Issue with a certificate renew

Hi, I have an issue when I want to renew a certificate including 5 domain names.

My domain is: ifdigital.institutfrancais.com

I ran this command:
certbot renew --quiet --no-self-upgrade

It produced this output:

Challenge failed for domain culturegamer.fr
Challenge failed for domain futurimage.fr
Challenge failed for domain futurlivre.fr
Challenge failed for domain culturevr.fr
Attempting to renew cert (ifdigital.institutfrancais.com) from /etc/letsencrypt/renewal/ifdigital.institutfrancais.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/ifdigital.institutfrancais.com/fullchain.pem (failure)

My web server is (include version):

nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Ubuntu 20.04.2 LTS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no, I have ssh access to configuration of nginx

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

So, I have a certificate called "ifdigital.institutfrancais.com" with 5 domains:
Domains: ifdigital.institutfrancais.com culturegamer.fr culturevr.fr futurimage.fr futurlivre.fr

I have a crontab with the following command:
certbot renew --quiet --no-self-upgrade

and it has been failing for a few weeks.

The error is:

Challenge failed for domain culturegamer.fr
Challenge failed for domain futurimage.fr
Challenge failed for domain futurlivre.fr
Challenge failed for domain culturevr.fr
Attempting to renew cert (ifdigital.institutfrancais.com) from /etc/letsencrypt/renewal/ifdigital.institutfrancais.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/ifdigital.institutfrancais.com/fullchain.pem (failure)

In letsencrypt.log, I have noticed that the IP address of the failed domains is not the same as my nginx server.
In the old letsencrypt logs, it wasn't like this: the five domains had the same IP.
But I don't have control of the DNS zone file.

Is it really a problem to have different IPs? Because the DNS redirections are OK; when I go to culturegamer.fr, I'm redirected to the main website ifdigital.institutfrancais.com.
I also have some nginx redirections.

I see this:
redirect.conf:

server {
    listen 443 ssl http2;
    server_name culturevr.fr culturegamer.fr futurimage.fr futurlivre.fr;
    index index.html index.htm;
    return 301 https://ifdigital.institutfrancais.com$request_uri;
}

main.conf:

server {
    listen 443 ssl http2;
    server_name ifdigital.institutfrancais.com;
    root /if_digital_prod/project_root/www/web;
    index index.html index.htm;
...
}

Is it a certbot issue, a DNS issue, or an nginx misconfiguration?

Thank you for your help.

Yes, the Let's Encrypt Servers use the IP in the DNS to find your server. And, really, anyone on the public internet does the same thing so the DNS IP must be right.

It looks like all except your ifdigital use some sort of redirect service at gandi. But, this isn't working correctly. It does redirect HTTP requests but HTTPS requests fail. This may not affect your cert but it shows something is wrongly configured.

curl -I https://culturegamer.fr
curl: (7) Failed to connect to culturegamer.fr port 443 after 81 ms: Connection refused

DNS lookup for culturegamer:

dig +noall +answer culturegamer.fr
culturegamer.fr.        207     IN      A       217.70.184.38
dig +noall +answer -x 217.70.184.38
38.184.70.217.in-addr.arpa. 247 IN      PTR     webredir.vip.gandi.net.

I agree you have different IP addresses. See the site below. I am guessing you should have all these IP addresses pointing to your EC2 instance like ifdigital does. But, you must have changed something so I don't quite understand what you are trying to do.

https://unboundtest.com/m/A/ifdigital.institutfrancais.com/KWC3EJWQ
Compare to:
https://unboundtest.com/m/A/culturegamer.fr/D536A5LH


How is that able to do SSL?
Where is the cert being used?


This issue is broader than just Let's Encrypt. When Let's Encrypt tries to validate the challenge, it simply acts as a regular HTTP client, just like any other browser you or I would use (minus a few minor details). So if your DNS is not up to date and is serving the incorrect IP address(es), the users of your website(s) will also have issues.


Can you show us contents of this file?

The gandi redirect service has issues like I pointed out earlier (that is, https redirects fail)

But, an HTTP Challenge still might work except you might have a problem with those redirects. They are different between your domains so we need to see your renewal conf file to see what you are trying to do.

For example, culturegamer redirects with /fr/ after the domain name:

curl -IL http://culturegamer.fr/.well-known/acme-challenge/Test123
HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://ifdigital.institutfrancais.com/fr/.well-known/acme-challenge/Test123

But, ifdigital redirects without /fr/ after the domain:

curl -I http://ifdigital.institutfrancais.com/.well-known/acme-challenge/ABC123
HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://ifdigital.institutfrancais.com/.well-known/acme-challenge/ABC123
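An added pre-renewal check (not from the thread, and not Certbot's own code) that encodes the two findings above: each name on the certificate must resolve to the web server, and any redirect applied to /.well-known/acme-challenge/ must keep the token path (Let's Encrypt follows redirects for HTTP-01, so the host may change, but the path must not). The server IP and the ifdigital A record are constructed placeholders; the culturegamer A record and the two Location headers are the ones shown in the thread.

```python
from urllib.parse import urlparse

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed placeholder for the EC2 instance's public IP (assumption).
SERVER_IP = "203.0.113.10"

# A records as a `dig` run would report them: ifdigital is a constructed
# placeholder, culturegamer is the gandi webredir address from the thread.
RESOLVED = {
    "ifdigital.institutfrancais.com": "203.0.113.10",
    "culturegamer.fr": "217.70.184.38",
}

# (token, Location header) pairs observed with `curl -I` in the thread.
OBSERVED = {
    "culturegamer.fr": ("Test123",
        "https://ifdigital.institutfrancais.com/fr/.well-known/acme-challenge/Test123"),
    "ifdigital.institutfrancais.com": ("ABC123",
        "https://ifdigital.institutfrancais.com/.well-known/acme-challenge/ABC123"),
}

DOMAINS = ["ifdigital.institutfrancais.com", "culturegamer.fr"]


def redirect_keeps_challenge_path(token, location):
    """True if the 301 target still serves the same token under the ACME path.
    A changed host is fine; an extra path segment such as /fr/ is not."""
    url = urlparse(location)
    if url.scheme not in ("http", "https"):
        return False
    return url.path == CHALLENGE_PREFIX + token


def dns_points_at_server(domain, server_ip, resolved=RESOLVED):
    """True if the name's A record is the web server that will answer HTTP-01."""
    return resolved.get(domain) == server_ip


def precheck(domains, server_ip, observed, resolved=RESOLVED):
    """Per-domain list of problems; an empty list means HTTP-01 should pass."""
    report = {}
    for domain in domains:
        problems = []
        if not dns_points_at_server(domain, server_ip, resolved):
            problems.append("A record %s is not the web server" % resolved.get(domain))
        token, location = observed.get(domain, (None, None))
        if location and not redirect_keeps_challenge_path(token, location):
            problems.append("redirect drops the challenge path: " + location)
        report[domain] = problems
    return report


if __name__ == "__main__":
    for name, problems in precheck(DOMAINS, SERVER_IP, OBSERVED).items():
        print(name, "OK" if not problems else "; ".join(problems))
```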

Hello,
thank you very much for your answers.
The problem is solved now: the HTTP redirection in the DNS zone has been deleted and we have added an A record for each domain with the IP address of the server.

Now, the renewal is working perfectly.

A few weeks ago, the DNS redirection had been set up and was the source of my issue.
