Not Able to renew the certificate

My domain is: sph1.hims.ayusmart.com;sph2.hims.ayusmart.com;stph.hims.ayusmart.com

I ran this command: certbot renew

It produced this output:
[root@hims ~]# /opt/lampp/lampp stopapache
XAMPP: Stopping Apache...ok.
[root@hims ~]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/sph1.hims.ayusmart.com.conf


Certificate not yet due for renewal


Processing /etc/letsencrypt/renewal/sph2.hims.ayusmart.com.conf


Renewing an existing certificate for sph2.hims.ayusmart.com


Processing /etc/letsencrypt/renewal/stph.hims.ayusmart.com.conf


Failed to renew certificate stph.hims.ayusmart.com with error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f12ca73f460>: Failed to establish a new connection: [Errno -2] Name or service not known'))


The following certificates are not due for renewal yet:
/etc/letsencrypt/live/sph1.hims.ayusmart.com/fullchain.pem expires on 2024-02-02 (skipped)
The following renewals succeeded:
/etc/letsencrypt/live/sph2.hims.ayusmart.com/fullchain.pem (success)

The following renewals failed:
/etc/letsencrypt/live/stph.hims.ayusmart.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): XAMPP

The operating system my web server runs on is (include version):
[root@hims ~]# /opt/lampp/lampp version
Version: XAMPP for Linux 7.2.34-0

My hosting provider, if applicable, is: None. Bare metal installation

I can login to a root shell on my machine (yes or no, or I don't know): Yes.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): [root@hims ~]# certbot --version
certbot 2.7.4

Welcome @avinashh

You have several odd things happening. One is that each time you renew each of those 3 names you get 2 certs for each. You should only be getting one. We'll come back to this later.

The above error about "Name or service not known" is a problem with your local DNS resolver.

Another odd thing is your 3rd example above for the sph2 subdomain says it renewed successfully. But if your DNS resolver was broken, it should not renew either. And yet another odd thing is the sph2 subdomain was renewed (twice) several days ago, so it should not need renewing again. We will come back to these later too.

So, let us start with the "Errno -2" issue as that is preventing renewal of a cert that expires in 9 days.

Does that problem repeat when using this command?

certbot renew --dry-run --cert-name stph.hims.ayusmart.com

From the looks of that, it seems like you are using certbot in --standalone mode, which implies HTTP-01 authentication.
HTTP authentication requires HTTP access to validate the ACME challenge request.
But the three names don't use the same IP:

Name:    stph.hims.ayusmart.com
Address: 49.204.92.146

Name:    sph1.hims.ayusmart.com
Address: 49.204.92.146

Name:    sph2.hims.ayusmart.com
Address: 106.51.86.194

What is the IP of the server you are running this command on?


Here is the network diagram:

[root@hims ~]# certbot renew --dry-run --cert-name stph.hims.ayusmart.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/stph.hims.ayusmart.com.conf


Simulating renewal of an existing certificate for stph.hims.ayusmart.com


Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/stph.hims.ayusmart.com/fullchain.pem (success)


You have mail in /var/spool/mail/root
[root@hims ~]# certbot renew --cert-name stph.hims.ayusmart.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/stph.hims.ayusmart.com.conf


Failed to renew certificate stph.hims.ayusmart.com with error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f9f21c1b0a0>: Failed to establish a new connection: [Errno -2] Name or service not known'))


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/stph.hims.ayusmart.com/fullchain.pem (failure)


That's unusual to have --dry-run succeed but production fail for that reason.

What do these show?

curl -I https://acme-staging-v02.api.letsencrypt.org/directory
curl -I https://acme-v02.api.letsencrypt.org/directory

What shows?:
cat /etc/hosts
cat /etc/resolv.conf

[hims@hims ~]$ curl -I https://acme-staging-v02.api.letsencrypt.org/directory
curl: (6) Could not resolve host: acme-staging-v02.api.letsencrypt.org; Unknown error
[hims@hims ~]$ curl -I https://acme-v02.api.letsencrypt.org/directory
curl: (6) Could not resolve host: acme-v02.api.letsencrypt.org; Unknown error

[hims@hims ~]$ cat /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
[hims@hims ~]$ cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 125.22.47.125
nameserver 4.2.2.2
nameserver 172.21.0.1
# NOTE: the libc resolver may not support more than 3 nameservers.
# The nameservers listed below may not be recognized.
nameserver 172.21.0.2

What shows?:

dig acme-v02.api.letsencrypt.org 125.22.47.125
dig acme-v02.api.letsencrypt.org 4.2.2.2
dig acme-v02.api.letsencrypt.org 172.21.0.1
dig acme-v02.api.letsencrypt.org 172.21.0.2
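The checks asked for above (curl against the two ACME directory URLs, dig against each nameserver in /etc/resolv.conf) can be folded into one script. The script below is an added example written for this thread, not something posted by the participants or shipped with certbot. It assumes dig (bind-utils) is installed, that the script is saved under the hypothetical name acme-dns-check.sh, and it probes the two ACME endpoints named in the thread. Two details it builds in: dig takes the server to query as @server (dig name 1.2.3.4 queries the system resolver for two names, and the SERVER: line in dig's output reports whichever resolver actually answered, not necessarily the first one listed), and glibc only uses the first three nameserver lines in resolv.conf, which the file's own NetworkManager comment warns about.

```shell
#!/bin/sh
# Added diagnostic for the thread above (not the poster's or certbot's code).
# Probes every nameserver in a resolv.conf-style file directly, with
# "dig @server", for the ACME endpoints, and reports which resolvers work.
# Assumptions: dig is installed; hostnames are the ACME v2 prod/staging API.

ACME_HOSTS="acme-v02.api.letsencrypt.org acme-staging-v02.api.letsencrypt.org"

# Print nameserver IPs from a resolv.conf file, one per line. glibc honours
# only the first three (MAXNS), so later ones are tagged as never used.
resolvers_from() {
    awk '$1 == "nameserver" {
             n++
             if (n <= 3) print $2
             else        print $2 " IGNORED_BY_LIBC"
         }' "$1"
}

# Query one resolver directly for one name. Prints "<ns> <name> <status>",
# where status is dig's rcode (NOERROR, SERVFAIL, NXDOMAIN, ...) or TIMEOUT
# when no reply arrives within 3 seconds.
probe_resolver() {
    ns=$1; name=$2
    out=$(dig @"$ns" "$name" A +time=3 +tries=1 2>/dev/null)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p')
    [ -n "$status" ] || status=TIMEOUT
    printf '%s %s %s\n' "$ns" "$name" "$status"
}

# Read "ns name status" lines on stdin and print the resolvers that answered
# NOERROR for every name probed: the ones worth keeping in resolv.conf.
working_resolvers() {
    awk '
        { names[$2] = 1 }
        $3 == "NOERROR" { ok[$1]++ }
        END {
            n = 0; for (h in names) n++
            for (ns in ok) if (ok[ns] == n) print ns
        }'
}

main() {
    conf=${1:-/etc/resolv.conf}
    command -v dig >/dev/null 2>&1 || { echo "dig not found (install bind-utils)" >&2; return 1; }
    results=$(resolvers_from "$conf" | while read -r ns flag; do
        if [ -n "$flag" ]; then
            echo "note: $ns is past the 3-nameserver limit and is never used" >&2
            continue
        fi
        for h in $ACME_HOSTS; do probe_resolver "$ns" "$h"; done
    done)
    printf '%s\n' "$results"
    echo "resolvers answering NOERROR for all ACME hosts:"
    printf '%s\n' "$results" | working_resolvers
}

# Only probe when invoked as: sh acme-dns-check.sh probe [/path/to/resolv.conf]
# so the functions can also be sourced or tested without touching the network.
if [ "${1:-}" = probe ]; then
    main "${2:-}"
fi
```

Running it with `probe` on the resolv.conf shown above would list each resolver's rcode for both ACME names and then the resolvers that are actually usable; those are the ones to keep, as the reply below suggests. Since that resolv.conf is generated by NetworkManager, change the nameserver list through NetworkManager rather than editing the file directly, or the next regeneration will put the failing resolvers back.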
[hims@hims ~]$ dig acme-v02.api.letsencrypt.org 125.22.47.125

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7 <<>> acme-v02.api.letsencrypt.org 125.22.47.125
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42678
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;acme-v02.api.letsencrypt.org.  IN      A

;; Query time: 5588 msec
;; SERVER: 172.21.0.1#53(172.21.0.1)
;; WHEN: Sat Nov 11 11:46:00 IST 2023
;; MSG SIZE  rcvd: 57

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21251
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;125.22.47.125.                 IN      A

;; Query time: 4591 msec
;; SERVER: 172.21.0.1#53(172.21.0.1)
;; WHEN: Sat Nov 11 11:46:13 IST 2023
;; MSG SIZE  rcvd: 42
[hims@hims ~]$ dig acme-v02.api.letsencrypt.org 4.2.2.2

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7 <<>> acme-v02.api.letsencrypt.org 4.2.2.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55129
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;acme-v02.api.letsencrypt.org.  IN      A

;; Query time: 4528 msec
;; SERVER: 172.21.0.1#53(172.21.0.1)
;; WHEN: Sat Nov 11 11:46:36 IST 2023
;; MSG SIZE  rcvd: 57

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54449
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;4.2.2.2.                       IN      A

;; Query time: 4595 msec
;; SERVER: 172.21.0.1#53(172.21.0.1)
;; WHEN: Sat Nov 11 11:46:50 IST 2023
;; MSG SIZE  rcvd: 36
[hims@hims ~]$ dig acme-v02.api.letsencrypt.org 172.21.0.1

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7 <<>> acme-v02.api.letsencrypt.org 172.21.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10650
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;acme-v02.api.letsencrypt.org.  IN      A

;; ANSWER SECTION:
acme-v02.api.letsencrypt.org. 4756 IN   CNAME   prod.api.letsencrypt.org.
prod.api.letsencrypt.org. 158   IN      CNAME   ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com. 188 IN A 172.65.32.248

;; Query time: 41 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Sat Nov 11 11:46:52 IST 2023
;; MSG SIZE  rcvd: 155

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26677
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;172.21.0.1.                    IN      A

;; AUTHORITY SECTION:
.                       2099    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2023111100 1800 900 604800 86400

;; Query time: 105 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Sat Nov 11 11:46:53 IST 2023
;; MSG SIZE  rcvd: 114
[hims@hims ~]$ dig acme-v02.api.letsencrypt.org 172.21.0.2

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7 <<>> acme-v02.api.letsencrypt.org 172.21.0.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52898
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;acme-v02.api.letsencrypt.org.  IN      A

;; Query time: 5053 msec
;; SERVER: 172.21.0.1#53(172.21.0.1)
;; WHEN: Sat Nov 11 11:47:11 IST 2023
;; MSG SIZE  rcvd: 57

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59327
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;172.21.0.2.                    IN      A

;; AUTHORITY SECTION:
.                       2153    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2023111100 1800 900 604800 86400

;; Query time: 188 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Sat Nov 11 11:47:20 IST 2023
;; MSG SIZE  rcvd: 114

Our firewall is managed by a third party; if some rules need to be added there, we can get it done. Please let us know.

It seems like most of the DNS servers fail [or are being blocked by the firewall].
I would test other public DNS systems and change the list to only show those DNS servers that work.
Like: IP 172.21.0.1


We tried one more time today and were able to renew the certificate for stph.hims.ayusmart.com.
Thanks a lot for the support.


As 4.2.2.2 is a public resolver from Level3 and from my side it resolves correctly, there would be a transparent DNS catcher on the firewall.
