Renewing certificate for "problem domain" fails challenge

I am trying to renew the cert for https://shop.agit-global.com/
This is the same domain which gave me endless trouble back in October until a signing request finally ended up going through:
During secondary validation: DNS problem: SERVFAIL looking up A for - the domain's nameservers may be malfunctioning
There are several other sites on the server which all renewed the cert just fine. This one has until 1/5 so it's coming uncomfortably close.

Thanks for the help!!

I ran this command:

ubuntu@sv3:~$ sudo su
root@sv3:/home/ubuntu# /usr/local/letsencrypt/letsencrypt-auto -q renew

It produced this output:

Your system is not supported by certbot-auto anymore.
Certbot will no longer receive updates.
Please visit https://certbot.eff.org/ to check for other alternatives.
Challenge failed for domain shop.agit-global.com
Attempting to renew cert (shop.agit-global.com) from /etc/letsencrypt/renewal/shop.agit-global.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/shop.agit-global.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

My web server is (include version):

    #apache2 -v
    Server version: Apache/2.4.29 (Ubuntu)
    Server built:   2020-08-12T21:33:25

The operating system my web server runs on is (include version):

Description:    Ubuntu 18.04.5 LTS
Release:        18.04
Codename:       bionic

My hosting provider, if applicable, is:
AWS

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

# /usr/local/letsencrypt/letsencrypt-auto --version
Your system is not supported by certbot-auto anymore.
Certbot will no longer receive updates.
Please visit https://certbot.eff.org/ to check for other alternatives.
certbot 1.9.0

Hi @snuckyr

please read your error message

and switch to another client.

The error message has all required information.

@JuergenAuer The deprecation of certbot-auto does not generate a challenge error.

@snuckyr There should have been a more verbose error about why the challenge has failed. Try renewing again without the -q option please, so you can read the entire error message.

@JuergenAuer Thanks for the reply. I did notice the error message. It's just very strange that the other certificates which are installed on the server have no problems.

@Osiris I removed the output for the other domains which do not require renewal

# /usr/local/letsencrypt/letsencrypt-auto  renew
Your system is not supported by certbot-auto anymore.
Certbot will no longer receive updates.
Please visit https://certbot.eff.org/ to check for other alternatives.
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/shop.agit-global.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for shop.agit-global.com
Waiting for verification...
Challenge failed for domain shop.agit-global.com
http-01 challenge for shop.agit-global.com
Cleaning up challenges
Attempting to renew cert (shop.agit-global.com) from /etc/letsencrypt/renewal/shop.agit-global.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: shop.agit-global.com
   Type:   dns
   Detail: No valid IP addresses found for shop.agit-global.com

I suppose the last line ("No valid IP addresses found for shop.agit-global.com") is the culprit here. I had the same problem the last time I originally tried to issue a certificate for this domain:

The registrar for this domain is a Taiwanese company. Not sure if this has something to do with it...

cert-renewal-trim.txt (20.6 KB)

Here's the actual log file located at /var/log/letsencrypt/letsencrypt.log. I removed the bits for the other domains.

But you use a Letsencrypt certificate? How did you create that?

Rereading your old check - https://check-your-website.server-daten.de/?q=shop.agit-global.com - is it really required to have 6 name servers?

Sometimes that produces so many checks that Unbound has something like a timeout -> ServFail.

See the Unboundtest output - https://unboundtest.com/m/A/shop.agit-global.com/5OUV6IFH

Result ServFail, but no single ServFail answer, only a long list of answers.

Conclusion: That dns provider has a buggy system -> switch to another dns provider or use another CA.

I will reach out to the client. Unfortunately, we are not authorized to control the domain's DNS. I wish we were!

The command for the initial cert creation was

/usr/local/letsencrypt/letsencrypt-auto --apache -d shop.agit-global.com

I had a lot of verification errors and was told to keep trying in the other ticket. Eventually it did end up working

@snuckyr I can resolve your domain name to a valid IP address, perhaps it's just as simple as to try again and hope it works this time.

It looks like Unboundtest can resolve your domain too: https://unboundtest.com/m/A/shop.agit-global.com/6XO6XRJR

By the way, your DNS hoster doesn't specify any authoritative nameservers for your domain. See the warning on: https://dnsviz.net/d/shop.agit-global.com/dnssec/

I see the next ServFail:

https://unboundtest.com/m/A/shop.agit-global.com/Q2VO4J5J

Sounds like some name servers work, some not.

Quite strange, as all three nameservers reported by the .com. TLD seem to work when I tested them with dig.. It's unfortunate that the Unbound logs are soooooo utterly incomprehensive. :frowning:

Now checked 4 times with Unboundtest: First NoError, then 3 ServFail.

Maybe there is a name server firewall that blocks too many queries.

While this might be happening, I'm not very convinced this is the case here. I'm currently running while true; do dig -4 @ns02.idc.hinet.net. +norecurse +dnssec shop.agit-global.com; done for all three DNS servers in multiple terminal windows (three per NS) and even after a few minutes of DNS spamming the servers, I'm still only seeing NOERROR status messages.

Also, Unboundtest is reporting NOERROR too again: https://unboundtest.com/m/A/shop.agit-global.com./635EZOBP (just ran this one)

And the next one is failing again: https://unboundtest.com/m/A/shop.agit-global.com/WH6JR5NV

Sigh..
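The repeated-dig probe Osiris describes above, written out as a small script that tallies the status code of every response (this is an added example, not something posted in the thread; the zone and host names passed to probe_all are whatever you want to check, and the responses in demo_tally are constructed, not captures from the thread's nameservers). Counting NOERROR against SERVFAIL and timeouts per authoritative server is what exposes the intermittent failure that a single successful dig hides.

```shell
#!/bin/sh
# Probe each authoritative nameserver of a zone repeatedly and tally the
# dig status codes, so an intermittent SERVFAIL becomes visible.
set -u

# Print the status code of each dig response on stdin (one per response).
# A response without a header (dig gave up) is counted as TIMEOUT.
dig_status() {
    awk '/^;; ->>HEADER<<-/ { sub(/.*status: /, ""); sub(/,.*/, ""); print }
         /^;; connection timed out/ { print "TIMEOUT" }'
}

# Turn a stream of concatenated dig outputs into "STATUS count" lines.
tally_status() {
    dig_status | sort | uniq -c | awk '{ print $2, $1 }'
}

# Query NAME directly at nameserver NS, REPEAT times (default 10), and tally.
# +norecurse asks the server for its own authoritative answer only;
# +tries=1 +time=3 keeps a dead server from stalling the whole run.
probe_ns() {
    local ns=$1 name=$2 repeat=${3:-10} i
    for i in $(seq "$repeat"); do
        dig -4 "@$ns" +norecurse +tries=1 +time=3 "$name" A
    done | tally_status
}

# Look up the zone's NS records and probe every listed server.
# Example (needs network): probe_all example.com. shop.example.com.
probe_all() {
    local zone=$1 name=$2 repeat=${3:-10} ns
    for ns in $(dig +short NS "$zone"); do
        echo "== $ns"
        probe_ns "$ns" "$name" "$repeat"
    done
}

# Offline demonstration of the tally on constructed dig headers
# (not real responses): one NOERROR, two SERVFAIL, one timeout.
demo_tally() {
    printf '%s\n' \
        ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1' \
        ';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2' \
        ';; connection timed out; no servers could be reached' \
        ';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3' \
        | tally_status
}
```

A server that answers NOERROR every time in this probe but still shows SERVFAIL at Unboundtest points at the resolver side (Unbound's handling of the NS set) rather than at the authoritative server itself.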

Hey guys, I was getting nowhere with the DNS registrar so I went ahead and grabbed an SSL cert from another vendor. Not really what I wanted to do but with the pending renewal looming I basically had to. At least all my other sites continue to use Let's Encrypt and are working flawlessly. Thanks so much to @Osiris and @JuergenAuer for your support: It is VERY much appreciated