Raspberry pi renewal fails

Help
1

Hello there - a newbie here so please be gentle

Using a raspberry pi with Jessie running a simple apache wordpress site at www.shining.lighting

Initial I installed with sudo certbot --apache

all seems well, but when I run the dry run renewal process the following errors are thrown up:

~ $ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/shining.lighting.conf

Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for shining.lighting
Encountered vhost ambiguity but unable to ask for user guidance in non-interactive mode. Currently Certbot needs each vhost to be in its own conf file, and may need vhosts to be explicitly labelled with ServerName or ServerAlias directories.
Falling back to default vhost *:443ā€¦
Waiting for verificationā€¦
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/shining.lighting.conf produced an unexpected error: Failed authorization procedure. shining.lighting (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up CAA for shining.lighting. Skipping.
** DRY RUN: simulating ā€˜certbot renewā€™ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/shining.lighting/fullchain.pem (failure)
** DRY RUN: simulating ā€˜certbot renewā€™ close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: shining.lighting
    Type: connection
    Detail: DNS problem: SERVFAIL looking up CAA for shining.lighting

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If youā€™re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

Iā€™ve checked and as far as I can tell DNS A record is correct

Any help would be greatly appreciated

2

From a quick look you appear to have problems on your DNS - see http://dnsviz.net/d/shining.lighting/dnssec/

3

@serverco: As far as I know, ā€œINSECUREā€ isnā€™t an error with regards to DNSSEC. It just resembles the fact the DNSSEC chain isnā€™t completed fully to the end, but also signifies it isnā€™t set up in a way that it should. But itā€™s not an error (youā€™ll see ā€œERRORā€ and red stuff if that happens).

1 Like
4

Thanks - good to know. I, mistakenly, thought Letā€™s Encrypt didnā€™t like that.

5

Well, after some checking Iā€™m seeing all kinds of ā€œINSECUREā€ delegations, but those donā€™t have warnings with them :stuck_out_tongue: So in the case of shining.lightning, you might be richt :wink: Not because of the ā€œINSECUREā€ messages, but because of the warnings which normally wonā€™t come with a insecure delegation.

6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.