Error renew certificates

devrhapp · April 30, 2025, 1:20pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: Mardonis

I ran this command: sudo certbot certonly --force-renewal -d dev-api.empreender55.com

It produced this output: How would you like to authenticate with the ACME CA?

1: Nginx Web Server plugin (nginx)

2: Runs an HTTP server locally which serves the necessary validation files under

the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP

server already running. HTTP challenge only (wildcards not supported).

(standalone)

3: Saves the necessary validation files to a .well-known/acme-challenge/

directory within the nominated webroot path. A separate HTTP server must be

running and serving files from the webroot path. HTTP challenge only (wildcards

not supported). (webroot)

Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1

Renewing an existing certificate for dev-api.empreender55.com

An unexpected error occurred:

Error finalizing order :: rechecking caa: During secondary validation: While processing CAA for dev-api.empreender55.com: DNS problem: SERVFAIL looking up CAA for dev-api.empreender55.com - the domain's nameservers may be malfunctioning

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

root@vmi2322898:/etc/nginx#

My web server is (include version):
nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
ubuntu 22

My hosting provider, if applicable, is:
dev-api.empreender55.com

I can login to a root shell on my machine (yes or no, or I don't know):
yes , only me

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 4.0.0

MikeMcQ · April 30, 2025, 1:30pm

Your DNS Server configuration has problems.

See: dev-api.empreender55.com | DNSViz

The test site https://unboundtest.com queries DNS similar to how Let's Encrypt does it

It gets SERVFAIL trying to query your DNS: https://unboundtest.com/m/A/dev-api.empreender55.com/VXKYNYKW

That error results from a REFUSED which is the same issue DNSViz describes in more details

Apr 30 13:27:09 unbound[22297:0] error: SERVFAIL <dev-api.empreender55.com. A IN>: all servers for this domain failed, at zone empreender55.com. from 108.167.132.33 got REFUSED

Osiris · April 30, 2025, 1:34pm

You have a perfectly fine and working certificate already, why are you trying to forcibly renew this certificate?

Please note that for testing purposes it's better to use --dry-run which a) uses the staging environment and b) makes Certbot always request a new authorization from the ACME server instead of using a valid cached one.

devrhapp · April 30, 2025, 2:43pm

Thank you very much for helpe me with this error.

devrhapp · April 30, 2025, 2:44pm

Thank you very much for helpe me this error

devrhapp · April 30, 2025, 2:45pm

Solution check the dns server

Topic		Replies	Views
Certificate renew Help	6	534	May 12, 2023
Failure to renew - or certonly Help	4	1277	January 13, 2019
Certificate renewal is failing with DNS Challenge Help	20	2097	March 17, 2022
Unable to renew cert Help	1	599	January 1, 2021
Cannot renew certificate Help	16	1167	May 15, 2021

Error renew certificates

Related topics