Still not renewing


#1

Please fill out the fields below so we can help you better.

My domain is:
www.shining.lighting

I ran this command:
sudo certbot renew --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/shining.lighting.conf

Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for shining.lighting
Encountered vhost ambiguity but unable to ask for user guidance in non-interactive mode. Currently Certbot needs each vhost to be in its own conf file, and may need vhosts to be explicitly labelled with ServerName or ServerAlias directories.
Falling back to default vhost *:443…
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/shining.lighting.conf produced an unexpected error: Failed authorization procedure. shining.lighting (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up CAA for shining.lighting. Skipping.
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/shining.lighting/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: shining.lighting
    Type: connection
    Detail: DNS problem: SERVFAIL looking up CAA for shining.lighting

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My operating system is (include version):
raspberry pi debian jessie

My web server is (include version):
apache 2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no


#2

A key part here is;

Can you split the configurations such that each vhost is in it’s own conf file ?


#3

Another key part:

You don’t need to have a CAA record but you do need to have a DNS server that returns the correct response when the record doesn’t exist. Contact your DNS provider to see if they can fix this problem, or switch your DNS to another provider.


#4

Sadly I have no idea how to do this… could you offer any advice?


#5

In your current config you presumably have virtualhosts in the main cinfog file. Each of which will look like

<VirtualHost \*:80>   
  ServerName vh1.example.com
  DocumentRoot /var/www/vhosts/vh1
  ...
</VirtualHost>

for each of those, create a file (containing the code between the “VirtualHost” statements, and including the “VirtualHost” statement in /etc/httpd/sites-available/

for each one of these, enable it using the “a2ensite” command


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.