My domain is:
seimem.uniovi.es,hais2018.uniovi.es (Fixed and public IP: 156.35.23.135)
I ran this command:
./letsencrypt-auto certonly --apache --renew-by-default -d seimem.uniovi.es,hais2018.uniovi.es
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for seimem.uniovi.es
tls-sni-01 challenge for hais2018.uniovi.es
Waiting for verification…
Failed authorization procedure. hais2018.uniovi.es (tls-sni-01): urn:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for hais2018.uniovi.es, seimem.uniovi.es (tls-sni-01): urn:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for seimem.uniovi.es
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: hais2018.uniovi.es
Type: unknownHost
Detail: No valid IP addresses found for hais2018.uniovi.es
Domain: seimem.uniovi.es
Type: unknownHost
Detail: No valid IP addresses found for seimem.uniovi.es
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version):
Apache with SSL module installed
The operating system my web server runs on is (include version):
Scientific Linux 7.0
My hosting provider, if applicable, is:
Uniovi.es
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes. I’m the manager.
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
I don’t know what the problem is, since we have set the crontab to renew the certificate automatically, but it didn’t do so correctly. So I tried to renew the certificate manually using the command:
./letsencrypt-auto certonly --apache --renew-by-default -d seimem.uniovi.es,hais2018.uniovi.es
That command states that it can’t resolve the IP, but I can ping both domains correctly:
ping seimem.uniovi.es
ping hais2018.uniovi.es
I think the problem isn’t the IP but the challenge used (tls-sni-01) combined with old software (letsencrypt-auto).
Regarding the tls-sni-01 challenge, it was disabled a month ago due to security issues, and old versions of letsencrypt-auto (now its name is certbot-auto) always use the tls-sni-01 challenge when using the apache plugin… from version 0.21.0 it uses the http-01 challenge, so:
1.- You should upgrade your letsencrypt-auto version (as I said now it is certbot-auto).
2.- The upgrade is what you should do but you can also try to use the http-01 challenge with your current version:
./letsencrypt-auto certonly -a webroot -i apache -w /path/to/webroot/ -d seimem.uniovi.es,hais2018.uniovi.es
and run the command with the new parameters:
./letsencrypt-auto certonly -a webroot -i apache -w /mnt/datos/www/html/seimem/ -d seimem.uniovi.es -w /mnt/datos/www/html/hais2018/ -d hais2018.uniovi.es
But this is the new output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for seimem.uniovi.es
http-01 challenge for hais2018.uniovi.es
Using the webroot path /mnt/datos/www/html/hais2018 for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Unable to clean up challenge directory /mnt/datos/www/html/hais2018/.well-known/acme-challenge
Failed authorization procedure. hais2018.uniovi.es (http-01): urn:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for hais2018.uniovi.es
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: hais2018.uniovi.es
Type: unknownHost
Detail: No valid IP addresses found for hais2018.uniovi.es
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Updated
I think the problem is with the domain hais2018.uniovi.es. I was not the administrator who created the certificate 3 months ago, but I was informed that he created the certificate for both domains: seimem.uniovi.es and hais2018.uniovi.es. Now I guess that the certificate was only created for seimem.uniovi.es. If I renew the certificate only for seimem.uniovi.es I get a successful output. How can I add hais2018.uniovi.es to the current certificate? Or is the problem related to the DNS record of hais2018.uniovi.es? I've tried to renew the certificate only with hais2018.uniovi.es and the output is the same... (No valid IP addresses found for hais2018.uniovi.es)
@delacal, I can’t see any issue with your IP; it is configured the same way for both domains… anyway, I see you already issued a new cert for the hais2018 domain.
CRT ID DOMAIN (CN) VALID FROM VALID TO EXPIRES IN SANs
331328841 hais2018.uniovi.es 2018-Feb-15 08:53 UTC 2018-May-16 08:53 UTC 89 days hais2018.uniovi.es
I’ve just obtained a new certificate using this command:
./letsencrypt-auto certonly --verbose -a webroot -i apache -w /mnt/datos/www/html/hais2018/ -d hais2018.uniovi.es http://hais2018.uniovi.es/
and the output was successful:
Writing new config /etc/letsencrypt/renewal/hais2018.uniovi.es.conf.
Reporting to user: Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/hais2018.uniovi.es/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/hais2018.uniovi.es/privkey.pem
Your cert will expire on 2018-05-16. To obtain a new or tweaked version of this certificate in the future, simply run letsencrypt-auto again. To non-interactively renew all of your certificates, run "letsencrypt-auto renew"
Reporting to user: If you like Certbot, please consider supporting our work by:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/hais2018.uniovi.es/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/hais2018.uniovi.es/privkey.pem
Your cert will expire on 2018-05-16. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again. To non-interactively renew all of your
certificates, run “letsencrypt-auto renew”
If you like Certbot, please consider supporting our work by:
But previously I had run the same command without --verbose:
./letsencrypt-auto certonly -a webroot -i apache -w /mnt/datos/www/html/hais2018/ -d hais2018.uniovi.es http://hais2018.uniovi.es/
and I had gotten the Unknown IP address Error for hais2018.
I know that in 3 months I have to renew both certificates… and I don’t know how to ensure that I won’t have problems. Any idea?
There is no need to put http://hais2018.uniovi.es/ in your command; also, using --verbose should have no effect on the result, just that you get more info about the process.
Maybe there was some kind of issue with your authoritative DNS servers, or maybe on Let's Encrypt's side, but it seems it was just a temporary error; I wouldn't worry about it.
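
As an added example (not part of the original thread or of certbot itself), the two failure causes discussed above can be told apart mechanically from the client output: a tls-sni-01 challenge means the client needs upgrading or switching to http-01, while unknownHost on http-01 matched the temporary resolution failure seen here. The function names and the verdict strings are assumptions made for this sketch; the sample line is copied from the first run quoted in the thread.

```shell
#!/bin/sh
# Sample input: the failure line from the first run quoted in this thread.
SAMPLE='Failed authorization procedure. hais2018.uniovi.es (tls-sni-01): urn:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for hais2018.uniovi.es, seimem.uniovi.es (tls-sni-01): urn:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for seimem.uniovi.es'

# Read client output on stdin and print one "domain challenge error"
# triple per failed authorization (hypothetical helper).
parse_failures() {
    grep -E 'Failed authorization procedure\.' |
    grep -oE '[A-Za-z0-9.-]+ \((tls-sni-01|http-01|dns-01)\): urn:acme:error:[A-Za-z]+' |
    sed -E 's/^([^ ]+) \(([^)]+)\): urn:acme:error:(.+)$/\1 \2 \3/'
}

# Read client output on stdin and print a verdict (labels are made up here):
#   no-failure         no failed authorization in the output
#   switch-to-http-01  tls-sni-01 was attempted; it is disabled, so a retry
#                      with the same client and plugin cannot succeed
#   retry-later-dns    every failure is unknownHost on a live challenge type,
#                      the pattern that turned out to be temporary in the thread
#   investigate        anything else
triage() {
    failures=$(parse_failures)
    [ -n "$failures" ] || { echo "no-failure"; return 0; }
    if echo "$failures" | grep -q ' tls-sni-01 '; then
        echo "switch-to-http-01"
    elif echo "$failures" | awk '$3 != "unknownHost" {bad=1} END {exit bad}'; then
        echo "retry-later-dns"
    else
        echo "investigate"
    fi
}

# Stand-alone run on the sample: list the failures, then the verdict.
printf '%s\n' "$SAMPLE" | parse_failures
printf '%s\n' "$SAMPLE" | triage
```

In a cron job the same functions can read the saved output of the renewal command, so that a transient DNS failure schedules a retry while a tls-sni-01 failure raises an alert to upgrade the client.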