Server refuses to renew ssl certificate

samuelmf

Hi guys, for some reason my server is not able to auto-renew the Let's Encrypt cert, and it refuses to renew if I do it manually. Is there any way to fix this?
Where can I look for the exact reason for it?
Thanks in advance

Edit:
I get this error in my message center:
Found wildcard domain name and http challenge type, switching to dns-01 validation.
CAA record prevents issuing the certificate: SERVFAIL
 
CAA record prevents issuing the certificate: SERVFAIL
This says it all. It seems that somewhere in your DNS there is a CAA entry which prevents the renewal.
There is too little information to see what is blocking the renewal, or why.

It might look like this:
domain.com. 3600 IN CAA 128 issue "letsencrypt.org"
or
domain.com. 3600 IN CAA 0 iodef "[email protected]"

In any case it's a CAA record in DNS. Probably something is wrong with yours, so you had best remove it and then try to renew again.
 
Hi @Richard G, thanks for the reply. I don't have any similar record in my DNS zone.
[screenshot of the DNS zone]
 
Additionally, this can also happen if you are using DNSSEC and something is not right with the DNSSEC key.
It can also be that the nameservers of the domain are still pointing to an older nameserver at the registrar, those kinds of things.
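The two replies above describe what a CA actually does with CAA (walk from the requested name up to its parents until a CAA RRset is found) and why a DNSSEC or nameserver problem shows up as "CAA record prevents issuing the certificate: SERVFAIL" even when no CAA record exists: the CA must refuse when it cannot complete the lookup. The script below is an added example written for this thread; it is not DirectAdmin, Let's Encrypt or RFC reference code. It models the RFC 8659 tree climb over a constructed in-memory stub resolver, so it runs offline, and the zones, names and the "SERVFAIL" marker are made up. Two details are assumptions of this model: a wildcard request is checked starting at the name with the leading "*." removed, and a "value; parameters" CAA value is matched on the part before the semicolon.

```python
"""Model of the CAA check a CA performs before issuing (RFC 8659 tree climb).

Added example for this forum thread, not DirectAdmin or Let's Encrypt code.
The resolver is a constructed in-memory stub so the script runs offline; the
zones below are made up. Assumption: a wildcard request is checked starting
at the name with the leading "*." removed. Issuance is refused whenever a
lookup on the way up fails, which is what the SERVFAIL in the poster's error
means: the CA could not complete the check, not that a record forbids it.
"""
from dataclasses import dataclass
from typing import Callable, Optional


class ServFail(Exception):
    """A CAA query returned SERVFAIL (broken DNSSEC chain, unreachable or lame
    authoritative nameservers). The relevant RRset cannot be determined."""


@dataclass(frozen=True)
class CAA:
    flags: int   # 128 marks the property issuer-critical
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # e.g. "letsencrypt.org", ";" (nobody may issue), "mailto:..."


Lookup = Callable[[str], list]   # exact-name CAA query; may raise ServFail


def make_stub_lookup(zone: dict) -> Lookup:
    """Constructed stub resolver: name -> CAA RRset, or the string "SERVFAIL"
    to model a name whose lookup fails. Absent names have no CAA records."""
    def lookup(name: str) -> list:
        entry = zone.get(name, [])
        if entry == "SERVFAIL":
            raise ServFail(name)
        return list(entry)
    return lookup


def relevant_rrset(lookup: Lookup, fqdn: str) -> tuple:
    """RFC 8659 section 3: query the name, then each parent, until a non-empty
    RRset is found. A SERVFAIL anywhere on the way propagates to the caller."""
    name = fqdn.rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = lookup(candidate)      # may raise ServFail
        if rrset:
            return candidate, rrset
    return None, []


def ca_may_issue(lookup: Lookup, fqdn: str, ca: str) -> tuple:
    """Decide whether CA `ca` (e.g. "letsencrypt.org") may issue for `fqdn`."""
    try:
        found_at, rrset = relevant_rrset(lookup, fqdn)
    except ServFail as exc:
        return False, f"CAA record prevents issuing the certificate: SERVFAIL on {exc}"
    if not rrset:
        return True, "no CAA record anywhere up the tree"
    # An unrecognised property with the critical flag set must block issuance.
    for r in rrset:
        if r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef"):
            return False, f"unknown issuer-critical property {r.tag!r} at {found_at}"
    # Wildcard requests use issuewild, falling back to issue only when the
    # RRset has no issuewild property at all.
    props = [r for r in rrset if r.tag == "issuewild"] if fqdn.startswith("*.") else []
    if not props:
        props = [r for r in rrset if r.tag == "issue"]
    if not props:
        return True, f"CAA at {found_at} has no issue/issuewild property (iodef only)"
    # The CA domain may be followed by parameters after ';' (assumed format).
    allowed = {r.value.split(";")[0].strip().lower() for r in props}
    if ca.lower() in allowed:
        return True, f"CAA at {found_at} permits {ca}"
    names = [a or "(nobody)" for a in sorted(allowed)]
    return False, f"CAA at {found_at} permits only {names}"


# Constructed zones used by the demo below.
ZONE_OK = {"example.com": [CAA(128, "issue", "letsencrypt.org")]}
ZONE_OTHER_CA = {"example.com": [CAA(0, "issue", "digicert.com")]}
ZONE_NO_WILDCARD = {"example.com": [CAA(0, "issue", "letsencrypt.org"),
                                    CAA(0, "issuewild", ";")]}
ZONE_IODEF_ONLY = {"example.com": [CAA(0, "iodef", "mailto:caa@example.com")]}
ZONE_SUBDOMAIN_OVERRIDE = {"example.com": [CAA(0, "issue", "digicert.com")],
                           "app.example.com": [CAA(0, "issue", "letsencrypt.org")]}
# No CAA record at all, but the apex lookup fails: the poster's situation.
ZONE_SERVFAIL = {"example.com": "SERVFAIL"}

if __name__ == "__main__":
    cases = [
        (ZONE_OK, "www.example.com"), (ZONE_OTHER_CA, "www.example.com"),
        (ZONE_NO_WILDCARD, "*.example.com"), (ZONE_NO_WILDCARD, "www.example.com"),
        (ZONE_IODEF_ONLY, "www.example.com"), (ZONE_SUBDOMAIN_OVERRIDE, "app.example.com"),
        (ZONE_SUBDOMAIN_OVERRIDE, "www.example.com"), (ZONE_SERVFAIL, "*.example.com"),
    ]
    for zone, name in cases:
        ok, why = ca_may_issue(make_stub_lookup(zone), name, "letsencrypt.org")
        print(f"{name:20} {'ISSUE ' if ok else 'REFUSE'} {why}")
```

The last case is the one that matters for this thread: the zone has no CAA record, yet the result is a refusal, because the CA never got to see an empty answer. Replacing `make_stub_lookup` with a real CAA query (for instance via dnspython) turns the same logic into a live check.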
 
This server has been working for a year and a half, and everything was working normally; I use my own ns1 and ns2.
Suddenly it started having the auto-renew problem for the SSLs.
 
It could also be a temporary problem.

Try restarting directadmin, named and httpd (if you are running httpd) and see if that helps.

If this is just today, then I would have a look tomorrow. If this is happening for multiple days, then I don't know anything except for what I already mentioned; somebody else might have another idea, or you have to send in a ticket for this or ask over at Let's Encrypt.
 
I performed these commands:

cd /usr/local/directadmin
echo `date +%s --date='61 days ago'` > "data/users/admin/domains/domain.com.cert.creation_time"
/usr/local/directadmin/directadmin taskq --run 'action=rewrite&value=letsencrypt&domain=domain.com' --debug 3100

[screenshot of the task queue debug output]


Do you see anything abnormal in that output?
 
Do you see anything abnormal in that output?
Except for the fact that you have a customisation, not really. And it looks like you have exceeded the number of attempts you can make at this moment.

However, I did a check and it seems your nameserver (you only have 1) is not responding.
However, from my system it does answer and resolve. But if you check your DNS propagation you will see that it is propagating badly.
Also Google and Cloudflare DNS do not "see" your nameserver.

So this propagation issue could very well be the cause that you cannot issue wildcard certificates.
You have to fix that propagation issue.
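The check Richard G describes, asking the public resolvers whether they can resolve the domain at all, can be made more precise: a validating resolver that answers SERVFAIL normally but NOERROR with DNSSEC checking disabled (`+cd`) is telling you the DNSSEC chain is broken, whereas SERVFAIL in both cases means it cannot get a usable answer from the authoritative nameservers (delegation, glue, or ns1/ns2 not reachable from the Internet). The script below is an added example written for this thread, not DirectAdmin's or Let's Encrypt's tooling. It assumes BIND's `dig` is installed and adds Quad9 to the Google and Cloudflare resolvers named above; the sample `dig` outputs at the bottom are constructed and abridged so the parsing and interpretation can be exercised offline.

```python
"""Ask public validating resolvers why a CAA lookup returns SERVFAIL.

Added example for this forum thread, not DirectAdmin or Let's Encrypt code.
Assumes BIND's `dig` is installed. Each resolver is queried twice: once
normally and once with DNSSEC checking disabled (+cd); the pair is then
interpreted. parse_dig and classify are pure functions; the sample dig
outputs at the bottom are constructed, so the demo runs offline.
"""
import re
import subprocess

# Google and Cloudflare are the resolvers named in the thread; Quad9 is an addition.
PUBLIC_RESOLVERS = {"google": "8.8.8.8", "cloudflare": "1.1.1.1", "quad9": "9.9.9.9"}


def parse_dig(output: str) -> dict:
    """Extract status, header flags and answer count from dig's text output."""
    if "no servers could be reached" in output:
        return {"status": "TIMEOUT", "flags": set(), "answers": 0}
    status = re.search(r"status: ([A-Z]+), id:", output)
    hdr = re.search(r"^;; flags: ([a-z ]*);.*ANSWER: (\d+)", output, re.M)
    return {
        "status": status.group(1) if status else "UNKNOWN",
        "flags": set(hdr.group(1).split()) if hdr else set(),
        "answers": int(hdr.group(2)) if hdr else 0,
    }


def run_dig(name: str, rrtype: str, server: str, checking_disabled: bool = False) -> dict:
    """One query through `dig` (needs network; not used by the offline demo)."""
    args = ["dig", f"@{server}", name, rrtype, "+dnssec", "+time=3", "+tries=1"]
    if checking_disabled:
        args.append("+cd")
    proc = subprocess.run(args, capture_output=True, text=True)
    return parse_dig(proc.stdout)


def classify(validating: dict, checking_disabled: dict) -> str:
    """Interpret the normal and +cd results for the same name at one resolver."""
    s_val, s_cd = validating["status"], checking_disabled["status"]
    if s_val == "NOERROR":
        if "ad" in validating["flags"]:
            return "ok (DNSSEC validated)"
        return "ok (zone not signed, or resolver not validating)"
    if s_val == "SERVFAIL" and s_cd == "NOERROR":
        return "DNSSEC validation failure: compare the DS at the registrar with the DNSKEY in the zone"
    if s_val == "SERVFAIL" and s_cd == "SERVFAIL":
        return ("no usable answer from the authoritative nameservers: check the NS delegation, "
                "the glue records, and that ns1/ns2 answer from the Internet")
    if s_val == "TIMEOUT":
        return "resolver unreachable from this host"
    return f"unexpected combination {s_val}/{s_cd}"


def diagnose(domain: str, resolvers: dict = PUBLIC_RESOLVERS) -> dict:
    """CAA lookup at the apex through each resolver, the way a CA would do it."""
    return {label: classify(run_dig(domain, "CAA", ip), run_dig(domain, "CAA", ip, True))
            for label, ip in resolvers.items()}


# Constructed, abridged dig outputs for the offline demo.
SAMPLE_SERVFAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_OK_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_TIMEOUT = ";; connection timed out; no servers could be reached\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # live run: python caa_diag.py domain.com
        for label, verdict in diagnose(sys.argv[1]).items():
            print(f"{label:10} {verdict}")
    else:                                       # offline demo on the constructed samples
        print(classify(parse_dig(SAMPLE_SERVFAIL), parse_dig(SAMPLE_OK_CD)))
        print(classify(parse_dig(SAMPLE_SERVFAIL), parse_dig(SAMPLE_SERVFAIL)))
        print(classify(parse_dig(SAMPLE_TIMEOUT), parse_dig(SAMPLE_TIMEOUT)))
```

Run it with the domain as the only argument to query the live resolvers; the same pair of queries against each of your own ns1 and ns2 (put their IPs into `PUBLIC_RESOLVERS`) shows whether the authoritative side answers at all, which is the first thing to establish when a propagation checker shows the nameservers in red.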
 
Thanks for the reply.
It seems so strange to me, because until the expiration and failure of that certificate to renew, everything was working correctly.
I haven't changed anything in my DNS configuration, and suddenly now intodns gives me those red errors with the nameservers.

[screenshot of the intodns report with the nameserver errors]

This is my zone configuration for my domain; it is the same as when I set up the server.
If I ping my ns1 and ns2 they respond correctly with the same IP.
I have double-checked my glue records and all seems fine.
[screenshot of the zone configuration]

At this point I don't know what is causing those red errors on intodns.
 