LetsEncrypt Renewal Failure

Ubuntu 18.04.4
Webmin 1.953
Virtualmin 6.10

Domain 398productions.co.uk: SSL cert due to expire 07/28/2020 06:00 approx. RENEWAL failure (plus failed previous attempts leading up to the expiry date); it had previously renewed OK.
Last successful renewal 04/29/2020 8:47:26 AM

Checking /var/log/letsencrypt/letsencrypt.log extract:

Strict-Transport-Security: max-age=604800
{
  "identifier": {
    "type": "dns",
    "value": "398productions.co.uk"
  },
  "status": "invalid",
  "expires": "2020-08-04T15:23:58Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "No TXT record found at _acme-challenge.398productions.co.uk",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/6167084778/nO8_cQ",
      "token": "3SVt80MYX-HORLqwarom8iO08BWKLWyzjtoQH4lQmKE"
    }
  ]
}
2020-07-28 16:24:29,459:DEBUG:acme.client:Storing nonce: 0001N-GCVlY9AYcuCFj3w7slTlEgXCjNQqF6mZf516Hk_i0
2020-07-28 16:24:29,460:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: 398productions.co.uk
Type: unauthorized
Detail: No TXT record found at _acme-challenge.398productions.co.uk
Domain: 398productions.co.uk
Type: unauthorized
Detail: No TXT record found at _acme-challenge.398productions.co.uk

Have tried various options, e.g. creating a TXT record _acme-challenge with empty content.

Have checked the DNS records against another domain, idesigner.co.uk, which auto-renewed 07/25/2020 - they match (with the exception of the name, of course)!
Have checked /.well-known/acme-challenge/1234.txt is OK, with permissions also good.
The extract above shows the DNS check by LetsEncrypt, which fails.
Trawled this and the LetsEncrypt forums to no avail - any help would be much appreciated.

Thanks

Since previous renewals went through your DNS is probably fine. I don’t know why certbot works fine at first but gets pickier come renewal time. Manually creating the TXT record mentioned in the error has worked for me before.

The value of the TXT record can’t be empty. It’s the ACME client account number (or token) and yours appears to be shown.

So the complete TXT record consists of

_acme-challenge.398productions.co.uk
3SVt80MYX-HORLqwarom8iO08BWKLWyzjtoQH4lQmKE

If you’re using BIND in Webmin to host your DNS, you only need to enter the _acme-challenge part before the dot in your DNS records in Virtualmin; the .398productions.co.uk part will be filled in already. The token goes in the text record box.

Hi Ramin

Tried the suggestion, creating the TXT record _acme-challenge.398productions.co.uk
3SVt80MYX-HORLqwarom8iO08BWKLWyzjtoQH4lQmKE

Which failed, so looking at /var/log/letsencrypt/letsencrypt.log (extract):

Strict-Transport-Security: max-age=604800
{
  "identifier": {
    "type": "dns",
    "value": "398productions.co.uk"
  },
  "status": "invalid",
  "expires": "2020-08-05T06:53:26Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Incorrect TXT record \"3SVt80MYX-HORLqwarom8iO08BWKLWyzjtoQH4lQmKE\" found at _acme-challenge.398productions.co.uk",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/6181346694/_lpB0w",
      "token": "to4-PuQ9DiE9gJugzkmol6Z14LAc0dwC6OBE4sSM9LY"
    }
  ]
}

And comparing it to the two other domain variations requested for the same certificate:

Strict-Transport-Security: max-age=604800
{
  "identifier": {
    "type": "dns",
    "value": "www.398productions.co.uk"
  },
  "status": "valid",
  "expires": "2020-08-06T07:54:25Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "valid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/5717477995/7GAd-A",
      "token": "Cppbr64Va-laHx7Gq1ChD7Qkfhod590KcFjJ-oXDG9w",
      "validationRecord": [
        {
          "hostname": "www.398productions.co.uk"
        }
      ]
    }
  ]
}

AND

Strict-Transport-Security: max-age=604800
{
  "identifier": {
    "type": "dns",
    "value": "mail.398productions.co.uk"
  },
  "status": "valid",
  "expires": "2020-08-13T13:15:05Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "valid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/5876308278/C-SSBg",
      "token": "nzWJam29vDpnTBFtu_K9qNQ0uAcemyncr66Rl1LRQFw",
      "validationRecord": [
        {
          "hostname": "mail.398productions.co.uk"
        }
      ]
    }
  ]
}

Concluded that the issue is to do with the DNS records for 398productions.co.uk, which is shown as "invalid" in the letsencrypt.log extract.

i.e. a separate "token" is issued for each.
So I removed the suggested TXT record for _acme-challenge from my Linode DNS records, then requested a certificate for just www.398productions.co.uk and mail.398productions.co.uk, and the certificate was issued!

Will try to ascertain why LetsEncrypt's check thinks 398productions.co.uk is "invalid".
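The check behind the "Incorrect TXT record" and "No TXT record found" errors in the log extracts above, as an added example (not code from the thread, certbot or Virtualmin): RFC 8555 section 8.4 defines the dns-01 TXT value as the unpadded base64url SHA-256 of the key authorization, which is the challenge token joined by "." to the account key's RFC 7638 thumbprint, so a record holding the bare token never matches, and each identifier's challenge carries its own token and so needs its own _acme-challenge record. The account JWK below is a constructed placeholder, not the poster's key; the tokens are the ones quoted in the thread.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Unpadded base64url, as ACME requires (RFC 8555 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    keys sorted lexicographically, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: base64url(SHA-256(token "." thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())

def txt_record_matches(observed: str, token: str, jwk: dict) -> bool:
    """What the CA does: compare the published TXT value to the expected digest."""
    return observed.strip().strip('"') == dns01_txt_value(token, jwk)

# Constructed placeholder account key (public part only); not a real key.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(b"\x01" * 32),
    "y": b64url(b"\x02" * 32),
}

# Tokens quoted from the thread's letsencrypt.log extracts: one per identifier.
TOKENS = {
    "398productions.co.uk": "to4-PuQ9DiE9gJugzkmol6Z14LAc0dwC6OBE4sSM9LY",
    "www.398productions.co.uk": "Cppbr64Va-laHx7Gq1ChD7Qkfhod590KcFjJ-oXDG9w",
    "mail.398productions.co.uk": "nzWJam29vDpnTBFtu_K9qNQ0uAcemyncr66Rl1LRQFw",
}

def expected_records(tokens: dict, jwk: dict) -> dict:
    """One _acme-challenge TXT record per identifier, each with its own digest."""
    return {f"_acme-challenge.{name}": dns01_txt_value(tok, jwk)
            for name, tok in tokens.items()}

if __name__ == "__main__":
    for name, value in expected_records(TOKENS, ACCOUNT_JWK).items():
        print(f'{name}. IN TXT "{value}"')
    raw = TOKENS["398productions.co.uk"]
    # Publishing the bare token, as the second log extract shows, fails the check.
    print("bare token accepted:", txt_record_matches(raw, raw, ACCOUNT_JWK))
```

Because the digest depends on the account key, the value a different ACME client computed for the same token will not validate either; the TXT record must come from the client that created the order.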

Sounds like NS or A records weren't resolving before. It's too little too late now, but I bet 127.0.0.1 was missing from your resolver file. Glad to hear it's working with Linode DNS.
