LetsEncrypt Issue

This is the error:

2021/02/08 18:34:49 [INFO] [mail.aysegulkose.com] acme: Obtaining SAN certificate
2021/02/08 18:34:49 [INFO] [mail.aysegulkose.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10705361921
2021/02/08 18:34:49 [INFO] [mail.aysegulkose.com] acme: Could not find solver for: tls-alpn-01
2021/02/08 18:34:49 [INFO] [mail.aysegulkose.com] acme: use http-01 solver
2021/02/08 18:34:49 [INFO] [mail.aysegulkose.com] acme: Trying to solve HTTP-01
2021/02/08 18:35:42 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10705361921
2021/02/08 18:35:43 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10705361921
2021/02/08 18:35:43 Could not obtain certificates:
error: one or more domains had a problem:
[mail.aysegulkose.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: During secondary validation: DNS problem: SERVFAIL looking up A for mail.aysegulkose.com - the domain's nameservers may be malfunctioning, url:
Certificate generation failed.

But no error on debug:
 
I guess we have the exact same problem, but it isn't a server issue, so there's an issue with Let's Encrypt services. Just have a look at this and you'll see what's happening.

 
I'm experiencing a problem issuing an LE certificate:

==========
2021/02/19 19:08:24 [INFO] [test2.akademiapomyslow.pl, www.test2.akademiapomyslow.pl] acme: Obtaining SAN certificate
2021/02/19 19:08:25 [INFO] [test2.akademiapomyslow.pl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10433354008
2021/02/19 19:08:25 [INFO] [www.test2.akademiapomyslow.pl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10999286721
2021/02/19 19:08:25 [INFO] [www.test2.akademiapomyslow.pl] acme: authorization already valid; skipping challenge
2021/02/19 19:08:25 [INFO] [test2.akademiapomyslow.pl] acme: Could not find solver for: tls-alpn-01
2021/02/19 19:08:25 [INFO] [test2.akademiapomyslow.pl] acme: use http-01 solver
2021/02/19 19:08:25 [INFO] [test2.akademiapomyslow.pl] acme: Trying to solve HTTP-01
2021/02/19 19:08:26 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10433354008
2021/02/19 19:08:26 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10999286721
2021/02/19 19:08:26 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10999286721
2021/02/19 19:08:26 Could not obtain certificates:
error: one or more domains had a problem:
[test2.akademiapomyslow.pl] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for test2.akademiapomyslow.pl - the domain's nameservers may be malfunctioning, url:
Certificate generation failed.
==================

Is it on the LE or DNS server side?
 
DNS problem: SERVFAIL looking up A for test2.akademiapomyslow.pl - the domain's nameservers may be malfunctioning
It's in the error.

Maybe the domain is not fully propagated?

What does intodns.com show you?
 
I don't see an error on

whereas for https://intodns.com/akademiapomyslow.pl


DNS servers responded
ERROR: One or more of your nameservers did not respond:
The ones that did not respond are:
108.162.193.160 108.162.192.238

Missing nameservers reported by your nameservers
ERROR: One or more of the nameservers listed at the parent servers are not listed as NS records at your nameservers. The problem NS records are:
vita.ns.cloudflare.com
drew.ns.cloudflare.com

This is listed as an ERROR because there are some cases where nasty problems can occur (if the TTLs vary from the NS records at the root servers and the NS records point to your own domain, for example).
 
Hi all,

I've been experiencing quite some problems with Let's Encrypt as well. For about a week now, both of my servers have been reporting that the wildcard certificates cannot be renewed. I checked all domains on intodns.com and ipv6-test.com and fixed any problems I found. However, LE still refuses to renew the certificates.
Some logs:
Found wildcard domain name and http challenge type, switching to dns-01 validation.
2021/02/28 01:02:11 [INFO] [*.somedomain.com, somedomain.com] acme: Obtaining SAN certificate
2021/02/28 01:02:12 [INFO] [*.somedomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/11195633723
2021/02/28 01:02:12 [INFO] [somedomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/11195633725
2021/02/28 01:02:12 [INFO] [*.somedomain.com] acme: use dns-01 solver
2021/02/28 01:02:12 [INFO] [somedomain.com] acme: Could not find solver for: tls-alpn-01
2021/02/28 01:02:12 [INFO] [somedomain.com] acme: Could not find solver for: http-01
2021/02/28 01:02:12 [INFO] [somedomain.com] acme: use dns-01 solver
2021/02/28 01:02:12 [INFO] [*.somedomain.com] acme: Preparing to solve DNS-01
2021/02/28 01:02:15 [INFO] [*.somedomain.com] acme: Trying to solve DNS-01
2021/02/28 01:02:15 [INFO] [*.somedomain.com] acme: Checking DNS record propagation using [[2001:4860:4860::8888]:53]
2021/02/28 01:02:20 [INFO] Wait for propagation [timeout: 5m0s, interval: 5s]
2021/02/28 01:02:20 [INFO] [*.somedomain.com] acme: Waiting for DNS record propagation.
... this repeats about 60 times during 5 minutes
2021/02/28 01:07:17 [INFO] [*.somedomain.com] acme: Waiting for DNS record propagation.
2021/02/28 01:07:22 [INFO] [*.somedomain.com] acme: Cleaning DNS-01 challenge
2021/02/28 01:07:24 [INFO] [somedomain.com] acme: Preparing to solve DNS-01
2021/02/28 01:07:27 [INFO] [somedomain.com] acme: Trying to solve DNS-01
2021/02/28 01:07:27 [INFO] [somedomain.com] acme: Checking DNS record propagation using [[2001:4860:4860::8888]:53]
2021/02/28 01:07:32 [INFO] Wait for propagation [timeout: 5m0s, interval: 5s]
2021/02/28 01:07:32 [INFO] [somedomain.com] acme: Waiting for DNS record propagation.
... this also repeats about 60 times during 5 minutes
2021/02/28 01:12:32 [INFO] [somedomain.com] acme: Waiting for DNS record propagation.
2021/02/28 01:12:37 [INFO] [somedomain.com] acme: Cleaning DNS-01 challenge
2021/02/28 01:12:41 [INFO] retry due to: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/authz-v3/11195633723 :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: "0003cfNy0jw2JbVgaA575mQQC-u1ooj2eM-bFfSltdAU51w", url:
2021/02/28 01:12:41 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/11195633723
2021/02/28 01:12:42 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/11195633725
2021/02/28 01:12:42 Could not obtain certificates:
error: one or more domains had a problem:
[*.somedomain.com] time limit exceeded: last error: read udp [2a01:7c8:d003:2a::44]:45781->[2a01:7c8:d003:2a::44]:53: read: connection refused
[somedomain.com] time limit exceeded: last error: read udp [2a01:7c8:d003:2a::44]:54796->[2a01:7c8:d003:2a::44]:53: read: connection refused
Certificate generation failed.
At first I thought it had to do with IPv6 and/or the firewall, so I turned off the firewall (CSF) and removed all IPv6 addresses from the DNS, but this didn't solve anything.
After that I disabled IPv6 in directadmin.conf and restarted DirectAdmin, again with the same result. Very strangely, the first time I tried to renew (or create) an LE certificate the logs showed the IPv4 address, but the second time IPv6 showed up again!
Renewal or creation of a new certificate without wildcard seems to work normally...

I'm running CentOS 7 on one server and CloudLinux 7 on the other, and everything is configured/installed using CustomBuild. Of course the systems are up to date.

Does anyone have a clue?

Regards,
Danny
 
Here as well. :mad:
Current version
#VERSION=2.0.12

I believe this error was thrown with the version before VERSION=2.0.12

Error during automated certificate renewal for ****.nl

2021-03-01 04:22

Found wildcard domain name and http challenge type, switching to dns-01 validation.

CAA record prevents issuing the certificate: SERVFAIL

After that I noticed an update of letsencrypt to VERSION=2.0.12
So I tried a manual renewal of the cert through the web gui.

Error with LetsEncrypt request

2021-03-01 14:04

Found wildcard domain name and http challenge type, switching to dns-01 validation.
CAA record prevents issuing the certificate: SERVFAIL


Never had the CAA record issue before, although I read about it here in the forums.
I'll do a search here on the forums to see if the CAA record issue is solved and whether there's a solution for me.

Edit: Perhaps it's relevant to mention that this domain was recently moved from one user to another, using the old user's backup and restoring it in the other user account.
 
Here as well. :mad:
Current version
#VERSION=2.0.12

I believe this error was thrown with the version before VERSION=2.0.12
The updates on my servers were a little out of date due to circumstances; I was running version 2.0.10 a little longer when the problem started. But updating to 2.0.12 didn't solve the problem. I have my doubts whether this is related to DirectAdmin (or rather: the Let's Encrypt script) or to Let's Encrypt. Because only a few reports about this problem can be found on Google, I'm inclined to think that the problem is with DirectAdmin/the script.

Off-topic: another strange thing with CB is that the logs cannot be opened anymore on one of my servers:
Error. File /usr/local/directadmin/plugins/custombuild/logs/1614462061.145436.log does not exist.

Regards,
Danny
 
Been testing like a madman and got some progress.
Downgraded letsencrypt step by step, going three versions back, but the error still exists.
Tried to add CAA records, but there was no option in the DNS add-record form. Added dns_caa=1 to directadmin.conf and added mydomain.nl. CAA 0 issue "letsencrypt.org", but the error still exists.

Removed the pointers (not aliases) of the troublesome domain and my wildcard cert was issued without a problem.
Added the domain pointers again and the error pops up again.
It seems one of the pointers did not have the correct nameservers set, so I'll try again tomorrow to give DNS propagation some time to catch up.
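The "CAA record prevents issuing the certificate: SERVFAIL" message above comes from the CA's CAA check, which climbs from the requested name up towards the TLD and treats a failed lookup at any label as a hard block, not as "no CAA record". The following is an added example modelling that RFC 8659 logic; it is not DirectAdmin's or lego's code, and the zone data (mydomain.nl with the record from the post, sub.mydomain.nl, broken.nl) is constructed so it runs offline.

```python
class CAALookupFailure(Exception):
    """CAA query got no answer (e.g. SERVFAIL): blocking, not 'no CAA'."""

def relevant_caa(name, lookup):
    """RFC 8659 climb: first non-empty CAA RRset from name up to the TLD."""
    labels = name.rstrip(".").split(".")
    if labels[0] == "*":  # a wildcard is evaluated at its parent label
        labels = labels[1:]
    for i in range(len(labels)):
        label = ".".join(labels[i:])
        rrset = lookup(label)  # may raise CAALookupFailure
        if rrset:
            return label, rrset
    return None, []

def ca_may_issue(name, ca, lookup):
    """Return (allowed, reason) for CA `ca` issuing a certificate for `name`."""
    wildcard = name.startswith("*.")
    try:
        label, rrset = relevant_caa(name, lookup)
    except CAALookupFailure as exc:
        return False, f"CAA lookup failed: {exc}"
    if not rrset:
        return True, "no CAA records found; any CA may issue"
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # issuewild governs wildcard names when present; otherwise issue applies.
    applicable = issuewild if wildcard and issuewild else issue
    if not applicable:
        return True, f"CAA at {label} does not restrict this request"
    # The CA domain is the value up to the first ';'; parameters follow it.
    allowed = {v.split(";")[0].strip().lower() for v in applicable}
    if ca.lower() in allowed:
        return True, f"{ca} is listed in CAA at {label}"
    names = sorted(allowed - {""}) or ["no CA"]
    return False, f"CAA at {label} permits only: {names}"

# Constructed zone data standing in for live DNS; None marks a label whose
# authoritative servers answer SERVFAIL, the situation reported in the thread.
ZONE = {
    "mydomain.nl": [(0, "issue", "letsencrypt.org")],  # record from the post
    "sub.mydomain.nl": [(0, "issue", "other-ca.example")],
    "broken.nl": None,
}

def zone_lookup(label):
    rrset = ZONE.get(label, [])
    if rrset is None:
        raise CAALookupFailure(f"SERVFAIL looking up CAA for {label}")
    return rrset
```

Against a live zone, replace `zone_lookup` with a real CAA query and raise `CAALookupFailure` on SERVFAIL or timeout; a pointer domain whose nameservers answer SERVFAIL will then show up as blocked before the ACME request is even made.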
 
Earlier I experienced the CAA records problem too. Most times it appeared to be the NS servers, which could be configured slightly differently compared with the ones registered with the domain (SIDN), i.e. ns1.domain.nl instead of ns01.domain.nl, while both ns1 and ns01 do exist and everything works just fine. But eventually the messages disappeared after retrying 2 or 3 times or re-registering a new certificate 2 or 3 times.

I've got the problem on 3 domains: 1 of them is a pointer, 1 has pointers and the 3rd is just a single domain.
But although 1 of the domains has pointers, these pointers aren't included in the certificate request, so they should not be part of the problem.
Eventually, all of them end up with the same messages like below.

2021/03/03 00:37:39 [INFO] [somedomain.nl] acme: Checking DNS record propagation using [[2001:4860:4860::8888]:53]
2021/03/03 00:37:44 [INFO] Wait for propagation [timeout: 5m0s, interval: 5s]
2021/03/03 00:37:44 [INFO] [somedomain.nl] acme: Waiting for DNS record propagation.
2021/03/03 00:37:49 [INFO] [somedomain.nl] acme: Waiting for DNS record propagation.
...
2021/03/03 00:42:39 [INFO] [somedomain.nl] acme: Waiting for DNS record propagation.
2021/03/03 00:42:44 [INFO] [somedomain.nl] acme: Waiting for DNS record propagation.
2021/03/03 00:42:49 [INFO] [somedomain.nl] acme: Cleaning DNS-01 challenge
2021/03/03 00:42:54 [INFO] retry due to: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/authz-v3/11268508361 :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: "0103nB9vpYuUecgL98ABImShQZ4RfU4E5o3MmYiFXbcooXs", url:
2021/03/03 00:42:54 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/11268508361
2021/03/03 00:42:54 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/11268508362
2021/03/03 00:42:54 Could not obtain certificates:
error: one or more domains had a problem:
[*.somedomain.nl] time limit exceeded: last error: read udp [2a01:7c8:d003:28:5054:ff:fe07:b8af]:35635->[2a01:7c8:d003:2a::44]:53: read: connection refused
[somedomain.nl] time limit exceeded: last error: read udp [2a01:7c8:d003:28:5054:ff:fe07:b8af]:60758->[2a01:7c8:d003:2a::44]:53: read: connection refused
Certificate generation failed.

A long list of "Waiting for DNS record propagation" messages and always "read: connection refused", even with the firewall disabled. Non-wildcard certificates work without problems.
 
My issue is solved. The troublesome pointer is resolving now and an SSL cert was successfully generated.

Question: Do I need a certificate for a pointer? I noticed that when the pointer URL is entered in a browser it is correctly redirected to the main domain (with a working certificate), although it was not yet included in the wildcard SSL certificate.
 