I’m running automatic renewal for SSL using LetsEncrypt on a server that has about 26 sites on it. Things have been running very smoothly, but I’m just now seeing a new error that hasn’t come up before on a domain that has been fine for the past few months:
Here is a snippet from the error log:
Detail: DNS problem: networking error looking up CAA for com
2018-10-26 01:01:33,317:INFO:certbot.auth_handler:Cleaning up challenges
2018-10-26 01:01:34,324:INFO:certbot.hooks:Running post-hook command: systemctl start apache2
2018-10-26 01:01:35,554:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.21.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1240, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 994, in run
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 113, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 297, in renew_cert
    new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 318, in obtain_certificate
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 81, in get_authorizations
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 138, in _respond
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 202, in _poll_challenges
certbot.errors.FailedChallenges: Failed authorization procedure. www.artisanbakeryexpo.com (tls-sni-01): urn:acme:error:dns :: DNS problem: networking error looking up CAA for com
I’ve verified that the DNS settings for this domain are set up the same as others on the site on the server.
Hi @JuergenAuer - that’s odd, we have auto-updates on and it seems that 0.21.1 is the latest; Ubuntu is pulling that version from the repo.
As for tls-sni-01, I believe we changed to http-01 validation, so I’m not sure why it’s still trying to use tls-sni-01. Could this be because the original certs were requested using tls-sni-01 so it’s continuing to use that validation?