Changed hosting, old server throws error

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bpsi.es

I ran this command:

It produced this output:

My web server is (include version): Plesk Onyx Version 17.8.11 CentOS Linux 7.6.1810 (Core)

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Hello,

one of my customers decided to redesign his webpage. the web designers decided to host the web at their server, while the rest of services (like email and dns) stay on my server.

i removed his certificates from my plesk control panel, but now i get error emails every single day, because LE is trying to renew a cert that doesn’t exist anymore, but as the webpage is no longer under my control, i can’t do anything about it.

i don’t have SSH access to my server, but my datacenter guys do.
so if you could provide me with some help/instructions how to fix this, to get rid of these error messages for good (this has been going on for half a year i just didn’t have time to deal with it), i’ll pass the instructions to the datacenter guys to sort it out.

thx in advance!

Could not secure domains with Let’s Encrypt certificates. Please log in to Plesk and secure the domains listed below manually.
Securing of the following domains has failed:

The following domains have been secured without some of their Subject Alternative Names:

Could not renew Let’s Encrypt certificates for Administrator (login admin). Please log in to Plesk and renew the certificates listed below manually.
Renewal of the following Let’s Encrypt certificates has failed:

The following Let’s Encrypt certificates have been renewed without some of their Subject Alternative Names:

Legend:
[+] This domain is secure. The domain’s SSL/TLS certificate from Let’s Encrypt has been issued/renewed.
This domain is not secure. Either the domain’s SSL/TLS certificate from Let’s Encrypt could not be issued/renewed or the domain name was excluded from the certificate. Renew the certificate manually or request a new one to secure this domain.

Hi,

I believe that’s normal.
Although you have the web hosting moved to developer’s server, you still have their email hosting (which needs the certificate for mail servers).

Since you mentioned that the DNS / NS Server for that domain is still on your server, you could try to change the Let’s Encrypt certificate issuance process to use DNS instead of HTTP.

Thank you

Hi @zanda

checking your domain your configuration looks wrong ( https://check-your-website.server-daten.de/?q=bpsi.es ):

You have two different ip addresses:

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| bpsi.es | A | 77.235.58.37 Amsterdam/North Holland/Netherlands (NL) - LeaseWeb NL Hostname: srv.qwerty-solutions.com | yes | 1 | 0 |
| | AAAA | | yes | | |
| www.bpsi.es | A | 89.248.104.152 Pozuelo de Alarcón/Madrid/Spain (ES) - Internet Access Interdominios Hostname: 89-248-104-152.redes.interdominios.com | yes | 1 | 0 |
| | AAAA | | yes | | |

So the non-www is your plesk, the www is the website.

But you have a wrong or not complete redirect:

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://bpsi.es/ 77.235.58.37 | 301 | http://www.bpsi.es/ Html is minified: 109,46 % | 0.040 | D |
| http://www.bpsi.es/ 89.248.104.152 GZip used - 8107 / 60142 - 86,52 % | 200 | Html is minified: 156,91 % | 1.200 | H |
| https://bpsi.es/ 77.235.58.37 | 301 | https://www.bpsi.es/ Html is minified: 109,46 % | 3.377 | N |
| Certificate error: RemoteCertificateNameMismatch | | | | |
| https://www.bpsi.es/ 89.248.104.152 GZip used - 8193 / 60086 - 86,36 % Inline-JavaScript (∑/total): 1/477 Inline-CSS (∑/total): 0/0 | 200 | Html is minified: 157,01 % | 4.320 | N |
| Certificate error: RemoteCertificateNameMismatch | | | | |
| http://bpsi.es/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 77.235.58.37 Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 0/0 | 301 | http://www.bpsi.es/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de Html is minified: 109,46 % | 0.044 | D |
| Visible Content: 301 Moved Permanently nginx | | | | |
| http://www.bpsi.es/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 89.248.104.152 Inline-JavaScript (∑/total): 1/477 Inline-CSS (∑/total): 0/0 | 404 | Html is minified: 158,64 % | 1.160 | A |
| Not Found | | | | |

http + non-www is redirected to http + www.

Normally, that's ok. But with your setup, that's the problem.

Because http + non-www + /.well-known/acme-challenge is redirected too.

So

  • remove the redirect completely (or)
  • add a definition, so /.well-known/acme-challenge isn't redirected. Check your Plesk how to do that in Plesk.

Result: You can't renew the non-www certificate, because the validation is redirected to your other server.

But that's a configuration error.
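
The exception described in the second bullet above, sketched as an nginx configuration (the checker output shows nginx answering on the non-www host). This is an added example, not taken from the thread or from Plesk; the host names and the webroot path are placeholders, and on a Plesk-managed host the equivalent has to be set through the panel, as the post says.

```nginx
# Constructed example. example.com / www.example.com and the webroot path
# are placeholders, not values from this thread.

# Before (shown commented out): every request on the non-www host is
# redirected, so the HTTP-01 validation request for the non-www name is
# sent on to the www host, which may be a different server.
#
# server {
#     listen 80;
#     server_name example.com;
#     return 301 http://www.example.com$request_uri;
# }

# After: challenge files are answered locally, everything else still redirects.
server {
    listen 80;                      # HTTP-01 validation starts on port 80
    server_name example.com;

    # "^~" makes this prefix match win over any regex locations,
    # so no other rule can redirect the challenge path.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme-webroot; # assumed directory where the ACME client writes tokens
        default_type text/plain;
        try_files $uri =404;        # unknown tokens get a local 404, not a redirect
    }

    location / {
        return 301 http://www.example.com$request_uri;
    }
}
```

After reloading, a request for any file name under `/.well-known/acme-challenge/` on the non-www host should return 200 or 404 from this server rather than a 301.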

If you want to stop maintaining a certificate for that name, you might want to ask a Plesk forum how to do that, instead of here. :sweat_drops:

@JuergenAuer
like i explained in my opening message, i have no control over the web anymore. it has been MOVED to another hosting, but my hosting still gets the cert errors.

@mnordhoff
let's forget for a second that i use plesk.
how about fixing this through SSH with certbot? can you help with that?

@stevenzhu
their mail has no certs. i REMOVED all certs for that domain from my server, still get these errors.

Looks like you have control over the non-www version:

The ip of the non-www: 77.235.58.37

The mail and the other name servers have the same ip:

D:\temp>nslookup -type=MX bpsi.es. ns.qwerty-soluciones.com.
Server: nuclebar.com
Address: 77.235.58.37

bpsi.es MX preference = 0, mail exchanger = bpsi-es.mail.protection.outlook.com
bpsi.es nameserver = ns.qwerty-solutions.com
bpsi.es nameserver = ns1.bpsi.es
bpsi.es nameserver = ns2.bpsi.es
bpsi.es nameserver = ns.qwerty-soluciones.com
ns.qwerty-soluciones.com internet address = 77.235.58.37
ns2.bpsi.es internet address = 77.235.58.37
ns1.bpsi.es internet address = 77.235.58.37
ns.qwerty-solutions.com internet address = 77.235.58.37

So it's the same ip address.

Who controls / manages 77.235.58.37 ?

I / my datacenter guys do. but the error indicates that it's looking for a file
http://www.bpsi.es/.well-known/acme-challenge/yvntFKy9Vb9iq9HyLa1q_FdMTMtBz_mTc91XQijQ0qo

i do NOT have access to that address. www.bpsi.es is on another server that doesn't belong to me.

Please read my first answer.

You have a redirect non-www -> www, so it's your wrong redirect.

How to fix it depends on what software is managing the certificate -- Plesk or your own Certbot setup. Plesk can't be ignored without confirming that it's not involved. If it is involved, making changes to Certbot's configuration might just confuse Plesk.

i'll try that and will come back to you tomorrow. thank you.

@JuergenAuer

i made the changes you asked. only the NS records point to my server, all others point to the new web hosting. could you check it?

even after making the changes last night, i still got the error email just a few minutes ago:

again, the cert was emitted and later deleted on MY server, but for some reason it still tries to renew it by searching a file on http://www.bpsi.es/ which as i stated before, is out of my control.

there HAS to be a way to clean this / delete this through SSH & certbot?

PS: i used your link from your first answer, to check on the domain and that page still reports bpsi.es to point to the wrong IP, while all other tests i have done, already point to the new ip.

irrelevant. new hosting didn't restore anything. it's a complete new website on a new provider and all that remains on my server is DNS

No, you didn't. Use the online tool or see the result: Domain is without www, but Letsencrypt checks the www version.

It's not a name server problem, it's a problem of your webserver configuration you have to fix.

http + non-www + /.well-known/acme-challenge/random-filename -> no redirect to http + www.

it seems to me that your tool is outdated or just takes a really long time to update DNS

here, try this one:

https://mxtoolbox.com/SuperTool.aspx?action=a%3Abpsi.es&run=toolpage#

edit: there is NOTHING on my server, other than DNS entries.
no web, no redirect, no NOTHING.
only DNS records which point bpsi.es and www.bpsi.es to the new server. server that i can NOT configure, edit or change ANYTHING

so, why does LE insist on sending ME emails about not being able to renew a cert that

  1. doesn’t even exist anymore
  2. has been removed 6 months ago (EDIT: my datacenter informed me that this is not entirely correct, as webmail.bpsi.es was still being used until i made the changes yesterday)
  3. belonged to a web that is on a whole different provider and server now
  4. and BTW that web doesn’t even have https or certs

There is no new check. Last check - 2019-09-18, 19:50, that's yesterday.

well i guess there is the problem then, hehe.
that tool needs a new -uptodate- check.

The existing Check-Button is enough. A lot of users recheck their domains.

earlier today i was getting this error on your tool:

now it seems it has worked and data seems to be updated. (16:44)

link

as you can see, the changes you asked for have been made correctly, yes?

so, will the problem fix itself and i will stop receiving those emails or is there anything else that needs to be done?

No, that's again wrong.

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://bpsi.es/ 89.248.104.152 | 301 | http://www.bpsi.es/ Html is minified: 100,00 % | 0.110 | D |
| http://www.bpsi.es/ 89.248.104.152 GZip used - 8206 / 60232 - 86,38 % | 200 | Html is minified: 156,79 % | 2.120 | H |
| https://bpsi.es/ 89.248.104.152 | 301 | http://www.bpsi.es/ Html is minified: 100,00 % | 3.343 | N |
| Certificate error: RemoteCertificateNameMismatch | | | | |
| https://www.bpsi.es/ 89.248.104.152 GZip used - 8206 / 60232 - 86,38 % Inline-JavaScript (∑/total): 1/477 Inline-CSS (∑/total): 0/0 | 200 | Html is minified: 156,79 % | 4.230 | N |
| Certificate error: RemoteCertificateNameMismatch | | | | |
| http://bpsi.es/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 89.248.104.152 Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 0/0 | 301 | http://www.bpsi.es/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de Html is minified: 100,00 % | 0.107 | D |
| Visible Content: Moved Permanently The document has moved here. Apache/2.4.10 (Debian) Server at bpsi.es Port 80 | | | | |
| http://www.bpsi.es/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 89.248.104.152 Inline-JavaScript (∑/total): 1/477 Inline-CSS (∑/total): 0/0 | 404 | Html is minified: 158,64 % | 1.877 | A |
| Not Found | | | | |

Non-www is redirected to www. But now the ip address has changed:

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| bpsi.es | A | 89.248.104.152 Pozuelo de Alarcón/Madrid/Spain (ES) - Internet Access Interdominios Hostname: 89-248-104-152.redes.interdominios.com | yes | 1 | 0 |
| | AAAA | | yes | | |
| www.bpsi.es | A | 89.248.104.152 Pozuelo de Alarcón/Madrid/Spain (ES) - Internet Access Interdominios Hostname: 89-248-104-152.redes.interdominios.com | yes | 1 | 0 |
| | AAAA | | yes | | |

So both versions (non-www and www) use the new server.

Maybe that fixes the problem.

i am not understanding what you want me to do

everything points to the new server: 89.248.104.152

there is NOTHING left on my server. no files, no web host, no email , NOTHING.
only DNS, and they point to 89.248.104.152

so what it is that you want me to do here?

Yep, that may have fixed the problem.

First I saw the redirect. Then I saw the changed ip address. So the 77.* server should stop trying to create a certificate.