Latest issue with LetsEncrypt

NethServer Version: ns8
Module: mail/letsencrypt
Hi, I have an issue with the renewal of the mail domain on ns8. It expired this morning and wouldn’t renew. I tried deleting it to get a new certificate (production system for work and about 22 users), but now I get:

2025-06-15T09:11:57+12:00 [1:traefik1:traefik] 2025-06-14T21:11:57Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [autoconfig.xxx.info]: error: one or more domains had a problem:\n[autoconfig.xxx.info] invalid authorization: acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for autoconfig.xx.info - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for autoconfig.xx.info - check that a DNS record exists for this domain\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["autoconfig.xx.info"] providerName=acmeServer.acme routerName=webtop1-autoconfig-https@file rule=Host(`autoconfig.xxx.info`)
2025-06-15T09:32:58+12:00 [1:traefik1:traefik] 2025-06-14T21:32:58Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [autoconfig.xx.info]: error: one or more domains had a problem:\n[autoconfig.xx.info] invalid authorization: acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for autoconfig.xxx.info - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for autoconfig.xx.info - check that a DNS record exists for this domain\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["autoconfig.xx.info"] providerName=acmeServer.acme routerName=webtop1-autoconfig-https@file rule=Host(`autoconfig.xxx.info`)
2025-06-15T09:33:22+12:00 [1:traefik1:traefik] 2025-06-14T21:33:22Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [autoconfig.xxx.info]: error: one or more domains had a problem:\n[autoconfig.xxx.info] invalid authorization: acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for autoconfig.xxx.info - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for autoconfig.xxx.info - check that a DNS record exists for this domain\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["autoconfig.xxx.info"] providerName=acmeServer.acme routerName=webtop1-autoconfig-https@file rule=Host(`autoconfig.xxx.info`)
2025-06-15T09:33:24+12:00 [1:traefik1:traefik] 2025-06-14T21:33:24Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [autoconfig.xxx.info]: error: one or more domains had a problem:\n[autoconfig.xxx.info] invalid authorization: acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for autoconfig.xxx.info - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for autoconfig.xxx.info - check that a DNS record exists for this domain\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["autoconfig.xxx.info"] providerName=acmeServer.acme routerName=webtop1-autoconfig-https@file rule=Host(`autoconfig.xxx.info`)
2025-06-15T09:33:35+12:00 [1:traefik1:traefik] 2025-06-14T21:33:35Z ERR Unable to obtain ACME certificate for domains error="unable to generate 

etc. I don’t have an autoconfig specified in my subdomains and never had. Is this a cryptic rate limit error from Let’s Encrypt, or an improvement with the latest updates?

How can I resolve this manually so the production server doesn’t cause expired certificate errors?

Thanks

Turbond

Found it… Webtop has added a few new sub-domains… so I wish it had told me this when it did its update. Which explains the error above.

What threw me was the GUI saying everything was fine… certificate obtained with the big green circle and white tick. Obviously this should have shown not obtained and then I would have located the error faster, as it was confusing having mail report an outdated certificate, but the GUI saying all was fine. Can this please be looked into, or better yet a small GUI enhancement that allows viewing of the obtained certificates?
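For triaging failures like the ones in the log above, here is an added example (not part of the original posts and not NethServer or Traefik code) that groups Traefik ACME errors by the hostname in the router's `Host()` rule, names the router that asked for the certificate, and flags hostnames that have reached Let's Encrypt's documented limit of 5 failed validations per hostname per account per hour. The sample lines, `example.org` and the `autodiscover` router name are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Let's Encrypt documents 5 failed validations per hostname, per account, per hour.
FAILED_VALIDATION_LIMIT = 5

ACME_FAIL = re.compile(
    r'^(?P<ts>\S+) \[[^\]]+\] \S+ ERR Unable to obtain ACME certificate'
    r'.*?urn:ietf:params:acme:error:(?P<kind>\w+)'
    r'.*?routerName=(?P<router>\S+) rule=Host\(`(?P<host>[^`]+)`\)'
)

def summarize(lines):
    """Return ({host: stats}, skipped): failures per Host() rule, plus unparseable ACME lines."""
    seen = defaultdict(lambda: {"kinds": set(), "routers": set(), "times": []})
    skipped = 0
    for line in lines:
        if "Unable to obtain ACME certificate" not in line:
            continue
        m = ACME_FAIL.match(line)
        if not m:  # e.g. a line cut short by the log viewer
            skipped += 1
            continue
        s = seen[m["host"]]
        s["kinds"].add(m["kind"])
        s["routers"].add(m["router"])
        s["times"].append(datetime.fromisoformat(m["ts"]))
    report = {}
    for host, s in seen.items():
        last = max(s["times"])
        recent = sum(1 for t in s["times"] if last - t < timedelta(hours=1))
        report[host] = {"kinds": sorted(s["kinds"]), "routers": sorted(s["routers"]),
                        "attempts": len(s["times"]), "last_hour": recent,
                        "at_limit": recent >= FAILED_VALIDATION_LIMIT}
    return report, skipped

def _line(ts, host, router):  # builds one constructed sample line
    return (f'{ts} [1:traefik1:traefik] 2025-01-01T00:00:00Z ERR Unable to obtain ACME '
            f'certificate for domains error="acme: error: 400 :: urn:ietf:params:acme:error:dns '
            f':: DNS problem: NXDOMAIN looking up A for {host}\\n" domains=["{host}"] '
            f'providerName=acmeServer.acme routerName={router} rule=Host(`{host}`)')

SAMPLE = [_line(f"2025-06-15T09:{m:02d}:00+12:00", "autoconfig.example.org",
                "webtop1-autoconfig-https@file") for m in (1, 10, 20, 30, 40, 50)]
SAMPLE.append(_line("2025-06-15T09:05:00+12:00", "autodiscover.example.org",
                    "webtop1-autodiscover-https@file"))
SAMPLE.append('2025-06-15T09:55:00+12:00 [1:traefik1:traefik] 2025-01-01T00:00:00Z ERR '
              'Unable to obtain ACME certificate for domains error="unable to generate ')

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A hostname reported with kind `dns` needs either a DNS record or removal of the route that requests it; retrying without one only adds to the failure count.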

Interesting–other than autoconfig., do you know what they are? I haven’t seen errors on my system yet, but it’d be good to get ahead of it.

autodiscover. domain
autoconfig. domain

Just a heads up. I am now getting timeouts.
So that is Let’s Encrypt not happy with the retries. Looks like I’ll be busy telling people to ignore certificate errors until further notice.

What I’d really like is a way to request individual certificates on all the https routes, and on the TLS Certificate GUI page have these listed with a renew button (force renew) in case the system breaks again. If anyone can point me to the GitHub I’ll have a go at fixing/breaking it, to get these features.

Please note:

Last login: Sun Jun 15 12:24:00 2025 from 192.168.3.8
[root@kea ~]# api-cli run module/traefik1/delete-certificate --data '{"fqdn":"mail.deleted_domain.co.nz","type":"internal"}'
Warning: using user "cluster" credentials from the environment
<3>Timeout after about 30 seconds. Certificate not obtained for ['mail.current_doamin.info', 'kea.current_domain.info', 'mail.other_current_domain.co.nz'].
<3> false

This is the issue.
