Error during automated certificate renewal wildcard letsencrypt

Potusek (Verified User, joined Nov 10, 2021, 9 messages)
At the turn of the year there was a directadmin update and problems with certificate renewals started to occur.
Found wildcard domain name and http challenge type, switching to dns-01 validation.
2024/02/24 00:11:52 [INFO] [*.domain.com, domain.com] acme: Obtaining SAN certificate
2024/02/24 00:11:53 [INFO] [*.domain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/318727169577
2024/02/24 00:11:53 [INFO] [domain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/318727169587
2024/02/24 00:11:53 [INFO] [*.domain.com] acme: use dns-01 solver
2024/02/24 00:11:53 [INFO] [domain.com] acme: Could not find solver for: tls-alpn-01
2024/02/24 00:11:53 [INFO] [domain.com] acme: Could not find solver for: http-01
2024/02/24 00:11:53 [INFO] [domain.com] acme: use dns-01 solver
2024/02/24 00:11:53 [INFO] [*.domain.com] acme: Preparing to solve DNS-01
2024/02/24 00:11:53 [INFO] Found CNAME entry for "_acme-challenge.domain.com.": "domain.com."
2024/02/24 00:11:53 refusing to create DNS challenge record 'domain.com', missing _acme-challenge prefix
2024/02/24 00:11:53 [INFO] [*.domain.com] acme: Cleaning DNS-01 challenge
2024/02/24 00:11:53 [INFO] Found CNAME entry for "_acme-challenge.domain.com.": "domain.com."
2024/02/24 00:11:53 refusing to remove DNS challenge record 'domain.com', missing _acme-challenge prefix
2024/02/24 00:11:53 [WARN] [*.domain.com] acme: cleaning up failed: exec: exit status 1
2024/02/24 00:11:53 [INFO] [domain.com] acme: Preparing to solve DNS-01
2024/02/24 00:11:53 [INFO] Found CNAME entry for "_acme-challenge.domain.com.": "domain.com."
2024/02/24 00:11:53 refusing to create DNS challenge record 'domain.com', missing _acme-challenge prefix
2024/02/24 00:11:53 [INFO] [domain.com] acme: Cleaning DNS-01 challenge
2024/02/24 00:11:53 [INFO] Found CNAME entry for "_acme-challenge.domain.com.": "domain.com."
2024/02/24 00:11:53 refusing to remove DNS challenge record 'domain.com', missing _acme-challenge prefix
2024/02/24 00:11:53 [WARN] [domain.com] acme: cleaning up failed: exec: exit status 1
2024/02/24 00:11:53 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/318727169577
2024/02/24 00:11:54 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/318727169587
2024/02/24 00:11:54 Could not obtain certificates:
error: one or more domains had a problem:
[*.domain.com] [*.domain.com] acme: error presenting token: exec: exit status 1
[domain.com] [domain.com] acme: error presenting token: exec: exit status 1
Failed to issue new certificate
I did not change the configuration of either the refresh or the DNS entries.
I noticed that the renewal runs correctly when I remove the * entry for the domain in the domain zone in OVH, but then the redirection to subdomains does not work :/
 
Maybe you were lucky it worked until now.
Code:
Found CNAME entry for "_acme-challenge.domain.com.": "domain.com."
Never ever use a CNAME entry for a main domain name like domain.tld; that's asking for problems.
 
Additionally, your PTR/rDNS record is not correct, that should point to a FQDN hostname and not to some domain name.
Next to that, you used "mail" as your hostname; this is also often asking for issues, because the name "mail" is normally used for mail, so it's not the wisest choice either.

Additionally to the above: you are using external DNS (from OVH), so I hope LEGO is working correctly, because you need that if you want a wildcard certificate. And there is an important line there:
refusing to create DNS challenge record 'domain.com', missing _acme-challenge prefix
 
Unfortunately I couldn't find it anywhere (or I don't know how to look).
How can the environment variable be set:
LEGO_DISABLE_CNAME_SUPPORT=true
because this solved the problem for me when I have the domain configured in OVH as:
Code:
domain.com. A 123.123.123.123   
*.domain.com. CNAME domain.com.
LetsEncrypt request successful
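To see why the wildcard CNAME trips the hook, here is an added example (my own Python model, not lego's or DirectAdmin's code) that follows _acme-challenge.<domain> through a constructed copy of the zone above and applies the prefix check quoted in the log; the `follow_cname` flag models LEGO_DISABLE_CNAME_SUPPORT, and the zone, function names and hop limit are my assumptions.

```python
# Constructed zone, mirroring the OVH records quoted in the thread.
ZONE = {
    "domain.com.": ("A", "123.123.123.123"),
    "*.domain.com.": ("CNAME", "domain.com."),
}

CHALLENGE_PREFIX = "_acme-challenge."


def lookup(zone, name):
    """Return (rtype, rdata) for name, honouring a one-level wildcard.

    A wildcard only matches names that do not exist explicitly (RFC 4592),
    which is why an explicit _acme-challenge TXT record sidesteps the CNAME.
    """
    if name in zone:
        return zone[name]
    parts = name.split(".", 1)
    if len(parts) == 2 and ("*." + parts[1]) in zone:
        return zone["*." + parts[1]]
    return None


def challenge_fqdn(zone, domain, follow_cname=True, max_hops=5):
    """Name at which the DNS-01 TXT record would be created.

    follow_cname=True models lego's default CNAME following;
    False models LEGO_DISABLE_CNAME_SUPPORT=true.
    """
    fqdn = CHALLENGE_PREFIX + domain.lstrip("*.").rstrip(".") + "."
    hops = 0
    while follow_cname and hops < max_hops:
        rec = lookup(zone, fqdn)
        if rec is None or rec[0] != "CNAME":
            break
        fqdn = rec[1]          # e.g. _acme-challenge.domain.com. -> domain.com.
        hops += 1
    return fqdn


def hook_accepts(fqdn):
    """The refusal seen in the log: no _acme-challenge prefix, no record."""
    return fqdn.startswith(CHALLENGE_PREFIX)


def try_issue(zone, domain, follow_cname=True):
    """Return (target_fqdn, accepted) for one challenge attempt."""
    target = challenge_fqdn(zone, domain, follow_cname)
    return target, hook_accepts(target)
```

Running `try_issue(ZONE, "*.domain.com")` reproduces the refusal, while either disabling CNAME following or dropping the `*.domain.com. CNAME` record makes the hook accept `_acme-challenge.domain.com.`.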
 
I don't know. As far as I know LEGO just takes over what you have configured yourself in your DA DNS.
So if it has no CNAME in DA then it should not have a CNAME via LEGO either.
I don't even understand why you want to use CNAME for a main domain anyway, but it's your choice.

When looking at LEGO, probably that line can be set in the dnsprovider.conf file. But I'm not 100% sure.
 