LetsEncrypt Issue
- Thread starter AidySmith
- Start date
LawsHosting
Verified User
Would help if you could tell us the domain in question.
ozgurerdogan
Verified User
- Joined
- Apr 20, 2008
- Messages
- 343
I am having the same issue. With many domains. A record exists but LE can not verify it. Any more idea?
I am having to error at https://letsdebug.net/
I am having to error at https://letsdebug.net/
Last edited:
What did the error tell ?
ozgurerdogan
Verified User
- Joined
- Apr 20, 2008
- Messages
- 343
This is error:
But no error on debug:
2021/02/08 18:34:49 [INFO] [mail.aysegulkose.com] acme: Obtaining SAN certificate
2021/02/08 18:34:49 [INFO] [mail.aysegulkose.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10705361921
2021/02/08 18:34:49 [INFO] [mail.aysegulkose.com] acme: Could not find solver for: tls-alpn-01
2021/02/08 18:34:49 [INFO] [mail.aysegulkose.com] acme: use http-01 solver
2021/02/08 18:34:49 [INFO] [mail.aysegulkose.com] acme: Trying to solve HTTP-01
2021/02/08 18:35:42 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10705361921
2021/02/08 18:35:43 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10705361921
2021/02/08 18:35:43 Could not obtain certificates:
error: one or more domains had a problem:
[mail.aysegulkose.com] acme: error: 400 :: urn:ietfarams:acme:error:dns :: During secondary validation: DNS problem: SERVFAIL looking up A for mail.aysegulkose.com - the domain's nameservers may be malfunctioning, url:
Certificate generation failed.
But no error on debug:
Test result for mail.aysegulkose.com: Warning
1 unique issue(s) detected (InternalProblem)
letsdebug.net
Have you tried again? It seems like a DNS problem maybe you need to wait till the DNS propagate correctly.
BlackThorn
Verified User
I'm experiencong a problem issuing LE certificate:
==========
2021/02/19 19:08:24 [INFO] [test2.akademiapomyslow.pl, www.test2.akademiapomyslow.pl] acme: Obtaining SAN certificate
2021/02/19 19:08:25 [INFO] [test2.akademiapomyslow.pl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10433354008
2021/02/19 19:08:25 [INFO] [www.test2.akademiapomyslow.pl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10999286721
2021/02/19 19:08:25 [INFO] [www.test2.akademiapomyslow.pl] acme: authorization already valid; skipping challenge
2021/02/19 19:08:25 [INFO] [test2.akademiapomyslow.pl] acme: Could not find solver for: tls-alpn-01
2021/02/19 19:08:25 [INFO] [test2.akademiapomyslow.pl] acme: use http-01 solver
2021/02/19 19:08:25 [INFO] [test2.akademiapomyslow.pl] acme: Trying to solve HTTP-01
2021/02/19 19:08:26 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10433354008
2021/02/19 19:08:26 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10999286721
2021/02/19 19:08:26 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10999286721
2021/02/19 19:08:26 Could not obtain certificates:
error: one or more domains had a problem:
[test2.akademiapomyslow.pl] acme: error: 400 :: urn:ietfarams:acme:error:dns :: DNS problem: SERVFAIL looking up A for test2.akademiapomyslow.pl - the domain's nameservers may be malfunctioning, url:
Certificate generation failed.
==================
is it on LE or DNS server side?
==========
2021/02/19 19:08:24 [INFO] [test2.akademiapomyslow.pl, www.test2.akademiapomyslow.pl] acme: Obtaining SAN certificate
2021/02/19 19:08:25 [INFO] [test2.akademiapomyslow.pl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10433354008
2021/02/19 19:08:25 [INFO] [www.test2.akademiapomyslow.pl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10999286721
2021/02/19 19:08:25 [INFO] [www.test2.akademiapomyslow.pl] acme: authorization already valid; skipping challenge
2021/02/19 19:08:25 [INFO] [test2.akademiapomyslow.pl] acme: Could not find solver for: tls-alpn-01
2021/02/19 19:08:25 [INFO] [test2.akademiapomyslow.pl] acme: use http-01 solver
2021/02/19 19:08:25 [INFO] [test2.akademiapomyslow.pl] acme: Trying to solve HTTP-01
2021/02/19 19:08:26 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10433354008
2021/02/19 19:08:26 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10999286721
2021/02/19 19:08:26 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10999286721
2021/02/19 19:08:26 Could not obtain certificates:
error: one or more domains had a problem:
[test2.akademiapomyslow.pl] acme: error: 400 :: urn:ietf
arams:acme:error:dns :: DNS problem: SERVFAIL looking up A for test2.akademiapomyslow.pl - the domain's nameservers may be malfunctioning, url: Certificate generation failed.
