Error renewing certificates

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: empo-tech.it, epolenghi.it, forma.epolenghi.it, black-out-caffe.it

I ran this command: sudo /usr/local/bin/certbot-auto renew

It produced this output: Same output to all domains


Processing /etc/letsencrypt/renewal/empo-tech.it.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for empo-tech.it
Waiting for verification…
Challenge failed for domain empo-tech.it
http-01 challenge for empo-tech.it
Cleaning up challenges
Attempting to renew cert (empo-tech.it) from /etc/letsencrypt/renewal/empo-tech.it.conf produced an unexpected error: Some challenges have failed… Skipping.

My web server is (include version): Apache 2.4.29

The operating system my web server runs on is (include version): Linux Mint 19.1

My hosting provider, if applicable, is: server in house

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.36.0

The domains are configured as virtual hosts in Apache.
The sites are accessible and use Let’s Encrypt certificates installed with certbot-auto.

DNS is configured with a type A record for all domains.
The firewall routes ports 80 and 443 to the server.
The server can reach the internet.

Hi @Polenghi

the detailed error message is required.

Oh, what's that? Checking your domain the error is visible - https://check-your-website.server-daten.de/?q=empo-tech.it

Your ip addresses:

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| empo-tech.it | A | | yes | 1 | 0 |
| | AAAA | | yes | | |
| www.empo-tech.it | A | 79.19.220.212 Rome/Latium/Italy (IT) - INTERBUSINESS Hostname: host212-220-dynamic.19-79-r.retail.telecomitalia.it | yes | 1 | 0 |
| | AAAA | | yes | | |

You don't have an A record with empo-tech.it as domain name.

So you can't create a certificate with that domain name via http-01 validation.

Change your DNS setup - add the same ip address your www-version has -> to your non-www version.

Then recheck your domain, both rows should have an ip address.

Perhaps check your other domains with the same online tool to see if there is the same error.
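
A pre-renewal check for the failure diagnosed above, as an added example that is not part of the original thread or of Certbot: it confirms that every name on a certificate resolves to an address before an http-01 renewal is attempted. The function names and the sample zone are assumptions made for illustration.

```python
import socket
import sys

def system_resolver(name):
    """Addresses (A and AAAA) the local resolver returns for name."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def preflight(names, resolve=system_resolver, expected=None):
    """Map each name to (status, addresses) ahead of an http-01 renewal."""
    report = {}
    for name in names:
        addrs = set(resolve(name))
        if not addrs:
            status = "no-address"          # validation has nowhere to connect
        elif expected and not addrs & set(expected):
            status = "unexpected-address"  # resolves, but not to this server
        else:
            status = "ok"
        report[name] = (status, sorted(addrs))
    return report

def failing(report):
    """Names that would break the renewal."""
    return sorted(n for n, (status, _) in report.items() if status != "ok")

# Constructed sample mirroring the table above: www has an A record, the apex none.
SAMPLE_ZONE = {"www.empo-tech.it": {"79.19.220.212"}}

def sample_resolver(name):
    return SAMPLE_ZONE.get(name, set())

if __name__ == "__main__":
    names = sys.argv[1:]
    if names:
        report = preflight(names)  # live lookup via the system resolver
    else:
        report = preflight(["empo-tech.it", "www.empo-tech.it"], sample_resolver)
    for name, (status, addrs) in report.items():
        print(f"{name:25} {status:20} {', '.join(addrs) or '-'}")
    sys.exit(1 if failing(report) else 0)
```

Run the live lookup from a host outside the LAN, because `/etc/hosts` entries or internal DNS on an in-house server can answer for a name that public DNS does not.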

With the DNS correction the procedure worked.
It is a configuration that I cannot keep in production, I keep a note for the next renewal.

thanks a lot

Hi @Polenghi,

Please reconsider this as it sounds like a manual process and can leave your site(s) with an expired certificate should you forget the note during the next renewal period. Keep in mind that the certificates are only valid for 90 days.
