Let's Encrypt A/AAAA record problem

Hi,

I'm back again after not getting much help before. I'm having the same issue as before: renewing the cert keeps moaning about the A/AAAA record, blah blah blah, and I can't seem to solve this issue. In BIND I have an A record pointing to my WAN's IP address, then I'm using DNS Overrides in pfSense. I am using Certbot on Ubuntu Server. Here is the information from the output. Also, this is what I have in my zones in BIND9.

jack@mail:~$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/mail.violetdragonsnetwork.co.uk.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.violetdragonsnetwork.co.uk
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (mail.violetdragonsnetwork.co.uk) from /etc/letsencrypt/renewal/mail.violetdragonsnetwork.co.uk.conf produced an unexpected error: Failed authorization procedure. mail.violetdragonsnetwork.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.violetdragonsnetwork.co.uk/.well-known/acme-challenge/v0Ltl4tbCQwbSeTJb57MeXa2_u4SAxGpsEkb0gNIcRI [81.150.180.216]: "\r\n404 Not Found\r\n<body bgcolor="white">\r\n404 Not Found\r\n". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.violetdragonsnetwork.co.uk/fullchain.pem (failure)

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.violetdragonsnetwork.co.uk/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

; db.violetdragonsnetwork.co.uk
;
;
$TTL 86400
$ORIGIN violetdragonsnetwork.co.uk. ; appended to unqualified records

violetdragonsnetwork.co.uk. 3600 SOA ns1.violetdragonsnetwork.co.uk. admin.violetdragonsnetwork.co.uk. (
2019050306 ; serial YYYYMMDDnn
1600 ; refresh ( 25 min)
750 ; retry ( 12 mins)
1296000 ; expire (15 days)
86400 ) ; minimum ( 1 day)

; name servers - NS records
IN NS ns1.violetdragonsnetwork.co.uk.
IN NS ns2.violetdragonsnetwork.co.uk.

; A records for name servers
ns1 IN A 68.183
ns2 IN A 68.183

; MX record for mail server
@ IN MX 10 mail.violetdragonsnetwork.co.uk.

; A records for mail server
mail IN A 81.150.
smtp IN A 81.150.
imap IN A 81.150.

; A records for web services
www IN A 81.150.
websrv IN A 81.150
ftp IN A 81.150.

Hi @violetdragon92

If you use webroot and it doesn't work:

  • your webroot is wrong (or / and)
  • you have additional definitions (location / proxy etc.), so your webroot doesn't work.

Hi,

Thanks for your reply. What do you mean by webroot? Do you mean the root of the folder? I am using iRedMail, then installed Certbot for it. What do I need to do?

I did a fresh install and have the same problem. I give up; nothing I do solves this!

http-01 challenge for mail.violetdragonsnetwork.co.uk
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Challenge failed for domain mail.violetdragonsnetwork.co.uk
http-01 challenge for mail.violetdragonsnetwork.co.uk
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mail.violetdragonsnetwork.co.uk
    Type: unauthorized
    Detail: Invalid response from
    http://mail.violetdragonsnetwork.co.uk/.well-known/acme-challenge/VUckal31Xw_AI8dtuXgXDvFPrEkW8TQFJoAX6xpECGY
    [81.150.180.216]: "\r\n404 Not Found\r\n<body bgcolor="white">\r\n404 Not Found\r\n"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

Does this work for you?

sudo certbot renew --nginx --dry-run

Hi,

Thanks for your reply. This is the output i am getting.

jack@mail:~$ sudo certbot renew --nginx --dry-run
[sudo] password for jack:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/mail.violetdragonsnetwork.co.uk.conf


Cert is due for renewal, auto-renewing…
Could not choose appropriate plugin: The requested nginx plugin does not appear to be installed
Attempting to renew cert (mail.violetdragonsnetwork.co.uk) from /etc/letsencrypt/renewal/mail.violetdragonsnetwork.co.uk.conf produced an unexpected error: The requested nginx plugin does not appear to be installed. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.violetdragonsnetwork.co.uk/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.violetdragonsnetwork.co.uk/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

Then you are using the wrong software package: outdated, expired, wrong tutorial, etc.

Then it's not important.

Please check the documentation.

https://certbot.eff.org/docs/using.html

Ah. Try again after:

sudo apt install python3-certbot-nginx

(Assuming you have Ubuntu 16.04 or newer)


Hi, thanks for your reply. Sorry for such a late reply, but after installing what you recommended I still have the same problem.

jack@mail:~$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/mail.violetdragonsnetwork.co.uk.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.violetdragonsnetwork.co.uk
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (mail.violetdragonsnetwork.co.uk) from /etc/letsencrypt/renewal/mail.violetdragonsnetwork.co.uk.conf produced an unexpected error: Failed authorization procedure. mail.violetdragonsnetwork.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.violetdragonsnetwork.co.uk/.well-known/acme-challenge/NT-xhhdZzID7mqZbrjypPnIefkmZFFKZq7juVNktU_o [81.150.]: "\r\n404 Not Found\r\n<body bgcolor="white">\r\n404 Not Found\r\n". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.violetdragonsnetwork.co.uk/fullchain.pem (failure)

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.violetdragonsnetwork.co.uk/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

Don't forget to include --nginx:

What you just ran in your post was still using --webroot.

Thanks for your reply. I still have the same problem even with what you suggest. Here is the output.

jack@mail:~$ sudo certbot renew --nginx --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/mail.violetdragonsnetwork.co.uk.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.violetdragonsnetwork.co.uk
Using default address 80 for authentication.
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (mail.violetdragonsnetwork.co.uk) from /etc/letsencrypt/renewal/mail.violetdragonsnetwork.co.uk.conf produced an unexpected error: Failed authorization procedure. mail.violetdragonsnetwork.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.violetdragonsnetwork.co.uk/.well-known/acme-challenge/RMu1DWXPwKORbsibZhxiQJqUGFSHM8_uUKaLkUOFfJ0 [81.150.180.216]: "\r\n404 Not Found\r\n<body bgcolor="white">\r\n404 Not Found\r\n". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.violetdragonsnetwork.co.uk/fullchain.pem (failure)

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.violetdragonsnetwork.co.uk/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

That’s odd. I don’t understand why that wouldn’t work. This is the same server as the www.violetdragonsnetwork.co.uk website, right?

If that doesn't work, you have additional definitions, maybe a proxy. Or your DNS setup is wrong.

Your certificate is 181 days expired - https://check-your-website.server-daten.de/?q=mail.violetdragonsnetwork.co.uk

CN=mail.violetdragonsnetwork.co.uk, valid from 22.11.2019 to 20.02.2020, 181 days expired, mail.violetdragonsnetwork.co.uk - 1 entry

Nobody knows your configuration.

No, www.violetdragonsnetwork.co.uk is on a separate server; the hostname of that server is websrv, and mail is mail.violetdragonsnetwork.co.uk. I have always had issues with this on this mail server until I reinstall everything.

Separate server hostname yes.

But on a physically different server, or no?

Because right now, both www. and mail. point to the same physical server in DNS.

Yes, because I can't renew it unless I reinstall the whole mail server. What is it you want to know?

Both domain names have the same ip address.

So the wrong server is checked.
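A pre-flight check for the two failure modes raised in this thread (the first reply's "wrong webroot or extra location/proxy definition", and this reply's "both names resolve to the same address, so the wrong server answers"), as an added example that is not part of the original thread and not Certbot's own code. It resolves the name through a public resolver the way the Let's Encrypt validator would, separately through the system resolver (which on a LAN behind pfSense host overrides may give a different answer), writes a throwaway probe file where `certbot --webroot` would place a token, and fetches it over plain HTTP pinned to the public address with `curl --resolve` so that local overrides cannot mask the result. The hostname, webroot path and the resolver 1.1.1.1 are placeholders and assumptions, as are `dig` and `curl` being installed:

```shell
#!/bin/sh
# Added example: http-01 pre-flight for a split-DNS setup.
# Assumes dig and curl are installed; hostname/webroot/resolver are placeholders.
# Usage: sh acme_preflight.sh --run mail.example.test /var/www/html [1.1.1.1]

# Resolve HOST's IPv4 A records, optionally via RESOLVER; one address per line.
acme_resolve() {
  host=$1; resolver=$2
  if [ -n "$resolver" ]; then set -- "$host" "@$resolver"; else set -- "$host"; fi
  dig +short A "$@" | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# Random 32-hex-char probe name, so a stale cached 404 cannot be mistaken for a hit.
acme_token() {
  head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Write the probe file exactly where certbot --webroot would put a challenge.
# Prints the path written; returns non-zero if the directory cannot be created or written.
acme_probe_write() {
  webroot=$1; token=$2
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir" || return 1
  printf 'probe-%s' "$token" > "$dir/$token" || return 1
  printf '%s\n' "$dir/$token"
}

# Fetch the probe over HTTP, pinning HOST to IP so the LAN's host override is bypassed.
# Returns 0 only if the body is exactly what was written (a 404 page will not match).
acme_probe_fetch() {
  host=$1; token=$2; ip=$3
  body=$(curl -sS --max-time 10 --resolve "$host:80:$ip" \
           "http://$host/.well-known/acme-challenge/$token") || return 1
  [ "$body" = "probe-$token" ]
}

# Driver: compare DNS views, then prove the public address serves the webroot.
acme_preflight() {
  host=$1; webroot=$2; resolver=${3:-1.1.1.1}
  public_ip=$(acme_resolve "$host" "$resolver" | head -n 1)
  local_ip=$(acme_resolve "$host" "" | head -n 1)
  printf 'public view via %s: %s\nlocal view: %s\n' \
    "$resolver" "${public_ip:-none}" "${local_ip:-none}"
  if [ -z "$public_ip" ]; then
    echo "no public A record: the CA cannot reach this name" >&2; return 1
  fi
  if [ "$public_ip" != "$local_ip" ]; then
    echo "note: split DNS in effect; only the public view matters to the CA"
  fi
  token=$(acme_token)
  path=$(acme_probe_write "$webroot" "$token") || {
    echo "cannot write under $webroot: wrong webroot or permissions" >&2; return 1; }
  if acme_probe_fetch "$host" "$token" "$public_ip"; then
    echo "OK: $public_ip serves $webroot/.well-known/acme-challenge/"
    rc=0
  else
    echo "FAIL: $public_ip did not return the probe; check which VM port 80 on the WAN" \
         "address is forwarded to, and any location/proxy rule for /.well-known/" >&2
    rc=1
  fi
  rm -f "$path"
  return $rc
}

case "${1:-}" in --run) acme_preflight "$2" "$3" "$4" ;; esac
```

If the public and local views differ and the fetch fails, the problem is on the path the validator actually takes: the WAN address's port-80 forward in pfSense and the web server's handling of `/.well-known/acme-challenge/` on whichever VM receives it, not the BIND zone itself. If the probe is served, the webroot is right and the remaining suspects are a `location` or proxy rule that is only hit for the exact challenge path.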

My bad. I am using split DNS. BIND9 is running on DO and pointing to my WAN's IP, then using host overrides in pfSense to point to each of the hosts. Mail and web are on separate VMs but on the same VM server.

It's your job to explain your complete configuration.

Nobody can see that. It's a waste of time if we have to collect all things you know.

I am using split DNS. BIND9 is running on DO and pointing to my WAN's IP, then using host overrides in pfSense to point to each of the hosts. Mail and web are on separate VMs but on the same VM server.