FYI: dry-run fails while normal request is honored seconds later


#1

Maybe you want to have a look why a dry run is failing and a normal request for the same domain is honored only seconds later. (time in CEST)

"http://domain.tld/.well-known/acme-challenge/SfHqoldRoAtR850KAjx1LNN3vY1qhJXo8SZVWdwFd9Q: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/wm.domain.tld/fullchain.pem (failure)

-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/wm.domain.tld/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: domain.tld
   Type:   unauthorized
   Detail: Invalid response from
   http://domain.tld/.well-known/acme-challenge/SfHqoldRoAtR850KAjx1LNN3vY1qhJXo8SZVWdwFd9Q:
   "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
[@ ~]# certbot renew --cert-name wm.domain.tld
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/wm.domain.tld.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for wm.domain.tld
http-01 challenge for domain.tld
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/wm.domain.tld/fullchain.pem
-------------------------------------------------------------------------------
Plugins selected: Authenticator webroot, Installer None

-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/wm.domain.tld/fullchain.pem (success)
-------------------------------------------------------------------------------


 1001  0910 14:14:28 certbot renew --cert-name wm.domain.tld --dry-run
 1002  0910 14:14:49 certbot renew --cert-name wm.domain.tld

#2

What’s the domain?

Can you post /var/log/letsencrypt/letsencrypt.log from both runs?

It’s unusual but not impossible for production to succeed and staging to fail, or vice versa.


#3

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.