Hi, I have a problem renewing a certificate which was renewed many times before. First of all I was just running into a timeout - then I changed the MTU of my eth0 and now I got a specific error message.
https://crt.sh/?q=www.podor.ch
My domain is: www.podor.ch
I use the actual docker-certbot container to run it and I have no problems with other domains.
It produced this output:
` 2020-06-15 13:23:00,766:DEBUG:certbot._internal.main:certbot version: 1.5.0
2020-06-15 13:23:00,767:DEBUG:certbot._internal.main:Arguments: ['--non-interactive', '--email', 'domains@loremipsum.at', '--agree-tos', '--force-renewal', '--authenticator', 'webroot', '--webroot-path', '/var/certbot-acme-challenge/', '--cert-name', 'podoroils.com', '--domain', 'podoroils.com', '--domain', 'www.podoroils.com', '--domain', 'shop.podoroils.com', '--domain', 'podorhuile.fr', '--domain', 'www.podorhuile.fr', '--domain', 'podor.co.uk', '--domain', 'www.podor.co.uk', '--domain', 'shop.podor.co.uk', '--domain', 'podor.com.au', '--domain', 'www.podor.com.au', '--domain', 'podor.de', '--domain', 'www.podor.de', '--domain', 'shop.podoroele.de', '--domain', 'shop.podor.at', '--domain', 'shop.podor.hu', '--domain', 'podor.ch', '--domain', 'www.podor.ch', '--domain', 'shop.podor.ch', '--domain', 'podor.ru', '--domain', 'www.podor.ru', '--domain', 'podor.lu', '--domain', 'www.podor.lu', '--domain', 'podor.se', '--domain', 'www.podor.se', '--domain', 'podor.jp', '--domain', 'www.podor.jp', '--domain', 'podor.es', '--domain', 'www.podor.es', '--domain', 'podor.pl', '--domain', 'www.podor.pl', '--domain', 'podor.nl', '--domain', 'www.podor.nl', '--domain', 'podor.sk', '--domain', 'www.podor.sk', '--domain', 'podor.dk', '--domain', 'www.podor.dk', '--domain', 'podor.tw', '--domain', 'www.podor.tw', '--domain', 'podoroele.de', '--domain', 'www.podoroele.de', '--domain', 'podor.at', '--domain', 'www.podor.at', '--domain', 'podor.hu', '--domain', 'www.podor.hu', '--domain', 'de.podor.ch', '--domain', 'dev.podor.hu', '--domain', 'dev.podor.ch', '--domain', 'dev.podor.co.uk', '--domain', 'dev.podoroils.com', '--domain', 'de.shop.podor.ch', '--domain', 'shop.podor.com.au', '--domain', 'dev.podor.com.au', '--domain', 'podorhuile.fr', '--domain', 'www.podorhuile.fr', '--domain', 'shop.podorhuile.fr', '--domain', 'podorhuile.be', '--domain', 'www.podorhuile.be', '--domain', 'shop.podorhuile.be', '--domain', 'www.de.podor.ch', '--domain', 'shop.podor.pl', '--domain', 'shop.podor.nl', '--domain', 'shop.podor.tw', '--domain', 'podor-oil.com', '--domain', 'www.podor-oil.com', '--domain', 'shop.podor-oil.com', '--domain', 'podorme.com', '--domain', 'www.podorme.com', '--domain', 'shop.podorme.com', '--domain', 'ar.podorme.com', '--domain', 'ar.shop.podorme.com', '--domain', 'store.podor.hu', '--domain', 'localonlinepartner.at', '--domain', 'www.localonlinepartner.at', '--domain', 'localonlinepartner.de', '--domain', 'www.localonlinepartner.de', '--domain', 'localonlinepartner.ch', '--domain', 'www.localonlinepartner.ch', '--domain', 'localonlinepartner.com', '--domain', 'www.localonlinepartner.com', '--domain', 'new.podor.sk', '--domain', 'new.podor.jp']
2020-06-15 13:23:00,767:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-06-15 13:23:00,925:DEBUG:certbot._internal.log:Root logging level set at 20
2020-06-15 13:23:00,926:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-06-15 13:23:00,928:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2020-06-15 13:23:00,941:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
.
.
.
2020-06-15 13:23:31,146:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/finalize/478444/3778870753 HTTP/1.1" 403 None
2020-06-15 13:23:31,148:DEBUG:acme.client:Received response:
HTTP 403
Server: nginx
Date: Mon, 15 Jun 2020 13:23:31 GMT
Content-Type: application/problem+json
Transfer-Encoding: chunked
Connection: keep-alive
Boulder-Requester: 478444
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0101cWMUnuN5U4wbRcpSbnlPHsC_gk-IZVgdmVImzOwqaHU
{
"type": "urn:ietf:params:acme:error:caa",
"detail": "Error finalizing order :: Rechecking CAA for \"dev.podor.ch\" and 7 more identifiers failed. Refer to sub-problems for more information",
"status": 403,
"subproblems": [
{
"type": "urn:ietf:params:acme:error:caa",
"detail": "Error finalizing order :: While processing CAA for dev.podor.ch: DNS problem: SERVFAIL looking up CAA for dev.podor.ch - the domain's nameservers may be malfunctioning",
"status": 403,
"identifier": {
"type": "dns",
"value": "dev.podor.ch"
}
},
{
"type": "urn:ietf:params:acme:error:caa",
"detail": "Error finalizing order :: While processing CAA for shop.podor.ch: DNS problem: SERVFAIL looking up CAA for shop.podor.ch - the domain's nameservers may be malfunctioning",
"status": 403,
"identifier": {
"type": "dns",
"value": "shop.podor.ch"
}
},
{
"type": "urn:ietf:params:acme:error:caa",
"detail": "Error finalizing order :: While processing CAA for podoroele.de: DNS problem: SERVFAIL looking up CAA for podoroele.de - the domain's nameservers may be malfunctioning",
"status": 403,
"identifier": {
"type": "dns",
"value": "podoroele.de"
}
},
{
"type": "urn:ietf:params:acme:error:caa",
"detail": "Error finalizing order :: While processing CAA for new.podor.jp: DNS problem: SERVFAIL looking up CAA for podor.jp - the domain's nameservers may be malfunctioning",
"status": 403,
"identifier": {
"type": "dns",
"value": "new.podor.jp"
}
},
{
"type": "urn:ietf:params:acme:error:caa",
"detail": "Error finalizing order :: While processing CAA for shop.podor.pl: DNS problem: SERVFAIL looking up CAA for podor.pl - the domain's nameservers may be malfunctioning",
"status": 403,
"identifier": {
"type": "dns",
"value": "shop.podor.pl"
}
},
{
"type": "urn:ietf:params:acme:error:caa",
"detail": "Error finalizing order :: While processing CAA for shop.podoroele.de: DNS problem: SERVFAIL looking up CAA for podoroele.de - the domain's nameservers may be malfunctioning",
"status": 403,
"identifier": {
"type": "dns",
"value": "shop.podoroele.de"
}
},
{
"type": "urn:ietf:params:acme:error:caa",
"detail": "Error finalizing order :: While processing CAA for www.podor.se: DNS problem: SERVFAIL looking up CAA for podor.se - the domain's nameservers may be malfunctioning",
"status": 403,
"identifier": {
"type": "dns",
"value": "www.podor.se"
}
},
{
"type": "urn:ietf:params:acme:error:caa",
"detail": "Error finalizing order :: While processing CAA for www.podor.nl: DNS problem: SERVFAIL looking up CAA for podor.nl - the domain's nameservers may be malfunctioning",
"status": 403,
"identifier": {
"type": "dns",
"value": "www.podor.nl"
}
}
]
}
2020-06-15 13:23:31,149:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/local/bin/certbot", line 11, in <module>
load_entry_point('certbot', 'console_scripts', 'certbot')()
File "/opt/certbot/src/certbot/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1347, in main
return config.func(config, plugins)
File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1233, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 116, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/opt/certbot/src/certbot/certbot/_internal/renewal.py", line 306, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/opt/certbot/src/certbot/certbot/_internal/client.py", line 359, in obtain_certificate
cert, chain = self.obtain_certificate_from_csr(csr, orderr)
File "/opt/certbot/src/certbot/certbot/_internal/client.py", line 291, in obtain_certificate_from_csr
orderr = self.acme.finalize_order(orderr, deadline)
File "/opt/certbot/src/acme/acme/client.py", line 901, in finalize_order
return self.client.finalize_order(orderr, deadline)
File "/opt/certbot/src/acme/acme/client.py", line 749, in finalize_order
self._post(orderr.body.finalize, wrapped_csr)
File "/opt/certbot/src/acme/acme/client.py", line 96, in _post
return self.net.post(*args, **kwargs)
File "/opt/certbot/src/acme/acme/client.py", line 1177, in post
return self._post_once(*args, **kwargs)
File "/opt/certbot/src/acme/acme/client.py", line 1190, in _post_once
response = self._check_response(response, content_type=content_type)
File "/opt/certbot/src/acme/acme/client.py", line 1048, in _check_response
raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:caa :: Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate :: Error finalizing order :: Rechecking CAA for "dev.podor.ch" and 7 more identifiers failed. Refer to sub-problems for more information
2020-06-15 13:23:31,157:ERROR:certbot._internal.log:An unexpected error occurred:
2020-06-15 13:23:31,157:ERROR:certbot._internal.log:Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate :: Error finalizing order :: Rechecking CAA for "dev.podor.ch" and 7 more identifiers failed. Refer to sub-problems for more information`
It says the CAA check failed because of a wrong response - but my provider told me that there is no wrong answer on their side.
Does anyone know what I can do now, because it already worked many times and since this renewal period it is failing?
@edit:
Just tested the feedback from letsdebug.net - it always tells me that there is no error…
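
An added example, not part of the original post: a small Python parser for the `application/problem+json` body shown in the log. It groups the failing identifiers by the name whose CAA lookup actually returned SERVFAIL, which is often a parent name (`podor.jp` for `new.podor.jp`). The regular expression assumes the wording of the `detail` text seen in this log; that text is free-form, and the sample below is an abbreviated, reconstructed copy of four of the eight sub-problems.

```python
import json
import re
from collections import defaultdict

CAA_ERROR = "urn:ietf:params:acme:error:caa"

def _sub(ident, looked_up):
    # Rebuilds one sub-problem in the shape shown in the log above.
    return {"type": CAA_ERROR, "status": 403,
            "detail": f"Error finalizing order :: While processing CAA for {ident}: "
                      f"DNS problem: SERVFAIL looking up CAA for {looked_up} - "
                      "the domain's nameservers may be malfunctioning",
            "identifier": {"type": "dns", "value": ident}}

# Constructed sample: identifiers and lookup names taken from the post.
PROBLEM = json.dumps({
    "type": CAA_ERROR, "status": 403,
    "subproblems": [_sub("dev.podor.ch", "dev.podor.ch"),
                    _sub("podoroele.de", "podoroele.de"),
                    _sub("new.podor.jp", "podor.jp"),
                    _sub("shop.podoroele.de", "podoroele.de")],
})

# Assumption: matches the detail wording in this log, not a stable format.
LOOKUP_RE = re.compile(r"DNS problem: (\w+) looking up CAA for (\S+)")

def failing_caa_lookups(problem_json):
    """Return {(queried_name, rcode): [requested identifiers]} for CAA errors."""
    doc = json.loads(problem_json)
    # Per-identifier errors live in "subproblems"; fall back to the
    # top-level object when the server sends none.
    problems = doc.get("subproblems") or [doc]
    grouped = defaultdict(list)
    for sub in problems:
        if sub.get("type") != CAA_ERROR:
            continue
        ident = sub.get("identifier", {}).get("value", "<unknown>")
        match = LOOKUP_RE.search(sub.get("detail", ""))
        # Keep entries whose detail cannot be parsed instead of dropping them.
        key = (match.group(2), match.group(1)) if match else (ident, "unparsed")
        grouped[key].append(ident)
    return dict(grouped)

if __name__ == "__main__":
    for (name, rcode), idents in sorted(failing_caa_lookups(PROBLEM).items()):
        print(f"{rcode:9} CAA {name:20} blocks: {', '.join(idents)}")
```

The first column of each key is the name to query for CAA directly at that zone's authoritative nameservers, for example with `dig CAA podor.jp`.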