Certificate renewal failing

My domain is: banksidesystems.com

The certificate for our domain will not renew using Certify Certificate Manager 6.0.18.0. It says "Validation of the required challenges did not complete successfully". Looks like it can't find an A record or AAAA record. A record definitely exists. Is this likely related to this announcement? "Deploying Let's Encrypt's New Issuance Chains". If so, is this likely to be a temporary issue whilst the update happens?

What makes you think the A or AAAA records exist for banksidesystems.com? It doesn't look like they exist when I query them from my system.

3 Likes

Let's Debug doesn't complain about the www subdomain at least. Maybe try again?

If it still doesn't work:


When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it. In any case, all the answers to this questionnaire are required:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

The error dialog that comes up on trying to renew the certificate says 'Response from Certificate Authority: no valid A records found for banksidesystems.com; no valid AAA records found for banksidesystems.com'...

@mikew5163 The past year you only got certificates for the www subdomain of your domain: crt.sh | banksidesystems.com

I concur with Peter that there is no A or AAAA RR for the apex domain banksidesystems.com. If you want a certificate for banksidesystems.com too, you should add the A and/or AAAA RR.

Also, as you haven't gotten any recent certificates for banksidesystems.com to begin with, I'm highly doubting you're trying to RENEW a certificate for the banksidesystems.com hostname?

1 Like

Sorry Peter I misread your question! What tool are you using to check for the A record? It certainly should exist!

1 Like

Via Google's web interface:

https://dns.google/query?name=banksidesystems.com&rr_type=A&ecs=

Via Let's Debug:

Checking your authoritative server directly (from a Windows machine in this case):

nslookup -norecurse banksidesystems.com. ns1.livedns.co.uk.

As @Osiris said, it may be that you've only used www.banksidesystems.com in the past, and that you've never set up banksidesystems.com.

4 Likes
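A pre-flight version of the checks in the post above, as an added example that is not part of the original thread: it reads responses from Google's DNS JSON API (`https://dns.google/resolve`) and lists the certificate names that have neither an A nor an AAAA record. The hostnames, addresses and sample responses are constructed, and the function names are hypothetical.

```python
import json
import urllib.parse
import urllib.request

RR_A, RR_AAAA = 1, 28  # DNS RR type numbers

def addresses(response, rr_type):
    """Address data of the requested type from one JSON response."""
    if response.get("Status") != 0:  # e.g. 3 = NXDOMAIN
        return []
    # Status 0 with no matching Answer is NODATA: the name exists but has no
    # record of this type. CNAME answers (type 5) are skipped on purpose.
    return [a["data"] for a in response.get("Answer", []) if a.get("type") == rr_type]

def query_google(name, rr_type):
    """Live lookup through Google's public resolver (needs network access)."""
    qs = urllib.parse.urlencode({"name": name, "type": rr_type})
    with urllib.request.urlopen("https://dns.google/resolve?" + qs, timeout=10) as r:
        return json.load(r)

def preflight(names, query=query_google):
    """Map each certificate name to the A and AAAA addresses found for it."""
    return {n: addresses(query(n, RR_A), RR_A) + addresses(query(n, RR_AAAA), RR_AAAA)
            for n in names}

def missing(names, query=query_google):
    """Names with no address record at all, which the CA would report."""
    return [n for n, addrs in preflight(names, query).items() if not addrs]

# Constructed sample responses (documentation address range), not real data.
NODATA = {"Status": 0, "Authority": [{"type": 6}]}
SAMPLE = {
    ("www.example.test", RR_A): {"Status": 0, "Answer": [
        {"name": "www.example.test.", "type": 5, "data": "host.example.test."},
        {"name": "host.example.test.", "type": 1, "data": "192.0.2.10"}]},
    ("www.example.test", RR_AAAA): NODATA,
    ("example.test", RR_A): NODATA,
    ("example.test", RR_AAAA): NODATA,
}

def sample_query(name, rr_type):
    return SAMPLE[(name, rr_type)]

if __name__ == "__main__":
    for name in missing(["www.example.test", "example.test"], sample_query):
        print(f"{name}: no A or AAAA record found")
```

A public recursive resolver can return cached answers, so after changing a record, also query the authoritative server directly as in the `nslookup -norecurse` command above.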

Thank you so much Peter and Osiris,

You were quite correct - we had never set up an A record for banksidesystems.com and were just using the www version (Chrome hides this these days of course so I think we just didn't realise). It may be my colleague did just add the non-www domain to the certificate - I will check.

However, I have now created an A record for the root domain and the certificate has now renewed successfully!

Thank you once again.

Mike

4 Likes

This is the first time ever that you've issued a certificate for www.banksidesystems.com and banksidesystems.com with Let's Encrypt and thus would not count as a renewal.

1 Like

Well, that history doesn't show it as the first time ever, just the first time since they switched to Let's Encrypt in 2023. It might be that the validation before Let's Encrypt was manual DNS-based and so the hostname still might not have had an address before.

3 Likes

That's why I said "with Let's Encrypt". I think I wouldn't count a certificate as a renewal if it was changing CAs.

2 Likes
