Raspberry pi renewal fails

Hello there - a newbie here so please be gentle

Using a raspberry pi with Jessie running a simple apache wordpress site at www.shining.lighting

Initial I installed with sudo certbot --apache

all seems well, but when I run the dry run renewal process the following errors are thrown up:

~ $ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/shining.lighting.conf

Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for shining.lighting
Encountered vhost ambiguity but unable to ask for user guidance in non-interactive mode. Currently Certbot needs each vhost to be in its own conf file, and may need vhosts to be explicitly labelled with ServerName or ServerAlias directories.
Falling back to default vhost *:443…
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/shining.lighting.conf produced an unexpected error: Failed authorization procedure. shining.lighting (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up CAA for shining.lighting. Skipping.
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/shining.lighting/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)


  • The following errors were reported by the server:

    Domain: shining.lighting
    Type: connection
    Detail: DNS problem: SERVFAIL looking up CAA for shining.lighting

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

I’ve checked and as far as I can tell DNS A record is correct

Any help would be greatly appreciated

From a quick look you appear to have problems on your DNS - see http://dnsviz.net/d/shining.lighting/dnssec/

@serverco: As far as I know, “INSECURE” isn’t an error with regards to DNSSEC. It just resembles the fact the DNSSEC chain isn’t completed fully to the end, but also signifies it isn’t set up in a way that it should. But it’s not an error (you’ll see “ERROR” and red stuff if that happens).

1 Like

Thanks - good to know. I, mistakenly, thought Let’s Encrypt didn’t like that.

Well, after some checking I’m seeing all kinds of “INSECURE” delegations, but those don’t have warnings with them :stuck_out_tongue: So in the case of shining.lightning, you might be richt :wink: Not because of the “INSECURE” messages, but because of the warnings which normally won’t come with a insecure delegation.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.