==================
is it on LE or DNS server side?
It in the error..
Maybe the domain is not fully propagated?
What does intodns.com show you?
I don't see an error on
intodns.com
whereas for https://intodns.com/akademiapomyslow.pl
intoDNS: - check DNS server and mail server health
intoDNS: Checking health and configurtion of DNS server and mail server for domain.
whereas for https://intodns.com/akademiapomyslow.pl
| DNS servers responded | ERROR: One or more of your nameservers did not respond: The ones that did not respond are: 108.162.193.160 108.162.192.238 |
| Missing nameservers reported by your nameservers | ERROR: One or more of the nameservers listed at the parent servers are not listed as NS records at your nameservers. The problem NS records are: vita.ns.cloudflare.com drew.ns.cloudflare.com This is listed as an ERROR because there are some cases where nasty problems can occur (if the TTLs vary from the NS records at the root servers and the NS records point to your own domain, for example). |
Dannik
Verified User
Hi all,
I experience quite some problems with Let's Encrypt as well. Since a week or so both my 2 servers report problems the wildcard certificates cannot be renewed. I checked all domains on intodns.com and ipv6-test.com. If there were any, I fixed the problems. However, LE still refuses to renew the certificates.
Some logs:
After that I disabled IPv6 in directadmin.conf and restarted DirectAdmin. Again, with the same result. And very strange, the first time I tried to renew (or create) a LE certificate the logs showed the IPv4 address, but the second time IPv6 showed up again!
Renewal or creation of a new certificate without wildcard seems to work normally...
I'm running CentOS 7 on one server and Cloudlinux 7 on the other and everything is configured/installed using CustomBuild. Ofcourse the systems are up-to-date.
Does anyone have a clue?
Regards,
Danny
I experience quite some problems with Let's Encrypt as well. Since a week or so both my 2 servers report problems the wildcard certificates cannot be renewed. I checked all domains on intodns.com and ipv6-test.com. If there were any, I fixed the problems. However, LE still refuses to renew the certificates.
Some logs:
At first I thought it had to do with IPv6 and/or the firewall. So I turned off the firewall (CSF) en removed all IPv6 adresses in the DNS, but this didn't solve anything.Found wildcard domain name and http challenge type, switching to dns-01 validation.
2021/02/28 01:02:11 [INFO] [*.somedomain.com, somedomain.com] acme: Obtaining SAN certificate
2021/02/28 01:02:12 [INFO] [*.somedomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/11195633723
2021/02/28 01:02:12 [INFO] [somedomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/11195633725
2021/02/28 01:02:12 [INFO] [*.somedomain.com] acme: use dns-01 solver
2021/02/28 01:02:12 [INFO] [somedomain.com] acme: Could not find solver for: tls-alpn-01
2021/02/28 01:02:12 [INFO] [somedomain.com] acme: Could not find solver for: http-01
2021/02/28 01:02:12 [INFO] [somedomain.com] acme: use dns-01 solver
2021/02/28 01:02:12 [INFO] [*.somedomain.com] acme: Preparing to solve DNS-01
2021/02/28 01:02:15 [INFO] [*.somedomain.com] acme: Trying to solve DNS-01
2021/02/28 01:02:15 [INFO] [*.somedomain.com] acme: Checking DNS record propagation using [[2001:4860:4860::8888]:53]
2021/02/28 01:02:20 [INFO] Wait for propagation [timeout: 5m0s, interval: 5s]
2021/02/28 01:02:20 [INFO] [*.somedomain.com] acme: Waiting for DNS record propagation.
... this repeats about 60 times during 5 minutes
2021/02/28 01:07:17 [INFO] [*.somedomain.com] acme: Waiting for DNS record propagation.
