[SOLVED] Renewal whines every 90 days! DNS error without a reason!


#1

I am posting as @bmw advised me to report my issue that nags me every 90 days during renewal. The output is posted at https://pastebin.com/WKTJWcAX

All DNS entries are pointed to the right IPs, yet the LE server reports a DNS error. It has happened many times in the past, and then it started working all of a sudden. But not this time.

Any inputs appreciated.

Cheers,
/z


#2

The output you’ve posted has nothing to do with the DNS entries; the Let’s Encrypt servers are able to resolve them just fine. The problem is that internationaluniversityofsweden.net and internationaluniversityofsweden.com were refusing connections from the Let’s Encrypt servers. Whether that would still be the case now, I don’t know; they respond for me:

[root@neth-backup ~]# curl internationaluniversityofsweden.net
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html>
[root@neth-backup ~]# curl internationaluniversityofsweden.com
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html>

#3

Let’s Encrypt is resolving your DNS just fine; it just can’t connect to your server. But I am unable to reproduce any connectivity issues with the affected domain.

Is it possible that this domain is running some sort of firewall, anti-virus, or other security software that is detecting the automated requests from the Let’s Encrypt validation servers and blocking them?


#4

curl www.internationaluniversityofsweden.com

It will show the output. I think something is wrong with the Drupal config.


#5

Thanks for taking time to explore.

As you can see in my log, I tried by stopping the nginx server and executing letsencrypt server in standalone mode.

I copied the header from the pastebin for clarity:

  1. First I stopped nginx so as not to involve nginx or Drupal while fetching/renewing the certs:

# service nginx stop

  2. Then certbot was run in ‘certonly’ standalone mode without involving anything except the official LE client:

# /usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@internationaluniversityofsweden.org --domains internationaluniversityofsweden.org --domains www.internationaluniversityofsweden.org --domains internationaluniversityofsweden.com --domains www.internationaluniversityofsweden.com --domains internationaluniversityofsweden.net --domains www.internationaluniversityofsweden.net --domains ius-siu.se --domains www.ius-siu.se --domains iunis.se --domains www.iunis.se --domains iuni.se --domains www.iuni.se --webroot-path /usr/local/ispconfig/interface/acme

Thus, there is neither nginx involved nor Drupal confs. There is something else, I guess.

Cheers,
/z


#6

I can’t see that in the log you posted; all I can see is the command you ran to try to get the cert. But if you’d stopped your web server before running that command, that would explain your problem: the command you posted did not invoke standalone mode, but webroot mode, which requires a running web server. Either try the same command with nginx running, or change the command to use standalone mode.


#7

It does not seem to be the case. The servers are behind shorewall, which allows 80 and 443 traffic to the relevant servers without any conditions. Antivirus is not enabled for http/s transactions.


#8

I think you are invoking Certbot the wrong way.

--authenticator webroot implies that you have a web server running already that will serve files from the nominated webroot. But you stopped nginx, so that can’t be the case. If you want Certbot to be the web server, then you need to use --authenticator standalone and skip the webroot options.

Let me know if I misinterpreted your post.


#9

I have the same results with nginx running too.

# service nginx start
# /usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@internationaluniversityofsweden.org  --domains internationaluniversityofsweden.org --domains www.internationaluniversityofsweden.org --domains internationaluniversityofsweden.com --domains www.internationaluniversityofsweden.com --domains internationaluniversityofsweden.net --domains www.internationaluniversityofsweden.net --domains ius-siu.se --domains www.ius-siu.se --domains iunis.se --domains www.iunis.se --domains iuni.se --domains www.iuni.se --webroot-path /usr/local/ispconfig/interface/acme
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
....
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: internationaluniversityofsweden.com
   Type:   unauthorized
   Detail: Invalid response from
   http://internationaluniversityofsweden.com/.well-known/acme-challenge/SA2lJHYqqlnGH5bAyYLxVKMBndO8IdBRm0eGo0Wziv4:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: internationaluniversityofsweden.net
   Type:   unauthorized
   Detail: Invalid response from
   http://internationaluniversityofsweden.net/.well-known/acme-challenge/jYlX2KIzw4mLaRaVdfKgNKvcdmPYr3ZkRBdQdtBpIJg:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

#10

It’s a completely different error, which indicates that your nominated webroot is not actually the webroot for all of those domains.

Try this to run in true standalone mode (it will stop and start nginx for you):

/usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator standalone --pre-hook "service nginx stop" --post-hook "service nginx start" --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@internationaluniversityofsweden.org  --domains internationaluniversityofsweden.org --domains www.internationaluniversityofsweden.org --domains internationaluniversityofsweden.com --domains www.internationaluniversityofsweden.com --domains internationaluniversityofsweden.net --domains www.internationaluniversityofsweden.net --domains ius-siu.se --domains www.ius-siu.se --domains iunis.se --domains www.iunis.se --domains iuni.se --domains www.iuni.se 

#11

Thanks for the pointer, my oversight.


#12

I replaced the nginx directives with:

    # Drupal front controller: anything not found on disk goes to index.php
    location / {
        try_files $uri /index.php?$query_string;
    }

    # Named location used by the image-style rule below
    location @rewrite {
        rewrite ^/(.*)$ /index.php?q=$1;
    }

    # Generated image styles are created on first request by Drupal
    location ~ ^/sites/.*/files/styles/ {
        try_files $uri @rewrite;
    }

    # Private files are served through index.php
    location ~ ^(/[a-z\-]+)?/system/files/ {
        try_files $uri /index.php?$query_string;
    }

The certificate got renewed, as shown below:

# /usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@internationaluniversityofsweden.org  --domains internationaluniversityofsweden.org --domains www.internationaluniversityofsweden.org --domains internationaluniversityofsweden.com --domains www.internationaluniversityofsweden.com --domains internationaluniversityofsweden.net --domains www.internationaluniversityofsweden.net --domains ius-siu.se --domains www.ius-siu.se --domains iunis.se --domains www.iunis.se --domains iuni.se --domains www.iuni.se --webroot-path /usr/local/ispconfig/interface/acme
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for internationaluniversityofsweden.org
http-01 challenge for www.internationaluniversityofsweden.org
http-01 challenge for internationaluniversityofsweden.com
http-01 challenge for www.internationaluniversityofsweden.com
http-01 challenge for internationaluniversityofsweden.net
http-01 challenge for www.internationaluniversityofsweden.net
http-01 challenge for ius-siu.se
http-01 challenge for www.ius-siu.se
http-01 challenge for iunis.se
http-01 challenge for www.iunis.se
http-01 challenge for iuni.se
http-01 challenge for www.iuni.se
Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Unable to clean up challenge directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
Generating key (4096 bits): /etc/letsencrypt/keys/0206_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0206_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/internationaluniversityofsweden.org/fullchain.pem.
   Your cert will expire on 2018-05-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Thereafter I reverted the nginx directives to the original to make it work.

Thanks everyone for invaluable and prompt inputs.

Cheers,
/z
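An added example, not from this thread nor from ISPConfig or Drupal: a server block that serves the http-01 challenge path from the directory passed as --webroot-path ahead of the Drupal rewrite rules, so webroot-mode renewal works without swapping directives before each run. The webroot path and the Drupal locations are the ones from the posts above; the listen/server_name lines and the Drupal docroot are assumptions.

```nginx
server {
    listen 80;
    # Every name passed to certbot via --domains must reach a block with this
    # location; otherwise the CA's GET for the token lands in another vhost
    # and gets the 404 seen in the renewal output above.
    server_name internationaluniversityofsweden.com www.internationaluniversityofsweden.com;

    # Serve certbot's tokens from the webroot given on the command line.
    # "^~" stops regex locations from being considered, and the longer
    # prefix beats "location /", so Drupal's try_files never rewrites the
    # challenge URL to index.php.
    location ^~ /.well-known/acme-challenge/ {
        root /usr/local/ispconfig/interface/acme;   # --webroot-path from the thread
        default_type "text/plain";
        allow all;                                   # override any deny rules in this vhost
    }

    # Drupal's own rules, unchanged; they only see requests the block above did not take.
    root /var/www/drupal;   # assumed Drupal docroot, not stated in the thread
    index index.php;

    location / {
        try_files $uri /index.php?$query_string;
    }

    location @rewrite {
        rewrite ^/(.*)$ /index.php?q=$1;
    }

    location ~ ^/sites/.*/files/styles/ {
        try_files $uri @rewrite;
    }

    location ~ ^(/[a-z\-]+)?/system/files/ {
        try_files $uri /index.php?$query_string;
    }
}
```

After `nginx -t` and a reload, placing a test file in /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/ and fetching it with curl over plain HTTP for each listed name should return its contents with a 200 (a redirect that ends in 200 is also accepted by the CA); a 404 or connection refused at that point is the same failure the renewal will report.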