Solved: Error renewing SAN certificate from LE after removing domain

My domain is: reputation.org

I removed this domain from a SAN

It produced this output: msg="Error renewing certificate from LE: {openprivacy.org [openprivacy.net www.openprivacy.org www.openprivacy.net]}, error: one or more domains had a problem:\n[reputation.org] acme: error: 400 :: urn:ietf:params:acme:error:dns :: No valid IP addresses found for reputation.org\n[www.reputation.org] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for www.reputation.org - check that a DNS record exists for this domain\n"

My web server is (include version): apache 2.4

The operating system my web server runs on is (include version): Ubuntu 20.04.3 LTS

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): acme-v02.api


Though using the Traefik tool, I believe this may be a LetsEncrypt caching issue?

I have had Traefik v1.7 that uses the acme LetsEncrypt renewal engine running for years (thank you!). My traefik.toml file contained these lines:

[[acme.domains]]
   main = "openprivacy.org"
   sans = ["www.openprivacy.org", "openprivacy.net", "www.openprivacy.net", "reputation.org", "www.reputation.org"]

I am preparing to sell reputation.org so I have removed its IP and changed the 'sans' line above to:

   sans = ["www.openprivacy.org", "openprivacy.net", "www.openprivacy.net"]

I rebuilt the containers but the certs are not renewing and LE is complaining (see initial post). Do I just have to wait for some time period for this to update? This is a bit of an emergency as the certs expire Jan 11 (and I just found this notice from Dec 31 buried in my email).

Thanks again for a wonderful service!
=Fen


I can't say with certainty how Traefik "works", but based on the error message shown, it doesn't seem to be reading that updated file.
Perhaps it is just trying to renew the existing cert (and all the names on it).
If so, then you need to instruct it to get a new cert with less names on it.


It was pilot error and was indeed related to Traefik. I still had website aliases for reputation.org and other removed domains that Traefik was picking up and passing to LE, and LE was saying (correctly!) that there's no IP for that domain.

Once I removed those httpd site aliases and restarted everything, LE (and everything else) all started working again (I have my new certificates - whew!).

Apologies for anyone's time I may have wasted.

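Added example, not code from this thread, from Traefik or from Let's Encrypt: a Python pre-flight check that does what the thread ended up doing by hand. It pulls the failing names and their ACME error types out of the renewal error quoted in the first post, gathers every hostname from the [[acme.domains]] block and from Apache ServerName/ServerAlias lines, and reports which of those names cannot pass Let's Encrypt's DNS check before another renewal is attempted. The Apache vhost, the zone data (TEST-NET-3 addresses) and the fake resolver are constructed for the example; the thread does not say how Traefik learned the stale aliases, so the check simply treats every name in either file as one that will be requested. Calling audit() with the default system_resolver runs the same check against live DNS.

```python
import re
import socket
from typing import Callable, Dict, List, Set, Tuple

# Constructed inputs, not the thread's real files. The renewal error from the first
# post is kept in its logfmt shape: one quoted msg= field in which newlines appear
# as the two characters "\n".
LEGO_ERROR = (
    'msg="Error renewing certificate from LE: {openprivacy.org [openprivacy.net '
    'www.openprivacy.org www.openprivacy.net]}, error: one or more domains had a '
    'problem:\\n[reputation.org] acme: error: 400 :: urn:ietf:params:acme:error:dns '
    ':: No valid IP addresses found for reputation.org\\n[www.reputation.org] acme: '
    'error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking '
    'up A for www.reputation.org - check that a DNS record exists for this domain\\n"'
)
# The updated [[acme.domains]] block from the second post.
TRAEFIK_TOML = """
[[acme.domains]]
   main = "openprivacy.org"
   sans = ["www.openprivacy.org", "openprivacy.net", "www.openprivacy.net"]
"""
# Hypothetical Apache vhost that still carries aliases for the sold domain.
APACHE_VHOST = """
<VirtualHost *:80>
    ServerName openprivacy.org
    ServerAlias www.openprivacy.org openprivacy.net www.openprivacy.net
    # stale: this domain's DNS records were removed ahead of the sale
    ServerAlias reputation.org www.reputation.org
</VirtualHost>
"""
# Hypothetical zone data (TEST-NET-3 addresses) so the check runs offline;
# reputation.org has no records, as after its IP was removed.
FAKE_ZONE = {h: ["203.0.113.10"] for h in (
    "openprivacy.org", "www.openprivacy.org", "openprivacy.net", "www.openprivacy.net")}

PROBLEM_RE = re.compile(r"\[([^\]]+)\]\s+acme: error: (\d{3}) :: "
                        r"urn:ietf:params:acme:error:([A-Za-z]+) :: (.*)")

def parse_acme_problems(log_line: str) -> Dict[str, Tuple[str, str]]:
    """Map each failing identifier to (ACME error type, detail) from the error line."""
    problems: Dict[str, Tuple[str, str]] = {}
    for line in log_line.replace("\\n", "\n").splitlines():
        m = PROBLEM_RE.search(line)
        if m:
            name, _status, err_type, detail = m.groups()
            problems[name.lower()] = (err_type, detail.rstrip('"').strip())
    return problems

def traefik_names(toml_text: str) -> Set[str]:
    """Collect main/sans hostnames from [[acme.domains]] entries (minimal TOML scan)."""
    names: Set[str] = set()
    for m in re.finditer(r"^\s*(?:main|sans)\s*=\s*(.+?)\s*$", toml_text, re.M):
        names.update(n.lower() for n in re.findall(r'"([^"]+)"', m.group(1)))
    return names

def apache_names(config: str) -> Set[str]:
    """Collect every ServerName/ServerAlias hostname from an Apache config."""
    names: Set[str] = set()
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        if parts[0].lower() in ("servername", "serveralias"):
            for host in parts[1:]:  # ServerName may be written scheme://host:port
                names.add(host.split("://", 1)[-1].split(":", 1)[0].lower())
    return names

def system_resolver(name: str) -> List[str]:
    """Live A/AAAA lookup; [] on NXDOMAIN or when no address records exist."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def fake_resolver(name: str) -> List[str]:
    return FAKE_ZONE.get(name.lower(), [])

def audit(toml_text: str, apache_config: str, log_line: str,
          resolve: Callable[[str], List[str]] = system_resolver) -> Dict[str, List[str]]:
    """Pre-flight: every name LE would be asked for, and which cannot pass its DNS check."""
    configured = traefik_names(toml_text)
    served = apache_names(apache_config)
    requested = configured | served
    unresolvable = sorted(n for n in requested if not resolve(n))
    reported = set(parse_acme_problems(log_line))
    return {
        "requested": sorted(requested),
        "only_in_apache": sorted(served - configured),   # aliases Traefik's TOML never listed
        "unresolvable": unresolvable,                    # would fail with acme:error:dns
        "dns_errors_explained": sorted(set(unresolvable) & reported),
    }

if __name__ == "__main__":
    for key, value in audit(TRAEFIK_TOML, APACHE_VHOST, LEGO_ERROR, fake_resolver).items():
        print(f"{key}: {value}")
```

With the constructed inputs, only_in_apache and unresolvable both list reputation.org and www.reputation.org, the two names Let's Encrypt rejected. The error type after urn:ietf:params:acme:error: is the part worth matching on: dns means the name itself has no usable records, whereas connection or unauthorized would point at the challenge (port 80 reachability, a wrong response) rather than at a stale hostname.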
