SSL certificate not renewed

Hi Team,

SSL certificate was not renewed and I am able to see the below errors in letsencrypt logs.
My domain is: www.icds-cas.gov.in

It produced this error in logs:

2019-11-06 00:49:33,151:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 430, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1197, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 115, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 305, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 334, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 370, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. icds-cas.gov.in (http-01): urn:ietf:params:acme:error:caa :: CAA record for icds-cas.gov.in prevents issuance, www.icds-cas.gov.in (http-01): urn:ietf:params:acme:error:caa :: CAA record for www.icds-cas.gov.in prevents issuance

2019-11-06 00:49:33,152:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2019-11-06 00:49:33,153:ERROR:certbot.renewal: /etc/letsencrypt/live/www.icds-cas.gov.in/fullchain.pem (failure)
2019-11-06 00:49:33,153:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in
    load_entry_point('certbot==0.26.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1276, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 455, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

My web server is (include version): nginx

The operating system my web server runs on is (include version): ubuntu 14.04

I can login to a root shell on my machine (yes or no, or I don't know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.26.1

Thanks,
Sanjay


You have CAA records that prohibit Let’s Encrypt from issuing certificates for your domain.

You should add a CAA entry to your DNS to permit this. Since this is a government domain you may need to contact your network administrator to have this added.


Hi @sanjay2916

Checking your domain, there you see the problem - https://check-your-website.server-daten.de/?q=icds-cas.gov.in#caa


That entry says: Nobody is allowed to create a certificate with icds-cas.gov.in or a subdomain.

So

  • remove that entry (or)
  • change the value to letsencrypt.org, so Letsencrypt is allowed to create certificates.

It looks as if the “company” has set that policy to ensure that no one can create certs for that domain. That’s a wonderful security step!
The bad news is that policy ensures that no one can create certs for that domain.
[not even someone from that same “company”, required to update expiring certs]

Perhaps there could be a DNS plugin (addon) to create TXT records and also update CAA records.

Although a bit more complicated than disposable TXT records…

  • save existing CAA record
  • add LE to CAA record
  • use
  • revert to saved CAA record

It could be useful as an added lock and key to cert issuance.
[but nothing comes without its challenges - like: How can two systems use this same method at the same time for the same domain?]
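To make the CAA decision from the replies above concrete (the bare "issue ;" record that blocks every CA, and the "issue letsencrypt.org" value that permits Let's Encrypt), here is an added example, not code from the thread or from Certbot, that evaluates a hostname against CAA records the way RFC 8659 describes: walk from the name up through its parents to the first CAA RRset, then check the issue (or issuewild) issuer domains. The zones are constructed in memory so it runs offline; a real check would query DNS and feed the answers into the same function.

```python
from typing import Dict, List, Optional, Tuple

Record = Tuple[int, str, str]          # (flags, tag, value) of one CAA RR
Zone = Dict[str, List[Record]]

# Constructed records mirroring the thread: a bare "issue ;" at the apex tells
# every CA, Let's Encrypt included, not to issue for the name or any child.
BLOCKED_ZONE: Zone = {"icds-cas.gov.in": [(0, "issue", ";")]}
# The corrected record suggested in the replies: only Let's Encrypt may issue.
FIXED_ZONE: Zone = {"icds-cas.gov.in": [(0, "issue", "letsencrypt.org")]}


def relevant_caa_set(name: str, zone: Zone) -> Optional[List[Record]]:
    """Walk from the hostname up through its parents and return the first
    non-empty CAA RRset found (RFC 8659 section 3); None if there is none."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return None


def issuance_allowed(name: str, ca: str, zone: Zone, wildcard: bool = False) -> bool:
    """Decide whether the CA identified by issuer domain `ca` may issue for `name`."""
    records = relevant_caa_set(name, zone)
    if records is None:
        return True                     # no CAA anywhere in the tree: unrestricted
    # A critical property (flag bit 7 set) the CA does not understand forbids issuance.
    if any(flags & 0x80 and tag not in ("issue", "issuewild", "iodef")
           for flags, tag, _ in records):
        return False
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"               # issuewild takes precedence for wildcard names
    # The issuer domain is the part before any ";parameter" list; "" means nobody.
    issuers = [v.split(";")[0].strip().lower() for _, t, v in records if t == tag]
    if not issuers:
        return True                     # RRset carries no relevant restriction
    return ca.lower() in issuers


if __name__ == "__main__":
    for label, zone in (("blocked", BLOCKED_ZONE), ("fixed", FIXED_ZONE)):
        ok = issuance_allowed("www.icds-cas.gov.in", "letsencrypt.org", zone)
        print(f"{label}: letsencrypt.org may issue for www.icds-cas.gov.in -> {ok}")
```

The same function also shows why the save/add/use/revert idea is fragile: while the record is reverted to "issue ;", every renewal, from any system, is refused again.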
