Renewal fails for single domain

Hi!

Certificate renewal started failing for for a single domain (all others renewed fine) using:

/root/bin/certbot-auto certonly --webroot -w (DIR) -d (DOMAIN) -d (DOMAIN) --expand -n

stating

FailedChallenges: Failed authorization procedure. (DOMAIN) (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching (DOMAIN)/.well-known/acme-challenge/2LmU4zy35QRIcmbR_vjWNVk0O0sMcTCHrt_M09t3d7g: Error getting validation data

Performing a dry-run using the exact same command succeeds.

When creating a file in (WEBROOT)/.well-known/acme-challenge/ I can reach it just fine when using a web browser.

Requests to port 80 and to the domain without “www.” are all directed to the SSL-version on port 443. The certificate there currently is still valid.

Any hints/advice on what could be wrong? Please let me know if you need more information.

Hi @taalas,

It is hard to know what is going on without your domain name. Maybe your domain has an AAAA record but your web server is not configured correctly to answer IPv6 requests... who knows.

As I said, if you provide your domain name and a test file in .well-known/acme-challenge/ we can try to test it.

Maybe it is because you already validated the domain in the last 30 days so the validation is cached on staging server side so no need to reach your server to validate it.

Cheers,
sahsanu

Hi @sahsanu

Thanks for your reply.

The domain in question is www.kfo-donaueschingen.de

A test file is reachable at

https://www.kfo-donaueschingen.de/.well-known/acme-challenge/test.html

We are using the command

certbot-auto certonly --webroot -w {path} -d www.kfo-donaueschingen.de -d kfo-donaueschingen.de --expand -n

Which results in the following output

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.kfo-donaueschingen.de
http-01 challenge for kfo-donaueschingen.de
Using the webroot path {path} for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Unable to clean up challenge directory {path}/.well-known/acme-challenge
Failed authorization procedure. kfo-donaueschingen.de (http-01): urn:acme:error:connection :: The server could not 
connect to the client to verify the domain :: Fetching http://www.kfo-donaueschingen.de/.well-known/acme-
challenge/_L2IjE5lpZeu-q1usDrOGh4IvfBA10wWryV9ZfoRHjY: Error getting validation data

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: kfo-donaueschingen.de
   Type:   connection
   Detail: Fetching
   http://www.kfo-donaueschingen.de/.well-known/acme-challenge/_L2IjE5lpZeu-q1usDrOGh4IvfBA10wWryV9ZfoRHjY:
   Error getting validation data

I will gladly provide a debug log. Would it be better to upload it to a pastebin instead of posting here?

Hi @taalas,

The only problem I can see is that the DNS servers for domain kfo-donaueschingen.de are:

dns01.docmedicus.com
dns03.docmedicus.com

But these DNS servers are saying the DNS servers for your domain are:

nsb0.schlundtech.de
nsc0.schlundtech.de
nsd0.schlundtech.de

and these DNS servers refused to answer for queries to your domain:

$ dig @nsb0.schlundtech.de kfo-donaueschingen.de  +nodnss +norecur

; <<>> DiG 9.9.7 <<>> @nsb0.schlundtech.de kfo-donaueschingen.de +nodnss +norecur
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 39494
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;kfo-donaueschingen.de.         IN      A

;; Query time: 67 msec
;; SERVER: 83.169.55.10#53(83.169.55.10)
;; WHEN: mi. ago. 23 10:52:57 RDT 2017
;; MSG SIZE  rcvd: 50

Try to fix the DNS issues and then try again to issue a certificate for your domains.

Cheers,
sahsanu

Hi @sahsanu,

problems are resolved. There was indeed something wrong with our DNS.

Thanks!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.