I've got a server which had an expired letsenrypt certificate. To fix that, I simply ran certbot --apache
which ran without problems and solved the expired certificate.
To prevent this problem in the future, I wanted to have the certificate automatically renew itself, so following the instructions here I ran certbot renew --dry-run
, but that ends in an error:
Attempting to renew cert from /etc/letsencrypt/renewal/cms.ourdomain.com.conf produced an unexpected error: Failed authorization procedure. cms.ourdomain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up CAA for cms.ourdomain.com. Skipping.
Since certbot --apache
worked perfectly well I wouldn't know why this renewal would fail with a DNS problem. To be sure I ran certbot --apache
again to force and renew the cert again, which again worked fine. So nothing seems to be wrong with the DNS.
Does anybody know what could be the cause of this problem or how I can debug this? All tips are welcome!
From what I have seen, certbot
and certbot --apache
actually take some significantly different code paths. Perhaps try certbot --apache --dryrun
?
Incidentally, I have given up on the Apache specific implementation. I have found that stopping apache and running certbot certonly --standalone -d example.com
does a good job of generating keys and certs (point to them manually in your apache config) and then certbot renew
with pre and post hook scripts in /etc/letsencrypt/renewal-hooks/{pre|post}/apache2.sh
to stop and start apache works really well.
My scripts look like:
#!/bin/bash
# certbot pre renewal
# stop apache
systemctl stop apache2
sleep 5s
#!/bin/bash
# certbot post renewal
# start apache
systemctl start apache2
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.