Certs won't renew - HELP
-
One of our (paid) Cloud instances is refusing to update certs. Starting a couple of days ago. A manual refresh gets a lot of errors on the log. The client cannot log in - this is a big deal.
Where do I start?
filled with lines like this:
Dec 28 13:27:10 box:cert/acme2 sendSignedRequest: using nonce GJdccAF6CFXCywo_pgyPU5yKhGI7gls_ftlnroNQuIRwVCm8sb4 for url https://acme-v02.api.letsencrypt.org/acme/chall/1970589977/451963773075/ZgIswA
Dec 28 13:27:10 box:cert/acme2 waitForChallenge: status is "invalid" "{"type":"dns-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/1970589977/451963773075/ZgIswA","status":"invalid","validated":"2024-12-28T19:23:46Z","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"Incorrect TXT record "dU24qPdE0kcVPGtd9z6Bf1KVFhUdUsO4QBFQPIpuXFc" found at _acme-challenge.fpiw-content.media","status":403},"token":"dDgFIftTVmWxvJ7vUeVLq-iux1rxrN_1-cw8SxaXWyU"}"
Dec 28 13:27:10 box:cert/acme2 Attempt 11 failed. Will retry: Unexpected status when waiting for challenge: invalid -
One of our (paid) Cloud instances is refusing to update certs. Starting a couple of days ago. A manual refresh gets a lot of errors on the log. The client cannot log in - this is a big deal.
Where do I start?
filled with lines like this:
Dec 28 13:27:10 box:cert/acme2 sendSignedRequest: using nonce GJdccAF6CFXCywo_pgyPU5yKhGI7gls_ftlnroNQuIRwVCm8sb4 for url https://acme-v02.api.letsencrypt.org/acme/chall/1970589977/451963773075/ZgIswA
Dec 28 13:27:10 box:cert/acme2 waitForChallenge: status is "invalid" "{"type":"dns-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/1970589977/451963773075/ZgIswA","status":"invalid","validated":"2024-12-28T19:23:46Z","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"Incorrect TXT record "dU24qPdE0kcVPGtd9z6Bf1KVFhUdUsO4QBFQPIpuXFc" found at _acme-challenge.fpiw-content.media","status":403},"token":"dDgFIftTVmWxvJ7vUeVLq-iux1rxrN_1-cw8SxaXWyU"}"
Dec 28 13:27:10 box:cert/acme2 Attempt 11 failed. Will retry: Unexpected status when waiting for challenge: invalid@stevespaw said in Certs won't renew - HELP:
Dec 28 13:27:10 box:cert/acme2 waitForChallenge: status is "invalid" "{"type":"dns-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/1970589977/451963773075/ZgIswA","status":"invalid","validated":"2024-12-28T19:23:46Z","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"Incorrect TXT record "dU24qPdE0kcVPGtd9z6Bf1KVFhUdUsO4QBFQPIpuXFc" found at _acme-challenge.fpiw-content.media","status":403},"token":"dDgFIftTVmWxvJ7vUeVLq-iux1rxrN_1-cw8SxaXWyU"}"
Dec 28 13:27:10 box:cert/acme2 Attempt 11 failed. Will retry: Unexpected status when waiting for challenge: invalidNot an expert when it comes to SSL but it looks like it's refusing to issue a new certificate because there is a text record DNS entry at
_acme-challenge.fpiw-content.media? Not sure why that would be an issue but a quick DNS check does yield a result there. Did you try deleting this entry and reissue? -
Nothing has changed from the initial install which went just fine several months ago - this just appeared.
@stevespaw Have you tried deleting this txt entry and reissuing the certificate?
-
No not yet - I have no idea how that would have happened. I currently do not have direct access to DNS records.
@stevespaw said in Certs won't renew - HELP:
No not yet - I have no idea how that would have happened. I currently do not have direct access to DNS records.
I assume this entry wasn't cleared properly after the last certificate was issued and is now preventing you from getting a new one
-
OK I have access to the GoDaddy account _ have deleted the TXT record and restarted - I keep seeing the TXT record change, buy I get errors that they don't match. This is now a big issue I need to solve, but I am not very knowledgeable on LetsEncrypt. Where do I go from here?
-
If you set up a new sub domain, do the certs work ok?
If so, then you can move the app from its current sub/domain to another temporary one. Validate it all works. Then move it back for a fresh set of certs.
-
If you set up a new sub domain, do the certs work ok?
within GoDaddy or a new app in Cloudron?
BTW even the main "my.xyz.com" is also failing. Currently 4 apps installed in Cloudron.
@stevespaw Cloudron.. as idk how you set up your DNS. Most folks here choose to have it automated by Cloudron.
For example, if you configure GoDaddy to use CloudFlare for DNS, then you can have Cloudron effortlessly auto manage DNS entries via Cloudflare integration.
-
Ouch this is bad news. We have custom apps that directly work with API's in these cloudron apps.
@stevespaw they'll still work, just on a different cloudron, right?
Containers for a reason.
-
Yes it is possible to migrate to another Cloudron, but what's to say that the SSL will work on a different cloudron to the same domain that is having issues?
@stevespaw testing.
-
So we have looked into this and it appears that LetsEncrypt does not see the TXT records (reporting a NXDOMAN) for those when directly talking to the GoDaddy nameservers. We have set the DNS backend to manual to fallback to the HTTP acme flow. That way the certs were refreshed fine.
Lets see if other GoDaddy users also face this, or if this is just a hiccup for those associated nameservers.
-
Unfortunately, we have lost the ability to test GoDaddy since they disabled API use for all customers having < 10 domains or something. See also https://www.reddit.com/r/godaddy/comments/1chs1j8/godaddy_access_denied_via_apicall/ . If anyone can reproduce this and can give us a test set up, happy to debug further.
