Renew Certificate Failed

Centos 7 + Apache

When I manually renew the certificate via "/bin/certbot renew", it reports a failure.

Would you help me find where it is wrong?

Thanks in advance.

[az***nn212 bin]$ sudo certbot renew
[sudo] password for **min:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/****er.com.cn.conf


OCSP check failed for /etc/letsencrypt/archive//****er.com.cn/cert1.pem (are we offline?)
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for /****er.com.cn
Waiting for verification...
Challenge failed for domain /****er.com.cn
http-01 challenge for /****er.com.cn
Cleaning up challenges
Attempting to renew cert (/****er.com.cn) from /etc/letsencrypt/renewal//****er.com.cn.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live//****er.com.cn/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live//****er.com.cn/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

Hi @KingChen,

I don't believe anyone here will be able to help you without knowing your real domain name, in order to do our own tests.

Two sites that were built by community members here that might help you diagnose certain kinds of problems on your own are


hi Schoen

The domain is persona.servier.com.cn


Thanks. Right now, your server's DNS name is CNAMEd to personapp.chinanorth2.cloudapp.chinacloudapi.cn—is that the same server where you're running this Certbot command? Is it possible that this is a shared server which is different from the one where you're running Certbot?


ns1+ns2.windowsazure.cn are unresponsive:

    QUESTIONS:
        persona.servier.com.cn, type = AAAA, class = IN
    ANSWERS:
    ->  persona.servier.com.cn
        canonical name = personapp.chinanorth2.cloudapp.chinacloudapi.cn
        ttl = 600 (10 mins)
    AUTHORITY RECORDS:
    ->  chinanorth2.cloudapp.chinacloudapi.cn
        ttl = 60 (1 min)
        primary name server = ns1.windowsazure.cn
        responsible mail addr = ns2.windowsazure.cn

nslookup persona.servier.com.cn ns1.windowsazure.cn
Server:  UnKnown
Address:  42.159.0.94
*** UnKnown can't find persona.servier.com.cn: No response from server

nslookup persona.servier.com.cn ns2.windowsazure.cn
Server:  UnKnown
Address:  42.159.129.94
*** UnKnown can't find persona.servier.com.cn: No response from server

Oddly enough, the shorter path shows some different name servers:

nslookup -q=ns chinacloudapi.cn
chinacloudapi.cn        nameserver = ns1-201.azure-dns-3.cn
chinacloudapi.cn        nameserver = ns2-201.azure-dns-3.cn
chinacloudapi.cn        nameserver = ns3-201.azure-dns-3.cn
chinacloudapi.cn        nameserver = ns4-201.azure-dns-3.cn

nslookup -q=ns chinanorth2.cloudapp.chinacloudapi.cn
chinanorth2.cloudapp.chinacloudapi.cn   nameserver = ns1-02.azure-dns.cn
chinanorth2.cloudapp.chinacloudapi.cn   nameserver = ns2-02.azure-dns.cn
chinanorth2.cloudapp.chinacloudapi.cn   nameserver = ns3-02.azure-dns.cn
chinanorth2.cloudapp.chinacloudapi.cn   nameserver = ns4-02.azure-dns.cn

Lo and behold:
When querying those servers, your name (CNAME) does resolve:

nslookup personapp.chinanorth2.cloudapp.chinacloudapi.cn ns1-201.azure-dns-3.cn
Server:  UnKnown
Address:  40.73.192.201
Name:    personapp.chinanorth2.cloudapp.chinacloudapi.cn
Served by:
- ns1-02.azure-dns.cn chinanorth2.cloudapp.chinacloudapi.cn
- ns2-02.azure-dns.cn chinanorth2.cloudapp.chinacloudapi.cn
- ns3-02.azure-dns.cn chinanorth2.cloudapp.chinacloudapi.cn
- ns4-02.azure-dns.cn chinanorth2.cloudapp.chinacloudapi.cn

nslookup personapp.chinanorth2.cloudapp.chinacloudapi.cn ns1-02.azure-dns.cn
Server:  UnKnown
Address:  40.73.192.2
Name:    personapp.chinanorth2.cloudapp.chinacloudapi.cn
Address:  139.217.112.174

The CNAME is persona.servier.com.cn, and the server alias name is personapp.chinanorth2.cloudapp.chinacloudapi.cn.
The first time I created the certificate, it was only for the CNAME.


How to deal with the problem? For now I can access the URL.


The rest of the world can't reach the nameservers that resolve that CNAME.
So they can't access the URL.

Bring this to the attention of whomever handles the DNS for your CNAME.


The IP of the name has to be found via authoritative servers ONLY.
LE will follow that authoritative chain until it does.
Unfortunately, that chain breaks at: ns1.windowsazure.cn ns2.windowsazure.cn
See: https://letsdebug.net/persona.servier.com.cn/366867
Also: https://ednscomp.isc.org/ednscomp/444de3beec

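The two replies above make the same point from different angles: a CA validator such as Let's Encrypt's does not use your recursive resolver's cache, it walks the delegation chain from the root and asks only the servers that are authoritative for each step, so if every server delegated for one zone times out the name is unresolvable no matter what a local lookup shows. The following is an added example, not code from the thread or from Certbot, that models that walk offline: a toy authoritative-only resolver over a constructed delegation tree built from the nslookup output posted above. The names for the root, cn. and servier.com.cn. servers are placeholders; the BROKEN_ZONES case is a what-if in which the only delegated servers for chinanorth2.cloudapp.chinacloudapi.cn are the two windowsazure.cn hosts that did not respond in the thread.

```python
"""Toy authoritative-only resolver walking a delegation chain from the root.

Added example for the thread above, not Certbot or Let's Encrypt code.
Zone data is CONSTRUCTED from the nslookup output in the thread; the
root, cn. and servier.com.cn. nameservers are placeholders.
"""
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str      # apex with trailing dot, e.g. "chinacloudapi.cn."
    servers: dict  # nameserver name -> True if it answers, False if it times out
    records: dict = field(default_factory=dict)  # owner -> (rtype, rdata)


class ChainBroken(Exception):
    """Raised when no server delegated for a zone answers at all."""

    def __init__(self, zone, servers):
        super().__init__(f"no authoritative server for {zone} answered: {', '.join(servers)}")
        self.zone, self.servers = zone, servers


def _query(zone, qname):
    """Ask the zone's servers about qname; returns (kind, data).

    kind is "referral" (data = child zone name), "answer" (data = (rtype, rdata))
    or "nxdomain". Unlike a recursive resolver there is no cache to fall back on:
    if every server for this zone is unresponsive the chain is simply broken.
    """
    if not any(zone.servers.values()):
        raise ChainBroken(zone.name, list(zone.servers))
    labels = qname.split(".")
    # Longest match first: the exact owner, then each parent name below the apex.
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if owner == zone.name or owner not in zone.records:
            continue
        rtype, rdata = zone.records[owner]
        if rtype == "NS":
            return "referral", rdata  # rdata names the child zone
        if owner == qname:
            return "answer", (rtype, rdata)
    return "nxdomain", None


def resolve(qname, zones, max_steps=16):
    """Return (ip, trail); trail records (zone, kind, data) for each step taken."""
    trail, zone, target = [], zones["."], qname
    for _ in range(max_steps):
        kind, data = _query(zone, target)
        trail.append((zone.name, kind, data))
        if kind == "referral":
            zone = zones[data]
        elif kind == "answer" and data[0] == "CNAME":
            target, zone = data[1], zones["."]  # chase the alias from the root again
        elif kind == "answer":
            return data[1], trail
        else:
            return None, trail
    raise RuntimeError("too many steps: delegation or CNAME loop?")


def chain_break_point(qname, zones):
    """Name of the zone whose servers all fail, or None if qname resolves cleanly."""
    try:
        resolve(qname, zones)
    except ChainBroken as e:
        return e.zone
    return None


def build_zones(chinanorth2_servers):
    """Delegation tree from the thread; only the chinanorth2 server set varies."""
    zones = [
        Zone(".", {"root.example.": True}, {"cn.": ("NS", "cn.")}),
        Zone("cn.", {"ns.cn.example.": True},  # placeholder servers
             {"servier.com.cn.": ("NS", "servier.com.cn."),
              "chinacloudapi.cn.": ("NS", "chinacloudapi.cn.")}),
        Zone("servier.com.cn.", {"ns.servier.example.": True},  # placeholder
             {"persona.servier.com.cn.":
              ("CNAME", "personapp.chinanorth2.cloudapp.chinacloudapi.cn.")}),
        Zone("chinacloudapi.cn.",
             {f"ns{i}-201.azure-dns-3.cn.": True for i in range(1, 5)},
             {"chinanorth2.cloudapp.chinacloudapi.cn.":
              ("NS", "chinanorth2.cloudapp.chinacloudapi.cn.")}),
        Zone("chinanorth2.cloudapp.chinacloudapi.cn.", chinanorth2_servers,
             {"personapp.chinanorth2.cloudapp.chinacloudapi.cn.": ("A", "139.217.112.174")}),
    ]
    return {z.name: z for z in zones}


# The servers that answered in the thread's nslookup output.
GOOD_ZONES = build_zones({f"ns{i}-02.azure-dns.cn.": True for i in range(1, 5)})
# What-if: the only delegated servers are the two that timed out in the thread.
BROKEN_ZONES = build_zones({"ns1.windowsazure.cn.": False, "ns2.windowsazure.cn.": False})

if __name__ == "__main__":
    ip, trail = resolve("persona.servier.com.cn.", GOOD_ZONES)
    for step in trail:
        print(step)
    print("resolved to", ip)
    print("break point in what-if tree:", chain_break_point("persona.servier.com.cn.", BROKEN_ZONES))
```

Run as a script it prints the seven-step trail (root, cn., the CNAME at servier.com.cn., then the alias chased from the root again down to the A record) and then names chinanorth2.cloudapp.chinacloudapi.cn. as the zone where the what-if chain breaks. That is the distinction the thread turns on: a recursive resolver that already has the alias cached will happily hand back the address, while a validator that must reach the delegated servers itself cannot.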

@rg305, I agree that the nameservers are sometimes giving problems, and that that could interfere with issuance of @KingChen's certificate—but I don't think that's the problem that he encountered here, because the error from Let's Encrypt would be different in that case. (When I re-ran the Let's Debug test, it was very slow, but it eventually succeeded.)

@KingChen, could you please clarify whether 139.217.112.174 is your own server, that you are the administrator of?


The server IP is 139.217.112.174; I am the administrator of the server.

