Problems renewing my certificate

My domain is:
seimem.uniovi.es,hais2018.uniovi.es (Fix and Public IP: 156.35.23.135)

I ran this command:
./letsencrypt-auto certonly --apache --renew-by-default -d seimem.uniovi.es,hais2018.uniovi.es

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for seimem.uniovi.es
tls-sni-01 challenge for hais2018.uniovi.es
Waiting for verification…
Failed authorization procedure. hais2018.uniovi.es (tls-sni-01): urn:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for hais2018.uniovi.es, seimem.uniovi.es (tls-sni-01): urn:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for seimem.uniovi.es

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: hais2018.uniovi.es
    Type: unknownHost
    Detail: No valid IP addresses found for hais2018.uniovi.es

    Domain: seimem.uniovi.es
    Type: unknownHost
    Detail: No valid IP addresses found for seimem.uniovi.es

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

Here you can find the detaild output: PasteBin

My web server is (include version):
Apache with SSL module installed

The operating system my web server runs on is (include version):
Scientific Linux 7.0

My hosting provider, if applicable, is:
Uniovi.es

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes. I’m the manager .

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

I don’t know whats the problems since we have set the crontab to renew automatically the certificate, but it didn’t correcly. So I tried to renew the certificate manually using the command:
./letsencrypt-auto certonly --apache --renew-by-default -d seimem.uniovi.es,hais2018.uniovi.es

That command states that can’t resolve the IP, but I can ping correctly both domains:
ping seimem.uniovi.es
ping hais2018.uniovi.es

Thank very much in advance.

Hola @delacal,

I think the problem isn’t the ip but the challenge used (tls-sni-01) and a combination of old software (letsencrypt-auto).

Regarding tls-sni-01 challenge, it has been disabled a month ago due to security issues and old versions of letsencrypt-auto (now its name is certbot-auto) when using apache plugin always use tls-sni-01 challenge… from version 0.21.0 it uses http-01 challenge so:

1.- You should upgrade your letsencrypt-auto version (as I said now it is certbot-auto).

2.- The upgrade is what you should do but you can also try to use the http-01 challenge with your current version:

./letsencrypt-auto certonly -a webroot -i apache -w /path/to/webroot/ -d seimem.uniovi.es,hais2018.uniovi.es

if your domains are using different webroots

./letsencrypt-auto certonly -a webroot -i apache -w /path/to/seimen-webroot/ -d seimem.uniovi.es -w /path/to/hais2018-webroot/ -d hais2018.uniovi.es

Note: I’ve removed parameter --renew-by-default you should not use it.

Un saludo,
sahsanu

1 Like

Thank you for you quick answer.

I’ve followed the two steps:

  1. Update certbot
  2. and run the command with the new parameters:
    ./letsencrypt-auto certonly -a webroot -i apache -w /mnt/datos/www/html/seimem/ -d seimem.uniovi.es -w /mnt/datos/www/html/hais2018/ -d hais2018.uniovi.es

But this the new output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for seimem.uniovi.es
http-01 challenge for hais2018.uniovi.es
Using the webroot path /mnt/datos/www/html/hais2018 for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Unable to clean up challenge directory /mnt/datos/www/html/hais2018/.well-known/acme-challenge
Failed authorization procedure. hais2018.uniovi.es (http-01): urn:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for hais2018.uniovi.es

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: hais2018.uniovi.es
    Type: unknownHost
    Detail: No valid IP addresses found for hais2018.uniovi.es

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

Updated

I think the problem is with the domain hais2018.uniovi.es. I was not the administrador who created the certificate 3 months ago, but I was informed that he created the certificate for both domains: seimem.uniovi.es and hais2018.uniovi.es. Now I guess that the certificate was only created for seimem.uniovi.es . If I renew the certificate only for seimem.uniovi.es I get an sucessfully output. How can I add hais2018.uniovi.es to the current certificate? Or the problem is related with the DNS register of hais2018.uniovi.es? I’ve tried to renew the certificate only with hais2018.uniovi.es and the output is the same… (No valid IP addresses found for hais2018.uniovi.es)

@delacal, I can’t see any issue with your ip, it is configured the same way for both domains… anyway, I’m seeing you already issued a new cert for hais2018 domain.

CRT ID     DOMAIN (CN)         VALID FROM             VALID TO               EXPIRES IN  SANs
331328841  hais2018.uniovi.es  2018-Feb-15 08:53 UTC  2018-May-16 08:53 UTC  89 days     hais2018.uniovi.es

Hello.

I’ve just obtained a new certificate using this command:
./letsencrypt-auto certonly --verbose -a webroot -i apache -w /mnt/datos/www/html/hais2018/ -d hais2018.uniovi.es http://hais2018.uniovi.es/
and the output was successfully:

Writing new config /etc/letsencrypt/renewal/hais2018.uniovi.es.conf.
Reporting to user: Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/hais2018.uniovi.es/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/hais2018.uniovi.es/privkey.pem
Your cert will expire on 2018-05-16. To obtain a new or tweaked version of this certificate in the future, simply run letsencrypt-auto again. To non-interactively renew all of your certificates, run "letsencrypt-auto renew"
Reporting to user: If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/hais2018.uniovi.es/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/hais2018.uniovi.es/privkey.pem
    Your cert will expire on 2018-05-16. To obtain a new or tweaked
    version of this certificate in the future, simply run
    letsencrypt-auto again. To non-interactively renew all of your
    certificates, run “letsencrypt-auto renew”
  • If you like Certbot, please consider supporting our work by:

But previously I had run the same command without —verbose:
./letsencrypt-auto certonly -a webroot -i apache -w /mnt/datos/www/html/hais2018/ -d hais2018.uniovi.es http://hais2018.uniovi.es/

and I had gotten the Unknown IP address Error for hais2018.

I know that in 3 months I have to renew both certificates… and I don’t know how to ensure that I won’t have problems. Any idea?

Regards.

Enrique.

There is no need to put http://hais2018.uniovi.es/ on your command, also using --verbose should have no effect on the result, just that you get more info about the process.

Maybe there was some kind of issues with your authoritative DNS servers or maybe from Let’s Encrypt side but seems it was just a temporary error, I won’t worry about it.

sahsanu https://community.letsencrypt.org/u/sahsanu Community leader
February 15
delacal:
./letsencrypt-auto certonly --verbose -a webroot -i apache -w /mnt/datos/www/html/hais2018/ -d hais2018.uniovi.es http://hais2018.uniovi.es/ http://hais2018.uniovi.es/
There is no need to put http://hais2018.uniovi.es/ on your command, also using --verbose should have no effect on the result, just that you get more info about the process.

I so sorry, It was only a typing mistake. The right command I typed was:

./letsencrypt-auto certonly --verbose -a webroot -i apache -w /mnt/datos/www/html/hais2018/ -d hais2018.uniovi.es

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.