Renewal failed for a personal self-hosted web server (but it used to work)

Hi,

I know this is a common question, but I have looked at previous answers and they do not seem to help me.

I have a renewal failure in a small (raspberry-pi, with Raspbian), personal web server (Apache 2.4.10). I have been using and renewing Let’s Encrypt certificates flawlessly for that server for a year and a half now.

Certbot version: 0.10.2

The command (run via ssh in that server):
$ sudo certbot renew

The output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/rbejar.cps.unizar.es.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for rbejar.cps.unizar.es
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/rbejar.cps.unizar.es.conf produced an unexpected error: Failed authorization procedure. rbejar.cps.unizar.es (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: CAA record for rbejar.cps.unizar.es prevents issuance. Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/rbejar.cps.unizar.es/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: rbejar.cps.unizar.es
   Type:   connection
   Detail: CAA record for rbejar.cps.unizar.es prevents issuance

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

The server is behind a router. Port 443 is open on the router (the server is working correctly; I can connect with https from my web browser). There is no other firewall (software or hardware).

I have also tried the webroot and standalone plugins (opening port 80, and stopping the web server for the latter), but I receive similar answers.

The domain server rbejar.cps.unizar.es (the certificate is issued to that name) is a CNAME entry in the DNS, but AFAIK it has been so for all the time I have been using Let’s Encrypt.

These are the contents of /var/log/letsencrypt/letsencrypt.log (the addressResolved in there is right, that is the IP):

2017-07-11 14:41:49,578:DEBUG:certbot.main:Root logging level set at 20
2017-07-11 14:41:49,584:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-07-11 14:41:49,590:DEBUG:certbot.main:certbot version: 0.10.2
2017-07-11 14:41:49,590:DEBUG:certbot.main:Arguments: []
2017-07-11 14:41:49,595:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2017-07-11 14:41:49,654:DEBUG:parsedatetime:parse (top of loop): [30 days][]
2017-07-11 14:41:49,711:DEBUG:parsedatetime:CRE_UNITS matched
2017-07-11 14:41:49,715:DEBUG:parsedatetime:parse (bottom) [][30 days][][]
2017-07-11 14:41:49,715:DEBUG:parsedatetime:weekday False, dateStd False, dateStr False, time False, timeStr False, meridian False
2017-07-11 14:41:49,716:DEBUG:parsedatetime:dayStr False, modifier False, modifier2 False, units True, qunits False
2017-07-11 14:41:49,716:DEBUG:parsedatetime:_evalString(30 days, time.struct_time(tm_year=2017, tm_mon=7, tm_mday=11, tm_hour=14, tm_min=41, tm_sec=49, tm_wday=1, tm_yday=192, tm_isdst=0))
2017-07-11 14:41:49,717:DEBUG:parsedatetime:_buildTime: [30 ][][days]
2017-07-11 14:41:49,718:DEBUG:parsedatetime:units days --> realunit days
2017-07-11 14:41:49,718:DEBUG:parsedatetime:return
2017-07-11 14:41:49,719:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2017-07-31 09:10:00 UTC.
2017-07-11 14:41:49,719:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2017-07-11 14:41:49,851:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2017-07-11 14:41:53,353:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.configurator:ApacheConfigurator
Initialized: <certbot_apache.configurator.ApacheConfigurator object at 0x73b3ebb0>
Prep: True
2017-07-11 14:41:53,369:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.configurator:ApacheConfigurator
Initialized: <certbot_apache.configurator.ApacheConfigurator object at 0x73b3ebb0>
Prep: True
2017-07-11 14:41:53,371:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.configurator.ApacheConfigurator object at 0x73b3ebb0> and installer <certbot_apache.configurator.ApacheConfigurator object at 0x73b3ebb0>
2017-07-11 14:41:53,564:DEBUG:certbot.main:Picked account: <Account(64cdccec186078534c46e504b1b6c8f2)>
2017-07-11 14:41:53,577:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-07-11 14:41:53,597:INFO:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-07-11 14:41:54,167:DEBUG:urllib3.connectionpool:"GET /directory HTTP/1.1" 200 352
2017-07-11 14:41:54,171:DEBUG:acme.client:Received response:
HTTP 200
content-length: 352
strict-transport-security: max-age=604800
boulder-request-id: u8e1OvW98k_64InXmdpt-EoHGFtXQJnAKOWN2VYarjA
expires: Tue, 11 Jul 2017 14:41:54 GMT
server: nginx
connection: keep-alive
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Tue, 11 Jul 2017 14:41:54 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: Aic7jsZaaGuZ7Jw_nhbvd13Z1m7sEi6YuxsnVnW11lU

{
  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}
2017-07-11 14:41:54,173:INFO:certbot.main:Renewing an existing certificate
2017-07-11 14:41:54,176:DEBUG:root:Requesting fresh nonce
2017-07-11 14:41:54,177:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
2017-07-11 14:41:54,376:DEBUG:urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
2017-07-11 14:41:54,380:DEBUG:acme.client:Received response:
HTTP 405
content-length: 91
allow: POST
boulder-request-id: KZqgrvmaEnSBw1kSvZYdkW8HUERRrdh7MdNNv-Q5H5s
expires: Tue, 11 Jul 2017 14:41:54 GMT
server: nginx
connection: keep-alive
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Tue, 11 Jul 2017 14:41:54 GMT
content-type: application/problem+json
replay-nonce: OboEjWzXnJFwZ7SF1y9tUWMRCkdkr0yq4Rq0-UbRfoY


2017-07-11 14:41:54,381:DEBUG:acme.client:Storing nonce: OboEjWzXnJFwZ7SF1y9tUWMRCkdkr0yq4Rq0-UbRfoY
2017-07-11 14:41:54,387:DEBUG:acme.client:JWS payload:
{
  "identifier": {
    "type": "dns", 
    "value": "rbejar.cps.unizar.es"
  }, 
  "resource": "new-authz"
}
2017-07-11 14:41:54,453:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
  "header": {
    "alg": "RS256", 
    "jwk": {
      "e": "AQAB", 
      "kty": "RSA", 
      "n": "2tPXHiobTy5FGOMxld_IU9buMSbqrDtTro7oDfW5Gd_x_ov3IJWixAv9LLGMNykqvn64ExDVcdLVDry_1fTIR1GxJjkEC5lwrUcsMoIJg5rCu5HBY0Xj8GfhzO0o3s7t_94U6W6bE8-c_33YlG1D7OltVOTaHN57uEqygEETpT0jT03joM5X3ffEOmWMw9QDtAJ96awra67t3OiYJ80vcDk-Y5QHBYOHBIgsmnDVptqxLoKmP2jNbh3WyHf_10Q_PgXNC7kLJ62T7n-E9FuVyYHQ--_vGqLiyvXWtN77Aftoh3FTjStEhWRIi--aWCz5E5Zs4FzCshnNGUYYqF-8Fw"
    }
  }, 
  "protected": "eyJub25jZSI6ICJPYm9Fald6WG5KRndaN1NGMXk5dFVXTVJDa2RrcjB5cTRScTAtVWJSZm9ZIn0", 
  "payload": "ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwgCiAgICAidmFsdWUiOiAicmJlamFyLmNwcy51bml6YXIuZXMiCiAgfSwgCiAgInJlc291cmNlIjogIm5ldy1hdXRoeiIKfQ", 
  "signature": "MdsiUqS_6lklBw-snbR7I5Kkl9E3GFwXIvbWvrs1ybwZzNH2jrxmdYX_5Y3WScgkdmsjpHz9gu7xe-tVCWm-G3X330WklC37QKhnm1Fw_lguzUQFNqTOVt2NrDFLu_xA5v91HspKRh2gbL6yrgpIrp_tIs5tzBgPwZN7qTTjrom6_SO4R5GXWsl-SidZ0o7NBBYq6vXVqPoC17oQO3cjfHGoFbh-1dugjzGlJ4G1YgdSdEzuprX3nn2YxVBv4zmvXk6gnllOWn0FCqO11Uin1aRqHasfDDl61jCToLRKarYZ8FEzbVgGDCVHofR0utdtrO4MONxh1eoPxkUQhqJ2Pg"
}
2017-07-11 14:41:55,108:DEBUG:urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 201 1008
2017-07-11 14:41:55,121:DEBUG:acme.client:Received response:
HTTP 201
content-length: 1008
strict-transport-security: max-age=604800
boulder-request-id: e1ektYPMjIsQoh8w7-Ny--FUYizmiv7oRVnQpF4R-_E
boulder-requester: 913211
expires: Tue, 11 Jul 2017 14:41:55 GMT
server: nginx
connection: keep-alive
link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
location: https://acme-v01.api.letsencrypt.org/acme/authz/WIgufrMv0f0ntd2oNAdvoRE0NGKDeovCVWwRcE4Mycw
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Tue, 11 Jul 2017 14:41:55 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 6kw2HCKHdXAQpl6pqGXCreKsgMJRZtEzlEG-aT1kym0

{
  "identifier": {
    "type": "dns",
    "value": "rbejar.cps.unizar.es"
  },
  "status": "pending",
  "expires": "2017-07-18T14:41:54.686028251Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/WIgufrMv0f0ntd2oNAdvoRE0NGKDeovCVWwRcE4Mycw/1524053575",
      "token": "veA6RVMaQ914xSBC_k9jS__jvR-ZIz42vK-IzbFemaI"
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/WIgufrMv0f0ntd2oNAdvoRE0NGKDeovCVWwRcE4Mycw/1524053576",
      "token": "XAiOyE2oSmrSP-KjofSz1tcczbj6EKmmt0SF8LBl5eI"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/WIgufrMv0f0ntd2oNAdvoRE0NGKDeovCVWwRcE4Mycw/1524053580",
      "token": "bQd8YxAyXjkjN1WmFmX4Du1QL9MLIr4XwIY5asZB59A"
    }
  ],
  "combinations": [
    [
      2
    ],
    [
      0
    ],
    [
      1
    ]
  ]
}
2017-07-11 14:41:55,122:DEBUG:acme.client:Storing nonce: 6kw2HCKHdXAQpl6pqGXCreKsgMJRZtEzlEG-aT1kym0
2017-07-11 14:41:55,127:INFO:certbot.auth_handler:Performing the following challenges:
2017-07-11 14:41:55,128:INFO:certbot.auth_handler:tls-sni-01 challenge for rbejar.cps.unizar.es
2017-07-11 14:41:57,727:DEBUG:certbot_apache.tls_sni_01:Adding Include /etc/apache2/le_tls_sni_01_cert_challenge.conf to /files/etc/apache2/apache2.conf
2017-07-11 14:41:57,735:DEBUG:certbot_apache.tls_sni_01:writing a config file with text:
 <IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName cd35c4763f4853a5bace23c9f7311f08.5b56386d401b0df25aef5f6f14435f61.acme.invalid
    UseCanonicalName on
    SSLStrictSNIVHostCheck on

    LimitRequestBody 1048576

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /var/lib/letsencrypt/XAiOyE2oSmrSP-KjofSz1tcczbj6EKmmt0SF8LBl5eI.crt
    SSLCertificateKeyFile /var/lib/letsencrypt/XAiOyE2oSmrSP-KjofSz1tcczbj6EKmmt0SF8LBl5eI.pem

    DocumentRoot /var/lib/letsencrypt/tls_sni_01_page/
</VirtualHost>

</IfModule>

2017-07-11 14:41:57,871:DEBUG:certbot.reverter:Creating backup of /etc/apache2/apache2.conf
2017-07-11 14:42:01,788:INFO:certbot.auth_handler:Waiting for verification...
2017-07-11 14:42:01,791:DEBUG:acme.client:JWS payload:
{
  "keyAuthorization": "XAiOyE2oSmrSP-KjofSz1tcczbj6EKmmt0SF8LBl5eI.cqubD6uj_uI9JTFDJQHZfXoARM3jVB-w1G40F0-Vlew", 
  "type": "tls-sni-01", 
  "resource": "challenge"
}
2017-07-11 14:42:01,856:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/WIgufrMv0f0ntd2oNAdvoRE0NGKDeovCVWwRcE4Mycw/1524053576:
{
  "header": {
    "alg": "RS256", 
    "jwk": {
      "e": "AQAB", 
      "kty": "RSA", 
      "n": "2tPXHiobTy5FGOMxld_IU9buMSbqrDtTro7oDfW5Gd_x_ov3IJWixAv9LLGMNykqvn64ExDVcdLVDry_1fTIR1GxJjkEC5lwrUcsMoIJg5rCu5HBY0Xj8GfhzO0o3s7t_94U6W6bE8-c_33YlG1D7OltVOTaHN57uEqygEETpT0jT03joM5X3ffEOmWMw9QDtAJ96awra67t3OiYJ80vcDk-Y5QHBYOHBIgsmnDVptqxLoKmP2jNbh3WyHf_10Q_PgXNC7kLJ62T7n-E9FuVyYHQ--_vGqLiyvXWtN77Aftoh3FTjStEhWRIi--aWCz5E5Zs4FzCshnNGUYYqF-8Fw"
    }
  }, 
  "protected": "eyJub25jZSI6ICI2a3cySENLSGRYQVFwbDZwcUdYQ3JlS3NnTUpSWnRFemxFRy1hVDFreW0wIn0", 
  "payload": "ewogICJrZXlBdXRob3JpemF0aW9uIjogIlhBaU95RTJvU21yU1AtS2pvZlN6MXRjY3piajZFS21tdDBTRjhMQmw1ZUkuY3F1YkQ2dWpfdUk5SlRGREpRSFpmWG9BUk0zalZCLXcxRzQwRjAtVmxldyIsIAogICJ0eXBlIjogInRscy1zbmktMDEiLCAKICAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIgp9", 
  "signature": "rMzAKSc5uxKg2c6dFFdtn92RYltBWSrqS0A_qDsL432QNl6-kkKXvEbTPBfYZASCG4YRxCHOVLlSCXjrMAfRzgevR1563XF9zIU5bd8SCELEPfQZ7E8e-HNp19G-0MjHaWbHMx7ucLiMWDO9G7BYkEghlikcVhT8XWQDSZTL9V-0R3g9RvM0PTAqJVAnr2p5Zl75V-LSEeEAaZ7dhJm1VcG_FoZDQR1ZkNeNYqBiLugovg6qrIV8XjJ5tSes40y7yvVn8ynhAmAQuIxFUTr2UjdYV43qXh5eVSVnZ4lJ7jKkT8R8-crS5m_zuWPncMRntVK1TMnEDq0yjNItVOe4Vw"
}
2017-07-11 14:42:04,899:DEBUG:urllib3.connectionpool:"POST /acme/challenge/WIgufrMv0f0ntd2oNAdvoRE0NGKDeovCVWwRcE4Mycw/1524053576 HTTP/1.1" 202 339
2017-07-11 14:42:04,903:DEBUG:acme.client:Received response:
HTTP 202
content-length: 339
boulder-request-id: VYJULOMZWq5mjz3bABFtLsyKOHbMSStrzsbn3kgB76M
boulder-requester: 913211
expires: Tue, 11 Jul 2017 14:42:04 GMT
server: nginx
connection: keep-alive
link: <https://acme-v01.api.letsencrypt.org/acme/authz/WIgufrMv0f0ntd2oNAdvoRE0NGKDeovCVWwRcE4Mycw>;rel="up"
location: https://acme-v01.api.letsencrypt.org/acme/challenge/WIgufrMv0f0ntd2oNAdvoRE0NGKDeovCVWwRcE4Mycw/1524053576
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Tue, 11 Jul 2017 14:42:04 GMT
content-type: application/json
replay-nonce: 0DhFUhpQQJg4_6YlT-PsprdpeiG3WcoAUBkpmnxYecc

{
  "type": "tls-sni-01",
  "status": "pending",
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/WIgufrMv0f0ntd2oNAdvoRE0NGKDeovCVWwRcE4Mycw/1524053576",
  "token": "XAiOyE2oSmrSP-KjofSz1tcczbj6EKmmt0SF8LBl5eI",
  "keyAuthorization": "XAiOyE2oSmrSP-KjofSz1tcczbj6EKmmt0SF8LBl5eI.cqubD6uj_uI9JTFDJQHZfXoARM3jVB-w1G40F0-Vlew"
}
2017-07-11 14:42:04,904:DEBUG:acme.client:Storing nonce: 0DhFUhpQQJg4_6YlT-PsprdpeiG3WcoAUBkpmnxYecc
2017-07-11 14:42:07,910:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/WIgufrMv0f0ntd2oNAdvoRE0NGKDeovCVWwRcE4Mycw.
2017-07-11 14:42:08,293:DEBUG:urllib3.connectionpool:"GET /acme/authz/WIgufrMv0f0ntd2oNAdvoRE0NGKDeovCVWwRcE4Mycw HTTP/1.1" 200 1560
2017-07-11 14:42:08,298:DEBUG:acme.client:Received response:
HTTP 200
content-length: 1560
strict-transport-security: max-age=604800
boulder-request-id: PTDvueycma_8RDtRxrWbb5vvYd2SphBEEkJb4ubxNgA
expires: Tue, 11 Jul 2017 14:42:08 GMT
server: nginx
connection: keep-alive
link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Tue, 11 Jul 2017 14:42:08 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: EcOzZwD5pJc2COmYoZvVrX4oQhNWUDrUbythx5Sd88Q

{
  "identifier": {
    "type": "dns",
    "value": "rbejar.cps.unizar.es"
  },
  "status": "invalid",
  "expires": "2017-07-18T14:41:54Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/WIgufrMv0f0ntd2oNAdvoRE0NGKDeovCVWwRcE4Mycw/1524053575",
      "token": "veA6RVMaQ914xSBC_k9jS__jvR-ZIz42vK-IzbFemaI"
    },
    {
      "type": "tls-sni-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:connection",
        "detail": "CAA record for rbejar.cps.unizar.es prevents issuance",
        "status": 400
      },
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/WIgufrMv0f0ntd2oNAdvoRE0NGKDeovCVWwRcE4Mycw/1524053576",
      "token": "XAiOyE2oSmrSP-KjofSz1tcczbj6EKmmt0SF8LBl5eI",
      "keyAuthorization": "XAiOyE2oSmrSP-KjofSz1tcczbj6EKmmt0SF8LBl5eI.cqubD6uj_uI9JTFDJQHZfXoARM3jVB-w1G40F0-Vlew",
      "validationRecord": [
        {
          "hostname": "rbejar.cps.unizar.es",
          "port": "443",
          "addressesResolved": [
            "155.210.158.97"
          ],
          "addressUsed": "155.210.158.97",
          "addressesTried": []
        }
      ]
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/WIgufrMv0f0ntd2oNAdvoRE0NGKDeovCVWwRcE4Mycw/1524053580",
      "token": "bQd8YxAyXjkjN1WmFmX4Du1QL9MLIr4XwIY5asZB59A"
    }
  ],
  "combinations": [
    [
      2
    ],
    [
      0
    ],
    [
      1
    ]
  ]
}
2017-07-11 14:42:08,305:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: rbejar.cps.unizar.es
Type:   connection
Detail: CAA record for rbejar.cps.unizar.es prevents issuance

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2017-07-11 14:42:08,307:INFO:certbot.auth_handler:Cleaning up challenges
2017-07-11 14:42:09,937:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/rbejar.cps.unizar.es.conf produced an unexpected error: Failed authorization procedure. rbejar.cps.unizar.es (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: CAA record for rbejar.cps.unizar.es prevents issuance. Skipping.
2017-07-11 14:42:09,945:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 413, in handle_renewal_request
    main.obtain_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 626, in obtain_cert
    action, _ = _auth_from_available(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 103, in _auth_from_available
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 296, in renew_cert
    new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 262, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 77, in get_authorizations
    self._respond(resp, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 134, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 198, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. rbejar.cps.unizar.es (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: CAA record for rbejar.cps.unizar.es prevents issuance

2017-07-11 14:42:09,948:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.10.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 849, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 655, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 430, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

I have run out of ideas to try. Any suggestions?

Thanks in advance,

Rubén

$ dig caa unizar.es @8.8.8.8

; <<>> DiG 9.10.3-P4-Ubuntu <<>> caa unizar.es @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23858
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;unizar.es.                     IN      CAA

;; ANSWER SECTION:
unizar.es.              86399   IN      CAA     0 iodef "mailto:hostmaster@unizar.es"
unizar.es.              86399   IN      CAA     0 issue "digicert.com"

;; Query time: 71 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jul 11 19:52:55 CEST 2017
;; MSG SIZE  rcvd: 115

Somebody doesn't want Let's Encrypt certificates on that domain.

3 Likes
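The CAA logic behind that answer, as an added example that is not code from the thread, from certbot or from Let's Encrypt: the script below simulates, over a constructed zone table, the lookup a CA performs before issuing (RFC 6844, revised as RFC 8659). At each name it follows CNAMEs the way a resolver would, then climbs one label at a time toward the root until it finds a CAA rrset, and it applies the `issue` / `issuewild` rules to that set. It shows why the `issue "digicert.com"` record at unizar.es (the only CAA data in this thread) blocks letsencrypt.org for rbejar.cps.unizar.es even though that host has no CAA record of its own. The CNAME target `web-host.example`, the `allowed.example` and `locked.example` zones, and the 192.0.2.10 address are placeholders I made up; the thread does not say where the real CNAME points. RFC 6844 additionally climbed the tree from the alias target before climbing from the original name; with this data both variants reach the same unizar.es record set.

```python
"""Offline simulation of the CAA check a CA performs before issuing a certificate.

Zone data is constructed for this example: only the two unizar.es CAA records
come from the thread's dig output. Every other name, target and address is a
placeholder, not real DNS data.
"""

# name -> list of (rrtype, rdata); CAA rdata is (flags, tag, value).
ZONE = {
    "unizar.es.": [
        ("CAA", (0, "iodef", "mailto:hostmaster@unizar.es")),
        ("CAA", (0, "issue", "digicert.com")),
    ],
    # Placeholder target: the thread says the host is a CNAME, not where it points.
    "rbejar.cps.unizar.es.": [("CNAME", "web-host.example.")],
    "web-host.example.": [("A", "192.0.2.10")],          # TEST-NET-1 address
    "allowed.example.": [("CAA", (0, "issue", "letsencrypt.org"))],
    "locked.example.": [("CAA", (0, "issue", ";"))],      # empty issuer: nobody may issue
}

KNOWN_TAGS = ("issue", "issuewild", "iodef")


def _fqdn(name):
    return name if name.endswith(".") else name + "."


def caa_lookup(name, max_cname_depth=8):
    """CAA rrset at `name`, following a CNAME chain as a resolver would (RFC 8659 CAA(X))."""
    name = _fqdn(name)
    for _ in range(max_cname_depth):
        records = ZONE.get(name, [])
        caa = [rdata for rtype, rdata in records if rtype == "CAA"]
        if caa:
            return caa
        cnames = [rdata for rtype, rdata in records if rtype == "CNAME"]
        if not cnames:
            return []
        name = cnames[0]
    return []  # CNAME loop or chain too long: treat as no CAA data


def relevant_caa_set(name):
    """RFC 8659 section 3: the first non-empty CAA rrset found walking from `name` toward the root."""
    labels = _fqdn(name).rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = caa_lookup(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def _issuer_domain(value):
    """'digicert.com; accounturi=...' -> 'digicert.com'; ';' or '' -> '' (forbids all CAs)."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(name, ca_domain, wildcard=False):
    """Would a CA identified by `ca_domain` be permitted to issue for `name`?"""
    rrset = relevant_caa_set(name)
    if not rrset:
        return True  # no CAA anywhere up the tree: unrestricted
    # An unrecognised property with the critical flag (bit 7) set must stop issuance.
    if any(flags & 0x80 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    tags = {tag for _, tag, _ in rrset}
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    issuers = [_issuer_domain(v) for _, t, v in rrset if t == tag]
    if not issuers:
        return True  # CAA present but no applicable issue/issuewild property
    return ca_domain.lower() in issuers


def explain(name, ca_domain):
    """Human-readable summary of which record set decided the outcome."""
    rrset = relevant_caa_set(name)
    verdict = "allowed" if issuance_allowed(name, ca_domain) else "blocked"
    return "%s for %s: %s (relevant CAA set: %s)" % (ca_domain, name, verdict, rrset)


if __name__ == "__main__":
    print(explain("rbejar.cps.unizar.es", "letsencrypt.org"))
    print(explain("rbejar.cps.unizar.es", "digicert.com"))
    print(explain("www.allowed.example", "letsencrypt.org"))
```

For the defender on the other side of this (the zone owner), the same walk explains the design choice: a single `issue` record at the apex restricts every subdomain that does not publish its own CAA set, and the `iodef` record is where a CA can report a refused request, so checking that mailbox is the quickest way to learn that someone inside the organisation is trying to use a CA the policy does not list.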

Thanks!

It seems I will have to talk to the domain admins, or to get a different domain :-/

Rubén
