Let's Encrypt Certificate won't renew for subdomain - "no diagnosis result"

My YunoHost server

Hardware: VPS bought online (BinaryLane Australia)
YunoHost version: 11.2.10
I have access to my server : Through SSH and through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : yes (some Python-based sites that don’t use any Yunohost App)

Description of my issue

Thank you to all who have contributed to such an amazing project.

I have a number of subdomains serving different apps. As mentioned above, some serve python-based apps that had to be installed manually as there was no suitable Yunohost App.

I have episodic problems with Let’s Encrypt certificates that won’t renew automatically and I am trying to debug one of these.

When I run Diagnosis from the terminal I get the following:

root@server:/# yunohost diagnosis run
Success! Everything looks OK for Base system! (+ 1 ignored issue(s))
Success! Everything looks OK for Internet connectivity! (+ 1 ignored issue(s))
Success! Everything looks OK for DNS records!
Error: Found 1 significant issue(s) related to Ports exposure!
Success! Everything looks OK for Web!
Success! Everything looks OK for Email!
Error: Failed to get status information via dbus for service mailman3-web, systemctl didn't recognize this service ('NoSuchUnit').
Success! Everything looks OK for Services status check! (+ 1 ignored issue(s))
Success! Everything looks OK for System resources!
Success! Everything looks OK for System configurations! (+ 4 ignored issue(s))
Warning: Found 1 item(s) that could be improved for Applications.
Warning: To see the issues found, you can go to the Diagnosis section of the webadmin, or run 'yunohost diagnosis show --issues --human-readable' from the command-line.

Note that both the “DNS Records” and “Web” sections report no issues.

Just to be sure, I run the “diagnosis show” command:

root@server:/# yunohost diagnosis show
reports: 
...
 2: 
    description: DNS records
    id: dnsrecords
    items: 
      0: 
        status: SUCCESS
        summary: DNS records are correctly configured for domain my_domain.com.au (category basic)
      1: 
        status: SUCCESS
        summary: DNS records are correctly configured for domain my_domain.com.au (category mail)
      2: 
        status: SUCCESS
        summary: DNS records are correctly configured for domain my_domain.com.au (category xmpp)
      3: 
        status: SUCCESS
        summary: DNS records are correctly configured for domain my_domain.com.au (category extra)
... 
  4: 
    description: Web
    id: web
    items: 
...
      5: 
        status: SUCCESS
        summary: Domain XXX.YYY.my_domain.com.au is reachable through HTTP from outside the local network.

Now, when I try to renew the domain certificate for one of my problem subdomains:

root@server:/# yunohost domain cert renew XXX.YYY.my_domain.com.au
Error: There is no diagnosis result for domain XXX.YYY.my_domain.com.au yet. Please re-run a diagnosis for categories 'DNS records' and 'Web' in the diagnosis section to check if the domain is ready for Let's Encrypt. (Or if you know what you are doing, use '--no-checks' to turn off these checks.)

In the past, I have done manual “no-checks” renewals and these work OK, but I’d like to try and fix the problem that prevents the automatic renewals.

Why does the “domain cert renew” command report “no diagnosis result” for my domain when the diagnosis appears to have completed without error? Where else can I look to find out what is preventing the certificate renewal?

TIA,

Rob
Waikiki, Western Australia
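The renew command's error message names two cached results it wants before it will talk to Let's Encrypt: a 'Web' result for the domain and a 'DNS records' result. The script below is an added example (not YunoHost's code, and not its actual matching logic) that reads a diagnosis report and says which of the two exist for a given domain, so you can see exactly what the cache holds for the subdomain rather than eyeballing the long listing. It assumes the report is obtained as JSON with the CLI's global `--output-as json` option, that each item carries a `meta` dict with a `domain` key (plus `category` for DNS records; the human-readable listing only shows status and summary), and that a subdomain's DNS check is reported under its nearest parent domain, as in the output posted above where only my_domain.com.au appears in the DNS records section.

```python
"""Inspect a YunoHost diagnosis report for the two results the renew
command asks for: a 'Web' result for the domain and a 'DNS records'
(basic) result for the domain or its parent.  Added example, not
YunoHost's own code or its actual matching logic."""
import json
import sys

# Constructed sample shaped like the posted `yunohost diagnosis show` output.
# ASSUMPTION: each item carries a "meta" dict with "domain" (and "category" for
# DNS records); the human-readable listing only shows status and summary.
SAMPLE_REPORT = {
    "reports": [
        {
            "id": "dnsrecords",
            "description": "DNS records",
            "items": [
                {"status": "SUCCESS",
                 "meta": {"domain": "my_domain.com.au", "category": cat},
                 "summary": f"DNS records are correctly configured for domain "
                            f"my_domain.com.au (category {cat})"}
                for cat in ("basic", "mail", "xmpp", "extra")
            ],
        },
        {
            "id": "web",
            "description": "Web",
            "items": [
                {"status": "SUCCESS",
                 "meta": {"domain": "XXX.YYY.my_domain.com.au"},
                 "summary": "Domain XXX.YYY.my_domain.com.au is reachable "
                            "through HTTP from outside the local network."},
            ],
        },
    ]
}


def report_items(report, report_id):
    """Items of the report with the given id, or [] if that category never ran."""
    for rep in report.get("reports", []):
        if rep.get("id") == report_id:
            return rep.get("items", [])
    return []


def domain_chain(domain):
    """The domain followed by each parent, deepest first, dropping the last label:
    'a.b.example.org' -> ['a.b.example.org', 'b.example.org', 'example.org']."""
    labels = domain.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def find_item(items, **meta):
    """First item whose meta matches every given key/value pair, else None."""
    for item in items:
        m = item.get("meta", {})
        if all(m.get(k) == v for k, v in meta.items()):
            return item
    return None


def acme_readiness(report, domain):
    """Return which of the two cached results exist for `domain` and their status."""
    web = find_item(report_items(report, "web"), domain=domain)
    dns, dns_domain = None, None
    for candidate in domain_chain(domain):          # subdomain falls back to parent
        dns = find_item(report_items(report, "dnsrecords"),
                        domain=candidate, category="basic")
        if dns is not None:
            dns_domain = candidate
            break
    web_status = web.get("status") if web else None
    dns_status = dns.get("status") if dns else None
    return {
        "domain": domain,
        "web_status": web_status,              # None = no cached Web result
        "dns_status": dns_status,              # None = no cached DNS result
        "dns_checked_as": dns_domain,
        "has_both_results": web is not None and dns is not None,
        "ready": web_status == "SUCCESS" and dns_status == "SUCCESS",
    }


if __name__ == "__main__":
    # Usage: yunohost --output-as json diagnosis show > report.json
    #        python3 acme_readiness.py report.json sub.example.org
    # Without arguments the constructed sample above is used.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            report, domain = json.load(fh), sys.argv[2]
    else:
        report, domain = SAMPLE_REPORT, "XXX.YYY.my_domain.com.au"
    print(json.dumps(acme_readiness(report, domain), indent=2))
```

If `web_status` comes back `None` for the subdomain while the listing shows a SUCCESS line for it, compare the `meta.domain` value in the JSON against the name you pass to `cert renew` character by character (trailing dot, case, a typo in one label); a mismatch there is the kind of thing the human-readable summary hides.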

Can you tell us about the ignored issues of the diagnosis? Maybe one of them is the culprit, especially System configurations and Base system.

Hi Rob,

Besides the ignored issues that Jarod5001 asks about, could you run the renewal via SSH and see if you got the option to upload the log?

I got a similar problem, with the same symptoms anyway, for one out of over a dozen subdomains.

When I run the command yunohost domain cert renew sub.domain.tld, there are some 60 lines of output. The invitation to upload the log is somewhere at line 20, so you’d miss it when only looking at the last couple of lines.

My log is at https://paste.yunohost.org/raw/ewezokavas

At the bottom of that log it reads:
2024-04-06 21:45:39,590: INFO - Verifying ffs.maindomain.tld...
2024-04-06 21:45:39,610: ERROR - Wrote file to /var/www/.well-known/acme-challenge-public/QOe0IZekkbxHjadU8FV-w9aIeDodkGGnsVfP3gzV-NY, but couldn't download http://ffs.maindomain.tld/.well-known/acme-challenge/QOe0IZekkbxHjadU8FV-w9aIeDodkGGnsVfP3gzV-NY: Error:
Url: http://ffs.maindomain.tld/.well-known/acme-challenge/QOe0IZekkbxHjadU8FV-w9aIeDodkGGnsVfP3gzV-NY

The point is, when I manually check that location in my browser, it does exist. Something to note about this specific subdomain is that it previously ran on another system (for a while, the application on this subdomain needed its own system, so it had another IP). If there was a DNS cache out of sync, that could be a reason in this case, but it is almost half a year since I switched, with no cert-related problems in the meantime.

Does your log look similar, or does it seem to be another problem?
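The log above shows the HTTP-01 validation step: a token file is written under the challenge directory and then fetched back over plain HTTP at the public hostname, and the fetch is what failed. The script below is an added example (not YunoHost's or Let's Encrypt's code) that reproduces that round trip so the failure can be separated into its parts: does the name resolve to the IP you expect, does the URL answer, and does the body equal the token. The challenge directory and URL layout are taken from the posted log line; the probe name, the `expected_ip` argument and the injectable `fetch`/`resolve` hooks are this example's own.

```python
"""Reproduce the HTTP-01 fetch that the log above shows failing: drop a token
file where YunoHost writes challenges and fetch it back over plain HTTP via
the public hostname.  Added example, not YunoHost's or Let's Encrypt's code."""
import os
import secrets
import socket
import urllib.error
import urllib.request

# Paths taken from the posted log line; everything else here is an assumption.
CHALLENGE_DIR = "/var/www/.well-known/acme-challenge-public"
CHALLENGE_URL = "http://{domain}/.well-known/acme-challenge/{token}"


def write_token(directory, token=None):
    """Create <directory>/<token> containing the token itself; return (token, path)."""
    token = token or secrets.token_urlsafe(32)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w") as fh:
        fh.write(token)
    return token, path


def http_fetch(url, timeout=10):
    """Plain-HTTP GET. Returns (status, body); status is None on connection/DNS error.
    urllib follows redirects (including to https), as the ACME validator does."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-selfcheck/0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, OSError) as exc:
        return None, str(exc)


def check_challenge(domain, token, fetch=http_fetch,
                    resolve=socket.gethostbyname, expected_ip=None):
    """Resolve the host, fetch the challenge URL and compare the body to the token.
    `fetch` and `resolve` are injectable so the logic can be exercised offline."""
    result = {"url": CHALLENGE_URL.format(domain=domain, token=token)}
    try:
        result["resolved_ip"] = resolve(domain)
    except OSError as exc:                     # NXDOMAIN, no resolver, etc.
        result["resolved_ip"], result["dns_error"] = None, str(exc)
    if expected_ip is not None:                # stale A record -> another box answers
        result["ip_matches"] = result["resolved_ip"] == expected_ip
    status, body = fetch(result["url"])
    result["status"] = status
    result["body_matches"] = status == 200 and body.strip() == token
    result["ok"] = result["body_matches"] and result.get("ip_matches", True)
    return result


if __name__ == "__main__":
    import json
    import sys
    # Usage (as root on the YunoHost box):
    #   python3 acme_selfcheck.py sub.example.org [public-ip-of-this-server]
    domain = sys.argv[1]
    expected = sys.argv[2] if len(sys.argv) > 2 else None
    token, path = write_token(CHALLENGE_DIR)
    try:
        print(json.dumps(check_challenge(domain, token, expected_ip=expected), indent=2))
    finally:
        os.remove(path)                        # do not leave probe files behind
```

Two caveats when reading the result. Run from the server itself, the fetch may resolve the name through /etc/hosts or reach the box without ever crossing the public path, so a pass here (like the browser check mentioned above) is necessary but not sufficient; the same function run from an outside host, or with the public IP passed as the second argument, is the stronger test. And note that the file is written under `acme-challenge-public` while the URL path is `acme-challenge`, so the web server has to map one onto the other for that specific hostname; a subdomain served by a hand-installed app with its own server block is exactly where that mapping can be missing even though every other subdomain renews fine.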

Thanks for your reply and log.

I don’t get that detailed output (I am running via SSH). I only get the two lines of output I posted above.

It appears that you are somehow running yours in Debug mode? How do you do that? From the command line you posted, it doesn’t appear to be a command line option.

Cheers,

Rob
Waikiki, Western Australia

OK, examining the yunohost command help, I discovered a global --debug argument and I tried that:

root@server:/# yunohost --debug domain cert renew XXX.YYY.my_domain.com.au
83   DEBUG initializing base actions map parser for cli
84   DEBUG loading actions map
85   DEBUG building parser...
91   DEBUG building parser took 0.006s
91   DEBUG acquiring lock...
100  DEBUG lock has been acquired
213  DEBUG loading python module yunohost.domain took 0.113s
213  DEBUG processing action [1112403.1]: yunohost.domain.cert.renew with args={'domain_list': ['XXX.YYY.my_domain.com.au'], 'force': False, 'email': False, 'no_checks': False}
243  DEBUG initializing ldap interface
249  ERROR There is no diagnosis result for domain XXX.YYY.my_domain.com.au yet. Please re-run a diagnosis for categories 'DNS records' and 'Web' in the diagnosis section to check if the domain is ready for Let's Encrypt. (Or if you know what you are doing, use '--no-checks' to turn off these checks.)
249  DEBUG action [1112403.1] executed in 0.036s
249  DEBUG lock has been released

So that output looked very different from yours and hasn’t helped at all!

Cheers,
Rob
Waikiki, WA

Hey! I didn’t even know I was running in debug mode!

Even so, these lines in your log point at the reason that there is not more output.

What is the output with the --no-checks switch? And what about the ignored issues in diagnosis that jarod5001 asked about?