I can't renew one of my 3 domains, on the same host

My (faulty?) domain is: ebnh.fr.eu.org

I ran this command: certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ebnh.fr.eu.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Simulating renewal of an existing certificate for ebnh.fr.eu.org and www.ebnh.fr.eu.org
Performing the following challenges:
http-01 challenge for ebnh.fr.eu.org
http-01 challenge for www.ebnh.fr.eu.org
Cleaning up challenges
Failed to renew certificate ebnh.fr.eu.org with error: Problem binding to port 80: Could not bind to IPv4 or IPv6.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/huc.fr.eu.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Running pre-hook command: rcctl stop nginx
Output from pre-hook command rcctl:
nginx(ok)

Simulating renewal of an existing certificate for huc.fr.eu.org and 3 more domains
Performing the following challenges:
http-01 challenge for doc.huc.fr.eu.org
http-01 challenge for huc.fr.eu.org
http-01 challenge for jw.huc.fr.eu.org
http-01 challenge for www.huc.fr.eu.org
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/huc.fr.eu.org/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/stephane-huc.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Pre-hook command already run, skipping: rcctl stop nginx
Simulating renewal of an existing certificate for stephane-huc.net and 2 more domains
Performing the following challenges:
http-01 challenge for ns1.stephane-huc.net
http-01 challenge for stephane-huc.net
http-01 challenge for www.stephane-huc.net
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/stephane-huc.net/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following simulated renewals succeeded:
  /etc/letsencrypt/live/huc.fr.eu.org/fullchain.pem (success)
  /etc/letsencrypt/live/stephane-huc.net/fullchain.pem (success)

The following simulated renewals failed:
  /etc/letsencrypt/live/ebnh.fr.eu.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: rcctl start nginx
Output from post-hook command rcctl:
nginx(ok)

1 renew failure(s), 0 parse failure(s)

My web server is (include version): nginx/1.18.0

The operating system my web server runs on is (include version): OpenBSD 6.9

My hosting provider, if applicable, is: @home

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): none

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.13.0


Hi, normally, for my 3 domains (stephane-huc.net, huc.fr.eu.org and ebnh.fr.eu.org) on my host, I renew the certs with the command:
/usr/local/bin/certbot renew --pre-hook "rcctl stop nginx" --post-hook "rcctl start nginx"

All my domains have a functional web service, configured by exactly the same method, and reply on ports 80 and 443 too.

But, for the domain ebnh.fr.eu.org, certbot can't connect, and refuses to renew the certs.

Any idea, or suggestion?

I would guess that these certificates have the pre- and post-hooks configured:

  • /etc/letsencrypt/renewal/huc.fr.eu.org.conf
  • /etc/letsencrypt/renewal/stephane-huc.net.conf

but this one doesn't:

  • /etc/letsencrypt/renewal/ebnh.fr.eu.org.conf

If you open up those files and compare them, you will probably observe that difference.

If you need to stop and start nginx for every certificate on your server, consider putting executable scripts to stop and start nginx in /etc/letsencrypt/renewal-hooks/pre/ and /etc/letsencrypt/renewal-hooks/post/ respectively.

You could alternatively modify that one renewal .conf file to include the same hooks as the other two.

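
The reply above points at a difference between renewal files. The script below is an added example written for this thread, not code from the posts or from certbot: it parses the `/etc/letsencrypt/renewal/*.conf` layout shown later in the thread and flags every certificate that uses the `standalone` authenticator without a `pre_hook`/`post_hook` pair, which is exactly the combination that produces "Problem binding to port 80" while nginx still holds the port. The two sample configs and the account id inside it are constructed placeholders, and `with_hooks()` assumes, as in certbot's files, that `[renewalparams]` is the last section.

```python
"""Audit certbot renewal configs for the standalone-without-hooks trap.

Added example for this thread, not code from the posts or from certbot.
It parses the /etc/letsencrypt/renewal/*.conf layout (key=value header,
then a [renewalparams] section) and flags certificates that use the
standalone authenticator with no pre_hook/post_hook: standalone must bind
port 80 itself, so a still-running nginx yields "Problem binding to port 80".
The sample configs are constructed; the account id is a placeholder.
"""
import configparser

SAMPLE_CONFS = {
    # Constructed: the ebnh config as posted, without hooks.
    "ebnh.fr.eu.org.conf": """\
# renew_before_expiry = 30 days
version = 1.5.0
archive_dir = /etc/letsencrypt/archive/ebnh.fr.eu.org
fullchain = /etc/letsencrypt/live/ebnh.fr.eu.org/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 0123456789abcdef
rsa_key_size = 4096
must_staple = True
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
""",
    # Constructed: the huc config as posted, with hooks.
    "huc.fr.eu.org.conf": """\
# renew_before_expiry = 30 days
version = 1.13.0
archive_dir = /etc/letsencrypt/archive/huc.fr.eu.org
fullchain = /etc/letsencrypt/live/huc.fr.eu.org/fullchain.pem

[renewalparams]
account = 0123456789abcdef
rsa_key_size = 4096
must_staple = True
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
pre_hook = rcctl stop nginx
post_hook = rcctl start nginx
""",
}


def parse_renewal_conf(text):
    """Return [renewalparams] as a dict (empty if the section is missing).

    certbot writes key=value lines before any section header, which
    configparser rejects, so a synthetic [paths] header is prepended.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string("[paths]\n" + text)
    if not parser.has_section("renewalparams"):
        return {}
    return dict(parser["renewalparams"])


def audit(confs):
    """Map conf name -> list of problems; an empty list means no finding."""
    findings = {}
    for name, text in confs.items():
        params = parse_renewal_conf(text)
        problems = []
        if params.get("authenticator") == "standalone":
            # standalone listens on :80 itself, so the web server has to be
            # stopped before and restarted after; both hooks are needed.
            for hook in ("pre_hook", "post_hook"):
                if not params.get(hook):
                    problems.append(f"standalone authenticator without {hook}")
        findings[name] = problems
    return findings


def with_hooks(text, pre="rcctl stop nginx", post="rcctl start nginx"):
    """Return the conf text with any missing hook appended to [renewalparams].

    Appending is safe because [renewalparams] is the last (and only) section
    in certbot's renewal files, as in the two configs in this thread.
    """
    params = parse_renewal_conf(text)
    out = text.rstrip("\n") + "\n"
    if not params.get("pre_hook"):
        out += f"pre_hook = {pre}\n"
    if not params.get("post_hook"):
        out += f"post_hook = {post}\n"
    return out


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_CONFS).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

To run it against a real host, build the dict from the directory (`{os.path.basename(p): open(p).read() for p in glob.glob("/etc/letsencrypt/renewal/*.conf")}`) and pass it to `audit()`. Since certbot runs an identical pre-hook command only once per invocation (the "Pre-hook command already run, skipping" line in the logs above), per-certificate hooks with the same command string behave like the global scripts in renewal-hooks/pre and renewal-hooks/post that the reply suggests; the global scripts are simply harder to forget for the next certificate.
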
OK.

For the domain ebnh, the config is:

# renew_before_expiry = 30 days
version = 1.5.0
archive_dir = /etc/letsencrypt/archive/ebnh.fr.eu.org
cert = /etc/letsencrypt/live/ebnh.fr.eu.org/cert.pem
privkey = /etc/letsencrypt/live/ebnh.fr.eu.org/privkey.pem
chain = /etc/letsencrypt/live/ebnh.fr.eu.org/chain.pem
fullchain = /etc/letsencrypt/live/ebnh.fr.eu.org/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = ***
rsa_key_size = 4096
must_staple = True
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory

For the other two, the config is:

# renew_before_expiry = 30 days
version = 1.13.0
archive_dir = /etc/letsencrypt/archive/huc.fr.eu.org
cert = /etc/letsencrypt/live/huc.fr.eu.org/cert.pem
privkey = /etc/letsencrypt/live/huc.fr.eu.org/privkey.pem
chain = /etc/letsencrypt/live/huc.fr.eu.org/chain.pem
fullchain = /etc/letsencrypt/live/huc.fr.eu.org/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = ***
rsa_key_size = 4096
must_staple = True
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
pre_hook = rcctl stop nginx
post_hook = rcctl start nginx

(the same for stephane-huc.net.conf)

I don't know why they are different versions!?


Now, after adding the pre_hook and post_hook definitions to the config for ebnh, it fails with these errors:

Waiting for verification...
Challenge failed for domain www.ebnh.fr.eu.org
http-01 challenge for www.ebnh.fr.eu.org
Cleaning up challenges
Failed to renew certificate ebnh.fr.eu.org with error: Some challenges have failed.

The most likely reason is that you forgot to include those hook parameters when initially creating that one certificate.

Edit: sorry, I misread. The version being different is not a big deal.

What's the full output?

# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ebnh.fr.eu.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Running pre-hook command: rcctl stop nginx
Output from pre-hook command rcctl:
nginx(ok)

Simulating renewal of an existing certificate for ebnh.fr.eu.org and www.ebnh.fr.eu.org
Performing the following challenges:
http-01 challenge for ebnh.fr.eu.org
http-01 challenge for www.ebnh.fr.eu.org
Waiting for verification...
Challenge failed for domain www.ebnh.fr.eu.org
http-01 challenge for www.ebnh.fr.eu.org
Cleaning up challenges
Failed to renew certificate ebnh.fr.eu.org with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/huc.fr.eu.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Pre-hook command already run, skipping: rcctl stop nginx
Simulating renewal of an existing certificate for huc.fr.eu.org and 3 more domains
Performing the following challenges:
http-01 challenge for doc.huc.fr.eu.org
http-01 challenge for huc.fr.eu.org
http-01 challenge for jw.huc.fr.eu.org
http-01 challenge for www.huc.fr.eu.org
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/huc.fr.eu.org/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/stephane-huc.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Pre-hook command already run, skipping: rcctl stop nginx
Simulating renewal of an existing certificate for stephane-huc.net and 2 more domains
Performing the following challenges:
http-01 challenge for stephane-huc.net
http-01 challenge for www.stephane-huc.net
http-01 challenge for ns1.stephane-huc.net
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/stephane-huc.net/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following simulated renewals succeeded:
  /etc/letsencrypt/live/huc.fr.eu.org/fullchain.pem (success)
  /etc/letsencrypt/live/stephane-huc.net/fullchain.pem (success)

The following simulated renewals failed:
  /etc/letsencrypt/live/ebnh.fr.eu.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: rcctl start nginx
Output from post-hook command rcctl:
nginx(ok)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.ebnh.fr.eu.org
   Type:   dns
   Detail: DNS problem: SERVFAIL looking up CAA for www.ebnh.fr.eu.org
   - the domain's nameservers may be malfunctioning

(excuse me)


For the 3 domains, in the DNS config (nsd), I wrote the same records:

@    IN CAA 0 iodef "mailto:red+caa@stephane-huc.net"
@    IN CAA 0 issue "letsencrypt.org"
@    IN CAA 0 issuewild "letsencrypt.org"

OK.

I think we have fixed the Certbot part of the problem now.

Now you need to deal with this DNS error.

I believe the problem is, you have set up these nameservers for your domain:

EBNH.FR.EU.ORG.         172800  IN      NS      NS1.STEPHANE-HUC.NET.
EBNH.FR.EU.ORG.         172800  IN      NS      NS5.HE.NET.
EBNH.FR.EU.ORG.         172800  IN      NS      NS4.HE.NET.
EBNH.FR.EU.ORG.         172800  IN      NS      NS2.HE.NET.
EBNH.FR.EU.ORG.         172800  IN      NS      NS3.HE.NET.

NS1.STEPHANE-HUC.NET works okay, but the others do not.

The HE.NET nameservers all refuse to answer queries for your domain name (ebnh.fr.eu.org). This suggests that you have not set up a DNS zone on HE.NET for your domain.

So, either you need to fix the problem with HE.NET, or remove the HE.NET nameservers from your domain's nameserver registration.

But, normally, since a few days ago, all HE definitions have been deleted, and the DNS records are:

# cat /etc/ns/ebnh.fr.eu.org
$TTL 1H
$ORIGIN ebnh.fr.eu.org.
@   IN  SOA ebnh.fr.eu.org. red\+dns.huc.fr.eu.org. (
    2021070501 ;
    3H ; refresh
    1H ; retry
    2W ; expire
    1H ; negative
)
                    
@   IN NS   ns1.stephane-huc.net.
@   IN NS   puck.nether.net.
(…)

Where did you delete them from?

In addition to deleting them from the zone on your authoritative nameserver, they need to be removed from the FR.EU.ORG nameservers:

$ dig +noall +authority @ns1.eu.org ebnh.fr.eu.org ns
EBNH.FR.EU.ORG.         172800  IN      NS      NS2.HE.NET.
EBNH.FR.EU.ORG.         172800  IN      NS      NS4.HE.NET.
EBNH.FR.EU.ORG.         172800  IN      NS      NS3.HE.NET.
EBNH.FR.EU.ORG.         172800  IN      NS      NS1.STEPHANE-HUC.NET.
EBNH.FR.EU.ORG.         172800  IN      NS      NS5.HE.NET.
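
The diagnosis above (servers still listed by the parent that no longer carry the zone, and a CAA lookup failing with SERVFAIL) can be checked mechanically. The following is an added example written for this thread, not code from the posts, nsd, certbot or Let's Encrypt: it parses dig-style answer lines like the `dig +noall +authority @ns1.eu.org ebnh.fr.eu.org ns` output just shown and the apex lines of the nsd zone file, reports which delegated nameservers the child zone does not list, and applies the RFC 8659 issue/issuewild rules to the CAA set. The two inputs embedded in it are constructed from what the thread shows; `PARENT_DIG`, `CHILD_ZONE` and the function names are this example's own.

```python
"""Check a delegation and its CAA set the way a validating resolver sees them.

Added example for this thread, not code from the posts, nsd, certbot or
Let's Encrypt. It parses dig-style answer lines and the apex records of a
zone file, then reports nameservers the parent delegates to that the child
zone does not list (candidates for a lame delegation, the state behind the
CAA SERVFAIL) and whether the CAA records let letsencrypt.org issue.
Both inputs below are constructed from what the thread shows.
"""
import shlex

# Constructed: parent-side delegation as returned by ns1.eu.org.
PARENT_DIG = """\
EBNH.FR.EU.ORG.         172800  IN      NS      NS2.HE.NET.
EBNH.FR.EU.ORG.         172800  IN      NS      NS4.HE.NET.
EBNH.FR.EU.ORG.         172800  IN      NS      NS3.HE.NET.
EBNH.FR.EU.ORG.         172800  IN      NS      NS1.STEPHANE-HUC.NET.
EBNH.FR.EU.ORG.         172800  IN      NS      NS5.HE.NET.
"""

# Constructed: the apex lines of the nsd zone file from the thread.
CHILD_ZONE = """\
$TTL 1H
$ORIGIN ebnh.fr.eu.org.
@   IN NS   ns1.stephane-huc.net.
@   IN NS   puck.nether.net.
@   IN CAA 0 iodef "mailto:red+caa@stephane-huc.net"
@   IN CAA 0 issue "letsencrypt.org"
@   IN CAA 0 issuewild "letsencrypt.org"
"""


def norm(name):
    """Lower-case a DNS name and make it fully qualified (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def dig_rdata(text, rtype):
    """Rdata strings of one type from dig 'owner ttl class type rdata' lines."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[2].upper() == "IN" and f[3].upper() == rtype:
            out.append(" ".join(f[4:]))
    return out


def zone_apex_rdata(text, rtype):
    """Rdata of one type for the '@' owner in a zone file (single-line records)."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "@" and f[1].upper() == "IN" and f[2].upper() == rtype:
            out.append(" ".join(f[3:]))
    return out


def delegation_mismatch(parent_ns, child_ns):
    """(parent-only, child-only) nameserver names, normalised and sorted."""
    parent = {norm(n) for n in parent_ns}
    child = {norm(n) for n in child_ns}
    return sorted(parent - child), sorted(child - parent)


def caa_permits(caa_rdata, issuer="letsencrypt.org", wildcard=False):
    """RFC 8659 check: may `issuer` issue for this name given these CAA records?

    issuewild records, when present, replace issue records for wildcard
    names; a set with no applicable issue/issuewild record restricts
    nothing; an 'issue ";"' record forbids every CA.
    """
    issue, issuewild = [], []
    for rd in caa_rdata:
        _flags, tag, value = shlex.split(rd)[:3]      # shlex strips the quotes
        target = value.split(";")[0].strip().lower()   # drop any parameters
        if tag.lower() == "issue":
            issue.append(target)
        elif tag.lower() == "issuewild":
            issuewild.append(target)
    relevant = issuewild if (wildcard and issuewild) else issue
    return True if not relevant else issuer.lower() in relevant


def report(parent_dig_text, child_zone_text):
    """Summarise delegation consistency and CAA permission for one zone."""
    parent_only, child_only = delegation_mismatch(
        dig_rdata(parent_dig_text, "NS"), zone_apex_rdata(child_zone_text, "NS"))
    caa = zone_apex_rdata(child_zone_text, "CAA")
    return {
        # query each of these directly; REFUSED or no SOA means a lame server
        "parent_only_ns": parent_only,
        # never reached through the delegation; inconsistent but not fatal
        "child_only_ns": child_only,
        "letsencrypt_may_issue": caa_permits(caa),
        "letsencrypt_may_issue_wildcard": caa_permits(caa, wildcard=True),
    }


if __name__ == "__main__":
    for key, value in report(PARENT_DIG, CHILD_ZONE).items():
        print(f"{key}: {value}")
```

Paste the real `dig +noall +authority @<parent-ns> <zone> ns` output into `PARENT_DIG` and the zone file into `CHILD_ZONE`. Every name under `parent_only_ns` should then be queried directly (`dig +norecurse @ns2.he.net ebnh.fr.eu.org CAA`): a REFUSED answer, or an answer without the zone's SOA in the authority section, confirms that the server is lame for the zone, which is the condition the reply above describes and which a validating resolver surfaces as SERVFAIL. The CAA records in the thread are fine on their own; the failure was in reaching an authoritative answer, not in what the records say.
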

On my DNS config!

Yesss! And I can't connect anymore; the nic.eu.org service answers error 500 when I attempt to log in!

Thanks.

I see.

Nonetheless, you won't be able to get a certificate from Let's Encrypt until you make this change on nic.eu.org.

Sorry!

Maybe you can temporarily create a duplicate of your zone on HE.NET as well, as a workaround.

Ah, I was able to connect and change the DNS!
(I will wait for the DNS replication, and try afterwards… and hope that it runs correctly) :stuck_out_tongue:

@_az: really, thanks.

Done! :smiley:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ebnh.fr.eu.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Running pre-hook command: rcctl stop nginx
Output from pre-hook command rcctl:
nginx(ok)

Renewing an existing certificate for ebnh.fr.eu.org and www.ebnh.fr.eu.org
Performing the following challenges:
http-01 challenge for ebnh.fr.eu.org
http-01 challenge for www.ebnh.fr.eu.org
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/ebnh.fr.eu.org/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/huc.fr.eu.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/stephane-huc.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/huc.fr.eu.org/fullchain.pem expires on 2021-09-29 (skipped)
  /etc/letsencrypt/live/stephane-huc.net/fullchain.pem expires on 2021-09-29 (skipped)
Congratulations, all renewals succeeded:
  /etc/letsencrypt/live/ebnh.fr.eu.org/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: rcctl start nginx
Output from post-hook command rcctl:
nginx(ok)