devnull.land

Miscellaneous bits and bobs from the tech world

Remove a single domain from a Certbot certificate that contains multiple domains

6/9/2022, 4:14:22 PM


I came across a scenario where I had a certificate (example.org, below) that covered multiple domains, but one of those domains (broken.example.org, below) no longer had an A record, causing certbot to abort renewals with an error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for broken.example.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (example.org) from /etc/letsencrypt/renewal/example.org.conf produced an unexpected error: Failed authorization procedure. bbs.medborgerligsamling.se (http-01): urn:ietf:params:acme:error:dns :: no valid A records found for broken.example.org; no valid AAAA records found for broken.example.org. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/example.org/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/example.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: broken.example.org
   Type:   None
   Detail: no valid A records found for broken.example.org; no
   valid AAAA records found for broken.example.org

You could generate a new certificate with the remaining domains, or—as I've discovered—you can use --allow-subset-of-names [1].

When certbot renew is run with --allow-subset-of-names, any domain that fails its challenge is simply left out of the renewed certificate, while the domains that pass are renewed as usual.
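Because the flag drops failing names silently, it is worth knowing in advance which names will disappear from the certificate, and checking afterwards that only the intended one did. The script below is an added example (my code, not the post's and not part of certbot). It parses the "IMPORTANT NOTES" block certbot prints to list the names that failed authorization, reads the current SAN list from the live certificate with `openssl x509 -ext subjectAltName` (OpenSSL 1.1.1 or later), and resolves each name to predict what --allow-subset-of-names would keep. SAMPLE_LOG is constructed sample data modelled on the output above, and fake_resolver() is an offline stand-in for socket.getaddrinfo so the check runs without network access.

```python
"""Pre-flight check for `certbot renew --allow-subset-of-names` (added example,
not from the post or from certbot).

  * parse_failed_names(): names certbot reported as failing authorization.
  * san_names_from_cert(): DNS SANs of the live cert via openssl.
  * names_without_address_records(): names with no A/AAAA record, i.e. the
    names the flag would leave out of the renewed certificate.

SAMPLE_LOG is constructed sample data; fake_resolver() is a test helper.
"""
import re
import socket
import subprocess
import sys
from typing import Callable, Dict, Iterable, List, Set

SAMPLE_LOG = """\
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: broken.example.org
   Type:   None
   Detail: no valid A records found for broken.example.org; no
   valid AAAA records found for broken.example.org
"""


def parse_failed_names(log_text: str) -> Dict[str, str]:
    """Return {domain: detail} for each entry in certbot's error report.

    Entries are 'Domain:' / 'Type:' / 'Detail:' lines; a Detail line may wrap
    onto following lines, and a blank line ends the entry.
    """
    failed: Dict[str, str] = {}
    current = None
    for line in log_text.splitlines():
        text = line.strip()
        if text.startswith("Domain:"):
            current = text.split(":", 1)[1].strip().lower()
            failed[current] = ""
        elif current is None:
            continue
        elif text.startswith("Detail:"):
            failed[current] = text.split(":", 1)[1].strip()
        elif not text:
            current = None  # blank line closes the entry
        elif failed[current] and not text.startswith("Type:"):
            failed[current] += " " + text  # wrapped continuation of Detail
    return failed


def san_names_from_cert(pem_path: str) -> List[str]:
    """DNS SANs of the first certificate in pem_path, e.g.
    /etc/letsencrypt/live/example.org/fullchain.pem (needs OpenSSL >= 1.1.1)."""
    out = subprocess.run(
        ["openssl", "x509", "-in", pem_path, "-noout", "-ext", "subjectAltName"],
        check=True, capture_output=True, text=True,
    ).stdout
    return [n.lower() for n in re.findall(r"DNS:([^,\s]+)", out)]


def names_without_address_records(
    names: Iterable[str],
    resolve: Callable[..., object] = socket.getaddrinfo,
) -> List[str]:
    """Names for which no A/AAAA record resolves; the ACME dns error in the
    post is exactly this condition, so these are the names the flag drops."""
    missing = []
    for name in names:
        try:
            resolve(name, 443, type=socket.SOCK_STREAM)
        except socket.gaierror:
            missing.append(name)
    return missing


def fake_resolver(unresolvable: Set[str]) -> Callable[..., list]:
    """Offline stand-in for socket.getaddrinfo (constructed, not real DNS)."""
    def resolve(name, port, **kwargs):
        if name in unresolvable:
            raise socket.gaierror("no address records (constructed)")
        return []
    return resolve


def predict_renewed_names(current: Iterable[str], missing: Iterable[str]) -> List[str]:
    """Names that would survive a renewal run with --allow-subset-of-names."""
    dropped = set(missing)
    return [n for n in current if n not in dropped]


def main(argv: List[str]) -> int:
    if len(argv) > 1:  # real check: python3 check.py /etc/letsencrypt/live/<name>/fullchain.pem
        names = san_names_from_cert(argv[1])
        resolve = socket.getaddrinfo
    else:  # offline demonstration on the constructed sample
        names = ["example.org", "www.example.org", "broken.example.org"]
        resolve = fake_resolver({"broken.example.org"})
        print("certbot reported:", parse_failed_names(SAMPLE_LOG))
    missing = names_without_address_records(names, resolve)
    print("would be dropped:", missing)
    print("renewed cert would cover:", predict_renewed_names(names, missing))
    return 1 if missing else 0  # non-zero so a cron/CI step notices the shrinking SAN list


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the live fullchain.pem before `certbot renew --allow-subset-of-names` to see exactly which names will go, and again afterwards: the "would be dropped" list should then be empty, and the SAN list should differ from the old one only by the name you expected to lose.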

References

  1. https://community.letsencrypt.org/t/certbot-remove-one-domain-from-a-san-cert-multiple-domains/35554/2