Error new certificate due to domain change to another server

I have moved a domain to another web server and it does not generate a new certificate; for unknown reasons it is activated in another domain of the old server. I ran the command /usr/local/bin/certbot-auto --apache, with the following error:

Domain: my-ebook.es
Type: connection
Detail: Fetching
https://camerweb.es.well-known/acme-challenge/wHFzCGqMpDYQ4tcpwoeFqb5M-V5e4fn7dFMMT6Kw0Qc:
Invalid host in redirect target “camerweb.es.well-known”. Check
webserver config for missing ‘/’ in redirect target.

I’ve been trying to fix it for two days. I have deleted all the /etc/letsencrypt/live and /etc/letsencrypt/renewal folders for camerweb and generated a new certificate for camerweb, but the error continues.

Any ideas please, as I intend to move 6 other domains in production to the new server.

Thank you.

Hi @chupi

Read your error message. You have a redirect with a missing “/”, so the created domain name is wrong.

There are checks of your domain - https://check-your-website.server-daten.de/?q=my-ebook.es

Are these

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| my-ebook.es | A | 91.121.31.113 Roubaix/Hauts-de-France/France (FR) - OVH ISP Hostname: ns300398.ip-91-121-31.eu | yes | 1 | 0 |
| | AAAA | 2001:41d0:1:7271::1 Bouxieres-aux-Dames/Grand Est/France (FR) - OVH SAS | yes | | |
| www.my-ebook.es | A | 91.121.31.113 Roubaix/Hauts-de-France/France (FR) - OVH ISP Hostname: ns300398.ip-91-121-31.eu | yes | 1 | 0 |
| | AAAA | 2001:41d0:1:7271::1 Bouxieres-aux-Dames/Grand Est/France (FR) - OVH SAS | yes | | |

your correct ip addresses?

There are redirects to https://camerweb.es, but the last redirect is wrong - Grade R:

https://camerweb.es.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de

Thanks for your quick response

On the old server I only have this redirect in httpd.conf:
Redirect permanent / https://camerweb.es

This IP 91.121.31.113 is from the old server, and I already changed the DNS two days ago. I don’t understand why it keeps showing up.

On the new server I have this redirect in httpd.conf:
Redirect permanent / https://my-ebook.es

The IPs of the new server are:
91.121.80.173
2001:41d0:1:7271::1

I would appreciate if you could teach me how to solve the problem. Thank you

Your zone definition is wrong. Read the output of the check:

Fatal: Inconsistency between delegation and zone. The set of NS records served by the authoritative name servers must match those proposed for the delegation in the parent zone.: ns.kimsufi.com (213.186.33.199): Delegation: ns.kimsufi.com,ns381524.ip-91-121-80.eu, Zone: ns.kimsufi.com,ns1.my-ebook.es,ns2.my-ebook.es,ns300398.ip-91-121-31.eu

Adding name servers is wrong if they are not delegated. So your old ip is visible.

Same with your redirect - there is no /.

I had unconfigured the DNS Bind server. I have fixed something but I don’t know why the old ones keep appearing:

ns1.my-ebook.es
ns300398.ip-91-121-31.eu
ns2.my-ebook.es

Now I don’t have them anywhere (I deleted them from the Domain Registrar three days ago). How can I find out who generates them?

The missing redirect “/” that you tell me refers to that it must be placed at the end of Redirect permanent / https://my-ebook.es, for example Redirect permanent / https://my-ebook.es/

Thank you for taking your time.
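The redirect behaviour discussed in the posts above, as an added example that is not code from any participant in this thread: Apache's `Redirect` appends whatever follows the matched URL-path to the target verbatim, so a target without a trailing slash fuses the challenge path into the host name. The sample config is constructed from the two `Redirect` forms quoted in the thread; `TOKEN`, `audit` and `location_for` are hypothetical names.

```python
import re
from urllib.parse import urlsplit

# Constructed sample; both Redirect lines are the forms quoted in this thread.
SAMPLE_CONF = """\
# target without trailing slash
Redirect permanent / https://camerweb.es
# target with trailing slash
Redirect permanent / https://my-ebook.es/
"""
ACME_PATH = "/.well-known/acme-challenge/TOKEN"  # TOKEN is a placeholder

REDIRECT_RE = re.compile(
    r"^[ \t]*Redirect[ \t]+(?:(permanent|temp|seeother|\d{3})[ \t]+)?"
    r"(\S+)[ \t]+(\S+)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)


def location_for(source, target, request_path):
    """Model mod_alias Redirect: whatever follows the matched URL-path
    prefix is appended to the target verbatim."""
    if source.endswith("/"):
        if not request_path.startswith(source):
            return None
    elif request_path != source and not request_path.startswith(source + "/"):
        return None
    return target + request_path[len(source):]


def audit(conf_text, request_path=ACME_PATH):
    """Return, per active Redirect, the Location an ACME validation
    request would receive and whether its host is still the target's."""
    findings = []
    for m in REDIRECT_RE.finditer(conf_text):
        source, target = m.group(2), m.group(3)
        if not source.startswith("/"):
            continue  # e.g. "Redirect gone /path" has no target URL
        location = location_for(source, target, request_path)
        if location is None:
            continue
        findings.append({
            "directive": m.group(0).strip(),
            "location": location,
            "host_ok": urlsplit(location).hostname == urlsplit(target).hostname,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        print("OK " if f["host_ok"] else "BAD", f["directive"], "->", f["location"])
```

Commented-out directives are skipped, so a line disabled with `#` produces no finding.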

They’re in the authoritative NS records on one or two of your DNS servers.

https://dnsviz.net/d/my-ebook.es/dnssec/

Your nameservers have different records in several ways.

There is a new check of your domain, ~~ one hour old - https://check-your-website.server-daten.de/?q=my-ebook.es

Same problem:

Fatal: Inconsistency between delegation and zone. The set of NS records served by the authoritative name servers must match those proposed for the delegation in the parent zone.: ns.kimsufi.com (213.186.33.199): Delegation: ns.kimsufi.com,ns381524.ip-91-121-80.eu, Zone: ns.kimsufi.com,ns1.my-ebook.es,ns2.my-ebook.es,ns300398.ip-91-121-31.eu

Fatal: Inconsistency between delegation and zone. The set of NS records served by the authoritative name servers must match those proposed for the delegation in the parent zone.: ns.kimsufi.com (2001:41d0:3:1c7::1): Delegation: ns.kimsufi.com,ns381524.ip-91-121-80.eu, Zone: ns.kimsufi.com,ns1.my-ebook.es,ns2.my-ebook.es,ns300398.ip-91-121-31.eu

Your zone definition is wrong.

Your delegation:

my-ebook.es nameserver = ns.kimsufi.com
my-ebook.es nameserver = ns381524.ip-91-121-80.eu

Nothing else, remove these ns*.my-ebook.es … entries.
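The delegation-versus-zone check described in the posts above can be run offline against a zone file before a domain is moved. This is an added example, not output or code from the checking tools linked in this thread; the zone text is constructed to reproduce the NS set the checker reported, and `apex_ns` and `compare` are hypothetical names.

```python
# Constructed zone text: its apex NS set matches the "Zone:" list in the
# checker output quoted in this thread; SOA values are illustrative.
SAMPLE_ZONE = """\
$ttl 38400
@ IN SOA ns300398.ip-91-121-31.eu. root.my-ebook.es. (
        2016062193 10800 3600 604800 38400 )
@ IN NS ns.kimsufi.com.
@ IN NS ns1
        IN NS ns2.my-ebook.es.
@ IN NS ns300398.ip-91-121-31.eu.
www IN A 91.121.31.113
"""
DELEGATION = ["ns.kimsufi.com", "ns381524.ip-91-121-80.eu"]  # from the thread


def fqdn(name, origin):
    """Expand '@' and relative names against the zone origin."""
    name = name.lower()
    if name == "@":
        return origin
    return name[:-1] if name.endswith(".") else f"{name}.{origin}"


def apex_ns(zone_text, origin):
    """Collect NS targets owned by the zone apex from BIND zone-file text."""
    origin = origin.rstrip(".").lower()
    owner, depth, found = origin, 0, set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]            # drop comments
        inside = depth > 0                      # continuation of "( ... )"
        depth += line.count("(") - line.count(")")
        fields = line.split()
        if inside or not fields or fields[0].startswith("$"):
            continue
        if not raw[0].isspace():                # a new owner name is given
            owner = fqdn(fields[0], origin)
            fields = fields[1:]
        upper = [f.upper() for f in fields]
        if "NS" in upper and owner == origin:
            found.add(fqdn(fields[upper.index("NS") + 1], origin))
    return found


def compare(delegation, zone_ns):
    """Report name servers present on one side only."""
    deleg = {n.rstrip(".").lower() for n in delegation}
    return {"only_in_zone": sorted(zone_ns - deleg),
            "only_in_delegation": sorted(deleg - zone_ns)}


if __name__ == "__main__":
    print(compare(DELEGATION, apex_ns(SAMPLE_ZONE, "my-ebook.es")))
```

Both lists are empty when the zone's apex NS records match the delegation exactly.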

This was my old configuration of /var/named/my-ebook.es.hosts:

$ttl 38400
@ IN SOA ns381524.ip-91-121-80.eu. root.ns381524.ip-91-121-80.eu. (
2016062193
10800
3600
604800
38400 )
@ IN NS ns381524.ip-91-121-80.eu.
@ IN NS ns.kimsufi.com.

I’ve left it like this:

$ttl 38400
@ IN SOA my-ebook.es. root.ns381524.ip-91-121-80.eu… (
2016062193
10800
3600
604800
38400 )

@ IN NS my-ebook.es.

But it keeps giving me errors, what am I doing wrong?

You use your own name server.

Use only the name servers of your dns provider.

Ok, in my DNS provider I had not deleted the secondary DNS of my-ebook.es. Now I have. Should I wait a while for it to update?

I use BIND to spread the DNS, on the old server I have not had any problem with these DNS:

@ IN NS ns300398.ip-91-121-31.eu.
@ IN NS ns.kimsufi.com.

Now on the new server I have left it like this:

$ttl 38400
@ IN SOA ns381524.ip-91-121-80.eu. jesuscaceres.movistar.es. (
2016062193
10800
3600
604800
38400)

@ IN NS ns381524.ip-91-121-80.eu.
@ IN NS ns.kimsufi.com.
IN PTR my-ebook.es.
my-ebook.es. IN A 213.186.33.199
my-ebook.es. IN A 91.121.80.173
www.my-ebook.es. IN A 91.121.80.173
ftp.my-ebook.es. IN A 91.121.80.173
m.my-ebook.es. IN A 91.121.80.173
localhost.my-ebook.es. IN A 127.0.0.1
webmail.my-ebook.es. IN A 91.121.80.173
admin.my-ebook.es. IN A 91.121.80.173
mail.my-ebook.es. IN A 91.121.80.173
my-ebook.es. IN MX 5 mail.my-ebook.es.

Is it right? Thank you for your patience.

Hello again everyone,

Good news: I have finally managed to solve all the problems, and I am posting what happened here in case someone has the same incident and it helps them solve it.

Regarding DNS, ns1.my-ebook.es, ns300398.ip-91-121-31.eu and ns2.my-ebook.es

Even though I deleted them in the control panel of my domain registrar (Dondominio.com) and entered the new ns381524.ip-91-121-80.eu. and ns.kimsufi.com., and the system accepted them, due to some error in their system the change had no effect, so I had to open a support ticket reporting the incident. This morning they corrected it manually and the DNS is propagating normally.

Regarding the slash “/” in Redirect permanent / https://my-ebook.es: in order to obtain the Let’s Encrypt certificate I had to comment out the entire line (#Redirect permanent / https://my-ebook.es) to let me issue the certificate. Once it was issued (I have done it through the command line and Virtualmin) I put that line back, and the test site works perfectly with HTTP2 and HTTPS.

Thank you all very much for your contributions,
