Hi,
I know this is a common question, but I have looked at previous answers and they do not seem to help me.
I have a renewal failure in a small (raspberry-pi, with Raspbian), personal web server (Apache 2.4.10). I have been using and renewing Let’s Encrypt certificates flawlessly for that server for a year and a half now.
Certbot version: 0.10.2
The command (run via ssh in that server):
$ sudo certbot renew
The output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/rbejar.cps.unizar.es.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for rbejar.cps.unizar.es
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/rbejar.cps.unizar.es.conf produced an unexpected error: Failed authorization procedure. rbejar.cps.unizar.es (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: CAA record for rbejar.cps.unizar.es prevents issuance. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/rbejar.cps.unizar.es/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: rbejar.cps.unizar.es
Type: connection
Detail: CAA record for rbejar.cps.unizar.es prevents issuance
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
The server is behind a router. The port 443 is open in the router (the server is working right, I can connect with https from my web browser). There is not any other firewall (software or hardware).
I have tried also with the webroot and standalone plugins (opening the port 80, stopping the web server for the latter) but I receive similar answers.
The domain server rbejar.cps.unizar.es (the certificate is issued to that name) is a CNAME entry in the DNS, but AFAIK it has been so for all the time I have been using Let’s Encrypt.
These are the contents of /var/log/letsencrypt/letsencrypt.log (the addressResolved in there is right, that is the IP):
2017-07-11 14:41:49,578:DEBUG:certbot.main:Root logging level set at 20
2017-07-11 14:41:49,584:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-07-11 14:41:49,590:DEBUG:certbot.main:certbot version: 0.10.2
2017-07-11 14:41:49,590:DEBUG:certbot.main:Arguments: []
2017-07-11 14:41:49,595:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginE
ntryPoint#manual,PluginEntryPoint#standalone)
2017-07-11 14:41:49,654:DEBUG:parsedatetime:parse (top of loop): [30 days][]
2017-07-11 14:41:49,711:DEBUG:parsedatetime:CRE_UNITS matched
2017-07-11 14:41:49,715:DEBUG:parsedatetime:parse (bottom) [][30 days][][]
2017-07-11 14:41:49,715:DEBUG:parsedatetime:weekday False, dateStd False, dateStr False, time False, timeStr False, meridian False
2017-07-11 14:41:49,716:DEBUG:parsedatetime:dayStr False, modifier False, modifier2 False, units True, qunits False
2017-07-11 14:41:49,716:DEBUG:parsedatetime:_evalString(30 days, time.struct_time(tm_year=2017, tm_mon=7, tm_mday=11, tm_hour=14, tm_min=41, tm_sec=49, tm_wd
ay=1, tm_yday=192, tm_isdst=0))
2017-07-11 14:41:49,717:DEBUG:parsedatetime:_buildTime: [30 ][][days]
2017-07-11 14:41:49,718:DEBUG:parsedatetime:units days --> realunit days
2017-07-11 14:41:49,718:DEBUG:parsedatetime:return
2017-07-11 14:41:49,719:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2017-07-31 09:10:00 UTC.
