I followed this tutorial to create local certificates for my home server, but now it failed to renew automatically and I have no clue waht to do. Can anybody assist me in debugging, please? https://notthebe.ee/blog/easy-ssl-in-homelab-dns01/
I’m using duckdns.org, added mydomain.duckdns.org and the local IP of my home server. In Nginx-Proxy-Manager I have created the respective wildcard certificate. The log of my NPM container reports the following:
[3/10/2024] [1:55:50 PM] [SSL ] › ℹ info Renewing Let'sEncrypt certificates via DuckDNS for Cert #6: *.mydomain.duckdns.org, mydomain.duckdns.org
[3/10/2024] [1:55:50 PM] [SSL ] › ℹ info Command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-6" --disable-hook-validation --no-random-sleep-on-renew
[3/10/2024] [1:55:50 PM] [Global ] › ⬤ debug CMD: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-6" --disable-hook-validation --no-random-sleep-on-renew
[3/10/2024] [1:55:53 PM] [Express ] › ⚠ warning Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Failed to renew certificate npm-6 with error: The DNS response does not contain an answer to the question: mydomain.duckdns.org. IN TXT
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/npm-6/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
I had issues with DNS checks and traced it to my pihole. I changed that container’s resolv.conf to use cloudflare DNS and it has been working fine since. It was with Caddy so needed to change over to use IPs.
Have you looked at the debug log? Or even what you pasted? It tells you what it’s missing (though this part doesn’t go into the whys).
Of course, but I don’t know what it means or what to do with it otherwise I obviously wouldn’t have create this post!?
Does the debug log not have more info?
Here’s the full log from /tmp/letsencrypt-log/letsencrypt.log. https://notebin.de/?4859b67f1b29f0e2#8G6vSon5PUGUHoZvMYD3zKwx8hkJeCV9xQM4TWFSvudM
Did you replace your domain with mydomain.duckdns.org in the logs, or did you just not configure the client with your domain? I’m not sure how it would have ever worked if that was the case, though. Either way, it tells you the DNS challenge record is missing.
I replaced my actual domain with “mydomain”.