DNS Error to renew certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: support.metavonics.com

I ran this command: certbot renew --dry-run

It produced this output:


Processing /etc/letsencrypt/renewal/support.metavonics.com.conf


Simulating renewal of an existing certificate for support.metavonics.com

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: support.metavonics.com
Type: dns
Detail: DNS problem: server failure at resolver looking up A for support.metavonics.com; no valid AAAA records found for support.metavonics.com

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Failed to renew certificate support.metavonics.com with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/support.metavonics.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

My web server is (include version): nginx/1.18.0

The operating system my web server runs on is (include version): Ubuntu 22.04.5 LTS

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0


Welcome to the Let's Encrypt Community.

You need to make your server accessible via HTTP on port 80.


Hi,

Thanks for your reply.

My web server is accessible on 8080 and 443.

If it runs on port 80, I have an error:

Failed to renew certificate support.metavonics.com with error: Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/support.metavonics.com/fullchain.pem (failure)

If I want to renew it, I have to stop nginx, launch certbot and restart nginx. For automation, that is not very good.

I tested a few minutes ago (with ports 8080 and 443) and it worked:
certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/support.metavonics.com.conf


Simulating renewal of an existing certificate for support.metavonics.com


Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/support.metavonics.com/fullchain.pem (success)


Let's see what might be using port 80.
Show the output of:
ss -plnt | grep 80
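
An added example, not part of the original reply: shell functions that read the authenticator from a certbot renewal config and match port 80 exactly in `ss -plnt` output, so a listener on 8080 is not counted as one on 80. The function names, the sample config and the sample `ss` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; all sample inputs are constructed, not captured from the thread's host.

# Read a certbot renewal config on stdin and print its authenticator.
renewal_authenticator() {
    awk -F= '/^[ \t]*authenticator[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Read `ss -plnt` output on stdin; print each process listening on exactly TCP port $1.
listeners_on_port() {
    awk -v port="$1" '$1 == "LISTEN" {
        n = split($4, a, ":")            # local address: 0.0.0.0:80, [::]:80, *:80
        if (a[n] != port) next           # exact match: 8080 is not 80
        name = "unknown"                 # process column is empty without root
        if (match($0, /users:\(\("[^"]+"/)) name = substr($0, RSTART + 9, RLENGTH - 10)
        if (!seen[name]++) print name
    }'
}

# $1 = authenticator, $2 = listener names on port 80 (empty if none).
# Inbound reachability through the firewall is a separate check.
diagnose() {
    case "$1:$2" in
        standalone:)   echo "free: certbot can bind port 80 itself" ;;
        standalone:*)  echo "conflict: port 80 held by $2" ;;
        webroot:|nginx:|apache:) echo "no-listener: nothing on port 80 for HTTP-01" ;;
        *)             echo "no-conflict" ;;
    esac
}

# Constructed renewal config fragment.
SAMPLE_CONF='[renewalparams]
authenticator = standalone'

# Constructed `ss -plnt` output: nginx bound to port 80.
SS_NGINX_80='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 511 0.0.0.0:80  0.0.0.0:* users:(("nginx",pid=812,fd=6),("nginx",pid=811,fd=6))
LISTEN 0 511 [::]:80     [::]:*    users:(("nginx",pid=812,fd=7))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=812,fd=8))'

# Constructed `ss -plnt` output: nginx moved to 8080, port 80 free.
SS_NGINX_8080='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 511 0.0.0.0:8080 0.0.0.0:* users:(("nginx",pid=812,fd=6))
LISTEN 0 511 0.0.0.0:443  0.0.0.0:* users:(("nginx",pid=812,fd=8))'

auth=$(printf '%s\n' "$SAMPLE_CONF" | renewal_authenticator)
for sample in "$SS_NGINX_80" "$SS_NGINX_8080"; do
    diagnose "$auth" "$(printf '%s\n' "$sample" | listeners_on_port 80)"
done
```

On a real host, feed the functions live data instead of the samples: `ss -plnt | listeners_on_port 80` (as root, so the process column is populated) and `renewal_authenticator < /etc/letsencrypt/renewal/support.metavonics.com.conf`.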


Most likely


Hi @IT-META,

As others have mentioned, Port 80 is not accessible.

Using nmap I see Port 80 is closed.

$ nmap -Pn -p80,443 support.metavonics.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-10-11 21:37 UTC
Nmap scan report for support.metavonics.com (135.125.206.250)
Host is up (0.16s latency).
rDNS record for 135.125.206.250: vps-3e7e8fa9.vps.ovh.net

PORT    STATE  SERVICE
80/tcp  closed http
443/tcp open   https

Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds

Edit

And as @linkp demonstrated, DNS seems fine;
however, here is supplemental information that shows it is looking OK.

$ nslookup -q=any support.metavonics.com ns1085.ui-dns.biz.
Server:         ns1085.ui-dns.biz.
Address:        217.160.81.85#53

Name:   support.metavonics.com
Address: 135.125.206.250
support.metavonics.com  rdata_257 = 0 issue "letsencrypt.org"
$ nslookup -q=any support.metavonics.com ns1083.ui-dns.com.
Server:         ns1083.ui-dns.com.
Address:        217.160.82.83#53

Name:   support.metavonics.com
Address: 135.125.206.250
support.metavonics.com  rdata_257 = 0 issue "letsencrypt.org"
$ nslookup -q=any support.metavonics.com ns1075.ui-dns.org.
Server:         ns1075.ui-dns.org.
Address:        217.160.83.75#53

Name:   support.metavonics.com
Address: 135.125.206.250
support.metavonics.com  rdata_257 = 0 issue "letsencrypt.org"
$ nslookup -q=any support.metavonics.com ns1068.ui-dns.de.
Server:         ns1068.ui-dns.de.
Address:        217.160.80.68#53

Name:   support.metavonics.com
Address: 135.125.206.250
support.metavonics.com  rdata_257 = 0 issue "letsencrypt.org"
