Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: sebbe.eu
I ran this command: (custom script)
It produced this output:
First run:
root@sebastian-desktop:/etc/nsd# ./certrenew.pl
Creating challenge for sebbe.eu
Creating challenge for www.sebbe.eu
Creating challenge for dns1.sebbe.eu
Creating challenge for dns2.sebbe.eu
Creating challenge for printer.sebbe.eu
Creating challenge for mail.sebbe.eu
Creating challenge for smtp.sebbe.eu
Creating challenge for imap.sebbe.eu
Writing challenges to zone file
Signing DNSSEC data…
Submitting challenges for validation…
Getting validation results…
Failed authorization for “www.sebbe.eu”! at ./certrenew.pl line 156.
Second run:
root@sebastian-desktop:/etc/nsd# ./certrenew.pl
Creating challenge for sebbe.eu
Creating challenge for www.sebbe.eu
Creating challenge for dns1.sebbe.eu
Creating challenge for dns2.sebbe.eu
Creating challenge for printer.sebbe.eu
Creating challenge for mail.sebbe.eu
Creating challenge for smtp.sebbe.eu
Creating challenge for imap.sebbe.eu
Writing challenges to zone file
Signing DNSSEC data…
Submitting challenges for validation…
Getting validation results…
Failed authorization for “mail.sebbe.eu”! at ./certrenew.pl line 156.
My web server is (include version): NGINX (not applicable since I use dns-01)
The operating system my web server runs on is (include version):
Linux sebastian-desktop 4.15.0-48-generic #51-Ubuntu SMP Wed Apr 3 08:28:49 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
Script source:
https://pastebin.com/dTrqbeMq
zonefile (signed):
https://pastebin.com/rJ4EZxJn
zonefile (unsigned):
https://pastebin.com/Uievsynr
NOTE: The script has worked previously. The last good certificate from that script is:
https://crt.sh/?id=1488350275
First fail of above script: 2019-06-13
(Did something at Let’s Encrypt change between 2019-05-13 and 2019-06-13?)
NOTE: Machines dns1.sebbe.eu and dns2.sebbe.eu are the SAME physical machine. Thus there are no zone transfers or delays involved; all DNS changes go live immediately unless there’s a cache in front of Let’s Encrypt. (There’s a reverse NAT in front of that machine that ensures requests for 2001:470:dff1:1:10::1, 2001:470:dff1:1:10::2, 193.187.91.106 and 185.86.106.232 are routed to the very same machine.)
The reason for the reverse NAT is to bypass registrar limitations that you need TWO operational nameservers with different IPs to be able to set custom nameservers for the domain.