Detail: DNS problem: NXDOMAIN looking up A

Help
1

I tried to renew my certificate today using:
sudo certbot --nginx -d attend-classe.com -d www.attend-class.com
www went fine but got an error for attend-class.com
It used to work before I tried to renew. Not I get a warning message when I try to access.
since it worked before fine, I assume I have the A record setup but something went wrong when I tried to renew the certificate today. Please help.

My domain is: attend-class.com

I ran this command: sudo certbot --nginx -d attend-classe.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for attend-classe.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. attend-classe.com (http-01): urn:acme:error:dns :: DNS problem: NXDOMAIN looking up A for attend-classe.com

IMPORTANT NOTES:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:
linode.com

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

2

Hi @jasemq

your domain has two dns-records - ipv4 and ipv6. But they produce different outputs.

Perhaps your provider added a ipv6 address and you have no configuration.

Do you have something like

listen [::]:80

in your config?

5

There was a typo in the domain name :man_facepalming:t2:
Thanks for your help :pray:t2::rose:

1 Like
6

Yep, I see - own selective perception :wink: class versus classe.

7

Did you once already got a certificate for those hostnames? Because the most easy way to do renewal is just to run certbot renew.

8

I’m really new at this. Thanks, I will put that next time :pray:t2:

9

I’m using ubuntu 16.04. Do you know if I can setup auto-renewal on this system please? I tried and read several tutorials but couldn’t :man_shrugging:t2:

10

Sure? You have created these certificates:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:attend-class.com&lu=cert_search

2018-06-12
2018-06-23
2018-08-22

with two names. Did you create the last manual? The automatic renew starts, when the certificate is 60 days old. So the certificate created 2018-08-22 is not old enough to renew, so Certbot renew wouldn't do something.

11

It used to email me a warning to renew the certificate and I connect and do it manually, I guess. I followed the instructions in this page:

But when I tried sudo certbot renew --dry-run to test if everything is setup well to automatically renew, but I get the following errors:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/attend-class.com.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for attend-class.com
http-01 challenge for www.attend-class.com
Waiting for verification…
Cleaning up challenges

new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/attend-class.com/fullchain.pem

Processing /etc/letsencrypt/renewal/www.attend-class.com.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Attempting to renew cert (www.attend-class.com) from /etc/letsencrypt/renewal/www.attend-class.com.conf produced an unexpected error: Deserialization error: Could not decode ‘status’ (‘ready’): Deserialization error: Status not recognized. Skipping.

Processing /etc/letsencrypt/renewal/attend-class.com-0001.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Attempting to renew cert (attend-class.com-0001) from /etc/letsencrypt/renewal/attend-class.com-0001.conf produced an unexpected error: Deserialization error: Could not decode ‘status’ (‘ready’): Deserialization error: Status not recognized. Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/www.attend-class.com/fullchain.pem (failure)
/etc/letsencrypt/live/attend-class.com-0001/fullchain.pem (failure)

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

The following certs were successfully renewed:
/etc/letsencrypt/live/attend-class.com/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/www.attend-class.com/fullchain.pem (failure)
/etc/letsencrypt/live/attend-class.com-0001/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

2 renew failure(s), 0 parse failure(s)
jasem@localhost:~$

12

Your Certbot is too old. The "ready" state is new, so update your Certbot.

PS: Look there

Productive - 2018-07-05

13

I updated certbot and ran sudo certbot renew --dry-run and got the following, does this mean I’m all set? will it renew automatically from now on? :slightly_smiling_face:

Processing /etc/letsencrypt/renewal/attend-class.com.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for attend-class.com
http-01 challenge for www.attend-class.com
Waiting for verification…
Cleaning up challenges

new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/attend-class.com/fullchain.pem

Processing /etc/letsencrypt/renewal/www.attend-class.com.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.attend-class.com
Waiting for verification…
Cleaning up challenges

new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/www.attend-class.com/fullchain.pem

Processing /etc/letsencrypt/renewal/attend-class.com-0001.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for attend-class.com
Waiting for verification…
Cleaning up challenges

new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/attend-class.com-0001/fullchain.pem

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/attend-class.com/fullchain.pem (success)
/etc/letsencrypt/live/www.attend-class.com/fullchain.pem (success)
/etc/letsencrypt/live/attend-class.com-0001/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

14

Now all looks good.

