Failed auto-renewal on Unraid

#1

The auto-renew failed and I am trying to update my cert. I have installed certbot-auto. I have tried the command certbot certonly --cert-name but I received the following error:

Plugins selected: Authenticator standalone, Installer None
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cloud.life2photography.ca
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. cloud.life2photography.ca (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for cloud.life2photography.ca

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: cloud.life2photography.ca
    Type: None
    Detail: DNS problem: SERVFAIL looking up A for
    cloud.life2photography.ca

Here is my Cert information:


Found the following certs:
Certificate Name: cloud.life2photography.ca
Domains: cloud.life2photography.ca
Expiry Date: 2019-02-15 19:50:24+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/cloud.life2photography.ca/fullchain.pem
Private Key Path: /etc/letsencrypt/live/cloud.life2photography.ca/privkey.pem

#2

You need to fix the DNS issue first.

#3

Domain: life2photography.ca

life2photography.ca nameserver = ns10.wixdns.net
life2photography.ca nameserver = ns11.wixdns.net

Name: ns10.wixdns.net
Address: 216.239.36.100

Name: ns11.wixdns.net
Address: 216.239.38.100

When those IPs respond, they return:
cloud.life2photography.ca canonical name = l2prouter.asuscomm.com

Domain: asuscomm.com
Has only one name server:

asuscomm.com nameserver = ns1.asuscomm.com

Name: ns1.asuscomm.com
Address: 103.10.4.108

[all eggs in one (IP) basket]

When everything works, DNS should return:
Name: l2prouter.asuscomm.com
Address: 198.251.61.212
Aliases: cloud.life2photography.ca

My best advice is to work on improving the DNS in use or move to one that provides better DNS.
That said, you only need the cert renewal to work once within the last 30 days that it tries to renew (twice a day) to continue securely without expiration.
So from a certificate stance you should most likely have a valid cert all year long.
But you're not seeing the real problem here: You may be missing connections (sporadically) throughout the entire year from clients that can’t resolve your name to an IP (they are unable to reach your site).

#4

Hi @shaade

additional: This nameserver is buggy.

There is a red “U” ( https://check-your-website.server-daten.de/?q=cloud.life2photography.ca ).

asuscomm.com U ns1.asuscomm.com

Checked internally: the TCP connection to the nameserver crashed (I have to update more error messages).

#5

Uh, what’s that? I’ve updated my tool to see more details. Now the result:

X Fatal error: Nameserver doesn’t support TCP connection: ns1.asuscomm.com: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - No connection could be made because the target machine actively refused it 103.10.4.108

Your dns entries:

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| cloud.life2photography.ca | C | l2prouter.asuscomm.com | yes | 1 | 0 |
| | A | 198.251.61.212 | yes | | |
| www.cloud.life2photography.ca | | Name Error | yes | 1 | 0 |

So asuscomm is relevant.

There is a U:

l2prouter.asuscomm.com 	U  ns1.asuscomm.com
	103.10.4.108	

Perhaps the nameserver accepts one connection. But the next connection (with the same source ip address) is blocked.
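
Added example, not part of the original posts: a stdlib-only Python probe that sends the same A query to one authoritative server over UDP and then over TCP, the transport that post #5 reports as refused by ns1.asuscomm.com. The server IP and host name are the ones quoted in the thread; the function names are illustrative.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234, qtype=1):
    """Encode a minimal RFC 1035 query (QTYPE 1 = A) with recursion not requested."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN

def parse_header(msg):
    """Return (rcode name, truncated flag, answer count) from a DNS response."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return RCODES.get(rcode, str(rcode)), bool(flags & 0x0200), ancount

def probe(server_ip, name, tcp, timeout=5.0):
    """Query one authoritative server over UDP or TCP and return a status string."""
    query = build_query(name)
    try:
        if tcp:
            with socket.create_connection((server_ip, 53), timeout=timeout) as s, \
                    s.makefile("rb") as f:
                s.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix
                length = int.from_bytes(f.read(2), "big")
                reply = f.read(length)
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server_ip, 53))
                reply, _ = s.recvfrom(4096)
        rcode, truncated, answers = parse_header(reply)
        return f"{rcode} answers={answers} truncated={truncated}"
    except (OSError, ValueError) as exc:  # refused, timed out, or empty reply
        return f"FAILED: {exc}"

if __name__ == "__main__":
    # Values from the thread: the only nameserver for asuscomm.com and the CNAME target.
    for use_tcp in (False, True):
        label = "TCP" if use_tcp else "UDP"
        print(label, probe("103.10.4.108", "l2prouter.asuscomm.com", use_tcp))
```

A server that answers over UDP but returns `FAILED` over TCP matches the "Nameserver doesn't support TCP connection" finding above.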

#6

Thank you for the heads-up. I updated my router firmware and modified some of the settings. I missed the fact that the router had its own certificate through Letsencrypt. I turned that off and the renewal on my Unraid worked.
