Let's Encrypt certbot: creating a new certificate

wintermute_3dc

My small (virtual) server needs a new certificate. Until now, certbot normally did this automatically.
certbot renew --dry-run returns:
Code:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/NAME.unitymedia.biz.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for NAME.unitymedia.biz
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (NAME.unitymedia.biz) from /etc/letsencrypt/renewal/NAME.unitymedia.biz.conf produced an unexpected error: Failed authorization procedure. NAME.unitymedia.biz (tls-sni-01): urn:ietf:params:acme:error:caa :: CAA record for NAME.unitymedia.biz prevents issuance. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/NAME.unitymedia.biz/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/NAME.unitymedia.biz/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: NAME.unitymedia.biz
   Type:   None
   Detail: CAA record for NAME.unitymedia.biz prevents
   issuance

When I test my domain name with https://www.ssllabs.com/ssltest/, I get the following result:
DNS CAA Yes
policy host: unitymedia.biz
issuewild: ; flags:0
iodef: mailto:pki@libertyglobal.com flags:0
issue: globalsign.com flags:0

So in principle the CAA record should be present, right?
Does anyone have a tip for me on where and what the problem is, and how I can renew my certificate?
I use CentOS as the OS; the firewall is ipcop.

Thanks in advance for the help
 
See whether this helps you: https://github.com/certbot/certbot/issues/4827
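
Why the CA answers with the caa error, as an added example that is not part of the thread: a minimal RFC 8659 evaluation over a constructed copy of the CAA records that SSL Labs reported for unitymedia.biz. It assumes letsencrypt.org as Let's Encrypt's CAA issuer domain and ignores CNAME aliases; the function names and the override record in the demo are hypothetical.

```python
# Added example: RFC 8659 CAA evaluation, run offline on constructed data.
# ZONE copies the SSL Labs output quoted in the thread; nothing is queried live.
ZONE = {
    "unitymedia.biz": [
        (0, "issue", "globalsign.com"),
        (0, "issuewild", ";"),
        (0, "iodef", "mailto:pki@libertyglobal.com"),
    ],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(fqdn, zone):
    """Climb from fqdn toward the root; the first name with CAA records wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []

def issuer_domain(value):
    """Drop parameters after ';' so 'ca.example; k=v' compares as 'ca.example'."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(fqdn, ca_domain, zone, wildcard=False):
    """Return (allowed, policy_host) for ca_domain issuing a cert for fqdn."""
    host, rrset = relevant_rrset(fqdn, zone)
    if not rrset:
        return True, None  # no CAA on the name or any parent: no restriction
    rrset = [(flags, tag.lower(), value) for flags, tag, value in rrset]
    if any(flags & 0x80 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False, host  # unknown property marked critical: CA must refuse
    issue = [v for _, t, v in rrset if t == "issue"]
    wild = [v for _, t, v in rrset if t == "issuewild"]
    values = wild if (wildcard and wild) else issue
    if not values:
        return True, host  # e.g. only iodef present: issuance not restricted
    return any(issuer_domain(v) == ca_domain for v in values), host

if __name__ == "__main__":
    # The host has no CAA of its own, so the parent's policy applies.
    print(may_issue("NAME.unitymedia.biz", "letsencrypt.org", ZONE))
    # Hypothetical override: a CAA RRset on the host itself ends the climb there.
    override = dict(ZONE)
    override["name.unitymedia.biz"] = [(0, "issue", "letsencrypt.org")]
    print(may_issue("NAME.unitymedia.biz", "letsencrypt.org", override))
```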
 