My domain is: wageindicator.org
I ran this command:
certbot certonly --webroot -w /var/www/acme-challenge/ --cert-name wageindicator.org -d wageindicator.org -d euroccupations.org -d wageindex.eu -d workindicators.com -d www.euroccupations.org -d www.wageindex.eu -d www.wageindicator.org -d www.workindicators.com
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/wageindicator.org.conf)
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for euroccupations.org
http-01 challenge for wageindex.eu
http-01 challenge for wageindicator.org
http-01 challenge for workindicators.com
http-01 challenge for www.euroccupations.org
http-01 challenge for www.wageindex.eu
http-01 challenge for www.wageindicator.org
http-01 challenge for www.workindicators.com
Using the webroot path /var/www/acme-challenge for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. wageindicator.org (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up CAA for wageindicator.org - the domain's nameservers may be malfunctioning, www.wageindicator.org (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up CAA for wageindicator.org - the domain's nameservers may be malfunctioning
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: wageindicator.org
Type: None
Detail: DNS problem: SERVFAIL looking up CAA for wageindicator.org
- the domain's nameservers may be malfunctioning
Domain: www.wageindicator.org
Type: None
Detail: DNS problem: SERVFAIL looking up CAA for wageindicator.org
- the domain's nameservers may be malfunctioning
root@ciney:/etc/letsencrypt/renewal# certbot certonly --webroot -w /var/www/acme-challenge/ --cert-name wageindicator.org -d wageindicator.org -d euroccupations.org -d wageindex.eu -d workindicators.com -d www.euroccupations.org -d www.wageindex.eu -d www.workindicators.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are updating certificate wageindicator.org to include new domain(s):
(None)
You are also removing previously included domain(s):
- www.wageindicator.org
Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate cert/(C)ancel: u
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for wageindicator.org
Using the webroot path /var/www/acme-challenge for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Running deploy-hook command: systemctl reload nginx
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/wageindicator.org.conf/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/wageindicator.org.conf/privkey.pem
Your cert will expire on 2021-12-14. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
My web server is (include version): nginx/1.14.2
The operating system my web server runs on is (include version): Debian GNU/Linux 10 (buster)
My hosting provider, if applicable, is: VPS uses linode.com (hostname ciney.wageindicator.org), DNS is managed at openprovider.eu
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): n/a
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0
When I run the certbot command without www.wageindicator.org the certificates get renewed:
certbot certonly --webroot -w /var/www/acme-challenge/ --cert-name wageindicator.org -d wageindicator.org -d euroccupations.org -d wageindex.eu -d workindicators.com -d www.euroccupations.org -d www.wageindex.eu -d www.workindicators.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are updating certificate wageindicator.org to include new domain(s):
(None)
You are also removing previously included domain(s):
- www.wageindicator.org
Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate cert/(C)ancel: u
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for wageindicator.org
Using the webroot path /var/www/acme-challenge for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Running deploy-hook command: systemctl reload nginx
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/wageindicator.org.conf/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/wageindicator.org.conf/privkey.pem
Your cert will expire on 2021-12-14. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
I did try to search for this problem related to DNS CAA and have read this doc: Certificate Authority Authorization (CAA) - Let's Encrypt. We don't have CAA enabled for wageindicator.org. I tried debugging this error using several sites which analyze DNS records, and ran several dig commands, but could not find what exactly is wrong.
Several sites I've used to find out what is wrong:
https://unboundtest.com/m/CAA/wageindicator.org/ZU7U2L2K
https://dnssec-debugger.verisignlabs.com/www.wageindicator.org
https://dnsviz.net/d/wageindicator.org/dnssec/
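
Added example, not part of the original post and not Let's Encrypt's or Certbot's code: a simplified model of the CAA tree-climbing lookup from RFC 8659. It shows why the error for www.wageindicator.org names the parent wageindicator.org, and why a SERVFAIL blocks issuance even when no CAA record is published. The function names and the resolver answers are assumptions constructed for illustration.

```python
# Added illustration: simplified model of RFC 8659 CAA processing.
# The resolver answers below are constructed, not real DNS data.
SERVFAIL, NOERROR = "SERVFAIL", "NOERROR"

def climb(fqdn):
    """Names queried for CAA, leaf first, up to the TLD (RFC 8659, section 3)."""
    labels = fqdn.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def caa_check(fqdn, lookup, ca="letsencrypt.org"):
    """Return (allowed, reason); lookup(name) -> (rcode, [(tag, value), ...])."""
    for name in climb(fqdn):
        rcode, rrset = lookup(name)
        if rcode == SERVFAIL:
            # A failed lookup is not the same as "no CAA record": the CA
            # cannot rule out a restricting record, so it refuses to issue.
            return False, f"SERVFAIL looking up CAA for {name}"
        if rrset:
            # First non-empty RRset is the relevant one; climbing stops here.
            issuers = [v.split(";")[0].strip() for t, v in rrset if t == "issue"]
            if issuers and ca not in issuers:
                return False, f"CAA at {name} does not authorize {ca}"
            return True, f"CAA at {name} permits {ca}"
    return True, "no CAA RRset at any level"

# Constructed answers: every name not listed returns NOERROR with no records.
CONSTRUCTED = {
    "wageindicator.org": (SERVFAIL, []),
    "restricted.example": (NOERROR, [("issue", "ca.example")]),
}

def fake_lookup(name):
    return CONSTRUCTED.get(name, (NOERROR, []))

if __name__ == "__main__":
    for d in ("wageindicator.org", "www.wageindicator.org",
              "www.wageindex.eu", "www.restricted.example"):
        print(d, "->", caa_check(d, fake_lookup))
```
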