Problems with certificate renewal

It had always renewed fine, but this time it stopped and showed this error:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: 415.spb.ru
Type: dns
Detail: DNS problem: query timed out looking up A for 415.spb.ru; DNS problem: query timed out looking up AAAA for 415.spb.ru

There are no problems with DNS; all servers are responding and all records are present:

$ dig 415.spb.ru

; <<>> DiG 9.14.7 <<>> 415.spb.ru
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28815
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: b00770a77a3b4a4cac7d75d864ff8cf3b97a06554f9f06e8 (good)
;; QUESTION SECTION:
;415.spb.ru. IN A

;; ANSWER SECTION:
415.spb.ru. 86400 IN A 94.188.24.138

;; Query time: 0 msec
;; SERVER: 212.237.58.144#53(212.237.58.144)
;; WHEN: вт сент. 12 00:56:03 MSK 2023
;; MSG SIZE rcvd: 83

$ dig +nssearch 415.spb.ru
SOA 415.spb.ru. root.vampyr.msk.ru. 2003072349 21600 7200 3600000 86400 from server 212.237.58.144 in 0 ms.
SOA 415.spb.ru. root.vampyr.msk.ru. 2003072349 21600 7200 3600000 86400 from server 62.205.180.198 in 71 ms.
SOA 415.spb.ru. root.vampyr.msk.ru. 2003072349 21600 7200 3600000 86400 from server 94.188.24.138 in 73 ms.

There are no problems with the firewall; the connection to the address mentioned in the logs can be established:

telnet acme-v02.api.letsencrypt.org 443

Trying 172.65.32.248...
Connected to ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
Escape character is '^]'.
^]

On another server with exactly the same settings for all daemons, the certificate for another domain was renewed normally.

My domain is: 415.spb.ru

I ran this command: /usr/local/bin/certbot renew

It produced this output: shown above

My web server is (include version): apache24

The operating system my web server runs on is (include version): FreeBSD 12.3

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Y

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.22.0

I smell a temporary error. Wait a few hours and try again.

https://unboundtest.com/m/A/415.spb.ru/K2AKY3UN


Yes, there have been similar topics here for other .ru domains.
I would advise to include at least one nameserver outside the .ru TLD.


One of the slave named servers for this domain is in Italy. It doesn't help. The certificates have still not been renewed.

Can you try every 4-12 hours or so?

Do you always get the same error?

That does not mean this:

At least one of your nameservers should be on a different domain, be it .com or anything else (can you still use .su? does it have different nameservers than .ru?)

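An offline sanity check for the two things the replies point at: whether every authoritative server answers with the same SOA serial (parsed from the `dig +nssearch` lines quoted above) and whether the whole NS set sits under a single TLD. This is an added example, not code from the thread; the NS hostnames are placeholders because the thread never lists them, and the regex assumes the one-line-per-server format of `dig +nssearch` from BIND 9.14 shown above.

```python
import re

# Constructed sample: the SOA lines as `dig +nssearch 415.spb.ru` printed them in the thread.
NSSEARCH_OUTPUT = """\
SOA 415.spb.ru. root.vampyr.msk.ru. 2003072349 21600 7200 3600000 86400 from server 212.237.58.144 in 0 ms.
SOA 415.spb.ru. root.vampyr.msk.ru. 2003072349 21600 7200 3600000 86400 from server 62.205.180.198 in 71 ms.
SOA 415.spb.ru. root.vampyr.msk.ru. 2003072349 21600 7200 3600000 86400 from server 94.188.24.138 in 73 ms.
"""

# Hypothetical NS hostnames: the thread never lists them, so these are placeholders
# chosen to show the "every nameserver under one TLD" condition the replies warn about.
NS_HOSTNAMES = ["ns1.example.ru", "ns2.example.ru", "ns3.example.ru"]

# Assumes the one-line-per-server format of `dig +nssearch` from BIND 9.14 shown above.
SOA_LINE = re.compile(
    r"^SOA \S+ \S+ (?P<serial>\d+) \d+ \d+ \d+ \d+ "
    r"from server (?P<server>\S+) in (?P<rtt>\d+) ms\.$"
)


def parse_nssearch(text):
    """Return (server_ip, soa_serial, rtt_ms) for each line of `dig +nssearch` output."""
    out = []
    for line in text.splitlines():
        m = SOA_LINE.match(line.strip())
        if m:
            out.append((m["server"], int(m["serial"]), int(m["rtt"])))
    return out


def serials_consistent(results):
    """True when every authoritative server answered with the same SOA serial."""
    return len({serial for _, serial, _ in results}) == 1


def slow_servers(results, threshold_ms):
    """IPs whose SOA round-trip exceeded threshold_ms from the querying host."""
    return [ip for ip, _, rtt in results if rtt > threshold_ms]


def tld_of(hostname):
    """Last label of a hostname, lower-cased, ignoring a trailing dot."""
    return hostname.rstrip(".").rsplit(".", 1)[-1].lower()


def all_in_one_tld(ns_hostnames):
    """True when the whole NS set sits under a single TLD (no out-of-TLD nameserver)."""
    return len({tld_of(ns) for ns in ns_hostnames}) == 1


if __name__ == "__main__":
    rows = parse_nssearch(NSSEARCH_OUTPUT)
    print("servers:", len(rows), "serials consistent:", serials_consistent(rows))
    print("slower than 50 ms:", slow_servers(rows, 50), "single TLD:", all_in_one_tld(NS_HOSTNAMES))
```

Round-trip times measured from your own host say nothing about what the CA's validation resolvers see, so a clean local result (as in the thread) does not rule out timeouts from elsewhere.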

Sorry, I misunderstood; I was thinking about something else. )) No, I only have .ru. SU is the Soviet Union ))), it no longer exists. All my servers are aimed at users inside the .ru zone network, but recent events make us think about a lot of things, including changing the registrar.

Now:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: 415.spb.ru
Type: dns
Detail: DNS problem: looking up CAA for spb.ru: DNSSEC: Bogus

Domain: mail.415.spb.ru
Type: dns
Detail: DNS problem: query timed out looking up CAA for mail.415.spb.ru

Domain: www.415.spb.ru
Type: dns
Detail: During secondary validation: DNS problem: query timed out looking up A for www.415.spb.ru; DNS problem: query timed out looking up AAAA for www.415.spb.ru

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate 415.spb.ru with error: Some challenges have failed.