2017-07-11 14:41:49,719:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2017-07-11 14:41:49,851:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2017-07-11 14:41:53,353:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.configurator:ApacheConfigurator
Initialized: <certbot_apache.configurator.ApacheConfigurator object at 0x73b3ebb0>
Prep: True
2017-07-11 14:41:53,369:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.configurator:ApacheConfigurator
Initialized: <certbot_apache.configurator.ApacheConfigurator object at 0x73b3ebb0>
Prep: True
2017-07-11 14:41:53,371:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.configurator.ApacheConfigurator object at 0x73b3ebb0> and inst
aller <certbot_apache.configurator.ApacheConfigurator object at 0x73b3ebb0>
2017-07-11 14:41:53,564:DEBUG:certbot.main:Picked account: <Account(64cdccec186078534c46e504b1b6c8f2)>
2017-07-11 14:41:53,577:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-07-11 14:41:53,597:INFO:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-07-11 14:41:54,167:DEBUG:urllib3.connectionpool:"GET /directory HTTP/1.1" 200 352
2017-07-11 14:41:54,171:DEBUG:acme.client:Received response:
HTTP 200
content-length: 352
strict-transport-security: max-age=604800
boulder-request-id: u8e1OvW98k_64InXmdpt-EoHGFtXQJnAKOWN2VYarjA
expires: Tue, 11 Jul 2017 14:41:54 GMT
server: nginx
connection: keep-alive
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Tue, 11 Jul 2017 14:41:54 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: Aic7jsZaaGuZ7Jw_nhbvd13Z1m7sEi6YuxsnVnW11lU
{
"key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
"new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
"new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
"new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
"revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}
2017-07-11 14:41:54,173:INFO:certbot.main:Renewing an existing certificate
2017-07-11 14:41:54,176:DEBUG:root:Requesting fresh nonce
2017-07-11 14:41:54,177:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
2017-07-11 14:41:54,376:DEBUG:urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
2017-07-11 14:41:54,380:DEBUG:acme.client:Received response:
HTTP 405
content-length: 91
allow: POST
boulder-request-id: KZqgrvmaEnSBw1kSvZYdkW8HUERRrdh7MdNNv-Q5H5s
expires: Tue, 11 Jul 2017 14:41:54 GMT
server: nginx
connection: keep-alive
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Tue, 11 Jul 2017 14:41:54 GMT
content-type: application/problem+json
replay-nonce: OboEjWzXnJFwZ7SF1y9tUWMRCkdkr0yq4Rq0-UbRfoY
2017-07-11 14:41:54,381:DEBUG:acme.client:Storing nonce: OboEjWzXnJFwZ7SF1y9tUWMRCkdkr0yq4Rq0-UbRfoY
2017-07-11 14:41:54,387:DEBUG:acme.client:JWS payload:
{
"identifier": {
"type": "dns",
"value": "rbejar.cps.unizar.es"
},
"resource": "new-authz"
}
2017-07-11 14:41:54,453:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
"header": {
"alg": "RS256",
"jwk": {
"e": "AQAB",
"kty": "RSA",
"n": "2tPXHiobTy5FGOMxld_IU9buMSbqrDtTro7oDfW5Gd_x_ov3IJWixAv9LLGMNykqvn64ExDVcdLVDry_1fTIR1GxJjkEC5lwrUcsMoIJg5rCu5HBY0Xj8GfhzO0o3s7t_94U6W6bE8-c_33Yl
G1D7OltVOTaHN57uEqygEETpT0jT03joM5X3ffEOmWMw9QDtAJ96awra67t3OiYJ80vcDk-Y5QHBYOHBIgsmnDVptqxLoKmP2jNbh3WyHf_10Q_PgXNC7kLJ62T7n-E9FuVyYHQ--_vGqLiyvXWtN77Aftoh3
FTjStEhWRIi--aWCz5E5Zs4FzCshnNGUYYqF-8Fw"
