Error new certificate due to domain change to another server

I have changed a domain to another web server and it does not generate a new certificate for unknown reasons it is activated in another domain of the old server. I run the command /usr/local/bin/certbot-auto --apache , with the following error:

Domain: my-ebook.es
Type: connection
Detail: Fetching
https://camerweb.es.well-known/acme-challenge/wHFzCGqMpDYQ4tcpwoeFqb5M-V5e4fn7dFMMT6Kw0Qc:
Invalid host in redirect target “camerweb.es.well-known”. Check
webserver config for missing ‘/’ in redirect target.

I’ve been trying to fix it for two days. I have deleted all /etc/letsencrypt/live, /etc /letsencrypt/renewal folders from camerweb and generated a new certificate for camerweb but the error continues.

Any ideas please, as I intend to move 6 other domains in production to the new server.

Thank you.

Hi @chupi

read your error message. You have a redirect with a missing "/", so the created domain name is wrong.

There are checks of your domain - my-ebook.es - Make your website better - DNS, redirects, mixed content, certificates

Are these

Host T IP-Address is auth. ∑ Queries ∑ Timeout
my-ebook.es A 91.121.31.113 Roubaix/Hauts-de-France/France (FR) - OVH ISP Hostname: ns300398.ip-91-121-31.eu yes 1 0
AAAA 2001:41d0:1:7271::1 Bouxieres-aux-Dames/Grand Est/France (FR) - OVH SAS yes
www.my-ebook.es A 91.121.31.113 Roubaix/Hauts-de-France/France (FR) - OVH ISP Hostname: ns300398.ip-91-121-31.eu yes 1 0
AAAA 2001:41d0:1:7271::1 Bouxieres-aux-Dames/Grand Est/France (FR) - OVH SAS yes

your correct ip addresses?

There are redirects to https://camerweb.es, but the last redirect is wrong - Grade R:

https://camerweb.es.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de

Thanks for your quick response

On the old server I only have this redirect in httpd.conf:
Redirect permanent / https://camerweb.es

This IP 91.121.31.113 is from the old server and I already changed the DNS two days ago I don’t understand why it keeps showing up.

On the new server I have this redirect in httpd.conf:
Redirect permanent / https://my-ebook.es

The IPs of the new server are:
Las IPs del nuevo servidor son:
91.121.80.173
2001:41d0:1:7271::1

I would appreciate if you could teach me how to solve the problem. Thank you

Your zone definition is wrong. Read the output of the check:

Fatal: Inconsistency between delegation and zone. The set of NS records served by the authoritative name servers must match those proposed for the delegation in the parent zone.: ns.kimsufi.com (213.186.33.199): Delegation: ns.kimsufi.com,ns381524.ip-91-121-80.eu, Zone: ns.kimsufi.com,ns1.my-ebook.es,ns2.my-ebook.es,ns300398.ip-91-121-31.eu

Adding name servers is wrong if they are not delegated. So your old ip is visible.

Same with your redirect - there is no /.

I had unconfigured the DNS Bind server. I have fixed something but I don't know why the old ones keep appearing:

ns1.my-ebook.es
ns300398.ip-91-121-31.eu
ns2.my-ebook.es

Now I don't have them anywhere (I deleted them from the Domain Registrar three days ago). How can I find out who generates them?

The missing redirect “/” that you tell me refers to that it must be placed at the end of Redirect permanent / https://my-ebook.es, for example Redirect permanent / https://my-ebook.es/

Thank you for taking your time.

They're in the authoritative NS records on one or two of your DNS servers.

https://dnsviz.net/d/my-ebook.es/dnssec/

Your nameservers have different records in several ways.

