Problem renewing certificate (I think?) for a domain


(Raphael Kabo) #1

I restarted Caddy and I think it’s now failing to renew a certificate, though honestly I don’t understand these logs. Here is the relevant section of journalctl -xe, let me know if I can get more logs somewhere, or if this is a very simple problem with a very simple solution.

Mar 13 14:36:28 caddy caddy[4069]: 2019/03/13 14:36:28 [INFO] Certificate for [subdomain.domain.com] expires in 571h44m56.853623603s; attempting renewal
Mar 13 14:36:28 caddy caddy[4069]: 2019/03/13 14:36:28 [INFO] [subdomain.domain.com] acme: Trying renewal with 571 hours remaining
Mar 13 14:36:28 caddy caddy[4069]: 2019/03/13 14:36:28 [INFO] [subdomain.domain.com] acme: Obtaining bundled SAN certificate
Mar 13 14:36:29 caddy caddy[4069]: 2019/03/13 14:36:29 [INFO] [subdomain.domain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/LXkOcPQXUjNx6x9-8L1SsMEGY67zL3sd4r6m0jxet
Mar 13 14:36:29 caddy caddy[4069]: 2019/03/13 14:36:29 [INFO] [subdomain.domain.com] acme: Could not find solver for: tls-sni-01
Mar 13 14:36:29 caddy caddy[4069]: 2019/03/13 14:36:29 [INFO] [subdomain.domain.com] acme: use tls-alpn-01 solver
Mar 13 14:36:29 caddy caddy[4069]: 2019/03/13 14:36:29 [INFO] [subdomain.domain.com] acme: Trying to solve TLS-ALPN-01
Mar 13 14:36:35 caddy caddy[4069]: 2019/03/13 14:36:35 [ERROR] Renewing [subdomain.domain.com]: acme: Error -> One or more domains had a problem:
Mar 13 14:36:35 caddy caddy[4069]: [subdomain.domain.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for subdomain.domain.com, url:
Mar 13 14:36:35 caddy caddy[4069]: ; trying again in 10s
Mar 13 14:36:45 caddy caddy[4069]: 2019/03/13 14:36:45 [INFO] [subdomain.domain.com] acme: Trying renewal with 571 hours remaining
Mar 13 14:36:45 caddy caddy[4069]: 2019/03/13 14:36:45 [INFO] [subdomain.domain.com] acme: Obtaining bundled SAN certificate
Mar 13 14:36:46 caddy caddy[4069]: 2019/03/13 14:36:46 [INFO] [subdomain.domain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/dzWSagP6cYsPcW5SnrV6zhqWodDfPc2IvdQnHsDu4
Mar 13 14:36:46 caddy caddy[4069]: 2019/03/13 14:36:46 [INFO] [subdomain.domain.com] acme: Could not find solver for: tls-sni-01
Mar 13 14:36:46 caddy caddy[4069]: 2019/03/13 14:36:46 [INFO] [subdomain.domain.com] acme: use tls-alpn-01 solver
Mar 13 14:36:46 caddy caddy[4069]: 2019/03/13 14:36:46 [INFO] [subdomain.domain.com] acme: Trying to solve TLS-ALPN-01
Mar 13 14:36:47 caddy sshd[4310]: Received disconnect from 162.241.178.219 port 45768:11: Bye Bye [preauth]
Mar 13 14:36:47 caddy sshd[4310]: Disconnected from authenticating user root 162.241.178.219 port 45768 [preauth]
Mar 13 14:36:53 caddy caddy[4069]: 2019/03/13 14:36:53 [ERROR] Renewing [subdomain.domain.com]: acme: Error -> One or more domains had a problem:
Mar 13 14:36:53 caddy caddy[4069]: [subdomain.domain.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for subdomain.domain.com, url:
Mar 13 14:36:53 caddy caddy[4069]: ; trying again in 10s
Mar 13 14:36:58 caddy kernel: [UFW BLOCK] IN=ens3 OUT= MAC=a6:c7:32:ea:28:79:5c:45:27:79:03:30:08:00 SRC=164.52.24.165 DST=178.62.39.242 LEN=44 TOS=0x00 PREC=0x00 TTL=241 ID=54
Mar 13 14:36:58 caddy kernel: [UFW BLOCK] IN=ens3 OUT= MAC=a6:c7:32:ea:28:79:5c:45:27:79:03:30:08:00 SRC=164.52.24.165 DST=178.62.39.242 LEN=44 TOS=0x00 PREC=0x00 TTL=242 ID=54
Mar 13 14:36:58 caddy kernel: [UFW BLOCK] IN=ens3 OUT= MAC=a6:c7:32:ea:28:79:40:a6:77:42:b3:f0:08:00 SRC=185.254.122.8 DST=178.62.39.242 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=47
Mar 13 14:36:59 caddy kernel: [UFW BLOCK] IN=ens3 OUT= MAC=a6:c7:32:ea:28:79:5c:45:27:79:03:30:08:00 SRC=185.254.122.8 DST=178.62.39.242 LEN=40 TOS=0x00 PREC=0x20 TTL=246 ID=65
Mar 13 14:37:03 caddy caddy[4069]: 2019/03/13 14:37:03 [ERROR] too many renewal attempts; last error: acme: Error -> One or more domains had a problem:
Mar 13 14:37:03 caddy caddy[4069]: [subdomain.domain.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for subdomain.domain.com, url:
Mar 13 14:37:03 caddy caddy[4069]: 2019/03/13 14:37:03 [INFO] Reloading complete

I am also happy to share the address if it might be an issue with the certificates or DNS for this particular domain. subdomain.domain.com has worked previously with no issues, and domain.com works fine.


(Conor Burns) #2

Try dig subdomain.domain.com
ACME responds with NXDOMAIN, which tells you that it doesn’t find that domain.

Edit: there are online tools to look up DNS propagation


(Matthew Fay) #3

NXDOMAIN means that Let’s Encrypt’s DNS resolvers think your domain is no longer registered.


(Raphael Kabo) #4

You’re both completely right, it was a nameserver problem which somehow… materialised. Thank you!
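Added example, not part of the thread and not Caddy's own code: a small Python triage script that pulls the ACME problem type and DNS response code out of journal output shaped like the excerpt in post #1, skipping the unrelated sshd and UFW lines. The function name and the trimmed sample are constructed for illustration, and the line format is assumed to match that excerpt.

```python
import re

# Constructed sample: a trimmed subset of the journal lines quoted in post #1.
SAMPLE = """\
Mar 13 14:36:28 caddy caddy[4069]: 2019/03/13 14:36:28 [INFO] [subdomain.domain.com] acme: Trying renewal with 571 hours remaining
Mar 13 14:36:35 caddy caddy[4069]: 2019/03/13 14:36:35 [ERROR] Renewing [subdomain.domain.com]: acme: Error -> One or more domains had a problem:
Mar 13 14:36:35 caddy caddy[4069]: [subdomain.domain.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for subdomain.domain.com, url:
Mar 13 14:36:47 caddy sshd[4310]: Received disconnect from 162.241.178.219 port 45768:11: Bye Bye [preauth]
Mar 13 14:36:53 caddy caddy[4069]: [subdomain.domain.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for subdomain.domain.com, url:
Mar 13 14:37:03 caddy caddy[4069]: 2019/03/13 14:37:03 [ERROR] too many renewal attempts; last error: acme: Error -> One or more domains had a problem:
"""

# syslog prefix: "Mar 13 14:36:35 host unit[pid]: message"
SYSLOG = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ (?P<unit>[\w.-]+)\[\d+\]: (?P<msg>.*)$")
# ACME client error line: "[domain] acme: error: 400 :: urn:...:error:<type> :: <detail>, url:"
ACME_ERR = re.compile(
    r"\[(?P<domain>[^\]]+)\] acme: error: (?P<status>\d{3}) :: "
    r"urn:ietf:params:acme:error:(?P<type>\w+) :: (?P<detail>.*?)(?:, url:.*)?$"
)
# Detail text the CA returned for a failed DNS lookup
DNS_DETAIL = re.compile(r"DNS problem: (?P<rcode>[A-Z]+) looking up (?P<rrtype>[A-Z]+) for \S+")


def summarize_acme_errors(journal_text, unit="caddy"):
    """Return {(domain, acme_error_type): info} for one unit's ACME error lines."""
    found = {}
    for line in journal_text.splitlines():
        m = SYSLOG.match(line)
        if not m or m["unit"] != unit:
            continue  # sshd, kernel/UFW and malformed lines are not ours
        e = ACME_ERR.search(m["msg"])
        if not e:
            continue  # INFO lines and the "[ERROR] Renewing ..." header carry no type
        rec = found.setdefault((e["domain"], e["type"]), {
            "status": int(e["status"]), "detail": e["detail"],
            "count": 0, "rcode": None, "rrtype": None,
        })
        rec["count"] += 1
        d = DNS_DETAIL.search(e["detail"])
        if d:
            rec["rcode"], rec["rrtype"] = d["rcode"], d["rrtype"]
    return found


if __name__ == "__main__":
    for (domain, kind), info in summarize_acme_errors(SAMPLE).items():
        print(f"{domain}: {kind} x{info['count']} -> {info['detail']}")
```

A `dns` type with `NXDOMAIN` points at the zone or nameservers rather than at Caddy, which is what the `dig` check in post #2 confirms.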