DNS resolvers in letsencrypt return incorrect result

My domain is: assets.sil.ph

I ran this command: certbot-auto renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/assets.sil.ph.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for assets.sil.ph
Waiting for verification...
Challenge failed for domain assets.sil.ph
http-01 challenge for assets.sil.ph
Cleaning up challenges
Attempting to renew cert (assets.sil.ph) from /etc/letsencrypt/renewal/assets.sil.ph.conf produced an unexpected error: Some challenges have failed.. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/gear.sil.ph.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/gear.silph.gg.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/gear.thesilphroad.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/league-assets.sil.ph.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/sil.ph.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/thesilphroad.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.silphleague.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for silphleague.com
http-01 challenge for www.silphleague.com
Waiting for verification...
Challenge failed for domain silphleague.com
Challenge failed for domain www.silphleague.com
http-01 challenge for silphleague.com
http-01 challenge for www.silphleague.com
Cleaning up challenges
Attempting to renew cert (www.silphleague.com) from /etc/letsencrypt/renewal/www.silphleague.com.conf produced an unexpected error: Some challenges have failed.. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.thesilphroad.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/assets.sil.ph/fullchain.pem (failure)
  /etc/letsencrypt/live/www.silphleague.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/gear.sil.ph/fullchain.pem expires on 2019-08-17 (skipped)
  /etc/letsencrypt/live/gear.silph.gg/fullchain.pem expires on 2019-08-17 (skipped)
  /etc/letsencrypt/live/gear.thesilphroad.com/fullchain.pem expires on 2019-08-17 (skipped)
  /etc/letsencrypt/live/league-assets.sil.ph/fullchain.pem expires on 2019-09-29 (skipped)
  /etc/letsencrypt/live/sil.ph/fullchain.pem expires on 2019-09-29 (skipped)
  /etc/letsencrypt/live/thesilphroad.com/fullchain.pem expires on 2019-08-17 (skipped)
  /etc/letsencrypt/live/www.thesilphroad.com/fullchain.pem expires on 2019-08-17 (skipped)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/assets.sil.ph/fullchain.pem (failure)
  /etc/letsencrypt/live/www.silphleague.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: assets.sil.ph
   Type:   unauthorized
   Detail: Invalid response from
   https://assets.sil.ph/.well-known/acme-challenge/3zqyJrx1NtuKCeXt6i45C7hnEbSO2BmP02FewX0tXYk/
   [104.196.197.94]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
   Not Found</h1></center>\r\n<hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: silphleague.com
   Type:   unauthorized
   Detail: Invalid response from
   https://silphleague.com/.well-known/acme-challenge/Z2j15UDjgoM3Nj_Gm6W2uVxkK1JAaQSecoge5zlmofU
   [35.237.53.78]: 404

   Domain: www.silphleague.com
   Type:   unauthorized
   Detail: Invalid response from
   https://www.silphleague.com/.well-known/acme-challenge/w5q5dakLIXTGdYbianvMwPgIP5nyG_oK9PIA5eY03QE
   [35.237.53.78]: 404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): haproxy 1.6.14 & nginx 1.4.6

The operating system my web server runs on is (include version): Ubuntu 14.04

My hosting provider, if applicable, is: Google Compute Platform

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.35.1

The DNS in letsencrypt resolvers is wrong. I’m not sure how to correct this.

$ dig +short @8.8.8.8 assets.sil.ph
104.196.197.94
$ dig +short @1.1.1.1 assets.sil.ph
104.196.197.94
$ dig +short @dns1.p07.nsone.net assets.sil.ph
104.196.197.94

However, it’s attempting to use 35.237.53.78 which is not in any of our Google accounts.

Hi @marcoceppi,

The host that Let’s Encrypt is trying to connect to here is silphleague.com (and www.silphleague.com), which does have the IP address in question. I think this connection was made as part of an attempt to renew a larger certificate covering several different domain names, which may be the source of the confusion.
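The attribution made in the reply above can be checked mechanically by pairing each `Domain:` line in certbot's error notes with the bracketed address the validation server contacted. This is an added example, not code from the thread or from certbot; the function names are illustrative, and the sample text is an abbreviated copy of the output in the question.

```python
import re

# Abbreviated copy of the question's error notes (tokens replaced by <token>).
NOTES = """\
   Domain: assets.sil.ph
   Type:   unauthorized
   Detail: Invalid response from
   https://assets.sil.ph/.well-known/acme-challenge/<token>/
   [104.196.197.94]: "<html>..."

   Domain: silphleague.com
   Type:   unauthorized
   Detail: Invalid response from
   https://silphleague.com/.well-known/acme-challenge/<token>
   [35.237.53.78]: 404

   Domain: www.silphleague.com
   Type:   unauthorized
   Detail: Invalid response from
   https://www.silphleague.com/.well-known/acme-challenge/<token>
   [35.237.53.78]: 404
"""
# A records the poster obtained with dig, as shown in the question.
DIG_RESULTS = {"assets.sil.ph": {"104.196.197.94"}}
IP_LINE = re.compile(r"^\s*\[([0-9A-Fa-f.:]+)\]:")  # IPv4 or IPv6 in brackets

def parse_failures(notes):
    """Return {domain: address the CA contacted} from certbot error notes."""
    contacted, domain = {}, None
    for line in notes.splitlines():
        stripped = line.strip()
        if stripped.startswith("Domain:"):
            domain = stripped.split(":", 1)[1].strip()
        elif domain and (m := IP_LINE.match(line)):
            contacted.setdefault(domain, m.group(1))
    return contacted

def domains_for_ip(contacted, ip):
    return sorted(d for d, seen in contacted.items() if seen == ip)

def compare_with_dns(contacted, resolved):
    """Classify each failed domain as 'match', 'mismatch' or 'unchecked'."""
    return {d: "unchecked" if d not in resolved
            else ("match" if ip in resolved[d] else "mismatch")
            for d, ip in contacted.items()}

if __name__ == "__main__":
    seen = parse_failures(NOTES)
    print(domains_for_ip(seen, "35.237.53.78"), compare_with_dns(seen, DIG_RESULTS))
```

On the thread's data, 35.237.53.78 is attributed only to silphleague.com and www.silphleague.com, while the address contacted for assets.sil.ph matches the dig results.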

Hi @marcoceppi

that domain already has a new certificate ( https://check-your-website.server-daten.de/?q=silphleague.com ):

CN=silphleague.com | 30.06.2019 | 28.09.2019 | expires in 88 days | silphleague.com, www.silphleague.com - 2 entries

So there is no need to renew that certificate.

Did you copy all configuration files from one to another server?

Then you must delete that certificate, which is no longer used.

certbot certificates

to see the name, then

certbot delete --cert-name [certificatename]

to delete.