2021/02/28 01:07:22 [INFO] [*.somedomain.com] acme: Cleaning DNS-01 challenge
2021/02/28 01:07:24 [INFO] [somedomain.com] acme: Preparing to solve DNS-01
2021/02/28 01:07:27 [INFO] [somedomain.com] acme: Trying to solve DNS-01
2021/02/28 01:07:27 [INFO] [somedomain.com] acme: Checking DNS record propagation using [[2001:4860:4860::8888]:53]
2021/02/28 01:07:32 [INFO] Wait for propagation [timeout: 5m0s, interval: 5s]
2021/02/28 01:07:32 [INFO] [somedomain.com] acme: Waiting for DNS record propagation.
... this also repeats about 60 times during 5 minutes
2021/02/28 01:12:32 [INFO] [somedomain.com] acme: Waiting for DNS record propagation.
2021/02/28 01:12:37 [INFO] [somedomain.com] acme: Cleaning DNS-01 challenge
2021/02/28 01:12:41 [INFO] retry due to: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/authz-v3/11195633723 :: urn:ietf
2021/02/28 01:12:41 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/11195633723
2021/02/28 01:12:42 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/11195633725
2021/02/28 01:12:42 Could not obtain certificates:
error: one or more domains had a problem:
[*.somedomain.com] time limit exceeded: last error: read udp [2a01:7c8:d003:2a::44]:45781->[2a01:7c8:d003:2a::44]:53: read: connection refused
[somedomain.com] time limit exceeded: last error: read udp [2a01:7c8:d003:2a::44]:54796->[2a01:7c8:d003:2a::44]:53: read: connection refused
Certificate generation failed.
After that I disabled IPv6 in directadmin.conf and restarted DirectAdmin. Again, with the same result. And very strange, the first time I tried to renew (or create) a LE certificate the logs showed the IPv4 address, but the second time IPv6 showed up again!
Renewal or creation of a new certificate without wildcard seems to work normally...
I'm running CentOS 7 on one server and Cloudlinux 7 on the other and everything is configured/installed using CustomBuild. Ofcourse the systems are up-to-date.
Does anyone have a clue?
Regards,
Danny
Wanabo
Verified User
Here as well. 
Current version
#VERSION=2.0.12
I believe this error was thrown with the version before VERSION=2.0.12
After that I noticed an update of letsencrypt to VERSION=2.0.12
So I tried a manual renewal of the cert through the web gui.
Found wildcard domain name and http challenge type, switching to dns-01 validation.
CAA record prevents issuing the certificate: SERVFAIL
Never had the CAA record issue before all though I read about it here in the forums.
Will do a search here on the forums to see if the CAA record issue is solved and is a solution for me.
Edit: Perhaps it's relevant to mention that this domain was recently moved from one user to an other user using old user backup and restoring in the other user account.
Current version
#VERSION=2.0.12
I believe this error was thrown with the version before VERSION=2.0.12
Error during automated certificate renewal for ****.nl
2021-03-01 04:22Found wildcard domain name and http challenge type, switching to dns-01 validation.
CAA record prevents issuing the certificate: SERVFAILAfter that I noticed an update of letsencrypt to VERSION=2.0.12
So I tried a manual renewal of the cert through the web gui.
Error with LetsEncrypt request
2021-03-01 14:04Found wildcard domain name and http challenge type, switching to dns-01 validation.
CAA record prevents issuing the certificate: SERVFAIL
Never had the CAA record issue before all though I read about it here in the forums.
Will do a search here on the forums to see if the CAA record issue is solved and is a solution for me.
Edit: Perhaps it's relevant to mention that this domain was recently moved from one user to an other user using old user backup and restoring in the other user account.
Last edited:
Dannik
Verified User
The updates on my servers were a little out of date due to circumstances, I was running version 2.0.10 a little longer when the problem started. But updating to 2.0.12 didn't solve the problem. I have my doubts if this is related to DirectAdmin (or better: the Let's Encrypt script) or Let's Encrypt. Because only few reports about this problem van be found on Google, I'm inclined to think that the problem is with DirectAdmin/the script.Here as well.
Current version
#VERSION=2.0.12
I believe this error was thrown with the version before VERSION=2.0.12
Offtopic: another strange thing with CB is the logs cannot be opened anymore on 1 of my servers:
Regards,
Danny
Wanabo
Verified User
Been testing like a madman and got some progress.
