Unable to renew certificates - Certbot says A/AAAA records are missing, even though they are not

My domain is:
diarainfra.com
veebikoolitused.tartufarmer.ee
intranet.kyyrix.ee
pma2.diarainfra.com

I ran this command:
certbot renew --nginx --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/diarainfra.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for diarainfra.com
Waiting for verification…
Challenge failed for domain diarainfra.com
http-01 challenge for diarainfra.com
Cleaning up challenges
Attempting to renew cert (diarainfra.com) from /etc/letsencrypt/renewal/diarainfra.com.conf produced an unexpected error: Some challenges have failed… Skipping.


Processing /etc/letsencrypt/renewal/intranet.kyyrix.ee.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for intranet.kyyrix.ee
Waiting for verification…
Challenge failed for domain intranet.kyyrix.ee
http-01 challenge for intranet.kyyrix.ee
Cleaning up challenges
Attempting to renew cert (intranet.kyyrix.ee) from /etc/letsencrypt/renewal/intranet.kyyrix.ee.conf produced an unexpected error: Some challenges have failed… Skipping.


Processing /etc/letsencrypt/renewal/pma2.diarainfra.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for pma2.diarainfra.com
Waiting for verification…
Challenge failed for domain pma2.diarainfra.com
http-01 challenge for pma2.diarainfra.com
Cleaning up challenges
Attempting to renew cert (pma2.diarainfra.com) from /etc/letsencrypt/renewal/pma2.diarainfra.com.conf produced an unexpected error: Some challenges have failed… Skipping.


Processing /etc/letsencrypt/renewal/veebikoolitused.tartufarmer.ee.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for veebikoolitused.tartufarmer.ee
Waiting for verification…
Challenge failed for domain veebikoolitused.tartufarmer.ee
http-01 challenge for veebikoolitused.tartufarmer.ee
Cleaning up challenges
Attempting to renew cert (veebikoolitused.tartufarmer.ee) from /etc/letsencrypt/renewal/veebikoolitused.tartufarmer.ee.conf produced an unexpected error: Some challenges have failed… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/diarainfra.com/fullchain.pem (failure)
/etc/letsencrypt/live/intranet.kyyrix.ee/fullchain.pem (failure)
/etc/letsencrypt/live/pma2.diarainfra.com/fullchain.pem (failure)
/etc/letsencrypt/live/veebikoolitused.tartufarmer.ee/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/diarainfra.com/fullchain.pem (failure)
/etc/letsencrypt/live/intranet.kyyrix.ee/fullchain.pem (failure)
/etc/letsencrypt/live/pma2.diarainfra.com/fullchain.pem (failure)
/etc/letsencrypt/live/veebikoolitused.tartufarmer.ee/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


4 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version):
nginx version: nginx/1.19.0

The operating system my web server runs on is (include version):
Ubuntu 20.04 LTS

My hosting provider, if applicable, is:
Hetzner

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.40.0

Hi @henno

If you use the --nginx authenticator, but Let's Encrypt checks https, your port 80 vHost configuration is buggy, so Certbot doesn't understand it.

Or you have additional definitions, so the code Certbot adds isn't executed; instead there is a redirect http -> https with the wrong result.

  • Switch to webroot and use your https webroot (or)
  • fix your port 80 vHost configuration
How to tell certbot to use webroot instead of nginx when it automatically renews certificates?

certbot certonly --webroot -w /usr/share/nginx/html --dry-run

  • Be sure to change /usr/share/nginx/html to the path of your own web root if different
  • Using certonly --webroot will acquire, but not install, the certificate

If successful, I believe your configuration should be updated to reflect the changes.

Just a note: your certbot is really outdated (0.40.0)

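A pre-flight check for the port 80 challenge path, as an added example that is not part of this thread: it writes a throwaway token under .well-known/acme-challenge in the webroot (the /usr/share/nginx/html path from the reply above, or whatever you pass), requests it over plain http without following redirects, and reports whether nginx served the token, redirected to https, or answered with something else. It assumes python3 on the server and that the webroot and the domains are given on the command line.

```python
# Added example (not certbot's code): check that each domain serves an
# http-01 token from the webroot on port 80 before running certbot.
import secrets
import sys
import urllib.error
import urllib.request
from pathlib import Path
from urllib.parse import urlsplit

CHALLENGE_DIR = ".well-known/acme-challenge"


def classify(status, location, body, token):
    """Classify the port-80 answer for the challenge URL.
    status: HTTP status, location: Location header or None,
    body: response body, token: the text written into the webroot."""
    if 300 <= status < 400 and location:
        # A redirect is followed by the CA, but the target must still serve
        # the token; an http -> https redirect is the case from the thread.
        scheme = urlsplit(location).scheme
        return "redirect-to-https" if scheme == "https" else "redirect-elsewhere"
    if status == 200 and body.strip() == token:
        return "ok"
    if status == 200:
        return "wrong-body"  # another handler (e.g. index.html) answered
    if status == 404:
        return "not-found"  # webroot mismatch or a shadowing location block
    return "error-%d" % status


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx instead of following it


def fetch(url):
    """Return (status, Location header, body) without following redirects."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location"), resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx land here
        return e.code, e.headers.get("Location"), e.read().decode(errors="replace")


def check_domain(domain, webroot):
    token = secrets.token_urlsafe(16)  # constructed throwaway token
    target = Path(webroot) / CHALLENGE_DIR / token
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(token)
    try:
        return classify(*fetch(f"http://{domain}/{CHALLENGE_DIR}/{token}"), token)
    finally:
        target.unlink(missing_ok=True)


if __name__ == "__main__":
    webroot, *domains = sys.argv[1:]
    for d in domains:
        print(d, check_domain(d, webroot))
```

Run it as `python3 check_http01.py /usr/share/nginx/html diarainfra.com pma2.diarainfra.com`; anything other than `ok` is what the CA will also hit, and `redirect-to-https` means the port 80 vHost sends the challenge to a server block that does not know the webroot.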