Web server: nginx/1.14.2
OS: Ubuntu 18.04.2 LTS x86_64
Machine type: VPS relying on LXC
I can login to a root shell on my machine: Yes
Control panel: No
My client is: certbot 0.31.0
I ran this command: /usr/bin/certbot renew --post-hook "nginx -s reload" --test-cert --break-my-certs
It produced this output:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/kiyo.ooo.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator dns-cloudflare, Installer nginx
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for kiyo.ooo
dns-01 challenge for kiyo.ooo
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (kiyo.ooo) from /etc/letsencrypt/renewal/kiyo.ooo.conf produced an unexpected error: Failed authorization procedure. kiyo.ooo (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "wy5t6N3WCmTO0w16hqJZKlp6B6x1qumzAJzpiriDlNY" (and 1 more) found at _acme-challenge.kiyo.ooo. Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/kiyo.ooo/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: nginx -s reload
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: kiyo.ooo
Type: unauthorized
Detail: Incorrect TXT record
"wy5t6N3WCmTO0w16hqJZKlp6B6x1qumzAJzpiriDlNY" (and 1 more) found at
_acme-challenge.kiyo.ooo
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
I checked the logs with verbose enabled, and there is no auth issue with Cloudflare, Certbot can perfectly change my DNS records.
I ran this command with the staging server for a wildcard certificate, because the renewal of my working certificate is unfortunately rate-limited.
What could I do?
Thanks.
There are lots of reasons that it could be important to increase this delay, but the TTL isn't a reliable indicator here, because unlike most clients, Let's Encrypt always directly checks the authoritative nameserver. If you have a TTL of 86400 seconds, it doesn't take 86400 seconds until the authoritative nameserver starts to serve the new records; in fact, the amount of time it takes should be independent of the TTL.
The delay before DNS zone changes are served from an authoritative server depends on the DNS provider's infrastructure, and can vary widely, but TTL isn't a good clue to the size of this delay, and it's not directly connected to "propagation delay" as that concept is used in most parts of the DNS world (which does relate to TTL and cached copies of old DNS records).
Maybe Cloudflare was just running a little slowly?
I'd suggest trying again one or two times.
If it still doesn't work, try adding "--dns-cloudflare-propagation-seconds 15".
For what it's worth, you can use --dry-run instead of those two options. It will also issue a certificate with the staging environment, but Certbot will just discard it without permanently modifying /etc/letsencrypt/live/.
Edit: FYI, I just successfully issued a few certificates using a 5 second delay and the staging environment.
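To make the reply's point concrete (the CA computes an expected value and looks for it among the TXT records the authoritative server actually returns, so leftover records from earlier attempts show up as "Incorrect TXT record ... (and 1 more)"), here is an added example that is not part of this thread: it derives the dns-01 TXT value per RFC 8555 and reports which found records are stale. The token, thumbprint and found-record set are constructed; the record name _acme-challenge.kiyo.ooo is reused from the post.

```python
from __future__ import annotations

import base64
import hashlib


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """Value the CA expects in the _acme-challenge TXT record.

    keyAuthorization = token '.' base64url(JWK thumbprint of account key)
    TXT value        = base64url(SHA-256(keyAuthorization))
    """
    key_authorization = f"{token}.{account_thumbprint}".encode("ascii")
    return b64url(hashlib.sha256(key_authorization).digest())


def check_txt_records(expected: str, found: set[str]) -> dict:
    """Mimic the CA's decision: pass only if one record matches exactly.

    'stale' lists records that will never validate this challenge; they are
    the usual source of "(and N more) found at" in certbot's error text.
    """
    return {
        "ok": expected in found,
        "stale": sorted(r for r in found if r != expected),
        "found_count": len(found),
    }


if __name__ == "__main__":
    # Constructed values; real ones come from the ACME order and account key.
    token = "constructed-token-A"
    thumbprint = "constructed-account-thumbprint"
    expected = dns01_txt_value(token, thumbprint)

    # Constructed answer from the authoritative server: one current record
    # plus one left behind by an earlier, un-cleaned run.
    found_at_acme_challenge = {expected, "wy5t6N3WCmTO0w16hqJZKlp6B6x1qumzAJzpiriDlNY"}
    print("expected:", expected)
    print(check_txt_records(expected, found_at_acme_challenge))
    # A lookup that returns only stale records fails, whatever the TTL says.
    print(check_txt_records(expected, {"wy5t6N3WCmTO0w16hqJZKlp6B6x1qumzAJzpiriDlNY"}))
```

Query the zone's authoritative nameserver directly (not your resolver) when comparing, since that is what Let's Encrypt does.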
Thanks for your answers. However, it still doesn’t work, even with --dns-cloudflare-propagation-seconds 30.
I now have more details. The detailed issue is:
Attempting to renew cert (kiyo.ooo) from /etc/letsencrypt/renewal/kiyo.ooo.conf produced an unexpected error: Failed authorization procedure. kiyo.ooo (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "NIzc9k9CXJjxkzsOx9LkGTe2mOKwQelxJ-gap-_3xqQ" (and 1 more) found at _acme-challenge.kiyo.ooo, kiyo.ooo (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "NIzc9k9CXJjxkzsOx9LkGTe2mOKwQelxJ-gap-_3xqQ" (and 1 more) found at _acme-challenge.kiyo.ooo. Skipping.
When I try with --dry-run, I don’t have any errors, everything works perfectly, which is weird?
Also, sometimes Certbot simply doesn’t work before another weird error:
Writing new private key to /etc/letsencrypt/archive/kiyo.ooo/privkey3.pem.
Attempting to renew cert (kiyo.ooo) from /etc/letsencrypt/renewal/kiyo.ooo.conf produced an unexpected error: [Errno 2] No such file or directory: '/etc/letsencrypt/archive/kiyo.ooo/privkey2.pem'. Skipping.
Traceback was:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 452, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1193, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 317, in renew_cert
lineage.save_successor(prior_version, new_cert, new_key.pem, new_chain, config)
File "/usr/lib/python3/dist-packages/certbot/storage.py", line 1108, in save_successor
old_mode = stat.S_IMODE(os.stat(old_privkey).st_mode) & \
FileNotFoundError: [Errno 2] No such file or directory: '/etc/letsencrypt/archive/kiyo.ooo/privkey2.pem'