But you can use

certbot delete --cert-name ...

because you have three certificates: One with www + non-www, one only with www, one only with non-www. You don't need the second and the third certificate.

Use

Certbot certificates

to see the names used with delete. Then the certificates are removed and not renewed.

And you should use the certificate with two names.

https://www.attend-class.com/

is invalid - SSL_ERROR_BAD_CERT_DOMAIN, the certificate has only attend-class.com as name.

15

There's no reason to keep the second and third certificate. You can just use the first (/etc/letsencrypt/live/attend-class.com/fullchain.pem) because it covers the bare domain name, as wel as the www subdomain.

I'm actually quite interested in how your nginx configuration looks with these overlapping certificates :sweat:

16

I deleted the second and third certificate. But it broke it for www.attend-class.com. when I type www.attend-class.com the browser gives me a warning. also renew gives me error now. any suggestion please? :pray:t2:

sudo certbot certificates:
Found the following certs:
Certificate Name: attend-class.com
Domains: attend-class.com www.attend-class.com
Expiry Date: 2018-11-20 11:24:42+00:00 (VALID: 72 days)
Certificate Path: /etc/letsencrypt/live/attend-class.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/attend-class.com/privkey.pem

sudo certbot renew --dry-run:

Processing /etc/letsencrypt/renewal/attend-class.com.conf

Cert not due for renewal, but simulating renewal for dry run
Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/attend-class.com-0001/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(’/etc/letsencrypt/live/attend-class.com-0001/fullchain.pem’,‘r’) error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

Could not choose appropriate plugin: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError(‘Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] BIO_new_file("/etc/letsencrypt/live/attend-class.com-0001/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(’/etc/letsencrypt/live/attend-class.com-0001/fullchain.pem’,‘r’) error:2006D080:BIO routines:BIO_new_file:no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n’,)
Attempting to renew cert (attend-class.com) from /etc/letsencrypt/renewal/attend-class.com.conf produced an unexpected error: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError(‘Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] BIO_new_file("/etc/letsencrypt/live/attend-class.com-0001/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(’/etc/letsencrypt/live/attend-class.com-0001/fullchain.pem’,‘r’) error:2006D080:BIO routines:BIO_new_file:no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n’,). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/attend-class.com/fullchain.pem (failure)

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/attend-class.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

17

I deleted them and ran into trouble detailed in the previous reply. this is my first project ever and I’m not so sure what I’m doing :sweat:
help is very appreciated :pray:t2:

18

Your nginx probably used those (not really necessary) certificates for some reason. I guess the certbot delete command didn't "know" this (although the installation phase did use the nginx installer) and left the references to the deleted files intact.

You should check your nginx configuration file manually for references to the deleted certificates.

20

Please tell me if you need me to post the settings.

thank you for the advice. I changed the certificate name in /etc/nginx/sites-available/attend-class by removing -0001 from the name. The site is back online now and certbot renew --dry-run gives me this:
Processing /etc/letsencrypt/renewal/attend-class.com.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for attend-class.com
http-01 challenge for www.attend-class.com
Waiting for verification...
Cleaning up challenges

new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/attend-class.com/fullchain.pem

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/attend-class.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

Am I all set? :slightly_smiling_face:

1 Like
21

Seems to me you are.

Have you checked you've got a systemd timer or cronjob for the certbot renew installed?

22

Do I setup the timer manually or should certbot set it up?

23

@JuergenAuer I am having this same problem with my domain osframework.org

I do get this message:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for osframework.org
http-01 challenge for www.osframework.org
nginx: [warn] conflicting server name "osframework.org" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.osframework.org" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "osframework.org" on [::]:80, ignored
nginx: [warn] conflicting server name "www.osframework.org" on [::]:80, ignored