The last attempt to renew the Let’s Encrypt certificates at the beginning of the month failed and I can't figure out why or fix the problem.
I read a lot in the forum, but I didn't find anything similar to my case.
Please help me!
My domains (where Let’s Encrypt renewal no longer works after several years of trouble-free operation) are:
club.galanto.com, bb.galanto.com, online.galanto.com, photo.galanto.com
(On the same machine there are some sites still working: galanto.com, bitak.galanto.com, mn.galanto.com, us.galanto.com, but probably because they haven't had time to renew their certificates yet.)
My web server is (include version):
Apache version 2.4.52
The operating system my web server runs on is (include version):
Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-92-generic x86_64)
My hosting provider, if applicable, is:
self-hosted
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Webmin version 2.111
Virtualmin version 7.10.0
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0
I use AdGuard Home DNS on a QNAP NAS in my home network, but I think it is not the reason – when I change to Google DNS there is no difference.
I can write to the DNS zone of my domains and I use DNS-based validation.
The error message from Virtualmin is:
Renewal failed due to
Web-based validation failed :
‘Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for bb.galanto.com and www.bb.galanto.com
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: www.bb.galanto.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for www.bb.galanto.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for www.bb.galanto.com - check that a DNS record exists for this domain
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.’
DNS-based validation failed :
‘Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for bb.galanto.com and www.bb.galanto.com
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: www.bb.galanto.com
Type: unauthorized
Detail: Incorrect TXT record "M9Q872T0_b3mc0tXIVHx-iCGu-C0xBC4e14YT7ANYyk" found at _acme-challenge.www.bb.galanto.com
Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.’
The command
sudo certbot -v
returns this result:
‘Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.’
I remain available to provide any other information needed.