Failed renewal email received

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: lawers-self-catering.co.uk

I ran this command: I did not run any command. Let's Encrypt is automatically loaded by IONOS

It produced this output: Email received: Could not secure domains of Tog Porter (login admin) with Let's Encrypt certificates. Please log in to Plesk and secure the domains listed below manually.
Securing of the following domains has failed:

The following domains have been secured without some of their Subject Alternative Names:

Could not renew Let's Encrypt certificates for Tog Porter (login admin). Please log in to Plesk and renew the certificates listed below manually. Renewal of the following Let's Encrypt certificates has failed:

** 'Let's Encrypt lawers-self-catering.co.uk' [days to expire: 24] **
[-] *.lawers-self-catering.co.uk
[-] lawers-self-catering.co.uk

Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/226357848647.
Details:
Type: urn:ietf:params:acme:error:dns
Status: 400
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.lawers-self-catering.co.uk - check that a DNS record exists for this domain

The following Let's Encrypt certificates have been renewed without some of their Subject Alternative Names:

Legend:
[+] This domain is secure. The domain's SSL/TLS certificate from Let's Encrypt has been issued/renewed. [-] This domain is not secure. Either the domain's SSL/TLS certificate from Let's Encrypt could not be issued/renewed or the domain name was excluded from the certificate. Renew the certificate manually or request a new one to secure this domain.

My web server is (include version): I don't know. (It is IONOS)

The operating system my web server runs on is (include version): I don't know. (It is IONOS)
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I don't know. (It is IONOS)

I have several domains and they all use Let's Encrypt. They are all on the same IONOS server, and this is the only one triggering renewal failed emails. It has worked well for ages, and I cannot see why it has suddenly stopped working.

I hope this can be fixed.

best wishes

Tog :slight_smile:

Maybe another volunteer will walk you through some steps, but I think your best approach is to ask IONOS about your config. They set up the Plesk system for their service and should be able to assist.

Your existing cert is a wildcard, so it is using the DNS challenge of Let's Encrypt. For some reason Plesk did not set up the correct TXT record for Let's Encrypt to validate your domain.


The SPF TXT record has now been changed. How can I tell if the issue has now been fixed?

Best wishes

Tog :smiley:

The SPF record has nothing to do with getting a cert.

Most browsers have a way to view the cert when viewing a website. But, if you can't find out how you can use a tool like below. It says your cert expires in 21 days so it doesn't look like you made any progress. Have you talked with IONOS yet? That's a good place to start.


@MikeMcQ Thank you so much for your help and patience. Yes, I spoke to IONOS, and they said to update the SPF record because they have changed something in their system.

Although the SSL checker says there are 21 days left on the certificate, it also now says: "It's all good. We have not detected any issues."

Does that mean the problem has been fixed?

Best wishes.

Tog :smiley:


No. The SPF record has nothing to do with your cert, as I already said.

Usually certs are renewed with 30 days remaining. So, saying 21 days remaining might be a clue that something is not right. Check your Plesk system to see if it can renew this cert.


Thanks Mike. I tried to re-issue the certificate on Plesk and got the following pop-up error:
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.lawers-self-catering.co.uk - check that a DNS record exists for this domain.

I called IONOS and was told not to worry, as the domain is secure and will automatically renew on 3rd June. He also checked and said the DNS record for acme is OK.

I don't feel confident, but I suppose I must just wait until 3rd June to see if it renews OK.

many thanks for your help.

Tog :smile:


I doubt a renewal on Jun 3 will happen. It is bad practice to renew on the same day as expiry. Things do go wrong sometimes (outages and such) and it would give you little to no time to get your site working.

You said in your first post this has worked well for ages. But, I only see one cert in the history issued by Let's Encrypt. This is the one you are using now.

Before that you used certs by Sectigo starting in Mar 2021. That's a different system.


Supplemental information

Presently I find no DNS TXT record for _acme-challenge.lawers-self-catering.co.uk.
I am assuming the ACME client is a nice, well-behaved client and properly cleans up after itself.
So this should not be an issue.

$ nslookup -q=txt _acme-challenge.lawers-self-catering.co.uk ns1125.ui-dns.biz.
Server:         ns1125.ui-dns.biz.
Address:        217.160.81.125#53

** server can't find _acme-challenge.lawers-self-catering.co.uk: NXDOMAIN
$ nslookup -q=soa lawers-self-catering.co.uk ns1125.ui-dns.biz.
Server:         ns1125.ui-dns.biz.
Address:        217.160.81.125#53

lawers-self-catering.co.uk
        origin = ns1125.ui-dns.biz
        mail addr = hostmaster.1und1.com
        serial = 2017060110
        refresh = 28800
        retry = 7200
        expire = 604800
        minimum = 600

Hello Mike. The site was previously with a different host (namesco) but I only took it over in March of this year, when I moved the domain to my package at IONOS. At that time I added the Let's Encrypt cert to the domain. I think it was previously with Sectigo, which was paid for.

However, I set it up on IONOS on the same server and account as about ten other domains. They have all been on Let's Encrypt for ages, some of them since 2018, and this has never happened to any other domains.

Best wishes.

Tog :slight_smile:


Hello Bruce.

Thanks for taking the time to look at this. I don't understand what _acme-challenge is. I cannot see any DNS record mentioning it on any of my domains, and I have never added one, so I assume it is something automated within the IONOS system.

Best wishes.

Tog :slight_smile:


@Togfather You might try asking on the Plesk forum for things you could try.

Adding to my post #2, Plesk should add the _acme-challenge.lawers-self-catering.co.uk record during the renew. But, the error you show in post #1 says this did not happen.

This happens when there are problems in the DNS itself (which I don't see evidence of) or just how Plesk interacts with your DNS. For example, Plesk might update the wrong DNS server zone and thus Let's Encrypt won't find the record. You could review your working systems and make sure all the settings on this new one are the same.

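Bruce's nslookup above and Mike's point about Plesk possibly updating the wrong zone both come down to one question: what does each authoritative server actually return for the TXT query at _acme-challenge.<domain>? The script below is an added example for this thread (not code from Plesk, IONOS or Let's Encrypt) that asks that question the way a DNS-01 validator does and classifies the reply as NXDOMAIN (nothing was published there, the case in the thread), NOERROR with no TXT data, or TXT values present. It uses only the Python standard library: a minimal DNS-over-UDP client plus a parser for the RFC 1035 header, question and answer sections. The synthesised replies in `build_response` are constructed for offline demonstration; the only live target is 217.160.81.125, the address of ns1125.ui-dns.biz shown in Bruce's SOA output. Note that when a base name and its wildcard are requested together, each gets its own token and both TXT values must be present at the same _acme-challenge name at once.

```python
"""Probe a nameserver for the _acme-challenge TXT record the way a DNS-01
validation would, and classify the answer (NXDOMAIN, empty, or TXT data).
Standard library only: minimal DNS/UDP client + RFC 1035 parser."""
import os
import socket
import struct

QTYPE_TXT, QCLASS_IN = 16, 1
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in 0x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, txid=0x1234):
    # header: id, flags (RD=1), qdcount=1, ancount/nscount/arcount=0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, QCLASS_IN)

def build_response(name, rcode, txts, txid=0x1234):
    """Synthesise a reply (constructed, for offline use). Answer names use a
    compression pointer (0xC00C) back to the question, as real servers do."""
    pkt = struct.pack(">HHHHHH", txid, 0x8180 | (rcode & 0xF), 1, len(txts), 0, 0)
    pkt += encode_name(name) + struct.pack(">HH", QTYPE_TXT, QCLASS_IN)
    for t in txts:
        rdata = bytes([len(t)]) + t.encode("ascii")      # one <len><chars> string
        pkt += b"\xC0\x0C" + struct.pack(">HHIH", QTYPE_TXT, QCLASS_IN, 60, len(rdata)) + rdata
    return pkt

def read_name(pkt, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                        # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_response(pkt):
    """Return (rcode name, [TXT record values]) from a raw DNS reply."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    rcode = RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                                  # skip question section
        _, off = read_name(pkt, off)
        off += 4                                         # qtype + qclass
    txts = []
    for _ in range(an):
        _, off = read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT:                           # join the character-strings
            i, parts = 0, []
            while i < len(rdata):
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode("utf-8", "replace"))
                i += 1 + n
            txts.append("".join(parts))
    return rcode, txts

def classify(rcode, txts):
    """Verdict matching the three outcomes a CA's validator can see."""
    if rcode == "NXDOMAIN":
        return "NXDOMAIN: name does not exist on this server, nothing was published here"
    if rcode == "NOERROR" and not txts:
        return "name exists but carries no TXT data (stale or wrong record type)"
    if txts:
        return "TXT present: " + ", ".join(txts)
    return "unexpected response " + rcode

def probe(server_ip, name, timeout=3.0):
    """Send one live TXT query over UDP to server_ip and parse the reply."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, QTYPE_TXT, txid), (server_ip, 53))
        data, _ = s.recvfrom(4096)
    if struct.unpack(">H", data[:2])[0] != txid:
        raise ValueError("transaction id mismatch, discarding reply")
    return parse_response(data)

if __name__ == "__main__":
    NAME = "_acme-challenge.lawers-self-catering.co.uk"
    for rc, txts in ((3, []), (0, []), (0, ["constructed-value-1", "constructed-value-2"])):
        print(classify(*parse_response(build_response(NAME, rc, txts))))
    try:   # live probe of the authoritative server from the SOA output above
        print("ns1125.ui-dns.biz says:", classify(*probe("217.160.81.125", NAME)))
    except OSError as exc:
        print("live probe skipped:", exc)
```

To check the "wrong zone" theory, run `probe` against every NS listed for the domain rather than one; a record that shows up on one authoritative server but NXDOMAIN on another is exactly the mismatch that makes the CA's lookup fail while the hosting panel believes it succeeded.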

Thanks Mike.

I do believe the issue is now fixed. As you suggested, I compared settings with this and another domain.

I noticed that different boxes were ticked when I clicked on the re-issue certificate button.

Within the Let's Encrypt section the following boxes were ticked:

Secure the domain name
Secure the wildcard domain.

But other domains have the following boxes ticked.
Secure the domain name
Include a "www" subdomain for the domain and each selected alias

So, I changed the ticked boxes on lawers-self-catering.co.uk to match the boxes on other domains and it worked. No pop-up error message and now the certificate is valid until August 11th.

Thank you so much for your help.

Best wishes.

Tog :smile:


It is for the DNS-01 challenge (see Challenge Types - Let's Encrypt).

DNS providers like those in the list of DNS providers who easily integrate with Let's Encrypt DNS validation, and some others, have APIs that allow automatic creation, editing and removal of the DNS TXT record(s) in question.

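Bruce's reply above names the mechanism; as an added example for this thread (not code from Plesk, IONOS or Let's Encrypt), here is what the TXT record at _acme-challenge.<domain> has to contain under RFC 8555 section 8.4: the key authorization is the CA-issued token, a dot, and the RFC 7638 thumbprint of the ACME account key; the record value is the base64url SHA-256 of that string. The account key and tokens below are constructed placeholders, not anyone's real ACME values, and the `missing_values` helper is hypothetical, written to show why a base name plus wildcard needs two records at the same name.

```python
"""What a DNS-01 TXT record must contain (RFC 8555 section 8.4):
    key authorization = token "." base64url(JWK thumbprint of the account key)
    TXT value         = base64url(SHA-256(key authorization))
The CA issues the token; the account key belongs to the ACME client (Plesk's,
in this thread). The JWK and tokens below are constructed placeholders."""
import base64
import hashlib
import json

def b64url(raw: bytes) -> str:
    """base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the required members only,
    lexicographically ordered, no whitespace; optional members are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, thumbprint: str) -> str:
    return token + "." + thumbprint

def dns01_txt_value(token: str, jwk: dict) -> str:
    """The exact string the client has to publish in the TXT record."""
    ka = key_authorization(token, jwk_thumbprint(jwk))
    return b64url(hashlib.sha256(ka.encode("ascii")).digest())

def missing_values(expected: list, published: list) -> list:
    """Which expected values the zone does not serve (hypothetical helper).
    A base name and its wildcard are validated separately, each with its own
    token, but both records live at the same _acme-challenge.<base> name,
    so both values must be present at the same time."""
    return [v for v in expected if v not in published]

if __name__ == "__main__":
    account_key = {"kty": "EC", "crv": "P-256",          # constructed placeholder
                   "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
    tokens = {"lawers-self-catering.co.uk": "constructed-token-base",
              "*.lawers-self-catering.co.uk": "constructed-token-wildcard"}
    expected = [dns01_txt_value(t, account_key) for t in tokens.values()]
    for ident, val in zip(tokens, expected):
        print(f'{ident:30} _acme-challenge.lawers-self-catering.co.uk TXT "{val}"')
    # the NXDOMAIN in this thread, seen from the client's side: nothing published
    print("missing:", missing_values(expected, []))
```

The value is always 43 base64url characters; a record that is the wrong length, still padded with `=`, or computed from a stale token is rejected just as surely as a missing one.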

Ah, yes, the wildcard you previously requested uses the DNS challenge method. Although it did work once when you got your initial cert, so I'm puzzled why it does not now.

But, without the wildcard and with just the root and www names, Plesk (probably) uses the HTTP challenge. This just interacts with your web server and not a DNS TXT record. And, I agree it looks like this worked, as I see your server using this new cert. Your older Sectigo certs were also just your root and www domain name (no wildcard). So, that was the added twist causing trouble.

Glad it is sorted. Cheers