}
},
"protected": "eyJub25jZSI6ICJPYm9Fald6WG5KRndaN1NGMXk5dFVXTVJDa2RrcjB5cTRScTAtVWJSZm9ZIn0",
"payload": "ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwgCiAgICAidmFsdWUiOiAicmJlamFyLmNwcy51bml6YXIuZXMiCiAgfSwgCiAgInJlc291cmNlIjogIm5ldy1hdXRoeiI
KfQ",
"signature": "MdsiUqS_6lklBw-snbR7I5Kkl9E3GFwXIvbWvrs1ybwZzNH2jrxmdYX_5Y3WScgkdmsjpHz9gu7xe-tVCWm-G3X330WklC37QKhnm1Fw_lguzUQFNqTOVt2NrDFLu_xA5v91HspKRh2gb
L6yrgpIrp_tIs5tzBgPwZN7qTTjrom6_SO4R5GXWsl-SidZ0o7NBBYq6vXVqPoC17oQO3cjfHGoFbh-1dugjzGlJ4G1YgdSdEzuprX3nn2YxVBv4zmvXk6gnllOWn0FCqO11Uin1aRqHasfDDl61jCToLRKar
YZ8FEzbVgGDCVHofR0utdtrO4MONxh1eoPxkUQhqJ2Pg"
}
2017-07-11 14:41:55,108:DEBUG:urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 201 1008
2017-07-11 14:41:55,121:DEBUG:acme.client:Received response:
HTTP 201
content-length: 1008
strict-transport-security: max-age=604800
boulder-request-id: e1ektYPMjIsQoh8w7-Ny--FUYizmiv7oRVnQpF4R-_E
boulder-requester: 913211
expires: Tue, 11 Jul 2017 14:41:55 GMT
server: nginx
connection: keep-alive
link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
location: https://acme-v01.api.letsencrypt.org/acme/authz/WIgufrMv0f0ntd2oNAdvoRE0NGKDeovCVWwRcE4Mycw
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Tue, 11 Jul 2017 14:41:55 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 6kw2HCKHdXAQpl6pqGXCreKsgMJRZtEzlEG-aT1kym0
{
"identifier": {
"type": "dns",
"value": "rbejar.cps.unizar.es"
},
"status": "pending",
"expires": "2017-07-18T14:41:54.686028251Z",
"challenges": [
{
"type": "dns-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/WIgufrMv0f0ntd2oNAdvoRE0NGKDeovCVWwRcE4Mycw/1524053575",
"token": "veA6RVMaQ914xSBC_k9jS__jvR-ZIz42vK-IzbFemaI"
},
{
"type": "tls-sni-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/WIgufrMv0f0ntd2oNAdvoRE0NGKDeovCVWwRcE4Mycw/1524053576",
"token": "XAiOyE2oSmrSP-KjofSz1tcczbj6EKmmt0SF8LBl5eI"
},
{
"type": "http-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/WIgufrMv0f0ntd2oNAdvoRE0NGKDeovCVWwRcE4Mycw/1524053580",
"token": "bQd8YxAyXjkjN1WmFmX4Du1QL9MLIr4XwIY5asZB59A"
}
],
"combinations": [
[
2
],
[
0
],
[
1
]
]
}
2017-07-11 14:41:55,122:DEBUG:acme.client:Storing nonce: 6kw2HCKHdXAQpl6pqGXCreKsgMJRZtEzlEG-aT1kym0
2017-07-11 14:41:55,127:INFO:certbot.auth_handler:Performing the following challenges:
2017-07-11 14:41:55,128:INFO:certbot.auth_handler:tls-sni-01 challenge for rbejar.cps.unizar.es
2017-07-11 14:41:57,727:DEBUG:certbot_apache.tls_sni_01:Adding Include /etc/apache2/le_tls_sni_01_cert_challenge.conf to /files/etc/apache2/apache2.conf
2017-07-11 14:41:57,735:DEBUG:certbot_apache.tls_sni_01:writing a config file with text:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName cd35c4763f4853a5bace23c9f7311f08.5b56386d401b0df25aef5f6f14435f61.acme.invalid
UseCanonicalName on
SSLStrictSNIVHostCheck on
LimitRequestBody 1048576
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /var/lib/letsencrypt/XAiOyE2oSmrSP-KjofSz1tcczbj6EKmmt0SF8LBl5eI.crt
SSLCertificateKeyFile /var/lib/letsencrypt/XAiOyE2oSmrSP-KjofSz1tcczbj6EKmmt0SF8LBl5eI.pem
DocumentRoot /var/lib/letsencrypt/tls_sni_01_page/
</VirtualHost>
</IfModule>
2017-07-11 14:41:57,871:DEBUG:certbot.reverter:Creating backup of /etc/apache2/apache2.conf
2017-07-11 14:42:01,788:INFO:certbot.auth_handler:Waiting for verification...
