Renew fails no valid ip address

gmgj · October 17, 2019, 3:07pm

My stack shows as lamp, but, it is really lemp.

Domain name based hosting, > 500 domains per 1 ip

The automated plain vanilla certbot renew procedure throws the error you will see after the —

If I can no longer change the ip address, what should I do?
Delete the certificate?
Report the certificate, to who?

certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: www.drgregrileyblog.com
Type: None
Detail: No valid IP addresses found for www.drgregrileyblog.com

Domain: drgregrileyblog.com
Type: None
Detail: No valid IP addresses found for drgregrileyblog.com
2019-10-17 09:07:12,938:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 168, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 239, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. www.drgregrileyblog.com (http-01): urn:ietf:params:acme:error:dns :: No valid IP addresses found for www.drgregrileyblog.com, drgregrileyblog.com (http-01): urn:ietf:params:acme:error:dns :: No valid IP addresses found for drgregrileyblog.com

2019-10-17 09:07:12,938:DEBUG:certbot.error_handler:Calling registered functions
2019-10-17 09:07:12,938:INFO:certbot.auth_handler:Cleaning up challenges
2019-10-17 09:07:12,938:DEBUG:certbot.plugins.webroot:Removing /var/www/html/.well-known/acme-challenge/5RVMPc2GGHHMqyvMz4rGYOQdwrhK4vk-yottwVAjJws
2019-10-17 09:07:12,939:DEBUG:certbot.plugins.webroot:Removing /var/www/html/.well-known/acme-challenge/tvAPismr0AHzUilyvNH4e_LKkizRTybAAS5M6YqPDcA
2019-10-17 09:07:12,939:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2019-10-17 09:07:12,939:WARNING:certbot.renewal:Attempting to renew cert (drgregrileyblog.com) from /etc/letsencrypt/renewal/drgregrileyblog.com.conf produced an unexpected error: Failed authorization procedure. www.drgregrileyblog.com (http-01): urn:ietf:params:acme:error:dns :: No valid IP addresses found for www.drgregrileyblog.com, drgregrileyblog.com (http-01): urn:ietf:params:acme:error:dns :: No valid IP addresses found for drgregrileyblog.com. Skipping.
2019-10-17 09:07:12,966:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/certbot/renewal.py”, line 452, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1193, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 116, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File “/usr/lib/python3/dist-packages/certbot/renewal.py”, line 310, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 353, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 389, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 168, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 239, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. www.drgregrileyblog.com (http-01): urn:ietf:params:acme:error:dns :: No valid IP addresses found for www.drgregrileyblog.com, drgregrileyblog.com (http-01): urn:ietf:params:acme:error:dns :: No valid IP addresses found for drgregrileyblog.com

bershanskiy · October 17, 2019, 3:16pm

The problem is exactly what it is stated. The IP address for www.drgregrileyblog.com and drgregrileyblog.com is not found. I just checked with this.

There are two possible reasons:

You did not assign an IP with your registrar that you bought your domain from (may be, GoDaddy.com).
You recently (in the last 24 hours) assigned an IP with your registrar, but this information did not propagate to other domain name resolvers yet.

If you provide more information, I might be able to help.

bershanskiy · October 17, 2019, 3:22pm

FYI:

$ nslookup drgregrileyblog.com ns55.domaincontrol.com
Server:		ns55.domaincontrol.com
Address:	2603:5:21b2::1c#53

*** Can't find drgregrileyblog.com: No answer

$ nslookup drgregrileyblog.com 
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
*** Can't find drgregrileyblog.com: No answer

gmgj · October 17, 2019, 4:39pm

Thanks for the reply. In this case, we are going to revoke the cert.

bershanskiy · October 17, 2019, 4:41pm

In this case, we are going to revoke the cert.

Nowhere in the reply have I suggested revoking a certificate. You do NOT need to revoke certificates unless you suspect someone gained control of your private key or issued that certificate without authorization.

gmgj · October 17, 2019, 5:07pm

I understand, I have run into this before. But first, I use named based virtual hosting, 1 ip, >500 urls pointing same ip. think of this as a type of subscription service. Sites are added and deleted when people join when they leave.

The terms of service also say, if you no longer control the ip address, you should revoke the certificate. I wish I could search in my posts for the response that said and pointed out that in order to comply with the terms of service, I needed to revoke them.

If I don’t revoke (or delete) a certificate, that I no longer control the ip address for, it will try and renew

Does that make sense? Do admins have the capability to search with a persons posts?

mnordhoff · October 17, 2019, 5:26pm

If you just delete it, Certbot will also stop trying to renew it. You don't technically have to revoke it first.

But you're correct that the Subscriber Agreement requires that you revoke the certificate if you no longer control the domain. It's in sections 3.2 and 3.7 (and possibly others).

Morally, I'm not sure that what is potentially a temporary DNS misconfiguration qualifies, but from a rules perspective, I do not represent Let's Encrypt and decline to comment.

For what it's worth, Certbot has a command line option to disable automatic renewal, --no-autorenew. (This obviously isn't usually much help without a time machine.) But you can manually edit the renewal configuration file and set "autorenew = False".

bershanskiy · October 17, 2019, 5:51pm

Oh, I see, so you are no longer authorized to host that domain. Because of the title of the post, I thought you wanted to renew the cert for that domain, not remove it from the list for renewal.

@mnordhoff gives good advice: remove the certificate from renewal list first, and deal with revocation separately.

Also, thank you for being a responsible person and revoking the certificate for domains you are no longer authorized to service.

system · November 16, 2019, 5:51pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.