Internal Error with Letsencrypt via nginx-proxy-manager

Hi there, so nothing has changed [as far as anything I did] and I noticed my SSL Certs all expired but never renewed. After trying to do it manually, this is the error I get, no matter what domain/entry.

HTTP 200
Server: nginx
Date: Sun, 03 Nov 2024 20:22:08 GMT
Content-Type: application/json
Content-Length: 786
Connection: keep-alive
Boulder-Requester: 2036510017
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: guak6r7L6KnnFLNCU8nw4OyVCUz-VDPRvE0Bs-3RCNK_c2sWBoA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "heimdall.sithlord.duckdns.org"
  },
  "status": "invalid",
  "expires": "2024-11-10T20:21:45Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/425167175817/Ui1AfA",
      "status": "invalid",
      "validated": "2024-11-03T20:21:45Z",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "DNS problem: SERVFAIL looking up A for heimdall.sithlord.duckdns.org - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for heimdall.sithlord.duckdns.org - the domain's nameservers may be malfunctioning",
        "status": 400
      },
      "token": "wxTogruGpUeuIO_ghPVQfuZq66Oy-axZW63edgiLV4E"
    }
  ]
}
2024-11-03 20:22:08,242:DEBUG:acme.client:Storing nonce: guak6r7L6KnnFLNCU8nw4OyVCUz-VDPRvE0Bs-3RCNK_c2sWBoA
2024-11-03 20:22:08,242:INFO:certbot._internal.auth_handler:Challenge failed for domain heimdall.sithlord.duckdns.org
2024-11-03 20:22:08,243:INFO:certbot._internal.auth_handler:http-01 challenge for heimdall.sithlord.duckdns.org
2024-11-03 20:22:08,243:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: heimdall.sithlord.duckdns.org
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up A for heimdall.sithlord.duckdns.org - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for heimdall.sithlord.duckdns.org - the domain's nameservers may be malfunctioning
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2024-11-03 20:22:08,245:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2024-11-03 20:22:08,245:DEBUG:certbot._internal.error_handler:Calling registered functions
2024-11-03 20:22:08,245:INFO:certbot._internal.auth_handler:Cleaning up challenges
2024-11-03 20:22:08,245:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/wxTogruGpUeuIO_ghPVQfuZq66Oy-axZW63edgiLV4E
2024-11-03 20:22:08,246:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2024-11-03 20:22:08,246:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/certbot/bin/certbot", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1894, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1600, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 143, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 517, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
certbot.errors.AuthorizationError: Some challenges have failed.
2024-11-03 20:22:08,251:ERROR:certbot._internal.log:Some challenges have failed.

We have been seeing duckdns problems fairly often here in recent weeks.

And, at least right now, I can see duckdns failing using other testing tools. You may just need to keep trying and hope you get through. Although Let's Encrypt will temporarily block you for more than 5 failures per hour, so be careful.

https://dnsviz.net/d/heimdall.sithlord.duckdns.org/dnssec/

3 Likes
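Added example, not part of the original thread: a small Python triage of a certbot log in the format quoted above, which counts failed challenges per domain in the last hour and separates DNS-side failures (where the CA never reached the webroot, so the generic webroot hint does not apply) from everything else. The limit of 5 failures per hour is taken from the reply above and treated as an assumption; `retry_advice`, `_run`, the sample domains and the sample log are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

FAILED = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+:INFO:"
                    r"certbot\._internal\.auth_handler:Challenge failed for domain (\S+)$")
DOMAIN = re.compile(r"^\s*Domain: (\S+)$")
DETAIL = re.compile(r"^\s*Detail: (.*)$")

def retry_advice(log_text, now, limit=5, window=timedelta(hours=1)):
    """Per domain: failures inside the window, cause of the latest one, hold_off flag."""
    stats, current = {}, None
    for line in log_text.splitlines():
        if m := FAILED.match(line):
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            entry = stats.setdefault(m.group(2), {"recent": 0, "cause": "unknown"})
            if now - window < ts <= now:
                entry["recent"] += 1
        elif m := DOMAIN.match(line):
            current = m.group(1)          # report block that follows the failure line
        elif (m := DETAIL.match(line)) and current in stats:
            # "DNS problem" means the CA could not resolve the name, so the
            # webroot and the proxy were never contacted for this attempt.
            stats[current]["cause"] = "dns" if m.group(1).startswith("DNS problem") else "other"
    for entry in stats.values():
        # Assumed limit (from the thread): at the limit, one more failure gets blocked.
        entry["hold_off"] = entry["recent"] >= limit
    return stats

def _run(ts, domain, detail):
    """One constructed failed run, laid out like the certbot log lines in the thread."""
    return (f"{ts},242:INFO:certbot._internal.auth_handler:Challenge failed for domain {domain}\n"
            f"  Domain: {domain}\n  Detail: {detail}\n")

SERVFAIL = "DNS problem: SERVFAIL looking up A for a.example.org - the domain's nameservers may be malfunctioning"
TIMEOUT = "203.0.113.10: Fetching http://b.example.org/.well-known/acme-challenge/tok: Timeout during connect"
SAMPLE_LOG = "".join(  # constructed sample, not taken from the poster's log
    [_run(f"2024-11-03 {t}", "a.example.org", SERVFAIL)
     for t in ("19:05:10", "19:40:02", "19:50:31", "20:00:12", "20:10:44", "20:22:08")]
    + [_run("2024-11-03 20:15:00", "b.example.org", TIMEOUT)])

if __name__ == "__main__":
    for domain, s in retry_advice(SAMPLE_LOG, datetime(2024, 11, 3, 20, 30)).items():
        print(domain, s)
```

A domain with `cause` of `dns` and `hold_off` set should be left alone until its nameservers answer again; retrying only spends the failure budget.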

Hi @xXDasGoGXx, and welcome to the LE community forum :)

I'm having trouble reaching their authoritative DNS nameservers:

duckdns.org     nameserver = ns1.duckdns.org
duckdns.org     nameserver = ns2.duckdns.org
duckdns.org     nameserver = ns3.duckdns.org
duckdns.org     nameserver = ns4.duckdns.org
duckdns.org     nameserver = ns5.duckdns.org
duckdns.org     nameserver = ns6.duckdns.org
duckdns.org     nameserver = ns7.duckdns.org
duckdns.org     nameserver = ns8.duckdns.org
duckdns.org     nameserver = ns9.duckdns.org
3 Likes

Interesting. Several weeks seems a bit obnoxious, a prelude to them going down for good? I will do as you say and wait a while, see how it goes. Thank you.

Would there be alternatives to duckdns? I mean, I do own my own domains and static IPs, I just wanted to utilize a more "private" access.

Hello and thank you

I am also trying to think of anything that could have changed on my end. I did notice on my nginx that my 15-20 "entries" also expired end of September, and since then they have never renewed. Ugh

1 Like

It is definitely a DuckDNS issue, as I just created entries using my actual domain and it works fine.

1 Like

I have no idea. It is possible their outages are only occasional or affecting certain regions or customers. I only note we have been seeing DNS query problems for duckdns more often lately. Perhaps they have a lot of happy customers. I would have no way of knowing.

2 Likes
