Hi, folks. I have a webmail service (made with iRedMail) and I'm trying to renew my certificates and this is the response I've been getting:
If you try the URL https://mail.olimppi.us, you'll see that the certificate has already expired.
My DNS is in CloudFlare:
If you check the DNS, it is working and propagating well: mail.olimppi.us | mta-sts.olimppi.us
I have mta-sts and mail (A records) set for olimppi.us. In reality the hostname (and domain) I'm using for the mail service is 'mail.olimppi.us'. And I'm trying to renew them with no success.
This is what I have in Nginx:
    server {
        #listen 80 default_server;
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;

        #server_name _;
        server_name mail.olimppi.us;

        root /var/www/html;
        index index.php index.html;

        include /etc/nginx/templates/misc.tmpl;
        include /etc/nginx/templates/ssl.tmpl;
        include /etc/nginx/templates/iredadmin.tmpl;
        include /etc/nginx/templates/roundcube.tmpl;
        include /etc/nginx/templates/sogo.tmpl;
        include /etc/nginx/templates/netdata.tmpl;
        include /etc/nginx/templates/php-catchall.tmpl;
        include /etc/nginx/templates/stub_status.tmpl;

        #ssl_certificate /etc/letsencrypt/live/mail.olimppi.us/fullchain.pem; # managed by Certbot
        #ssl_certificate_key /etc/letsencrypt/live/mail.olimppi.us/privkey.pem; # managed by Certbot
    }

    server {
        #listen 80;
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        server_name mta-sts.olimppi.us;
        root /var/www/mta-sts.olimppi.us;

        # TLS session cache (type:name:size)
        ssl_session_cache shared:mta-sts.olimppi.us:10m;

        ssl_certificate /etc/letsencrypt/live/mta-sts.olimppi.us/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/mta-sts.olimppi.us/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        location ^~ /.well-known/mta-sts.txt {
            try_files $uri @mta-sts;
        }
    }
My mta-sts.txt is in /home/ubuntu/mta-sts.olimppi.us/.well-known/ (I also created a symbolic link to /var/www/mta-sts.olimppi.us/ and set the permissions according to https://admin42day.com/server/ServerRedMailSwitch/) and its content is:
    version: STSv1
    mode: enforce *
    mx: mail.olimppi.us
    max_age: 604800
The content of the TXT record (named _mta-sts) was 'v=STSv1; id=20220806213642Z'. I changed it to 'v=STSv1; id=20230806213642Z' to see how it goes, but with no success.
That being said, I can't renew either 'mta-sts' or 'mail' A records for olimppi.us.
What is happening? What am I doing wrong?
My domain is: mail.olimppi.us
I ran this command: sudo certbot renew --cert-name mail.olimppi.us --dry-run
It produced this output: Attempting to renew cert (mail.olimppi.us) from /etc/letsencrypt/renewal/mail.olimppi.us.conf produced an unexpected error: Some challenges have failed.. Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/mail.olimppi.us/fullchain.pem (failure)
My web server is (include version): nginx/1.18.0 (Ubuntu)
The operating system my web server runs on is (include version): Ubuntu 20.04 LTS
My hosting provider, if applicable, is: Oracle Cloud Infrastructure
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0
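One thing worth checking offline when an HTTP-01 renewal reports "Some challenges have failed": the ACME server always begins HTTP-01 validation by connecting to port 80, so the server block that should answer for the hostname needs an uncommented listen 80. The script below is an added example, not code from the post, iRedMail or Certbot; it parses a constructed, trimmed copy of the two server blocks above with a deliberately small nginx parser (assumed conventions: ';'-terminated directives, '{' '}' blocks, '#' line comments) and reports whether a port-80 listener exists for a given hostname.

```python
"""Check whether the nginx server block for a hostname listens on port 80.
Constructed example, not code from the post, iRedMail or Certbot. Assumes
plain nginx syntax (';'-terminated directives, '{' '}' blocks, '#' comments);
SAMPLE_CONF is a trimmed, constructed copy of the two blocks in the post.
"""
import re
SAMPLE_CONF = """
server {
    #listen 80 default_server;
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name mail.olimppi.us;
}
server {
    #listen 80;
    listen 443 ssl http2;
    server_name mta-sts.olimppi.us;
}
"""

def strip_comments(text):
    # nginx has only line comments: drop everything after '#' on each line.
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def server_blocks(text):
    """Yield the directive strings of each 'server { ... }' block."""
    text = strip_comments(text)
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while depth and i < len(text):  # walk to the matching '}'
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield [d.strip() for d in text[m.end():i - 1].split(";") if d.strip()]

def listen_ports(directives):
    """Ports named by 'listen' directives (80, 0.0.0.0:80, [::]:443 ...)."""
    found = (re.search(r"(?:^|:)(\d+)$", d.split()[1])
             for d in directives if d.startswith("listen "))
    return {int(m.group(1)) for m in found if m}

def http01_port_open(conf, hostname):
    """True if a block named for hostname (or the '_' catch-all) listens on
    port 80, the port HTTP-01 validation always connects to first."""
    for block in server_blocks(conf):
        names = {n for d in block if d.startswith("server_name ")
                 for n in d.split()[1:]}
        if (hostname in names or "_" in names) and 80 in listen_ports(block):
            return True
    return False
```

With the two blocks as posted (both listen 80 lines commented out) the function returns False for both hostnames; uncommenting the listen 80 line in the mail.olimppi.us block flips its result to True.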