There is a new check of your domain, ~~ one hour old - my-ebook.es - Make your website better - DNS, redirects, mixed content, certificates

Same problem:

Fatal: Inconsistency between delegation and zone. The set of NS records served by the authoritative name servers must match those proposed for the delegation in the parent zone.: ns.kimsufi.com (213.186.33.199): Delegation: ns.kimsufi.com,ns381524.ip-91-121-80.eu, Zone: ns.kimsufi.com,ns1.my-ebook.es,ns2.my-ebook.es,ns300398.ip-91-121-31.eu

Fatal: Inconsistency between delegation and zone. The set of NS records served by the authoritative name servers must match those proposed for the delegation in the parent zone.: ns.kimsufi.com (2001:41d0:3:1c7::1): Delegation: ns.kimsufi.com,ns381524.ip-91-121-80.eu, Zone: ns.kimsufi.com,ns1.my-ebook.es,ns2.my-ebook.es,ns300398.ip-91-121-31.eu

Your zone definition is wrong.

Your delegation:

my-ebook.es nameserver = ns.kimsufi.com
my-ebook.es nameserver = ns381524.ip-91-121-80.eu

Nothing else, remove these ns*.my-ebook.es ... entries.

This was my old configuration of /var/named/my-ebook.es.hosts:

$ttl 38400
@ IN SOA ns381524.ip-91-121-80.eu. root.ns381524.ip-91-121-80.eu. (
2016062193
10800
3600
604800
38400 )
@ IN NS ns381524.ip-91-121-80.eu.
@ IN NS ns.kimsufi.com.

I’ve left it like this:

$ttl 38400
@ IN SOA my-ebook.es. root.ns381524.ip-91-121-80.eu… (
2016062193
10800
3600
604800
38400 )

@ IN NS my-ebook.es.

But it keeps giving me errors, what am I doing wrong?

You use your own name server.

Use only the name servers of your dns provider.

Ok, in my DNS provider I had not deleted the secondary DNS of my-ebook.es. Yes now. Should I wait a while for it to update?

I use BIND to spread the DNS, on the old server I have not had any problem with these DNS:

@ IN NS ns300398.ip-91-121-31.eu.
@ IN NS ns.kimsufi.com.

Now on the new server I have left it like this:

$ ttl 38400
@ IN SOA ns381524.ip-91-121-80.eu. jesuscaceres.movistar.es. (
2016062193
10800
3600
604800
38400)

@ IN NS ns381524.ip-91-121-80.eu.
@ IN NS ns.kimsufi.com.
IN PTR my-ebook.es.
my-ebook.es. IN A 213.186.33.199
my-ebook.es. IN A 91.121.80.173
www.my-ebook.es. IN A 91.121.80.173
ftp.my-ebook.es. IN A 91.121.80.173
m.my-ebook.es. IN A 91.121.80.173
localhost.my-ebook.es. IN A 127.0.0.1
webmail.my-ebook.es. IN A 91.121.80.173
admin.my-ebook.es. IN A 91.121.80.173
mail.my-ebook.es. IN A 91.121.80.173
my-ebook.es. IN MX 5 mail.my-ebook.es.

It is right? Thank you for your patience

Hello again everyone,

Good news, finally I have managed to solve all the problems and I comment here what happened in case someone has the same incident and it is worth it to solve it.

Regarding DNS, ns1.my-ebook.es, ns300398.ip-91-121-31.eu and ns2.my-ebook.es

Despite the fact that in the control panel of my Domain Name Registrar Agent (Dondominio.com) I deleted them and wrote the new ns381524.ip-91-121-80.eu., ns.kimsufi.com. and they were accepted by the system, but due to some error in their system, they had no effect, so I had to open a ticket to the support informing of indecency. This morning they have corrected it manually and the DNS propagate normally.

Regarding the slash “/” in Redirect permanent / https://my-ebook.es in order to obtain the Let’s Encrypt certificate I had to comment the entire line: #Redirect permanent / https://my-ebook.es, to leave me issue the certificate. Once issued (I have done it through the command line and Virtualmin) I have put that line back and the test site works perfectly with HTTP2 and HTTPS.

Thank you all very much for your contributions,