Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: trosen.defman.no

I ran this command: /usr/bin/certbot -v renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/trosen.defman.no.conf

Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate for trosen.defman.no
Performing the following challenges:
http-01 challenge for trosen.defman.no
Waiting for verification...
Challenge failed for domain trosen.defman.no
http-01 challenge for trosen.defman.no

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: trosen.defman.no
Type: dns
Detail: DNS problem: looking up A for trosen.defman.no: DNSSEC: RRSIGs Missing; no valid AAAA records found for trosen.defman.no

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Failed to renew certificate trosen.defman.no with error: Some challenges have failed.

All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/trosen.defman.no/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

My web server is (include version):
nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
Distributor ID: Ubuntu
Description: Ubuntu 22.04.4 LTS
Release: 22.04
Codename: jammy

My hosting provider, if applicable, is:
fastname.no

I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.10.0

Hmm. Unboundtest agrees that it isn't getting the signatures, but DNSViz seems to see them. There's something odd going on but I don't know as I'll be able to help.

Can you share more about how your DNS is set up? Have you just recently enabled DNSSEC? It looks like you've been getting certs successfully for quite a while, has anything else changed in the last few months on your side? Let's Encrypt has added more validation perspectives recently, but I don't think that's related here.

It seems the IP is within the block 100.64.0.0/10
[SHARED-ADDRESS-SPACE-RFC6598-IANA-RESERVED]
Let's Debug (letsdebug.net)

Ah! That's almost definitely it. The Unbound config is stripping the private IP from the response, which is why the DNSSEC is broken. This is one of the times that the error message is very misleading.

You need a public IP in order to use HTTP-01 (and for the public to visit the site). If it's intended to be a private server, then you need to switch to DNS-01.

a.k.a.

CGNAT

Asking my ISP to move me to a loopback where I would receive a public dhcp solved the problem

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.