Renew certificate failed on Debian

Hi, on Debian 11 with Bind9 9.16 with DNSSEC and certbot 1.12, certificate renewal failed

My domain is:
flaman-h7a.fr

I ran this command:
certbot certonly --force-renew --dry-run --domain "flaman-h7a.fr" --domain "*.flaman-h7a.fr" --csr /etc/letsencrypt/live-ecdsa/wildcard.flaman-h7a.fr/csr-p384.pem --manual

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Performing the following challenges:
dns-01 challenge for flaman-h7a.fr
http-01 challenge for flaman-h7a.fr


Please deploy a DNS TXT record under the name
_acme-challenge.flaman-h7a.fr with the following value:

sf30tEAKo3pwDtqgWmKeSiECdhhRLFgIKF0R6HSFWgU

Before continuing, verify the record is deployed.


Press Enter to Continue


Create a file containing just this data:

MJgX-ocJMXGW2At_l2hh6ue4RdHw8jX3CEFvBgQ-IrI.92gCFMxEbYFkpRt9UXD5W5f7VzouDuSN7o6eV7MZP2U

And make it available on your web server at this URL:

http://flaman-h7a.fr/.well-known/acme-challenge/MJgX-ocJMXGW2At_l2hh6ue4RdHw8jX3CEFvBgQ-IrI

(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet.)


Press Enter to Continue
Waiting for verification...
Challenge failed for domain flaman-h7a.fr
Challenge failed for domain flaman-h7a.fr
http-01 challenge for flaman-h7a.fr
dns-01 challenge for flaman-h7a.fr
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: flaman-h7a.fr
    Type: dns
    Detail: DNS problem: SERVFAIL looking up A for flaman-h7a.fr - the
    domain's nameservers may be malfunctioning; DNS problem: SERVFAIL
    looking up AAAA for flaman-h7a.fr - the domain's nameservers may be
    malfunctioning

    Domain: flaman-h7a.fr
    Type: dns
    Detail: DNS problem: SERVFAIL looking up TXT for
    _acme-challenge.flaman-h7a.fr - the domain's nameservers may be
    malfunctioning

The DNS TXT propagation is good and the http challenge also.

My web server is (include version):
traefik/nginx

This error is reproduced without DNSSEC also

Thanks for your help.

Regards

Does that error repeat? Because using unboundtest I consistently get good results for both the A and TXT records. unboundtest uses a similar method to Let's Encrypt servers to lookup DNS records.

https://unboundtest.com/m/TXT/_acme-challenge.flaman-h7a.fr/NUWN5V7K

And, note that --force-renew does not fix problems. And, it often leads to problems with Rate Limits, so you should avoid using it.

2 Likes

Try removing any unnecessary TXT records first:

_acme-challenge.flaman-h7a.fr text = "127.0.0.1"
_acme-challenge.flaman-h7a.fr text = "my-first-dns-dynamic-update"
_acme-challenge.flaman-h7a.fr text = "vf0a78xQxs8P5PcFJebSi8C7T8K-9DUgAaSgWOJexbM"
1 Like

There is also a troubling issue with one of the authoritative nameservers:

flaman-h7a.fr   nameserver = nssec.online.net
flaman-h7a.fr   nameserver = ns.flaman-h7a.fr

nssec.online.net seems to be offline.
Or rather, it fails to respond as expected to any request for your domain:

dig NS flaman-h7a.fr @nssec.online.net

; <<>> DiG 9.11.3-1ubuntu1.17-Ubuntu <<>> NS flaman-h7a.fr @nssec.online.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 53910
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;flaman-h7a.fr.                 IN      NS

;; Query time: 108 msec
;; SERVER: 62.210.16.8#53(62.210.16.8)
;; WHEN: Thu May 19 19:59:49 UTC 2022
;; MSG SIZE  rcvd: 42

2 Likes
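The check above can be automated: this added example (not from the thread) sends each authoritative nameserver a query with recursion disabled, the way a recursive resolver would, and reports any that answer REFUSED, SERVFAIL or not at all. It assumes UDP port 53 is reachable and resolves the two nameserver hostnames from the thread at run time.

```python
import socket
import struct
# Added example, not from the thread: query each authoritative NS directly, RD=0.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPES = {"A": 1, "NS": 2, "TXT": 16, "AAAA": 28}
BAD = ("FORMERR", "SERVFAIL", "NOTIMP", "REFUSED", "TIMEOUT")

def build_query(name, qtype, txid=0x1234):
    """Minimal DNS query: all header flags clear (RD=0, like dig +norecurse)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)

def parse_rcode(response, txid=0x1234):
    """RCODE name of a response, after checking the ID and the QR bit."""
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF))

def query_ns(name, qtype, ns_ip, timeout=3.0):
    """One UDP query to ns_ip; returns the RCODE name or 'TIMEOUT'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (ns_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT"
    return parse_rcode(data)

def check_zone(ns_ips, questions):
    """Ask every NS every (name, type); a resolver may pick any NS, so one bad
    answer here is enough to explain intermittent SERVFAIL at the resolver."""
    problems = []
    for ns in ns_ips:
        for name, qtype in questions:
            rcode = query_ns(name, qtype, ns)
            if rcode in BAD:
                problems.append((ns, name, qtype, rcode))
    return problems

if __name__ == "__main__":
    # Nameservers and names from the thread; addresses resolved at run time.
    zone = "flaman-h7a.fr"
    ns_ips = [socket.gethostbyname(h) for h in ("ns.flaman-h7a.fr", "nssec.online.net")]
    questions = [(zone, "A"), (zone, "AAAA"), ("_acme-challenge." + zone, "TXT")]
    for ns, name, qtype, rcode in check_zone(ns_ips, questions):
        print("%s answered %s for %s %s" % (ns, rcode, qtype, name))
```

Only the RCODE is inspected; an NS that answers NOERROR with the wrong data still needs a look at the full dig output.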

Hi,

Using --server https://acme-v02.api.letsencrypt.org/directory, it works! By using two challenges.

It's strange... because all day long it was impossible to make the renewal work properly.

Thanks for your help.

Regards

Nicolas

1 Like

I'm glad to hear that...
But it sounds like pure luck or chance.

2 Likes

Two things:

Please don't use --force-renewal to renew a certificate which is already due for renewal. This option does not magically make Let's Encrypt skip any failed validation. Otherwise it would be a GRAVE defect in the whole web PKI. A valid validation is required, no matter how many --force-renewal options you're using.

Secondly, why are you using the --csr option? This is really a very handicapped option. I also see you're messing with the directories in /etc/letsencrypt/ which is another thing I don't recommend. Maybe Certbot is not the ideal ACME client for you if you're bypassing most features of it?

3 Likes

I agree with rg305, setting --server would not change anything. That --server value is the default already. From the docs:

--server SERVER   ACME Directory Resource URI.
  (default: https://acme-v02.api.letsencrypt.org/directory)
2 Likes

Ok, I understand.

With this command, at this hour, it works now, after an afternoon of failures.
certbot certonly --dry-run --domain "flaman-h7a.fr" --domain "*.flaman-h7a.fr" --dns-rfc2136 --dns-rfc2136-credentials /etc/bind/.rfc-2136.ini --dns-rfc2136-propagation-seconds 30 --renew-by-default --agree-tos
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-rfc2136, Installer None
Simulating a certificate request for flaman-h7a.fr and *.flaman-h7a.fr
Performing the following challenges:
dns-01 challenge for flaman-h7a.fr
dns-01 challenge for flaman-h7a.fr
Waiting 30 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:

  • The dry run was successful.

Please don't use this option. It's a synonym of --force-renewal. It's also not necessary to include for testing purposes when using --dry-run. --dry-run will always issue a certificate from the staging (for testing purposes, nothing more) server, regardless of whether the current certificate is still valid and/or not due for renewal.

Besides that your command looks way better than your previous one :slight_smile: Don't forget to add a --deploy-hook to reload any service using the certificate, as you're using certbot without an installer plugin.

3 Likes

Ok, I'm really struggling tonight.

1 Like

You can find out what all options mean by running certbot --help all.

But besides the --renew-by-default it looks good :slight_smile:

3 Likes

This may be the reason it fails most of the time:

3 Likes