Downgraded letsencrypt step by step and went three versions back but error still exists.
Tried to add CAA records, but there was no option in the dns add record. Added dns_caa=1 to directadmin.conf and added mydomain.nl. CAA 0 issue "letsencrypt.org", but error still exists.
Removed pointers (not an alias) of the troublesome domain and my wildcard cert was issued without a problem.
Added the domain pointers again and the error pops up again.
Seems 1 of the pointers did not had the correct nameservers set. So will try tomorrow again to give dns propagation some time to catch up.
Downgraded letsencrypt step by step and went three versions back but error still exists.
Tried to add CAA records, but there was no option in the dns add record. Added dns_caa=1 to directadmin.conf and added mydomain.nl. CAA 0 issue "letsencrypt.org", but error still exists.
Removed pointers (not an alias) of the troublesome domain and my wildcard cert was issued without a problem.
Added the domain pointers again and the error pops up again.
Seems 1 of the pointers did not had the correct nameservers set. So will try tomorrow again to give dns propagation some time to catch up.
Dannik
Verified User
Earlier I experienced the CAA records problem too. Most times it appeared to be the NS servers which could be slightly different configured compared with the ones registered with the domain (SIDN). ie: ns1.domain.nl instead of ns01.domain.nl, while both ns1 and ns01 do exist and everything works just fine. But eventually the messages disappeared after retrying 2 or 3 times or reregistering a new certificate 2 or 3 times.
I've got the problem on 3 domains. 1 of them is a pointer, 1 has pointers and the 3rd is just a single domain.
But although 1 of the domains has pointers, these pointers aren't included in the certificate request so they should not be part of the problem.
Eventually, all of them end up with the same messages lilke below.
A long list of "Waiting for DNS record propagation" messages and always "read: connection refused". Even with disabled firewall and non-wildcard certificates work without problems.
I've got the problem on 3 domains. 1 of them is a pointer, 1 has pointers and the 3rd is just a single domain.
But although 1 of the domains has pointers, these pointers aren't included in the certificate request so they should not be part of the problem.
Eventually, all of them end up with the same messages lilke below.
2021/03/03 00:37:39 [INFO] [somedomain.nl] acme: Checking DNS record propagation using [[2001:4860:4860::8888]:53]
2021/03/03 00:37:44 [INFO] Wait for propagation [timeout: 5m0s, interval: 5s]
2021/03/03 00:37:44 [INFO] [somedomain.nl] acme: Waiting for DNS record propagation.
2021/03/03 00:37:49 [INFO] [somedomain.nl] acme: Waiting for DNS record propagation.
...
2021/03/03 00:42:39 [INFO] [somedomain.nl] acme: Waiting for DNS record propagation.
2021/03/03 00:42:44 [INFO] [somedomain.nl] acme: Waiting for DNS record propagation.
2021/03/03 00:42:49 [INFO] [somedomain.nl] acme: Cleaning DNS-01 challenge
2021/03/03 00:42:54 [INFO] retry due to: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/authz-v3/11268508361 :: urn:ietf
2021/03/03 00:42:54 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/11268508361
2021/03/03 00:42:54 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/11268508362
2021/03/03 00:42:54 Could not obtain certificates:
error: one or more domains had a problem:
[*.somedomain.nl] time limit exceeded: last error: read udp [2a01:7c8:d003:28:5054:ff:fe07:b8af]:35635->[2a01:7c8:d003:2a::44]:53: read: connection refused
[somedomain.nl] time limit exceeded: last error: read udp [2a01:7c8:d003:28:5054:ff:fe07:b8af]:60758->[2a01:7c8:d003:2a::44]:53: read: connection refused
Certificate generation failed.
A long list of "Waiting for DNS record propagation" messages and always "read: connection refused". Even with disabled firewall and non-wildcard certificates work without problems.
Wanabo
Verified User
My issue is solved. The troublesome pointer is resolving now and an SSL cert was successfully generated.
Question: Do I need a certificate for a pointer? I noticed that when the pointer url is entered in a browser it is correctly redirected to the main domain (with a working certificate) all though it was not yet included in the wildcard ssl certificate.
Question: Do I need a certificate for a pointer? I noticed that when the pointer url is entered in a browser it is correctly redirected to the main domain (with a working certificate) all though it was not yet included in the wildcard ssl certificate.