Completely baffled where to begin - renewal errors

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: colonelboom.co.uk

I ran this command: certbot --apache, then expanded on the domains

It produced this output:
Failed authorization procedure.
colonelboom.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://colonelboom.co.uk/.well-known/acme-challenge/-QxtlZlzl-_4yQkQ2l74bbj0MicqndeyplcvDB9tEFg [2a01:7e00::f03c:92ff:fe3e:ba8d]: "\n\n404 Not Found\n\n\nNot Found\n\n<p",
webmail.colonelboom.co.uk (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for webmail.colonelboom.co.uk - check that a DNS record exists for this domain,
autodiscover.colonelboom.co.uk (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for autodiscover.colonelboom.co.uk - check that a DNS record exists for this domain,
www.colonelboom.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.colonelboom.co.uk/.well-known/acme-challenge/4r0bMHhx_sKxNc-DCBOLzOnERl_NjGAhdjbo1AiGNPg [2a01:7e00::f03c:92ff:fe3e:ba8d]: "\n\n404 Not Found\n</head>\n\nNot Found\n\n<p",
autoconfig.colonelboom.co.uk (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for autoconfig.colonelboom.co.uk - check that a DNS record exists for this domain,
mail.colonelboom.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.colonelboom.co.uk/.well-known/acme-challenge/L2-_CTvbdkKQ7m-dMjpbHRNXnyMAW6CeSSrZnwnzxDs [2a01:7e00::f03c:92ff:fe3e:ba8d]: "\n\n404 Not Found\n\n\nNot Found\n\n<p",
admin.colonelboom.co.uk (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for admin.colonelboom.co.uk - check that a DNS record exists for this domain

My web server is (include version): Apache 2.4.38

The operating system my web server runs on is (include version): Debian 10

My hosting provider, if applicable, is: Hosted on Linode, sadly no support, but I never needed it since most SSH work I can do myself.

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Virtualmin 6.13

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0

I am absolutely bewildered with getting my renewal to work. I am not sure what changed on the server, but when I launched it, the Let's Encrypt SSL seemed to set itself up and I had no need for the bought certificate I had, which I just didn't use.

It's managed to renew for months just fine, so I have never really looked into what mechanisms were happening in order to do it. But since I disabled IPv6, which was causing a number of issues and not being used, I am now getting continuous renewal error emails.

I have gone into the backend of Virtualmin to the SSL section, clicked to update manually, and am getting:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for colonelboom.co.uk
Using the webroot path /home/colonelboom/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. colonelboom.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://colonelboom.co.uk/.well-known/acme-challenge/kS9gq5py4N3umXauy-SAERQ1pOG_pF2ZxTgU6vJCLro [2a01:7e00::f03c:92ff:fe3e:ba8d]: "\n\n404 Not Found\n\n\nNot Found\n\n<p"
IMPORTANT NOTES:

In the acme-challenge directory the listed filename is not there; there are two others, which I assume were from my intended Comodo install prior to Let's Encrypt just working and making it redundant.

My assumption is I need to reissue that file to upload, but I can't make out how to do this. If anyone can help I would appreciate it. I do have 20 days until this expires, but I am trying to get out in front of it.

Thanks


Welcome to the Let's Encrypt Community :slightly_smiling_face:

The http-01 challenge files are automatically created by certbot (unless you specify --manual).

As I initially suspected, you have an IPv6 address (AAAA record in your DNS) that's probably pointing to a different server. Remove your AAAA record and try again.


It looks like you're getting several NXDOMAIN errors too. That's usually a problem with one or more DNS servers not having/serving the correct information.

I see no A/AAAA records (or CNAMEs) for the webmail, autodiscover, autoconfig, and admin subdomains.

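The reply above pins the failure on a record the validator used rather than the server's own configuration. As an added example (not code from this thread or from Certbot), the script below parses certbot's "Failed authorization procedure" list into one entry per name, reads off the address in square brackets (the one the validator actually connected to) and the ACME error type, and says which fix each entry points at. It also checks a set of DNS records against the addresses a host really owns, which is the check that exposes a stale AAAA record published from a zone you forgot about. The sample certbot output is trimmed from the post, and the DNS records and the 203.0.113.10 address are constructed for the example.

```python
"""Triage certbot "Failed authorization procedure" output for http-01.

Added example, not code from the thread or from Certbot. The sample
output is trimmed from the post; the DNS records and IPv4 address are
constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample, trimmed from the post: the HTML 404 body is
# shortened; the token URLs and the bracketed address are as quoted.
SAMPLE_OUTPUT = (
    "Failed authorization procedure. "
    "colonelboom.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: "
    "The client lacks sufficient authorization :: Invalid response from "
    "http://colonelboom.co.uk/.well-known/acme-challenge/-QxtlZlzl-_4yQkQ2l74bbj0MicqndeyplcvDB9tEFg "
    '[2a01:7e00::f03c:92ff:fe3e:ba8d]: "\\n\\n404 Not Found\\n\\n<p", '
    "webmail.colonelboom.co.uk (http-01): urn:ietf:params:acme:error:dns :: "
    "DNS problem: NXDOMAIN looking up A for webmail.colonelboom.co.uk - "
    "check that a DNS record exists for this domain, "
    "mail.colonelboom.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: "
    "The client lacks sufficient authorization :: Invalid response from "
    "http://mail.colonelboom.co.uk/.well-known/acme-challenge/L2-_CTvbdkKQ7m-dMjpbHRNXnyMAW6CeSSrZnwnzxDs "
    '[2a01:7e00::f03c:92ff:fe3e:ba8d]: "\\n\\n404 Not Found\\n\\n<p"'
)

# One entry per failed identifier. The lookahead ends each entry's detail
# where the next "name (challenge): urn:ietf:..." entry begins.
ENTRY_RE = re.compile(
    r"(?P<name>[A-Za-z0-9.-]+) \((?P<chal>[a-z0-9-]+)\): "
    r"urn:ietf:params:acme:error:(?P<etype>[A-Za-z]+) :: "
    r"(?P<detail>.*?)(?=, [A-Za-z0-9.-]+ \([a-z0-9-]+\): urn:ietf|$)",
    re.DOTALL,
)
# The address the validator connected to, printed as "[addr]" in the detail.
ADDR_RE = re.compile(r"\[([0-9A-Fa-f:.]+)\]")


@dataclass
class Failure:
    name: str
    challenge: str
    error_type: str
    detail: str
    address: Optional[str]


def parse_failures(output: str) -> List[Failure]:
    """Split certbot's failure summary into per-name Failure records."""
    marker = "Failed authorization procedure. "
    start = output.find(marker)
    body = output[start + len(marker):] if start >= 0 else output
    failures = []
    for m in ENTRY_RE.finditer(body):
        addr = ADDR_RE.search(m["detail"])
        failures.append(Failure(m["name"], m["chal"], m["etype"],
                                m["detail"].strip(),
                                addr.group(1) if addr else None))
    return failures


def diagnose(f: Failure) -> str:
    """Map an entry to the thing a practitioner should check first."""
    if f.error_type == "dns":
        return "no A/AAAA record: add one, or drop the name from the certificate"
    if f.error_type == "unauthorized" and f.address:
        if ipaddress.ip_address(f.address).version == 6:
            return ("validated over IPv6 via an AAAA record; if this host no "
                    "longer serves IPv6, delete the AAAA record in every zone "
                    "that publishes the name, including the hosting provider's")
        return ("validated over IPv4 but the token was not served: check the "
                "webroot path and which vhost answers for this name")
    return "unhandled: " + f.detail[:80]


def stale_addresses(records: Dict[str, List[str]],
                    owned: Set[str]) -> Dict[str, List[str]]:
    """Addresses published in DNS that this server does not actually own."""
    mine = {ipaddress.ip_address(a) for a in owned}
    stale = {}
    for name, addrs in records.items():
        bad = [a for a in addrs if ipaddress.ip_address(a) not in mine]
        if bad:
            stale[name] = bad
    return stale


# Constructed: the provider's zone still carries the old AAAA record. The
# IPv4 address is made up; the IPv6 one is the address from the error.
SAMPLE_RECORDS = {
    "colonelboom.co.uk": ["203.0.113.10", "2a01:7e00::f03c:92ff:fe3e:ba8d"],
    "mail.colonelboom.co.uk": ["203.0.113.10", "2a01:7e00::f03c:92ff:fe3e:ba8d"],
}
SERVER_ADDRESSES = {"203.0.113.10"}  # IPv6 has been disabled on the host


if __name__ == "__main__":
    for fail in parse_failures(SAMPLE_OUTPUT):
        print(f"{fail.name}: {fail.error_type} -> {diagnose(fail)}")
    for host, bad in stale_addresses(SAMPLE_RECORDS, SERVER_ADDRESSES).items():
        print(f"stale DNS for {host}: {bad}")
```

To reproduce what the validator saw, drop a test file under /.well-known/acme-challenge/ in the webroot and fetch it from another machine with `curl -4` and then `curl -6`; a 404 on one address family and a hit on the other is the same symptom as in the thread. Feed `stale_addresses` the records from every zone that can answer for the name, not just the control panel's, since in this thread the leftover AAAA record lived in the provider's DNS rather than in Virtualmin.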

Hi, thanks for the quick reply, Griffin.

When I disabled IPv6 I made sure there were no DNS records for it. I have just pulled up the records again to be certain and there are no AAAA records.

These changes were done days ago too, unless Linode nodes do DNS in an odd way that I haven't had before on VPS and co-hosted servers, which is entirely possible :smiley:


Better think again... :wink:


You made me think actually...

Linode nodes do have their own DNS section for some reason; it's something I have never looked at since I set up the node.

In any case, thank you VERY much. I was completely baffled, but yeah, IPv6 records were still in place in the node rather than the cPanel.

Another renewal, all completed. :smiley:


Did you get all the subdomains to certify with no A/AAAA records?

I only see a certificate for the apex domain (colonelboom.co.uk).


I have not done the mail subdomain yet; the rest I don't use. I'll give mail a go at some point and see if it goes through.


You really want the certificate you just created to also include the www subdomain. You have a redirect in place, but the 302 should be a 301.


The other option is to do what I do and just remove the www entirely from operation. Deleting the A record for www.colonelboom.co.uk is the easiest start.


The redirect will eventually show an error.


The www. will have been used up to a few months ago, which is probably why it's still in place. As you say, the easiest way being to delete the record, I just did that. Thanks again.


You're very welcome. :slightly_smiling_face:


I read that, and not being familiar, thought...
Wouldn't that have included a simple option to obtain certs?
