SSL Certificate Renewal with Dubsado

Hi,

I've recently set up my website to use Dubsado with business workflow management and forms. I currently have a webserver registered with an SSL certificate with Let's Encrypt, all good so far. I also own the domain for my website.

The setup instructions for Dubsado are to create a CNAME record pointing to ssl.dubsado.com. Prior to setting up the CNAME I had it look at my domain so that I could register the CNAME in the new SSL certificate, all renewed and installed on my Apache webserver.

I changed the CNAME to ssl.dubsado.com. So far so good, everything is working: workflow management and the CNAME in HTTPS.

The issue I am having is that when I execute certbot renew --dry-run it fails the test, as it cannot validate the CNAME record as it's now pointing to Dubsado.

How can I get the renewal process to renew my certificate that includes my website and the CNAME?

When you create a CNAME you are redirecting your domain to someone else; that means they are the ones that need to manage the certificate (not you). You should contact Dubsado support.

Thanks webprofusion. The entire domain and www point to my webserver, I've just created a CNAME record called clients pointing to ssl.dubsado.com.

I.e. clients.mydomain.com points to ssl.dubsado.com. Mydomain.com and www.mydomain.com point to my webserver. I'll contact Dubsado on how to resolve this.

The issue is that my domain is preloaded in HSTS so I require all of the domain to be in HTTPS. Let me know if there is anything else I can try.

Thanks


Please show the complete log file ("/var/log/letsencrypt/letsencrypt.log").
And the renewal config file found in the folder /etc/letsencrypt/renewal/

Thanks rg305

Below is the output of the letsencrypt.log file from a recent --dry-run test:

2021-07-06 10:02:12,061:DEBUG:certbot.main:certbot version: 0.31.0
2021-07-06 10:02:12,061:DEBUG:certbot.main:Arguments: ['--dry-run']
2021-07-06 10:02:12,062:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-07-06 10:02:12,085:DEBUG:certbot.log:Root logging level set at 20
2021-07-06 10:02:12,086:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-07-06 10:02:12,107:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0xb53e3ab0> and installer <certbot.cli._Default object at 0xb53e3ab0>
2021-07-06 10:02:12,107:DEBUG:certbot.cli:Var dry_run=True (set by user).
2021-07-06 10:02:12,108:DEBUG:certbot.cli:Var server={'staging', 'dry_run'} (set by user).
2021-07-06 10:02:12,108:DEBUG:certbot.cli:Var dry_run=True (set by user).
2021-07-06 10:02:12,108:DEBUG:certbot.cli:Var server={'staging', 'dry_run'} (set by user).
2021-07-06 10:02:12,108:DEBUG:certbot.cli:Var account={'server'} (set by user).
2021-07-06 10:02:12,126:INFO:certbot.renewal:Cert not due for renewal, but simulating renewal for dry run
2021-07-06 10:02:12,127:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2021-07-06 10:02:12,345:DEBUG:certbot_apache.configurator:Apache version is 2.4.38
2021-07-06 10:02:12,934:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0xb5434cf0>
Prep: True
2021-07-06 10:02:12,936:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0xb5434cf0>
Prep: True
2021-07-06 10:02:12,937:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.override_debian.DebianConfigurator object at 0xb5434cf0> and installer <certbot_apache.override_debian.DebianConfirator object at 0xb5434cf0>
2021-07-06 10:02:12,937:INFO:certbot.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2021-07-06 10:02:12,945:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=ne, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/15151354', new_authzr_uri=None, terms_of_service=None), a83d0d20ba7c5965e696e11455236054, Meta(creation_dt=dateti.datetime(2020, 8, 14, 4, 20, 3, tzinfo=<UTC>), creation_host='WebServer'))>
2021-07-06 10:02:12,947:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2021-07-06 10:02:12,952:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
2021-07-06 10:02:13,732:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 724
2021-07-06 10:02:13,735:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 06 Jul 2021 00:02:13 GMT
Content-Type: application/json
Content-Length: 724
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert",
  "zYJskf-QL54": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
}
2021-07-06 10:02:13,737:INFO:certbot.main:Renewing an existing certificate
2021-07-06 10:02:14,634:DEBUG:acme.client:Requesting fresh nonce
2021-07-06 10:02:14,634:DEBUG:acme.client:Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
2021-07-06 10:02:14,818:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2021-07-06 10:02:14,819:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 06 Jul 2021 00:02:14 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002q0vmpcU8PGMd3HjffcUAg0OxmtxAClphwZcEqueXmqw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2021-07-06 10:02:14,820:DEBUG:acme.client:Storing nonce: 0002q0vmpcU8PGMd3HjffcUAg0OxmtxAClphwZcEqueXmqw
2021-07-06 10:02:14,821:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "copybysophie.com.au"\n    },\n    {\n      "type": "dns",\n      "value": "client.copybysophie.com.au"\n    },\n    {\n      "type": "dns",      "value": "www.copybysophie.com"\n    },\n    {\n      "type": "dns",\n      "value": "www.copybysophie.com.au"\n    }\n  ]\n}'
2021-07-06 10:02:14,830:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNTE1MTM1NCIsICJub25jZSI6ICIwMDAycTB2bXBjVThQR01kM0hqZmZjVUFnME94bXR4QUNscGh3WmNFcXVlWxdyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
  "signature": "SB5NkjD6kgRETfnNXz5EFZhfgi55BHKZQji1qNog2wXRwjSsyt1deHabK3e27Q5FgCYk0YinoodT4PeJHyYmDfv08V7e53BKcn_amSIXo16v8gRLIYNrZz7sYkcKYaQe6Q5kwsAeHn7MFUsH2q8Z8CxLGABZuEXNxQ7wtoC2QhXFmjZvvliboQgCKooBm2G598LzXTpSVzhVAuSAQqsAE0fnBhmxZ46KAYv_5CgSiKxYoiPfpbD0EVEl611qEfHaWqDLLsyTYegCMhlUY2Q8uMX01nWqLzEjelNUIh5I0dHhEb5MluuXgBXaPvTi0cWz59XISKqdH-f1ps_t8GIg",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImNvcHlieXNvcGhpZS5jb20uYXUiCiAgICB9LAogICAgewogICAgICAidHlwZSI6ICJkbnMiLAogICAgICAidmFsdWUiOiAiY2xpZW50LmNvcHlXNvcGhpZS5jb20uYXUiCiAgICB9LAogICAgewogICAgICAidHlwZSI6ICJkbnMiLAogICAgICAidmFsdWUiOiAid3d3LmNvcHlieXNvcGhpZS5jb20iCiAgICB9LAogICAgewogICAgICAidHlwZSI6ICJkbnMiLAogICAgICAidmFsdWUiOiAid3d3LmNvcHlieXNvcGhpZS5jb2YXUiCiAgICB9CiAgXQp9"
}
2021-07-06 10:02:15,038:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 801
2021-07-06 10:02:15,039:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Tue, 06 Jul 2021 00:02:14 GMT
Content-Type: application/json
Content-Length: 801
Connection: keep-alive
Boulder-Requester: 15151354
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/15151354/94170497
Replay-Nonce: 0002ulsNjO0Q7_n9odizuQ5lpaCwwTkqv7DdJvdCJKV6u0k
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2021-07-13T00:02:14Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "client.copybysophie.com.au"
    },
    {
      "type": "dns",
      "value": "copybysophie.com.au"
    },
    {
      "type": "dns",
      "value": "www.copybysophie.com"
    },
    {
      "type": "dns",
      "value": "www.copybysophie.com.au"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82389994",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82389995",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82389996",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82918331"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/15151354/94170497"
}
2021-07-06 10:02:15,040:DEBUG:acme.client:Storing nonce: 0002ulsNjO0Q7_n9odizuQ5lpaCwwTkqv7DdJvdCJKV6u0k
2021-07-06 10:02:15,040:DEBUG:acme.client:JWS payload:
b''
2021-07-06 10:02:15,049:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82389994:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNTE1MTM1NCIsICJub25jZSI6ICIwMDAydWxzTmpPMFE3X245b2RpenVRNWxwYUN3d1RrcXY3RGRKdmRDSktWNwayIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My84MjM4OTk5NCJ9",
  "signature": "WTKFVCkoQ9XA1fNTsQujulo0MGlMy1e-X4GxtS_89aJ9j-VgUVOmIXe2-k-MW4mNwg8eGSdfmwp8-bU2ZWX_OLnG5vgEpSnBrhxN5BuIeqaKYoRstUJGbOdCjA-Dhn9yw-fiTfxul8at8TDRfiyWt1uocoEC524Cbh2saFwTdhMlUx0nycdpi8IZMyR8Ard_VKkak_0XLJE59M47z3VglowaJKvisXADhXvMkWe-Tks5Bh5RnSrb0rD1TkpFGGNdx_CDWAAwfLYeDpJpXokRcp1aWwKDHA26RQvOp2uv9UGfGEJ80miWjL__luDz6C-QLHxH1RYdEEG2AUK9YsiQ",
  "payload": ""
}
2021-07-06 10:02:15,236:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/82389994 HTTP/1.1" 200 778
2021-07-06 10:02:15,238:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 06 Jul 2021 00:02:15 GMT
Content-Type: application/json
Content-Length: 778
Connection: keep-alive
Boulder-Requester: 15151354
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002gfp_NmiF1XvjMj_eKt6e2YtZ-XcBrG-wtruOMAaC7fA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "copybysophie.com.au"
  },
  "status": "valid",
  "expires": "2021-08-04T06:28:23Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "valid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/82389994/xmPSaw",
      "token": "vKm9c9z3q9LVfHg3uRyANKgZ_I6fzKq0OQBUJQwg2cg",
      "validationRecord": [
        {
          "url": "http://copybysophie.com.au/.well-known/acme-challenge/vKm9c9z3q9LVfHg3uRyANKgZ_I6fzKq0OQBUJQwg2cg",
          "hostname": "copybysophie.com.au",
          "port": "80",
          "addressesResolved": [
            "116.255.18.200"
          ],
          "addressUsed": "116.255.18.200"
        }
      ],
      "validated": "2021-07-05T06:28:22Z"
    }
  ]
}
2021-07-06 10:02:15,239:DEBUG:acme.client:Storing nonce: 0002gfp_NmiF1XvjMj_eKt6e2YtZ-XcBrG-wtruOMAaC7fA
2021-07-06 10:02:15,240:DEBUG:acme.client:JWS payload:
b''
2021-07-06 10:02:15,256:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82389995:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNTE1MTM1NCIsICJub25jZSI6ICIwMDAyZ2ZwX05taUYxWHZqTWpfZUt0NmUyWXRaLVhjQnJHLXd0cnVPTUFhQmQSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My84MjM4OTk5NSJ9",
  "signature": "ZR7T8cKMD8PM_mVtZ9Q-nCQBEbAZvcZ8PfUDSbZc4XkYDx1Vaqbz6N5GIXdSjZP5f8qf0jgIxvg9yrGcPyGi7h-wv9nX08Cd6k3yvBuBuO9vk-t_LscDqZZ9nCFI7fTeQknJcCB-hVSsNR0ZjRXujQGF-kCPWEs0-RkP3LfAHTxXY2dnvMsSWO9BZe1Ak-Th2ebaFWgvABsHxaRg3XPxgB7TLm-91PrmK8eB6GHLiPLc2uDpAdOkBTsxd-Gx-iEFh5C_57JXLKKiM4hOOomO3yx-VDW_KcEIHZ0cNzR0W0vBLN1LiNG9Ov_ruPRSt7oQyGKFkwDECg7ywWOpykKA",
  "payload": ""
}
2021-07-06 10:02:15,446:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/82389995 HTTP/1.1" 200 1118
2021-07-06 10:02:15,448:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 06 Jul 2021 00:02:15 GMT
Content-Type: application/json
Content-Length: 1118
Connection: keep-alive
Boulder-Requester: 15151354
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001Hg5G_gMaSuvLWpihCG0-EjnYWnYyuFAm_MsjM5VH20U
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.copybysophie.com"
  },
  "status": "valid",
  "expires": "2021-08-04T06:28:24Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "valid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/82389995/hikfHw",
      "token": "asl2hiXQsKiNmWCYTCz5SAIz7-4J9LR-h8jUFsYik-A",
      "validationRecord": [
        {
          "url": "http://www.copybysophie.com/.well-known/acme-challenge/asl2hiXQsKiNmWCYTCz5SAIz7-4J9LR-h8jUFsYik-A",
          "hostname": "www.copybysophie.com",
          "port": "80",
          "addressesResolved": [
            "184.168.131.241"
          ],
          "addressUsed": "184.168.131.241"
        },
        {
          "url": "https://www.copybysophie.com.au/.well-known/acme-challenge/asl2hiXQsKiNmWCYTCz5SAIz7-4J9LR-h8jUFsYik-A",
          "hostname": "www.copybysophie.com.au",
          "port": "443",
          "addressesResolved": [
            "116.255.18.200"
          ],
          "addressUsed": "116.255.18.200"
        }
      ],
      "validated": "2021-07-05T06:28:23Z"
    }
  ]
}
2021-07-06 10:02:15,449:DEBUG:acme.client:Storing nonce: 0001Hg5G_gMaSuvLWpihCG0-EjnYWnYyuFAm_MsjM5VH20U
2021-07-06 10:02:15,450:DEBUG:acme.client:JWS payload:
b''
2021-07-06 10:02:15,469:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82389996:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNTE1MTM1NCIsICJub25jZSI6ICIwMDAxSGc1R19nTWFTdXZMV3BpaENHMC1Fam5ZV25ZeXVGQW1fTXNqTTVWSwVSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My84MjM4OTk5NiJ9",
  "signature": "jJn-eK_pLN8kAU7hi0UzYDLpXiDhOgpz7lSjZzgPt-NZuhCvnQbuVAkicmxuQJ6uaxDU_z4lp7G8Qfmpl6PLxGg4cZ5mV852UWik9fCmECycwwStG7QKDtIIvHXpPyDzytS_FOetTEp9_ilqjjTiW2yPIi_qY5Qr7gdMrnVMvkPUbkzaxsoh20VJ2NZHjGCXLKtEG0dUeFmwr37c2sCM444Wxp7SArYqiVJ1hK7fXur4jCFZbx3J0IrrwMDDPm9HemJ1qdot3Ngu5lgiDdqlrjRTNyJzrQqTf7DxBKg_6rlbpBSkGb_jVXPhBcVL5cQlfPhFDuxGXypJF5uA5wMA",
  "payload": ""
}
2021-07-06 10:02:15,660:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/82389996 HTTP/1.1" 200 790
2021-07-06 10:02:15,662:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 06 Jul 2021 00:02:15 GMT
Content-Type: application/json
Content-Length: 790
Connection: keep-alive
Boulder-Requester: 15151354
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002b_pBA0Lgx_dLytYwOPO8_HOoV2_8lWakRvu9nZwVj0E
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.copybysophie.com.au"
  },
  "status": "valid",
  "expires": "2021-08-04T06:28:24Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "valid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/82389996/q3PKYw",
      "token": "ycsHD6jIgSIPlBqBNkdQLZ97Ui_s7oNVw1M4I-czjbQ",
      "validationRecord": [
        {
          "url": "http://www.copybysophie.com.au/.well-known/acme-challenge/ycsHD6jIgSIPlBqBNkdQLZ97Ui_s7oNVw1M4I-czjbQ",
          "hostname": "www.copybysophie.com.au",
          "port": "80",
          "addressesResolved": [
            "116.255.18.200"
          ],
          "addressUsed": "116.255.18.200"
        }
      ],
      "validated": "2021-07-05T06:28:23Z"
    }
  ]
}
2021-07-06 10:02:15,663:DEBUG:acme.client:Storing nonce: 0002b_pBA0Lgx_dLytYwOPO8_HOoV2_8lWakRvu9nZwVj0E
2021-07-06 10:02:15,665:DEBUG:acme.client:JWS payload:
b''
2021-07-06 10:02:15,686:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82918331:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNTE1MTM1NCIsICJub25jZSI6ICIwMDAyYl9wQkEwTGd4X2RMeXRZd09QTzhfSE9vVjJfOGxXYWtSdnU5blp3VwRSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My84MjkxODMzMSJ9",
  "signature": "5JQqq6fiGCAswzLwWB9YAg1peABjW_FsWW_Oauqjlkm5IfmbPXw0r3f-4H3d3I5F_WaKPpAHSya_BS-qhbc2fh1pfiah9zrhZ_qy2DZ4BpwLaiYNDnxs8dlN4AqYJHP2zgRyy2JsjZspGwsNBoSMWNwNmIpMpvAk9uZn5wNWNNCGltfzm3tt8OLRvfSYredq53PMgFtT8WV8x9MOGJmam8nO4o_AzXzUGuzMswjBy0zyS4Ty1-UsX-dvuOvqcMiPXraukMjKvbvwibMghQDGTgfWRhbVKWDn2Z11r3M9glrqY9mdRz9RDdAtcqtrfZ8Pwx7-eWxIkX1Vy3boyTbg",
  "payload": ""
}
2021-07-06 10:02:15,900:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/82918331 HTTP/1.1" 200 822
2021-07-06 10:02:15,902:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 06 Jul 2021 00:02:15 GMT
Content-Type: application/json
Content-Length: 822
Connection: keep-alive
Boulder-Requester: 15151354
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 00023WwbO9yZ9MJ5eoHGc-1KvFMmPz758mK_pyL5Lsul3M4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "client.copybysophie.com.au"
  },
  "status": "pending",
  "expires": "2021-07-13T00:02:14Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/82918331/zJ9ngQ",
      "token": "ara9l_yvGl4ngMdVpRAhxFtIfHpelw1WKRxacDwCF34"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/82918331/c4FL5g",
      "token": "ara9l_yvGl4ngMdVpRAhxFtIfHpelw1WKRxacDwCF34"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/82918331/vQ1MPQ",
      "token": "ara9l_yvGl4ngMdVpRAhxFtIfHpelw1WKRxacDwCF34"
    }
  ]
}
2021-07-06 10:02:15,903:DEBUG:acme.client:Storing nonce: 00023WwbO9yZ9MJ5eoHGc-1KvFMmPz758mK_pyL5Lsul3M4
2021-07-06 10:02:15,906:INFO:certbot.auth_handler:Performing the following challenges:
2021-07-06 10:02:15,907:INFO:certbot.auth_handler:http-01 challenge for client.copybysophie.com.au
2021-07-06 10:02:15,951:DEBUG:certbot_apache.http_01:Adding a temporary challenge validation Include for name: copybysophie.com.au in: /etc/apache2/sites-enabled/copybysophie.com.au-le-ssl.conf
2021-07-06 10:02:15,951:DEBUG:certbot_apache.http_01:Adding a temporary challenge validation Include for name: copybysophie.com.au in: /etc/apache2/sites-enabled/copybysophie.com.au-le-ssl.conf
2021-07-06 10:02:15,952:DEBUG:certbot_apache.http_01:Adding a temporary challenge validation Include for name: copybysophie.com.au in: /etc/apache2/sites-enabled/copybysophie.com.au.conf
2021-07-06 10:02:15,954:DEBUG:certbot_apache.http_01:writing a pre config file with text:
         RewriteEngine on
        RewriteRule ^/\.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]

2021-07-06 10:02:15,955:DEBUG:certbot_apache.http_01:writing a post config file with text:
         <Directory /var/lib/letsencrypt/http_challenges>
            Require all granted
        </Directory>
        <Location /.well-known/acme-challenge>
            Require all granted
        </Location>

2021-07-06 10:02:16,060:DEBUG:certbot.reverter:Creating backup of /etc/apache2/sites-enabled/copybysophie.com.au.conf
2021-07-06 10:02:16,061:DEBUG:certbot.reverter:Creating backup of /etc/apache2/sites-enabled/copybysophie.com.au-le-ssl.conf
2021-07-06 10:02:19,487:INFO:certbot.auth_handler:Waiting for verification...
2021-07-06 10:02:19,491:DEBUG:acme.client:JWS payload:
b'{\n  "resource": "challenge",\n  "type": "http-01"\n}'
2021-07-06 10:02:19,513:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/82918331/zJ9ngQ:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNTE1MTM1NCIsICJub25jZSI6ICIwMDAyM1d3Yk85eVo5TUo1ZW9IR2MtMUt2Rk1tUHo3NThtS19weUw1THN1bNNCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My84MjkxODMzMS96SjluZ1EifQ",
  "signature": "kQvXtQ6OzTH1pftsAlXsUcl-kc1NZ5ARfCdHfrUDaGTWxYaRuoeFVnjI7acl4JyKtECPDBd8IpHRII5uF4h4yR5O2M2oL87PApGkbTuKSq93l2LzIGDd-lUhmx0CU1VnDmSwviSllKKO2APxPOwJrhp0LRXKjo3jE0VedjpP7mSlTi9fMLkYS8mg--y4PCG0JA47qoYLmcs_JYtE-HaIRhv0_8l4wEq3XY61gbbWqpmdyWkDRDzy3lhGiYwouT3mLi5xvgGe012d1besqT74P5oG2xgBHlhikvxZN8b70KXuURoFYIxMPFTvDhrULzKJHbXdqeU2zNZnezON4zrw",
  "payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJ0eXBlIjogImh0dHAtMDEiCn0"
}
2021-07-06 10:02:19,709:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/82918331/zJ9ngQ HTTP/1.1" 200 191
2021-07-06 10:02:19,711:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 06 Jul 2021 00:02:19 GMT
Content-Type: application/json
Content-Length: 191
Connection: keep-alive
Boulder-Requester: 15151354
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82918331>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/82918331/zJ9ngQ
Replay-Nonce: 0002KzlkYWLwqzoLjE9X2HHBzvYWUy8k-iA8hCdi_-_sTmc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/82918331/zJ9ngQ",
  "token": "ara9l_yvGl4ngMdVpRAhxFtIfHpelw1WKRxacDwCF34"
}
2021-07-06 10:02:19,712:DEBUG:acme.client:Storing nonce: 0002KzlkYWLwqzoLjE9X2HHBzvYWUy8k-iA8hCdi_-_sTmc
2021-07-06 10:02:22,716:DEBUG:acme.client:JWS payload:
b''
2021-07-06 10:02:22,725:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/82918331:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNTE1MTM1NCIsICJub25jZSI6ICIwMDAyS3psa1lXTHdxem9MakU5WDJISEJ6dllXVXk4ay1pQThoQ2RpXy1fctYyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My84MjkxODMzMSJ9",
  "signature": "xkBuu9aBMVhvpYlxztaD1echsbt2iE4dR-hc0pvvn02Y_PQUtHtG0z4gxO64rtSOsldMEY3bRBcIvuTfYOl8XWfOGQfb92gnrcrcshq7Gy5SYKO7l26CGYFTOnpdEOgWP144q0azbNzDTwgHDYTpf6G4Do8TgbqIUIzqI7SBYrmKYL91VMHTMJwuq8U3IaQAqMpGhJZ6wgMqF1ZwRg_aID0Irdz86fqSaSoobOCFfke5RpGxCd4vhGQWeC5anwXGpMUp5wucjixm7JCeLu_vP-KD9zRRPO84fjmfznNs62-BIWf1GG8fA0qiGj8xAOkzMz1taky8wsJRSowNax3Q",
  "payload": ""
}
2021-07-06 10:02:22,918:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/82918331 HTTP/1.1" 200 1327
2021-07-06 10:02:22,919:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 06 Jul 2021 00:02:22 GMT
Content-Type: application/json
Content-Length: 1327
Connection: keep-alive
Boulder-Requester: 15151354
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 00029eU5rAjkx7CgycsnS9kvuuzwbRWFfJHLLZAb5ax3e-Q
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "client.copybysophie.com.au"
  },
  "status": "invalid",
  "expires": "2021-07-13T00:02:14Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://client.copybysophie.com.au/.well-known/acme-challenge/ara9l_yvGl4ngMdVpRAhxFtIfHpelw1WKRxacDwCF34 [45.55.109.231]: \"\u003c!DOCTYPE html\u003e\\n\u003chtml lang=\"en\\\"\u003e\\n\u003chead\u003e\\n\u003cmeta charset=\\\"utf-8\\\"\u003e\\n\u003ctitle\u003eError\u003c/title\u003e\\n\u003c/head\u003e\\n\u003cbody\u003e\\n\u003cpre\u003eInternal Server Error\u003c/p\"",
        "status": 403
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/82918331/zJ9ngQ",
      "token": "ara9l_yvGl4ngMdVpRAhxFtIfHpelw1WKRxacDwCF34",
      "validationRecord": [
        {
          "url": "http://client.copybysophie.com.au/.well-known/acme-challenge/ara9l_yvGl4ngMdVpRAhxFtIfHpelw1WKRxacDwCF34",
          "hostname": "client.copybysophie.com.au",
          "port": "80",
          "addressesResolved": [
            "45.55.109.231"
          ],
          "addressUsed": "45.55.109.231"
        }
      ],
      "validated": "2021-07-06T00:02:19Z"
    }
  ]
}
2021-07-06 10:02:22,919:DEBUG:acme.client:Storing nonce: 00029eU5rAjkx7CgycsnS9kvuuzwbRWFfJHLLZAb5ax3e-Q
2021-07-06 10:02:22,921:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: client.copybysophie.com.au
Type:   unauthorized
Detail: Invalid response from http://client.copybysophie.com.au/.well-known/acme-challenge/ara9l_yvGl4ngMdVpRAhxFtIfHpelw1WKRxacDwCF34 [45.55.109.231]: "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta chars=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Internal Server Error</p"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2021-07-06 10:02:22,923:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. client.copybysophie.com.au (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response fm http://client.copybysophie.com.au/.well-known/acme-challenge/ara9l_yvGl4ngMdVpRAhxFtIfHpelw1WKRxacDwCF34 [45.55.109.231]: "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"utf-8\">\n<title>Error<itle>\n</head>\n<body>\n<pre>Internal Server Error</p"

2021-07-06 10:02:22,923:DEBUG:certbot.error_handler:Calling registered functions
2021-07-06 10:02:22,923:INFO:certbot.auth_handler:Cleaning up challenges
2021-07-06 10:02:23,447:WARNING:certbot.renewal:Attempting to renew cert (copybysophie.com.au) from /etc/letsencrypt/renewal/copybysophie.com.au.conf produced an unexpected error: Failed authorization procedur client.copybysophie.com.au (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://client.copybysophie.com.au/.well-known/acme-challengera9l_yvGl4ngMdVpRAhxFtIfHpelw1WKRxacDwCF34 [45.55.109.231]: "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Internal Server Error</p". Skippi.
2021-07-06 10:02:23,452:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 465, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1193, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 323, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. client.copybysophie.com.au (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response fm http://client.copybysophie.com.au/.well-known/acme-challenge/ara9l_yvGl4ngMdVpRAhxFtIfHpelw1WKRxacDwCF34 [45.55.109.231]: "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"utf-8\">\n<title>Error<itle>\n</head>\n<body>\n<pre>Internal Server Error</p"

2021-07-06 10:02:23,452:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2021-07-06 10:02:23,453:ERROR:certbot.renewal:  /etc/letsencrypt/live/copybysophie.com.au/fullchain.pem (failure)
2021-07-06 10:02:23,453:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1272, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 490, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

I've noticed the file mentions I have nginx as a server; this is incorrect, I have Apache installed.

client.copybysophie.com.au is a CNAME (DNS redirection/alias) to ssl.dubsado.com - you cannot get a cert using http validation (and you don't need one). The server ssl.dubsado.com needs to have its own certificate for client.copybysophie.com.au (which it could get using http validation) because it is the server for that subdomain (because of your CNAME pointing to it).

You need to speak to Dubsado.

There are four different names (with three different IPs) shown in the --dry-run logs:

client.copybysophie.com.au = 45.55.109.231   (ssl.dubsado.com)
       copybysophie.com.au = 116.255.18.200
   www.copybysophie.com.au = 116.255.18.200
   www.copybysophie.com    = 184.168.131.241

What is the external IP of the system you are running this on?

116.255.18.200 is the .com.au address. (Apache WebServer)

The 184.* address: I have set up a domain redirection to the .com.au address with my DNS provider.

Client is the CNAME pointing to ssl.dubsado.com which is 45.55.109.231.

Just updated my post; 116.255 is my Apache webserver.

Then you won't be able to obtain/renew/use certs with names that resolve to any other IP (when using HTTP authentication).

OK thanks. Last question: do I still need to register an SSL certificate if the CNAME is pointing to a different host but using my domain?

If the system at the IP of the name needs to use a cert, it will need to get one.
And it can get one for any and all names that point to that IP.
[So, the system at IP 45.55.109.231 can get, and use, a cert for client.copybysophie.com.au]
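The check made by hand in the replies above can be run over a certbot debug log. The following is an added example, not code from the thread or from certbot: it pulls the ACME authorization bodies out of the log and reports which host answered each http-01 request. The function names and the shortened `SAMPLE_LOG` (constructed, modelled on the log above, with placeholder JWS values) are assumptions.

```python
import json

SERVER_IP = "116.255.18.200"  # the Apache host running certbot, per the thread

# Constructed sample modelled on the log above; headers and tokens omitted.
SAMPLE_LOG = """\
2021-07-06 10:02:15,256:DEBUG:acme.client:Sending POST request to (authz URL):
{
  "protected": "PLACEHOLDER",
  "signature": "PLACEHOLDER",
  "payload": ""
}
2021-07-06 10:02:15,448:DEBUG:acme.client:Received response:
HTTP 200

{
  "identifier": {"type": "dns", "value": "www.copybysophie.com"},
  "status": "valid",
  "challenges": [
    {
      "type": "http-01",
      "status": "valid",
      "validationRecord": [
        {"hostname": "www.copybysophie.com", "port": "80", "addressUsed": "184.168.131.241"},
        {"hostname": "www.copybysophie.com.au", "port": "443", "addressUsed": "116.255.18.200"}
      ]
    }
  ]
}
2021-07-06 10:02:15,902:DEBUG:acme.client:Received response:
HTTP 200

{
  "identifier": {"type": "dns", "value": "client.copybysophie.com.au"},
  "status": "pending",
  "challenges": [
    {"type": "http-01", "status": "pending"},
    {"type": "dns-01", "status": "pending"}
  ]
}
2021-07-06 10:02:22,919:DEBUG:acme.client:Received response:
HTTP 200

{
  "identifier": {"type": "dns", "value": "client.copybysophie.com.au"},
  "status": "invalid",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {"type": "urn:ietf:params:acme:error:unauthorized", "status": 403},
      "validationRecord": [
        {"hostname": "client.copybysophie.com.au", "port": "80", "addressUsed": "45.55.109.231"}
      ]
    }
  ]
}
"""


def iter_json_bodies(log_text):
    """Yield each pretty-printed JSON object whose braces sit at column 0."""
    buf = None
    for line in log_text.splitlines():
        if buf is None:
            if line == "{":
                buf = [line]
            continue
        buf.append(line)
        if line == "}":
            try:
                yield json.loads("\n".join(buf))
            except json.JSONDecodeError:
                pass  # truncated or damaged body: skip it
            buf = None


def http01_outcomes(log_text, server_ip):
    """Map each identifier to its last seen status and the host that answered."""
    outcomes = {}
    for body in iter_json_bodies(log_text):
        ident = body.get("identifier")
        if not ident:
            continue  # JWS envelope, directory or order: not an authorization
        result = {"status": body.get("status"), "answered_by": None, "served_here": None}
        for chall in body.get("challenges", []):
            records = chall.get("validationRecord") or []
            if chall.get("type") == "http-01" and records:
                # The last record is the final hop: in the log above,
                # www.copybysophie.com is fetched from 184.168.131.241 and
                # then from 116.255.18.200, and the authorization is valid.
                result["answered_by"] = records[-1]["addressUsed"]
                result["served_here"] = result["answered_by"] == server_ip
        outcomes[ident["value"]] = result  # later bodies replace earlier ones
    return outcomes


def names_served_elsewhere(outcomes):
    """Names whose http-01 request was answered by a host other than ours."""
    return sorted(n for n, r in outcomes.items() if r["served_here"] is False)


if __name__ == "__main__":
    results = http01_outcomes(SAMPLE_LOG, SERVER_IP)
    for name, r in results.items():
        print(name, r["status"], r["answered_by"], r["served_here"])
    print("answered elsewhere:", names_served_elsewhere(results))
```

Names it lists are the ones this server cannot validate over HTTP, which is the situation described for client.copybysophie.com.au.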

Thank you, I've reverted my SSL setup without using the client CNAME on my webserver and leaving it with Dubsado.