Error renewing certs with certbot renew --dry-run -v

My domain is: allenintech.com

I ran this command: certbot renew --dryrun -v

It produced this output:

My web server is (include version): Apache/2.4.48 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: Self-Hosting. I have full access to everything

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No Control panel. Using command line

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.23.0

One previous and first attempt went very well, no problem, except that the automatic renewal did not work. Therefore my certs expired and I attempted this command: certbot renew --dry-run -v. I have run certbot renew --dry-run -v with systemctl stop apache2 and systemctl restart/start. The following errors are generated.


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/actngop.org-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Failed to renew certificate actngop.org-0001 with error: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f0b41fa26d0>: Failed to establish a new connection: [Errno -2] Name or service not known'))

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/actngop.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewal configuration file /etc/letsencrypt/renewal/actngop.org.conf is broken.
The error was: expected /etc/letsencrypt/live/actngop.org/cert.pem to be a symlink
Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/allenintech.com-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Failed to renew certificate allenintech.com-0001 with error: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f0b41ff87c0>: Failed to establish a new connection: [Errno -2] Name or service not known'))

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/allenintech.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewal configuration file /etc/letsencrypt/renewal/allenintech.com.conf is broken.
The error was: expected /etc/letsencrypt/live/allenintech.com/cert.pem to be a symlink
Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/gitlabrunner.allenintech.com-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Failed to renew certificate gitlabrunner.allenintech.com-0001 with error: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f0b3f91b6a0>: Failed to establish a new connection: [Errno -2] Name or service not known'))

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/gitlabrunner.allenintech.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewal configuration file /etc/letsencrypt/renewal/gitlabrunner.allenintech.com.conf is broken.
The error was: expected /etc/letsencrypt/live/gitlabrunner.allenintech.com/cert.pem to be a symlink
Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/gitlabserver.allenintech.com-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Failed to renew certificate gitlabserver.allenintech.com-0001 with error: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f0b3f8eea30>: Failed to establish a new connection: [Errno -2] Name or service not known'))

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/gitlabserver.allenintech.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewal configuration file /etc/letsencrypt/renewal/gitlabserver.allenintech.com.conf is broken.
The error was: expected /etc/letsencrypt/live/gitlabserver.allenintech.com/cert.pem to be a symlink
Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/hishandstn.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewal configuration file /etc/letsencrypt/renewal/hishandstn.org.conf is broken.
The error was: expected /etc/letsencrypt/live/hishandstn.org/cert.pem to be a symlink
Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/kibana.allenintech.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Failed to renew certificate kibana.allenintech.com with error: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f0b3f7e1ca0>: Failed to establish a new connection: [Errno -2] Name or service not known'))

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/nextcloud.allenintech.com-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Failed to renew certificate nextcloud.allenintech.com-0001 with error: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f0b3f8a6d60>: Failed to establish a new connection: [Errno -2] Name or service not known'))

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/nextcloud.allenintech.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewal configuration file /etc/letsencrypt/renewal/nextcloud.allenintech.com.conf is broken.
The error was: expected /etc/letsencrypt/live/nextcloud.allenintech.com/cert.pem to be a symlink
Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.actngop.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewal configuration file /etc/letsencrypt/renewal/www.actngop.org.conf is broken.
The error was: expected /etc/letsencrypt/live/www.actngop.org/cert.pem to be a symlink
Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.elasticsearch.allenintech.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Failed to renew certificate www.elasticsearch.allenintech.com with error: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f0b3f8a61c0>: Failed to establish a new connection: [Errno -2] Name or service not known'))

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.kibana.allenintech.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Failed to renew certificate www.kibana.allenintech.com with error: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f0b3f7cde50>: Failed to establish a new connection: [Errno -2] Name or service not known'))

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/actngop.org-0001/fullchain.pem (failure)
  /etc/letsencrypt/live/allenintech.com-0001/fullchain.pem (failure)
  /etc/letsencrypt/live/gitlabrunner.allenintech.com-0001/fullchain.pem (failure)
  /etc/letsencrypt/live/gitlabserver.allenintech.com-0001/fullchain.pem (failure)
  /etc/letsencrypt/live/kibana.allenintech.com/fullchain.pem (failure)
  /etc/letsencrypt/live/nextcloud.allenintech.com-0001/fullchain.pem (failure)
  /etc/letsencrypt/live/www.elasticsearch.allenintech.com/fullchain.pem (failure)
  /etc/letsencrypt/live/www.kibana.allenintech.com/fullchain.pem (failure)

Additionally, the following renewal configurations were invalid: 
  /etc/letsencrypt/renewal/actngop.org.conf (parsefail)
  /etc/letsencrypt/renewal/allenintech.com.conf (parsefail)
  /etc/letsencrypt/renewal/gitlabrunner.allenintech.com.conf (parsefail)
  /etc/letsencrypt/renewal/gitlabserver.allenintech.com.conf (parsefail)
  /etc/letsencrypt/renewal/hishandstn.org.conf (parsefail)
  /etc/letsencrypt/renewal/nextcloud.allenintech.com.conf (parsefail)
  /etc/letsencrypt/renewal/www.actngop.org.conf (parsefail)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
8 renew failure(s), 7 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
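The "expected ... cert.pem to be a symlink" failures in the output above can be located on disk with a check like the following. This is an added example, not code from the thread or from Certbot; the function names and the sample tree are constructed, and it assumes the usual layout in which each renewal .conf names four paths under live/ that are symlinks into archive/.

```shell
#!/bin/sh
# Added example: function names and the sample tree are constructed.

# audit_renewal_confs LE_ROOT
# For every LE_ROOT/renewal/*.conf, read the cert/privkey/chain/fullchain paths
# and print "<lineage> <key> <problem>" for each path that is not a symlink
# to an existing file. Prints nothing for healthy lineages.
audit_renewal_confs() {
    le_root=$1
    for conf in "$le_root"/renewal/*.conf; do
        [ -f "$conf" ] || continue
        lineage=$(basename "$conf" .conf)
        for key in cert privkey chain fullchain; do
            # Conf lines look like: cert = /etc/letsencrypt/live/<lineage>/cert.pem
            path=$(sed -n "s/^$key[[:space:]]*=[[:space:]]*//p" "$conf" | head -n 1)
            if [ -z "$path" ]; then
                echo "$lineage $key no-path-in-conf"
            elif [ ! -L "$path" ] && [ -e "$path" ]; then
                echo "$lineage $key regular-file"      # e.g. copied without preserving links
            elif [ ! -L "$path" ]; then
                echo "$lineage $key missing"           # live/ entry gone, conf left behind
            elif [ ! -e "$path" ]; then
                echo "$lineage $key dangling-symlink"  # extra case: archive/ target is gone
            fi
        done
    done
}

# build_sample_tree: create a constructed letsencrypt-style tree in a
# temporary directory and print its path.
build_sample_tree() {
    root=$(mktemp -d)
    for name in good.example copied.example gone.example dangling.example; do
        mkdir -p "$root/renewal" "$root/archive/$name" "$root/live/$name"
        for key in cert privkey chain fullchain; do
            echo "placeholder" > "$root/archive/$name/${key}1.pem"
            ln -s "../../archive/$name/${key}1.pem" "$root/live/$name/$key.pem"
            echo "$key = $root/live/$name/$key.pem"
        done > "$root/renewal/$name.conf"
    done
    # Break three of the four lineages in different ways.
    for key in cert privkey chain fullchain; do
        rm "$root/live/copied.example/$key.pem"
        cp "$root/archive/copied.example/${key}1.pem" "$root/live/copied.example/$key.pem"
    done
    rm -r "$root/live/gone.example"
    rm -r "$root/archive/dangling.example"
    echo "$root"
}

sample=$(build_sample_tree)
audit_renewal_confs "$sample"
rm -rf "$sample"
```

On a real host the argument would be /etc/letsencrypt, run as root; the "regular-file" and "missing" results are the two conditions that produce the symlink message shown above.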

Welcome to the community @Anthon

Well, there look to be several things wrong. Let's start by ensuring your DNS is working right. The error you have below is often a comms problem:

[Errno -2] Name or service not known

Can you show result of these:

host acme-v02.api.letsencrypt.org
host acme-staging-v02.api.letsencrypt.org
host google.com
1 Like

Thanks! I appreciate you looking at this.
The results are:

# host acme-v02.api.letsencrypt.org
acme-v02.api.letsencrypt.org is an alias for prod.api.letsencrypt.org.
prod.api.letsencrypt.org is an alias for ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com has address 172.65.32.248
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com has IPv6 address 2606:4700:60:0:f53d:5624:85c7:3a2c
# host acme-staging-v02.api.letsencrypt.org
acme-staging-v02.api.letsencrypt.org is an alias for staging.api.letsencrypt.org.
staging.api.letsencrypt.org is an alias for 56a5f4b0bc8146689ec3e272c43525f9.pacloudflare.com.
56a5f4b0bc8146689ec3e272c43525f9.pacloudflare.com has address 172.65.46.172
56a5f4b0bc8146689ec3e272c43525f9.pacloudflare.com has IPv6 address 2606:4700:60:0:f41b:d4fe:4325:6026
# host google.com
google.com has address 64.233.185.102
google.com has address 64.233.185.100
google.com has address 64.233.185.138
google.com has address 64.233.185.139
google.com has address 64.233.185.101
google.com has address 64.233.185.113
google.com has IPv6 address 2607:f8b0:4002:c09::66
google.com has IPv6 address 2607:f8b0:4002:c09::71
google.com has IPv6 address 2607:f8b0:4002:c09::8b
google.com has IPv6 address 2607:f8b0:4002:c09::65
google.com mail is handled by 10 aspmx.l.google.com.
google.com mail is handled by 40 alt3.aspmx.l.google.com.
google.com mail is handled by 30 alt2.aspmx.l.google.com.
google.com mail is handled by 20 alt1.aspmx.l.google.com.
google.com mail is handled by 50 alt4.aspmx.l.google.com.

Can you explain a little more about the background? You have a very long Let's Encrypt cert history for actngop.org (I did not check others). Yet, you only mention two prior attempts which both went well.

I am wondering if you had much older versions of certbot and perhaps more recently upgraded to the snap version.

Also, can you show result of this:

 curl -I https://acme-v02.api.letsencrypt.org
3 Likes
# curl -I https://acme-v02.api.letsencrypt.org
HTTP/2 200 
server: nginx
date: Mon, 21 Feb 2022 03:29:26 GMT
content-type: text/html
content-length: 1651
last-modified: Wed, 05 Jan 2022 17:50:55 GMT
etag: "61d5da7f-673"
x-frame-options: DENY
strict-transport-security: max-age=604800

Do you want all of these certs to work or are you just concerned with allenintech.com?

Also, is there any more history with certbot you can describe? Never mind, I see your past posts here which cover this.

3 Likes

The previous curl response indicates server: nginx
My server is apache2

Trying: certbot --apache

certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: actngop.org
2: www.actngop.org
3: allenintech.com
4: gitlabrunner.allenintech.com
5: www.gitlabrunner.allenintech.com
6: gitlabserver.allenintech.com
7: www.gitlabserver.allenintech.com
8: kibana.allenintech.com
9: www.kibana.allenintech.com
10: nextcloud.allenintech.com
11: www.nextcloud.allenintech.com
12: www.allenintech.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/actngop.org-0001.conf)

It contains these names: actngop.org, www.actngop.org

You requested these names for the new certificate: actngop.org, www.actngop.org,
allenintech.com, gitlabrunner.allenintech.com, www.gitlabrunner.allenintech.com,
gitlabserver.allenintech.com, www.gitlabserver.allenintech.com,
kibana.allenintech.com, www.kibana.allenintech.com, nextcloud.allenintech.com,
www.nextcloud.allenintech.com, www.allenintech.com.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: 
 Domain: gitlabrunner.allenintech.com
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up A for gitlabrunner.allenintech.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for gitlabrunner.allenintech.com - the domain's nameservers may be malfunctioning

  Domain: gitlabserver.allenintech.com
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up A for gitlabserver.allenintech.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for gitlabserver.allenintech.com - the domain's nameservers may be malfunctioning

  Domain: kibana.allenintech.com
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up A for kibana.allenintech.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for kibana.allenintech.com - the domain's nameservers may be malfunctioning

  Domain: nextcloud.allenintech.com
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up A for nextcloud.allenintech.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for nextcloud.allenintech.com - the domain's nameservers may be malfunctioning

  Domain: www.allenintech.com
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up A for www.allenintech.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for www.allenintech.com - the domain's nameservers may be malfunctioning

  Domain: www.gitlabrunner.allenintech.com
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up A for www.gitlabrunner.allenintech.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for www.gitlabrunner.allenintech.com - the domain's nameservers may be malfunctioning

  Domain: www.gitlabserver.allenintech.com
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up A for www.gitlabserver.allenintech.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for www.gitlabserver.allenintech.com - the domain's nameservers may be malfunctioning

  Domain: www.kibana.allenintech.com
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up A for www.kibana.allenintech.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for www.kibana.allenintech.com - the domain's nameservers may be malfunctioning

  Domain: www.nextcloud.allenintech.com
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up A for www.nextcloud.allenintech.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for www.nextcloud.allenintech.com - the domain's nameservers may be malfunctioning

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://c

Yes, the previous request was to the Let's Encrypt servers which are nginx.

Did you run this latest certbot command from the same prompt you ran the prior host and curl requests I asked for?

Because this error is completely different than anything seen so far.

3 Likes

Yes I ran all the commands you asked for.

Well that makes no sense to me. The host command worked fine but now DNS lookups fail. And, they fail in a different way than your original post.

And, I am sorry but this is more involved than I wish to help with. Most of us are volunteers offering our experience and personal time for free.

I wish you good luck getting this sorted but I cannot commit the amount of time needed to assist.

3 Likes

No problem! Thanks for your effort @MikeMcQ. Have a great day!

2 Likes

Hi @Anthon
A serious problem exists here that needs to be resolved to get your cert(s).

DNS problem: SERVFAIL looking up A for gitlabrunner.allenintech.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for gitlabrunner.allenintech.com - the domain's nameservers may be malfunctioning

Is your nameserver's dns info even registered somewhere upstream from you?
What is the IP of NS1.ALLENINTECH.COM ?
It doesn't resolve to an address from where I sit.
Please advise.

3 Likes

Yes, the nameserver's info is registered upstream.
ns1.allenintech.com = 99.93.25.17

Now, I realized turning on DNSSEC may be the culprit :face_with_symbols_over_mouth:

Prior to turning on DNSSEC I had certs. When the certs expired, the auto update failed. I am assuming DNSSEC was the culprit, not in and of itself but my inexperience with DNSSEC. Attempting to cert renew resulted in everything failing.

Since DNSSEC/DNS is not the forte of Letsencrypt, you may have to bail. That is not a problem, sincerely, if you must bail. I understand completely.

However, when and if I get this worked out I'll remember to post and contribute back to the community to help someone else along the way.

@Anthon

from my perspective

host -a ns1.allenintech.com
Trying "ns1.allenintech.com"
Host ns1.allenintech.com not found: 2(SERVFAIL)

And if it were visible to the world wide web, the NS port is filtered so it isn't talking to the world.

PORT    STATE    SERVICE VERSION
53/tcp  filtered domain

Additionally, NS1 doesn't exist. BUT the IP is resolvable in a way.
Name:	99-93-25-17.uvs.knvltn.sbcglobal.net
Address: 99.93.25.17

Does exist.

Unless someone else here has any other input or ideas, I'm afraid you will have to contact your upstream provider to unravel this one.
Please Advise.

4 Likes
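Two explanations for the SERVFAIL are raised in this thread: the DNSSEC change, and a nameserver that does not answer from outside. The following added example (not from any poster) separates the two by asking a DNSSEC-validating resolver the same question with and without the CD (checking disabled) flag; the function names, the resolver argument and the sample dig headers are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample headers are constructed.

# rcode_from_dig: read dig output on stdin and print the response code
# taken from the ";; ->>HEADER<<-" line (empty if dig got no reply).
rcode_from_dig() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify_lookup RCODE_VALIDATING RCODE_WITH_CD
# First argument: rcode of a normal query to a validating resolver.
# Second argument: rcode of the same query with the CD flag set.
classify_lookup() {
    case "$1/$2" in
        NOERROR/*)         echo "resolves-with-validation" ;;
        SERVFAIL/NOERROR)  echo "dnssec-validation-failure" ;;
        SERVFAIL/SERVFAIL) echo "no-answer-from-authoritative-servers" ;;
        NXDOMAIN/*)        echo "name-does-not-exist" ;;
        *)                 echo "inconclusive" ;;
    esac
}

# triage_name NAME RESOLVER: live version (needs dig and network access).
# RESOLVER must be a resolver that performs DNSSEC validation.
triage_name() {
    v=$(dig +dnssec A "$1" "@$2" | rcode_from_dig)
    c=$(dig +dnssec +cdflag A "$1" "@$2" | rcode_from_dig)
    echo "$1 $(classify_lookup "$v" "$c")"
}

# Offline demonstration on constructed dig header lines: the answer is
# refused with validation on and returned with validation off.
sample_validating=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242'
sample_cd=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243'
demo_offline() {
    v=$(printf '%s\n' "$sample_validating" | rcode_from_dig)
    c=$(printf '%s\n' "$sample_cd" | rcode_from_dig)
    classify_lookup "$v" "$c"
}
demo_offline
```

A "dnssec-validation-failure" result points at the signing or DS records, while SERVFAIL on both queries points at nameservers that cannot be reached from the resolver, which is what the filtered port 53 observation above would produce.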