2017-07-11 14:42:01,791:DEBUG:acme.client:JWS payload:
{
"keyAuthorization": "XAiOyE2oSmrSP-KjofSz1tcczbj6EKmmt0SF8LBl5eI.cqubD6uj_uI9JTFDJQHZfXoARM3jVB-w1G40F0-Vlew",
"type": "tls-sni-01",
"resource": "challenge"
}
2017-07-11 14:42:01,856:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/WIgufrMv0f0ntd2oNAdvoRE0NGKDeovCVWwRcE4Mycw/15
24053576:
{
"header": {
"alg": "RS256",
"jwk": {
"e": "AQAB",
"kty": "RSA",
"n": "2tPXHiobTy5FGOMxld_IU9buMSbqrDtTro7oDfW5Gd_x_ov3IJWixAv9LLGMNykqvn64ExDVcdLVDry_1fTIR1GxJjkEC5lwrUcsMoIJg5rCu5HBY0Xj8GfhzO0o3s7t_94U6W6bE8-c_33Yl
G1D7OltVOTaHN57uEqygEETpT0jT03joM5X3ffEOmWMw9QDtAJ96awra67t3OiYJ80vcDk-Y5QHBYOHBIgsmnDVptqxLoKmP2jNbh3WyHf_10Q_PgXNC7kLJ62T7n-E9FuVyYHQ--_vGqLiyvXWtN77Aftoh3
FTjStEhWRIi--aWCz5E5Zs4FzCshnNGUYYqF-8Fw"
}
},
"protected": "eyJub25jZSI6ICI2a3cySENLSGRYQVFwbDZwcUdYQ3JlS3NnTUpSWnRFemxFRy1hVDFreW0wIn0",
"payload": "ewogICJrZXlBdXRob3JpemF0aW9uIjogIlhBaU95RTJvU21yU1AtS2pvZlN6MXRjY3piajZFS21tdDBTRjhMQmw1ZUkuY3F1YkQ2dWpfdUk5SlRGREpRSFpmWG9BUk0zalZCLXcxRzQwRjA
tVmxldyIsIAogICJ0eXBlIjogInRscy1zbmktMDEiLCAKICAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIgp9",
"signature": "rMzAKSc5uxKg2c6dFFdtn92RYltBWSrqS0A_qDsL432QNl6-kkKXvEbTPBfYZASCG4YRxCHOVLlSCXjrMAfRzgevR1563XF9zIU5bd8SCELEPfQZ7E8e-HNp19G-0MjHaWbHMx7ucLiMW
DO9G7BYkEghlikcVhT8XWQDSZTL9V-0R3g9RvM0PTAqJVAnr2p5Zl75V-LSEeEAaZ7dhJm1VcG_FoZDQR1ZkNeNYqBiLugovg6qrIV8XjJ5tSes40y7yvVn8ynhAmAQuIxFUTr2UjdYV43qXh5eVSVnZ4lJ7j
KkT8R8-crS5m_zuWPncMRntVK1TMnEDq0yjNItVOe4Vw"
}
2017-07-11 14:42:04,899:DEBUG:urllib3.connectionpool:"POST /acme/challenge/WIgufrMv0f0ntd2oNAdvoRE0NGKDeovCVWwRcE4Mycw/1524053576 HTTP/1.1" 202 339
2017-07-11 14:42:04,903:DEBUG:acme.client:Received response:
HTTP 202
content-length: 339
boulder-request-id: VYJULOMZWq5mjz3bABFtLsyKOHbMSStrzsbn3kgB76M
boulder-requester: 913211
expires: Tue, 11 Jul 2017 14:42:04 GMT
server: nginx
connection: keep-alive
link: <https://acme-v01.api.letsencrypt.org/acme/authz/WIgufrMv0f0ntd2oNAdvoRE0NGKDeovCVWwRcE4Mycw>;rel="up"
location: https://acme-v01.api.letsencrypt.org/acme/challenge/WIgufrMv0f0ntd2oNAdvoRE0NGKDeovCVWwRcE4Mycw/1524053576
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Tue, 11 Jul 2017 14:42:04 GMT
content-type: application/json
replay-nonce: 0DhFUhpQQJg4_6YlT-PsprdpeiG3WcoAUBkpmnxYecc
{
"type": "tls-sni-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/WIgufrMv0f0ntd2oNAdvoRE0NGKDeovCVWwRcE4Mycw/1524053576",
"token": "XAiOyE2oSmrSP-KjofSz1tcczbj6EKmmt0SF8LBl5eI",
"keyAuthorization": "XAiOyE2oSmrSP-KjofSz1tcczbj6EKmmt0SF8LBl5eI.cqubD6uj_uI9JTFDJQHZfXoARM3jVB-w1G40F0-Vlew"
}
2017-07-11 14:42:04,904:DEBUG:acme.client:Storing nonce: 0DhFUhpQQJg4_6YlT-PsprdpeiG3WcoAUBkpmnxYecc
2017-07-11 14:42:07,910:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/WIgufrMv0f0ntd2oNAdvoRE0NGKDeovCVWwRcE4Mycw.
