistake?

Policy host: dagoth.xyz.

Tag: issue=letsencrypt.org

Flags: 0xb00000001
1 Like
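The CAA records quoted above can be checked mechanically. The following is an added example (not code from the thread, certbot or Hardenize): it parses dig/unboundtest-style CAA answer lines, applies the RFC 8659 rules for the flags byte (bit 7, value 128, is "issuer critical"; the other bits are reserved) and for `issue` records (with no `issue` record at all any CA may issue; otherwise at least one record must name the CA, and a value of `";"` authorises nobody), and reports flag bytes like the `1` on the letsencrypt.org record. The sample answer is constructed from the records shown in the thread; the CA names in the tests are placeholders.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# RFC 8659: bit 7 (value 128) of the flags byte is the "issuer critical"
# flag; the remaining bits are reserved and are expected to be clear.
CAA_CRITICAL = 0x80
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# One dig/unboundtest-style answer line, e.g.
#   dagoth.xyz. 0 IN CAA 1 issue "letsencrypt.org"
_CAA_LINE = re.compile(
    r'^(?P<name>\S+)\s+\d+\s+IN\s+CAA\s+(?P<flags>\d+)\s+(?P<tag>\S+)\s+"(?P<value>[^"]*)"$'
)


@dataclass(frozen=True)
class CaaRecord:
    name: str
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & CAA_CRITICAL)

    @property
    def reserved_bits(self) -> int:
        """Flag bits other than issuer-critical; non-zero means a misconfiguration."""
        return self.flags & 0xFF & ~CAA_CRITICAL


def parse_caa_answer(text: str) -> list[CaaRecord]:
    """Pull CAA records out of a dig-style response; every other line is ignored."""
    records = []
    for line in text.splitlines():
        m = _CAA_LINE.match(line.strip())
        if m:
            records.append(CaaRecord(m["name"], int(m["flags"]), m["tag"].lower(), m["value"]))
    return records


def issue_allowed(records: list[CaaRecord], ca_domain: str) -> bool:
    """May `ca_domain` issue a non-wildcard certificate under this policy?

    With no `issue` records at all, any CA may issue. Otherwise at least one
    `issue` record must name the CA; a value of ";" authorises nobody.
    """
    issue_records = [r for r in records if r.tag == "issue"]
    if not issue_records:
        return True
    for r in issue_records:
        # Parameters may follow the CA domain after ';', e.g. "ca.example; validationmethods=http-01".
        domain = r.value.split(";", 1)[0].strip().lower()
        if domain and domain == ca_domain.lower():
            return True
    return False


def flag_warnings(records: list[CaaRecord]) -> list[str]:
    """Report flag-byte problems of the kind Hardenize flagged above."""
    warnings = []
    for r in records:
        if r.reserved_bits:
            warnings.append(
                f'{r.name} {r.tag}="{r.value}": reserved flag bits set '
                f"(flags={r.flags}, expected 0 or 128)"
            )
        if r.critical and r.tag not in KNOWN_TAGS:
            warnings.append(f"{r.name}: critical flag on unknown tag {r.tag!r}; a CA must refuse to issue")
    return warnings


# Constructed from the unboundtest output quoted in the thread.
SAMPLE_ANSWER = """\
;; ANSWER SECTION:
dagoth.xyz. 0 IN CAA 0 issue "trust-provider.com"
dagoth.xyz. 0 IN CAA 1 issue "letsencrypt.org"
"""

if __name__ == "__main__":
    recs = parse_caa_answer(SAMPLE_ANSWER)
    print("Let's Encrypt may issue:", issue_allowed(recs, "letsencrypt.org"))
    for warning in flag_warnings(recs):
        print("warning:", warning)
```

Run against the thread's records it reports that letsencrypt.org is authorised (so the CAA policy itself does not block issuance) and warns about the stray flag value of 1, which is worth correcting to 0 even though it is not what produced the 404.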

Hmm. Ok, what about this one? Something odd is happening here

```
sudo certbot certonly --webroot -w /var/www/dagoth.xyz --dry-run --cert-name dagoth.xyz
```
3 Likes

Maybe so (not sure that flag matters) but it would not cause the nginx 404 failure anyway

3 Likes

Yep! You are correct @MikeMcQ

Alright, here is the output now:

```
root@vultr:/# sudo certbot certonly --webroot -w /var/www/dagoth --dry-run --cert-name dagoth.xyz
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Simulating renewal of an existing certificate for dagoth.xyz
Performing the following challenges:
http-01 challenge for dagoth.xyz
Using the webroot path /var/www/dagoth for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - The dry run was successful.
```

OK. There are two options. One, update your Certbot version to the latest snap version (see link here) or switch to using the webroot method.

Certbot is having some sort of trouble with your nginx config so updating it might help.

If you want to switch to webroot (probably easier), do this:

```
sudo certbot certonly --webroot -w /var/www/dagoth.xyz --cert-name dagoth.xyz --deploy-hook 'systemctl reload nginx'
```

Replace the deploy-hook command with your preferred way of reloading nginx.

Upon success it will get a fresh cert and update the renewal conf so future `certbot renew` will use the webroot method instead.

4 Likes
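The webroot method that resolved the thread works the way the failing http-01 challenge is validated: certbot writes the key authorization to `<webroot>/.well-known/acme-challenge/<token>` and the CA fetches `http://<domain>/.well-known/acme-challenge/<token>`; the `404` in the logs means that URL did not map to the file certbot wrote. The following is an added example, not certbot's or Let's Encrypt's code, that reproduces the exchange offline so the two outcomes can be compared: a Python `http.server` on loopback stands in for nginx, the JWK is a constructed placeholder (only its thumbprint is used), and `validate_http01` plays both sides. The same probe, pointed at a real host and the directory nginx actually serves for it, is a quick self-check before running `certbot renew`.

```python
from __future__ import annotations

import base64
import hashlib
import json
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.1: token + "." + base64url(SHA-256(JWK thumbprint)).
    The thumbprint (RFC 7638) hashes the JWK's required members in sorted order."""
    canonical = json.dumps(account_jwk, sort_keys=True, separators=(",", ":")).encode()
    thumbprint = base64.urlsafe_b64encode(hashlib.sha256(canonical).digest()).rstrip(b"=")
    return f"{token}.{thumbprint.decode()}"


def place_challenge(webroot: str, token: str, key_auth: str) -> str:
    """What --webroot does: write the key authorization under webroot/.well-known/acme-challenge/."""
    directory = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_auth)
    return path


def fetch_challenge(base_url: str, token: str, timeout: float = 5.0) -> tuple[int, str]:
    """What the CA does: a plain HTTP GET of the challenge URL. Returns (status, body)."""
    try:
        with urllib.request.urlopen(base_url + CHALLENGE_PATH + token, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def validate_http01(base_url: str, webroot: str, account_jwk: dict) -> tuple[int, bool]:
    """Place a fresh token, fetch it back, clean up. Returns (HTTP status, body matched)."""
    token = secrets.token_urlsafe(32)
    expected = key_authorization(token, account_jwk)
    path = place_challenge(webroot, token, expected)
    try:
        status, body = fetch_challenge(base_url, token)
    finally:
        os.remove(path)  # certbot's "Cleaning up challenges"
    return status, body.strip() == expected


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output tidy
        pass


def serve_directory(directory: str) -> tuple[ThreadingHTTPServer, str]:
    """Stand-in for nginx: serve `directory` on a random loopback port."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=directory))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo() -> tuple[tuple[int, bool], tuple[int, bool]]:
    """Correct webroot vs. a directory the server does not serve (the 404 seen in the thread)."""
    # Constructed JWK with placeholder coordinates; it is not a real key.
    jwk = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}
    with tempfile.TemporaryDirectory() as served, tempfile.TemporaryDirectory() as unserved:
        server, base_url = serve_directory(served)
        try:
            good = validate_http01(base_url, served, jwk)
            bad = validate_http01(base_url, unserved, jwk)
        finally:
            server.shutdown()
            server.server_close()
    return good, bad


if __name__ == "__main__":
    print(demo())  # ((200, True), (404, False))
```

The second result is the failure mode from the logs: the file exists on disk, but not under the directory the web server maps that host's `/.well-known/acme-challenge/` path to, so the validator sees a 404. With `--webroot -w <dir>` the operator names that directory explicitly instead of relying on the nginx plugin's temporary config edits.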

Switching to webroot did the trick! Thank you so much for taking your free time to deal with my issue and being so friendly @MikeMcQ ! If you have a Ko-fi or something let me know so I can show my appreciation with a small donation!

1 Like

Your kind words are more than enough. Thanks

4 Likes