The renewal of the Let’s Encrypt certificates failed

The last attempt to renew the Let’s Encrypt certificates at the beginning of the month failed and I can't figure out why or fix the problem.

I read a lot in the forum, but I didn't find anything similar to my case.

Please, help me!

My domains (where Let’s Encrypt, after trying to renew, no longer works after several years of trouble-free operation) are:

club.galanto.com, bb.galanto.com, online.galanto.com, photo.galanto.com

(On the same machine some sites are still working: galanto.com, bitak.galanto.com, mn.galanto.com, us.galanto.com, but probably only because they haven't had to renew their certificates yet)

My web server is (include version):

Apache version 2.4.52

The operating system my web server runs on is (include version):

Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-92-generic x86_64)

My hosting provider, if applicable, is:

self-hosted

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

Webmin version 2.111

Virtualmin version 7.10.0

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.21.0

I use AdGuard Home DNS on a QNAP NAS in my home network, but I don't think that is the reason: when I switch to Google DNS there is no difference.

I can write to the DNS zone of my domains and I use DNS-based validation.

The error message from Virtualmin is:

Renewal failed due to

Web-based validation failed :

’Saving debug log to /var/log/letsencrypt/letsencrypt.log

Renewing an existing certificate for bb.galanto.com and www.bb.galanto.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:

Domain: www.bb.galanto.com

Type: dns

Detail: DNS problem: NXDOMAIN looking up A for www.bb.galanto.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for www.bb.galanto.com - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details. ’

DNS-based validation failed :

’Saving debug log to /var/log/letsencrypt/letsencrypt.log

Renewing an existing certificate for bb.galanto.com and www.bb.galanto.com

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:

Domain: www.bb.galanto.com

Type: unauthorized

Detail: Incorrect TXT record "M9Q872T0_b3mc0tXIVHx-iCGu-C0xBC4e14YT7ANYyk" found at _acme-challenge.www.bb.galanto.com

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.’

The command

sudo certbot -v

returns:

‘Saving debug log to /var/log/letsencrypt/letsencrypt.log

Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.’

I remain available to provide any other information needed.

Welcome @lz3ai

Looks like you have a couple different problems. I'll start with this one.

The webroot method uses your active web server. The error is that you do not have any A and/or AAAA record(s) in your DNS. Let's Encrypt (or anyone) needs those records for the IP address for that domain name.

I see an A record for bb.galanto.com but not www.bb.galanto.com

4 Likes

There's actually no such record, but I don't think that's the reason. Until now, it has been renewed for several years without this record. In addition, there are some peculiarities in my DNS zone:

  1. An A record exists only for galanto.com; all subdomains are recorded as CNAME records.

  2. Currently, on the same machine, there are working HTTPS domains configured in the same way. Unfortunately, I guess they are only working because they haven't reached the renewal deadline. Once they start renewing they will stop working with HTTPS. The domains working well are galanto.com, bitak.galanto.com, mn.galanto.com, us.galanto.com.

  3. I added a CNAME record for www.bb.galanto.com, but again I was unable to renew its certificate.

  4. Before the last renewal of the certificates, this configuration of the domains was working successfully and renewing successfully for several years.

Any other guesses?

I apologize, specifically https://bb.galanto.com/ is already working and has renewed. It probably needed some time. I will now reconfigure the others and report the result.

2 Likes

The problem is solved. I hope it doesn't show up in the next certificate renewal :wink: Besides adding the www subdomain in the CNAME records, I also had to add text entries for each subdomain individually in the TXT records, like _acme-challenge.www.XXX (where XXX is club, photo, bb, etc.), with the same value as the main domain galanto.com.

However, I still wonder how it worked for years with the previous configuration and why I now suddenly had to add separate entries for each subdomain.

Thanks @MikeMcQ for the quick response and help!

2 Likes
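The two DNS lookups behind both errors in this thread (the NXDOMAIN on www.bb.galanto.com in the webroot attempt, and the wrong TXT value at _acme-challenge.www.bb.galanto.com in the manual attempt) can be reproduced offline against a small zone table. The script below is an added example written for this thread, not code from Certbot, Virtualmin or any of the posters; the zone data, the IP address and the token strings are constructed placeholders, not the real galanto.com zone. It follows CNAMEs the way a resolver does and then reports, per name, whether an address exists and whether the challenge label carries the expected TXT. It also shows the general point behind the fix the original poster found: a CNAME redirects only the exact owner name, so _acme-challenge.club.galanto.com is a separate name that needs its own record even when club.galanto.com is a CNAME to the apex.

```python
"""
Offline model of the two DNS lookups the CA makes for a DNS-01 challenge on
each name in a certificate: an address lookup on the name itself and a TXT
lookup on _acme-challenge.<name>.

The ZONE table is constructed for this example: an apex with an A record,
subdomains as CNAMEs to the apex, no record at all for www.bb, and one stale
challenge record. None of these values are real.
"""

# Constructed zone data (hypothetical addresses and tokens).
ZONE = {
    "galanto.com": {"A": ["203.0.113.10"]},
    "bb.galanto.com": {"CNAME": ["galanto.com"]},
    "club.galanto.com": {"CNAME": ["galanto.com"]},
    # Challenge records: apex and bb carry the current token, www.bb a stale
    # one, club has none at all.
    "_acme-challenge.galanto.com": {"TXT": ["current-token-placeholder"]},
    "_acme-challenge.bb.galanto.com": {"TXT": ["current-token-placeholder"]},
    "_acme-challenge.www.bb.galanto.com": {"TXT": ["stale-token-placeholder"]},
}

MAX_CNAME_HOPS = 8  # cap the chain length so a looping CNAME cannot hang us


def lookup(name, rtype, zone=ZONE):
    """Return the records of type rtype at name, following CNAMEs the way a
    resolver does. An empty list stands for both NXDOMAIN and NODATA, which
    is all the readiness check needs.

    A CNAME only redirects its exact owner name: the CNAME at
    bb.galanto.com says nothing about _acme-challenge.bb.galanto.com, which
    is a different name and must exist on its own."""
    start = name
    for _ in range(MAX_CNAME_HOPS):
        rrsets = zone.get(name.lower().rstrip("."))
        if rrsets is None:
            return []  # NXDOMAIN: the name does not exist
        if rtype in rrsets:
            return list(rrsets[rtype])
        if "CNAME" in rrsets:
            name = rrsets["CNAME"][0]  # restart the query at the target
            continue
        return []  # NODATA: the name exists but has no records of this type
    raise RuntimeError(f"CNAME chain from {start!r} exceeds {MAX_CNAME_HOPS} hops")


def check_dns01_readiness(names, expected_token, zone=ZONE):
    """For each name, report whether it resolves to an address (A or AAAA)
    and the state of its _acme-challenge TXT record: 'ok', 'wrong-value'
    (a record exists but does not carry expected_token) or 'missing'."""
    report = {}
    for name in names:
        has_address = bool(lookup(name, "A", zone) or lookup(name, "AAAA", zone))
        txt = lookup("_acme-challenge." + name, "TXT", zone)
        if not txt:
            state = "missing"
        elif expected_token in txt:
            state = "ok"
        else:
            state = "wrong-value"
        report[name] = {"address": has_address, "challenge_txt": state}
    return report


if __name__ == "__main__":
    names = ["bb.galanto.com", "www.bb.galanto.com", "club.galanto.com"]
    for n, r in check_dns01_readiness(names, "current-token-placeholder").items():
        print(f"{n:24} address={r['address']!s:5} challenge_txt={r['challenge_txt']}")
```

Run against the constructed zone, bb.galanto.com passes both checks, www.bb.galanto.com has no address and a stale challenge value (the two errors quoted above), and club.galanto.com resolves through its CNAME but has no challenge record of its own. To use the same logic against a live zone, replace `lookup` with real queries (for example `dig +short A name`, `dig +short TXT _acme-challenge.name`) and keep the reporting unchanged.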

Great. You should check the Certbot managed certs with

sudo certbot certificates

You might have two certs related to your bb.galanto.com. I say this because you recently got a cert with just that name in it. The cert after that, and your earlier certs, had both your base name and its www subdomain.

If certbot certificates shows a cert with just bb.galanto.com you could (should) delete it. Just make sure you don't use it anywhere else though. Your Apache HTTPS is using the cert with both names but I don't know if you might use certs somewhere else.

Deleting is done with

sudo certbot delete --cert-name (NAME)

NAME is taken from the certbot certificates list.

Just ask if you have questions about any of this.

3 Likes

Hi Mike,
Thanks again for the help.
I felt that I was doing something stupid right away when I saw a certificate named bb.galanto.com-0001 and even then I deleted it. This happened when I was experimenting and didn't know what exactly to do yet. Now with the command sudo certbot certificates I don't see the second certificate for bb.galanto.com. Everything should be fine now.
Thank you very much!

2 Likes