Certificate cannot be renewed for subdomains of subdomains only

My YunoHost server

Hardware: VPS bought online
YunoHost version: 11.1.13
I have access to my server : Through SSH | through the webadmin |
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no

Description of my issue

It is weird that for the past few weeks I keep on receiving these emails for 3 of my subdomains:


An attempt for renewing the certificate for domain www.directory.trade-free.org failed with the following
error :

There is no diagnosis result for domain www.directory.trade-free.org yet. Please re-run a diagnosis for categories 'DNS records' and 'Web' in the diagnosis section to check if the domain is ready for Let's Encrypt. (Or if you know what you are doing, use '--no-checks' to turn off these checks.)


Here's the tail of /var/log/yunohost/yunohost-cli.log, which might help to
investigate :

2023-03-08 06:10:39,718 DEBUG    moulinette.core acquire - lock has been acquired
2023-03-08 06:10:39,842 DEBUG    moulinette.actionsmap process - loading python module yunohost.dyndns took 0.123s
2023-03-08 06:10:39,842 DEBUG    moulinette.actionsmap process - processing action [896114.1]: yunohost.dyndns.update with args={'domain': None, 'force': False, 'dry_run': False}
2023-03-08 06:10:39,851 DEBUG    yunohost.utils.network (unknown function) - Fetching IP from https://ip.yunohost.org 
2023-03-08 06:10:39,854 DEBUG    urllib3.connectionpool (unknown function) - Starting new HTTPS connection (1): ip.yunohost.org:443
2023-03-08 06:10:39,971 DEBUG    urllib3.connectionpool (unknown function) - https://ip.yunohost.org:443 "GET / HTTP/1.1" 200 13
2023-03-08 06:10:39,974 DEBUG    yunohost.utils.network (unknown function) - IP fetched: 161.97.165.76
2023-03-08 06:10:39,987 DEBUG    yunohost.utils.network (unknown function) - Fetching IP from https://ip6.yunohost.org 
2023-03-08 06:10:39,989 DEBUG    urllib3.connectionpool (unknown function) - Starting new HTTPS connection (1): ip6.yunohost.org:443
2023-03-08 06:10:40,087 DEBUG    urllib3.connectionpool (unknown function) - https://ip6.yunohost.org:443 "GET / HTTP/1.1" 200 22
2023-03-08 06:10:40,089 DEBUG    yunohost.utils.network (unknown function) - IP fetched: 2a02:c206:2051:7165::1
2023-03-08 06:10:40,090 DEBUG    yunohost.dyndns (unknown function) - [896114.1] Building zone update ...
2023-03-08 06:10:40,127 DEBUG    yunohost.dyndns (unknown function) - [896114.1] Old IPv4/v6 are (161.97.165.76, 2a02:c206:2051:7165::1)
2023-03-08 06:10:40,127 DEBUG    yunohost.dyndns (unknown function) - [896114.1] Requested IPv4/v6 are (161.97.165.76, 2a02:c206:2051:7165::1)
2023-03-08 06:10:40,127 INFO     yunohost.dyndns (unknown function) - [896114.1] No updated needed.
2023-03-08 06:10:40,127 DEBUG    moulinette.actionsmap process - action [896114.1] executed in 0.285s
2023-03-08 06:10:40,127 DEBUG    moulinette.core release - lock has been released
2023-03-08 06:20:33,653 DEBUG    moulinette.interface __init__ - initializing base actions map parser for cli
2023-03-08 06:20:33,654 DEBUG    moulinette.actionsmap __init__ - loading actions map
2023-03-08 06:20:33,655 DEBUG    moulinette.actionsmap _construct_parser - building parser...
2023-03-08 06:20:33,657 DEBUG    moulinette.actionsmap _construct_parser - building parser took 0.002s
2023-03-08 06:20:33,657 DEBUG    moulinette.core acquire - acquiring lock...
2023-03-08 06:20:33,666 DEBUG    moulinette.core acquire - lock has been acquired
2023-03-08 06:20:33,811 DEBUG    moulinette.actionsmap process - loading python module yunohost.dyndns took 0.145s
2023-03-08 06:20:33,811 DEBUG    moulinette.actionsmap process - processing action [897269.1]: yunohost.dyndns.update with args={'domain': None, 'force': False, 'dry_run': False}
2023-03-08 06:20:33,827 DEBUG    yunohost.utils.network (unknown function) - Fetching IP from https://ip.yunohost.org 
2023-03-08 06:20:33,830 DEBUG    urllib3.connectionpool (unknown function) - Starting new HTTPS connection (1): ip.yunohost.org:443
2023-03-08 06:20:33,943 DEBUG    urllib3.connectionpool (unknown function) - https://ip.yunohost.org:443 "GET / HTTP/1.1" 200 13
2023-03-08 06:20:33,946 DEBUG    yunohost.utils.network (unknown function) - IP fetched: 161.97.165.76
2023-03-08 06:20:33,953 DEBUG    yunohost.utils.network (unknown function) - Fetching IP from https://ip6.yunohost.org 
2023-03-08 06:20:33,954 DEBUG    urllib3.connectionpool (unknown function) - Starting new HTTPS connection (1): ip6.yunohost.org:443
2023-03-08 06:20:34,056 DEBUG    urllib3.connectionpool (unknown function) - https://ip6.yunohost.org:443 "GET / HTTP/1.1" 200 22
2023-03-08 06:20:34,057 DEBUG    yunohost.utils.network (unknown function) - IP fetched: 2a02:c206:2051:7165::1
2023-03-08 06:20:34,058 DEBUG    yunohost.dyndns (unknown function) - [897269.1] Building zone update ...
2023-03-08 06:20:34,129 DEBUG    yunohost.dyndns (unknown function) - [897269.1] Old IPv4/v6 are (161.97.165.76, 2a02:c206:2051:7165::1)
2023-03-08 06:20:34,129 DEBUG    yunohost.dyndns (unknown function) - [897269.1] Requested IPv4/v6 are (161.97.165.76, 2a02:c206:2051:7165::1)
2023-03-08 06:20:34,130 INFO     yunohost.dyndns (unknown function) - [897269.1] No updated needed.
2023-03-08 06:20:34,130 DEBUG    moulinette.actionsmap process - action [897269.1] executed in 0.318s
2023-03-08 06:20:34,130 DEBUG    moulinette.core release - lock has been released
2023-03-08 06:25:16,861 DEBUG    moulinette.interface __init__ - initializing base actions map parser for cli
2023-03-08 06:25:16,862 DEBUG    moulinette.actionsmap __init__ - loading actions map
2023-03-08 06:25:16,863 DEBUG    moulinette.actionsmap _construct_parser - building parser...
2023-03-08 06:25:16,872 DEBUG    moulinette.actionsmap _construct_parser - building parser took 0.008s
2023-03-08 06:25:16,873 DEBUG    moulinette.core acquire - acquiring lock...
2023-03-08 06:25:16,900 DEBUG    moulinette.core acquire - lock has been acquired
2023-03-08 06:25:16,910 DEBUG    moulinette.actionsmap process - loading python module yunohost.domain took 0.010s
2023-03-08 06:25:16,910 DEBUG    moulinette.actionsmap process - processing action [898087.1]: yunohost.domain.cert.renew with args={'domain_list': [], 'force': False, 'email': True, 'no_checks': False}
2023-03-08 06:25:17,185 DEBUG    yunohost.utils.ldap (unknown function) - initializing ldap interface
2023-03-08 06:25:33,984 ERROR    yunohost.certmanager (unknown function) - [898087.1] There is no diagnosis result for domain www.directory.trade-free.org yet. Please re-run a diagnosis for categories 'DNS records' and 'Web' in the diagnosis section to check if the domain is ready for Let's Encrypt. (Or if you know what you are doing, use '--no-checks' to turn off these checks.)
2023-03-08 06:25:33,984 ERROR    yunohost.certmanager (unknown function) - [898087.1] Sending email with details to root ...

-- Certificate Manager

I did nothing to any of these domains. It is weird because this only happens for subdomains of subdomains like www dot subdomain dot domain. I have lots of domains and all work fine.

Today I cannot access these websites anymore. I also cannot manually force the certificate.

sudo yunohost domain cert install www.directory.trade-free.org --force
[sudo] password for admin: 
Error: There is no diagnosis result for domain www.directory.trade-free.org yet. Please re-run a diagnosis for categories 'DNS records' and 'Web' in the diagnosis section to check if the domain is ready for Let's Encrypt. (Or if you know what you are doing, use '--no-checks' to turn off these checks.)
admin@server:~$

What can I do?

Thank you in advance!
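For triaging a log tail like the one quoted in this post, the following added example (not part of the original post and not YunoHost code) ties each ERROR line to the action that emitted it via the bracketed action id, and keeps only failures raised by `yunohost.domain.cert.*` actions. The function name, the regexes and the sample lines with `example.org` names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the yunohost-cli.log tail quoted above
# (example.org names are placeholders, not values from the thread).
SAMPLE_LOG = """\
2023-03-08 06:20:33,811 DEBUG    moulinette.actionsmap process - processing action [897269.1]: yunohost.dyndns.update with args={'domain': None, 'force': False, 'dry_run': False}
2023-03-08 06:20:34,130 INFO     yunohost.dyndns (unknown function) - [897269.1] No updated needed.
2023-03-08 06:25:16,910 DEBUG    moulinette.actionsmap process - processing action [898087.1]: yunohost.domain.cert.renew with args={'domain_list': [], 'force': False, 'email': True, 'no_checks': False}
2023-03-08 06:25:33,984 ERROR    yunohost.certmanager (unknown function) - [898087.1] There is no diagnosis result for domain www.shop.example.org yet. Please re-run a diagnosis.
2023-03-08 06:25:33,984 ERROR    yunohost.certmanager (unknown function) - [898087.1] Sending email with details to root ...
"""

# "<timestamp> <LEVEL>    <logger> <rest of line>"
LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<level>[A-Z]+)\s+(?P<logger>\S+) (?P<rest>.*)$")
# Line that announces which action an id belongs to
ACTION = re.compile(r"processing action \[(?P<id>[\d.]+)\]: (?P<name>[\w.]+) with args=")
# Any later line tagged with that id
TAGGED = re.compile(r"- \[(?P<id>[\d.]+)\] (?P<msg>.*)$")
DOMAIN = re.compile(r"for domain (?P<domain>[A-Za-z0-9.-]+)")


def cert_failures(log_text):
    """Return {domain: [(timestamp, message), ...]} for ERROR lines that
    belong to a yunohost.domain.cert.* action, ignoring unrelated actions."""
    actions = {}                      # action id -> action name
    failures = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                  # not a log record (blank line, wrapped text)
        started = ACTION.search(m["rest"])
        if started:
            actions[started["id"]] = started["name"]
            continue
        tagged = TAGGED.search(m["rest"])
        if not tagged or m["level"] != "ERROR":
            continue
        if not actions.get(tagged["id"], "").startswith("yunohost.domain.cert."):
            continue                  # error from some other action (e.g. dyndns)
        dom = DOMAIN.search(tagged["msg"])
        if dom:                       # skip errors that name no domain
            failures[dom["domain"]].append((m["ts"], tagged["msg"]))
    return dict(failures)


if __name__ == "__main__":
    for domain, events in cert_failures(SAMPLE_LOG).items():
        print(domain, len(events), events[0][0])
```
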

You can use --no-checks, but it doesn't really explain why the diagnosis doesn't properly diagnose those domains …

Does yunohost diagnosis run dnsrecords show anything suspicious?

This is all I get:


=================================
Base system (basesystem)
=================================

[WARNING] There's been a suspiciously high number of authentication failures recently. You may want to make sure that fail2ban is running and is correctly configured, or use a custom port for SSH as explained in https://yunohost.org/security.



=================================
DNS records (dnsrecords)
=================================

[WARNING] Some domains will expire soon!
  - videoneat.com expires in 43 days.



=================================
Applications (apps)
=================================

[WARNING] An issue was found for app Borg Backup
  - This application is currently flagged as broken on YunoHost's application catalog. This may be a temporary issue while the maintainers attempt to fix the issue. In the meantime, upgrading this app is disabled.

[ERROR] An issue was found for app Glitch-Soc
  - This application is currently flagged as broken on YunoHost's application catalog. This may be a temporary issue while the maintainers attempt to fix the issue. In the meantime, upgrading this app is disabled.

[ERROR] An issue was found for app onlyoffice.tromsite.com
  - This application is currently flagged as broken on YunoHost's application catalog. This may be a temporary issue while the maintainers attempt to fix the issue. In the meantime, upgrading this app is disabled.

You can use --no-checks, but it doesn't really explain why the diagnosis doesn't properly diagnose those domains …

Will that fix the issue and allow the certificate to renew?

I mean the output of literally yunohost diagnosis run dnsrecords, not the full diagnosis report …

It won’t fix the root cause of the issue, it will only bypass it

Sorry that was only

Warning: Found 1 item(s) that could be improved for DNS records. (+ 11 ignored issue(s))
Warning: To see the issues found, you can go to the Diagnosis section of the webadmin, or run 'yunohost diagnosis show --issues --human-readable' from the command-line.

So the websites won’t work anyway then…

--no-checks makes the website available but with that nasty warning. Not good… I wonder where the issue is. The pattern that I see is that ALL of the subdomain dot subdomain dot domain on my server have this exact same issue. So I suspect it has something to do with that.

I tried to completely remove those subdomains and re-add them. No luck.

Ignore the last two messages. All works now after I selected “Ignore diagnosis checks” and forced to renew the certificates.

Thanks!
