Certificate renewal fails

My domain is: https://www.daggerlaw.com/

I ran this command: NA

It produced this output: NA

My web server is (include version): DV w/SSDs (CentOS 7)

The operating system my web server runs on is (include version): CentOS Linux 7.5.1804 (Core)

My hosting provider, if applicable, is: MediaTemple

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk Onyx 17.5.3

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Sorry, not sure what this means.

Hello

The certificate will not renew either automatically or manually. I believe the problem is DNS related but I’m a little out of my league here so I’m not absolutely certain.

This is the error message I get when attempting a manual upgrade:
Your domain in Plesk is hosted on the IP address(es): 72.10.36.133 , but the DNS challenge used another IP: 24.123.121.130 . Make sure that the IP address(es) specified in the domain’s DNS zone match the IP address(es) the domain is hosted on.

As you can probably tell by the error message we are hosting the site at one IP and the DNS contains another different IP (for mail, etc.). The client has established a www A record to point to our server’s IP in order to allow the site to display at their domain, but all other A records point to a different IP address. Is it possible to correct this problem by adding an additional A record, and, if so, what should that record be? And, if not, what can I do to remedy this?

Any help would be greatly appreciated. Thanks in advance, Tom

Hi @ttrusty,

You could set up an HTTP redirect on the daggerlaw.com server to redirect everything under http://daggerlaw.com/.well-known/acme-challenge/ to the corresponding location under http://www.daggerlaw.com/.well-known/acme-challenge/. In this case Plesk would be technically capable of passing the challenges, although I’m not sure whether it would automatically detect that it was capable of doing so.

Alternatively, you could tell the www.daggerlaw.com machine that it is not responsible for web requests to daggerlaw.com. Then if you want a certificate to work for https://daggerlaw.com/, you would need to obtain that certificate directly on the daggerlaw.com server.

1 Like

Hi schoen,

Thanks for the quick and detailed response. I’ll have to do a little research on that redirect—assume I can handle it in the .htaccess file.

Not sure at all about your second option. If I have to go that route I’ll research it also. May be back here with questions.

First time in this forum. Is there a way I should give you positive feedback for your answer?

Thanks again, for your help!

1 Like

Good luck, and let us know if you have further questions. You can click on the heart icon below a post to show appreciation for that post.

The Let’s Encrypt forum uses forum software called Discourse, and our forum hosting is provided by the Discourse developers.

2 Likes

Off to a shaky start. I found the following and added it to the .htaccess file but the site went down due to too many redirects.

# Redirect all hits except for Let’s Encrypt’s ACME Challenge verification to example.com

RewriteCond %{REQUEST_URI} !^.well-known/acme-challenge
RewriteRule ^(.*) https://www.daggerlaw.com/$1 [R=301,L]

Thanks again.
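Why the rule posted above loops, as an added example that is not part of the original thread: a simplified Python model of how the `RewriteCond` is evaluated, run against constructed URLs. The `SCOPED` condition set (an escaped path pattern with a leading slash, plus a host check) is an assumption added for comparison, not something the posters wrote, and the model is not mod_rewrite itself.

```python
import re
from urllib.parse import urlsplit

TARGET = "https://www.daggerlaw.com"

# Each condition is (variable, regex, negated); all must hold for the redirect
# to fire. Simplified model of RewriteCond evaluation in .htaccess.
POSTED = [("REQUEST_URI", r"^.well-known/acme-challenge", True)]
# Assumed comparison set: REQUEST_URI always starts with "/", the dot is
# escaped, and hosts that are already canonical are left alone.
SCOPED = [
    ("REQUEST_URI", r"^/\.well-known/acme-challenge/", True),
    ("HTTP_HOST", r"^www\.daggerlaw\.com$", True),
]

def redirect_for(conds, url):
    """Return the Location the rule would send for url, or None if it is skipped."""
    parts = urlsplit(url)
    env = {"REQUEST_URI": parts.path or "/", "HTTP_HOST": parts.hostname}
    for var, pattern, negated in conds:
        matched = re.search(pattern, env[var]) is not None
        if matched == negated:  # this condition fails, so the rule does not fire
            return None
    # In .htaccess the RewriteRule pattern sees the path without its leading
    # slash, so "^(.*)" captures everything after it.
    return f"{TARGET}/{env['REQUEST_URI'].lstrip('/')}"

def follow(conds, url, limit=10):
    """Follow redirects from url; return ('served', url) or ('loop', url)."""
    seen = set()
    for _ in range(limit):
        nxt = redirect_for(conds, url)
        if nxt is None:
            return ("served", url)
        if nxt == url or nxt in seen:
            return ("loop", url)
        seen.add(url)
        url = nxt
    return ("loop", url)

if __name__ == "__main__":
    for name, conds in (("posted", POSTED), ("scoped", SCOPED)):
        for u in ("https://www.daggerlaw.com/",
                  "http://daggerlaw.com/.well-known/acme-challenge/token"):
            print(name, u, follow(conds, u))
```

In the posted pattern the unescaped `.` consumes the leading `/`, so it matches `/well-known/...` but never `/.well-known/...`, and with no host condition a request that is already on `https://www.daggerlaw.com` is redirected to itself.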

Currently all of

http://daggerlaw.com/
http://www.daggerlaw.com/
and
https://www.daggerlaw.com/

do something reasonable when I check. Only

https://daggerlaw.com/

seems to have a problem.

1 Like

Thanks again Seth. I appreciate your help.

I finally connected with the client’s IT tech. He found that the DNS setup was causing the trouble. He added an A record and we were able to manually renew the certificate. I expect that it will auto renew when the time comes—fingers crossed.

Again, thanks for your help, Tom

1 Like