2017-07-11 14:42:08,293:DEBUG:urllib3.connectionpool:"GET /acme/authz/WIgufrMv0f0ntd2oNAdvoRE0NGKDeovCVWwRcE4Mycw HTTP/1.1" 200 1560
2017-07-11 14:42:08,298:DEBUG:acme.client:Received response:
HTTP 200
content-length: 1560
strict-transport-security: max-age=604800
boulder-request-id: PTDvueycma_8RDtRxrWbb5vvYd2SphBEEkJb4ubxNgA
expires: Tue, 11 Jul 2017 14:42:08 GMT
server: nginx
connection: keep-alive
link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Tue, 11 Jul 2017 14:42:08 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: EcOzZwD5pJc2COmYoZvVrX4oQhNWUDrUbythx5Sd88Q
{
"identifier": {
"type": "dns",
"value": "rbejar.cps.unizar.es"
},
"status": "invalid",
"expires": "2017-07-18T14:41:54Z",
"challenges": [
{
"type": "dns-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/WIgufrMv0f0ntd2oNAdvoRE0NGKDeovCVWwRcE4Mycw/1524053575",
"token": "veA6RVMaQ914xSBC_k9jS__jvR-ZIz42vK-IzbFemaI"
},
{
"type": "tls-sni-01",
"status": "invalid",
"error": {
"type": "urn:acme:error:connection",
"detail": "CAA record for rbejar.cps.unizar.es prevents issuance",
"status": 400
},
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/WIgufrMv0f0ntd2oNAdvoRE0NGKDeovCVWwRcE4Mycw/1524053576",
"token": "XAiOyE2oSmrSP-KjofSz1tcczbj6EKmmt0SF8LBl5eI",
"keyAuthorization": "XAiOyE2oSmrSP-KjofSz1tcczbj6EKmmt0SF8LBl5eI.cqubD6uj_uI9JTFDJQHZfXoARM3jVB-w1G40F0-Vlew",
"validationRecord": [
{
"hostname": "rbejar.cps.unizar.es",
"port": "443",
"addressesResolved": [
"155.210.158.97"
],
"addressUsed": "155.210.158.97",
"addressesTried": []
}
]
},
{
"type": "http-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/WIgufrMv0f0ntd2oNAdvoRE0NGKDeovCVWwRcE4Mycw/1524053580",
"token": "bQd8YxAyXjkjN1WmFmX4Du1QL9MLIr4XwIY5asZB59A"
}
],
"combinations": [
[
2
],
[
0
],
[
1
]
]
}
2017-07-11 14:42:08,305:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:
Domain: rbejar.cps.unizar.es
Type: connection
Detail: CAA record for rbejar.cps.unizar.es prevents issuance
To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Ad
ditionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the cl
ient. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2017-07-11 14:42:08,307:INFO:certbot.auth_handler:Cleaning up challenges
2017-07-11 14:42:09,937:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/rbejar.cps.unizar.es.conf produced an unexpected error
: Failed authorization procedure. rbejar.cps.unizar.es (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the do
main :: CAA record for rbejar.cps.unizar.es prevents issuance. Skipping.
2017-07-11 14:42:09,945:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 413, in handle_renewal_request
main.obtain_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 626, in obtain_cert
action, _ = _auth_from_available(le_client, config, domains, certname, lineage)
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 103, in _auth_from_available
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 296, in renew_cert
new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 262, in obtain_certificate
self.config.allow_subset_of_names)
File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 77, in get_authorizations
self._respond(resp, best_effort)
File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 134, in _respond
self._poll_challenges(chall_update, best_effort)
File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 198, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. rbejar.cps.unizar.es (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client
to verify the domain :: CAA record for rbejar.cps.unizar.es prevents issuance
2017-07-11 14:42:09,948:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in <module>
load_entry_point('certbot==0.10.2', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 849, in main
return config.func(config, plugins)
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 655, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 430, in handle_renewal_request
len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)
I have run out of ideas to try. Any suggestions?
Thanks in advance,
Rubén