Able to do a dry-run & test-certs but not able to issue certs

My domain is: testing.bellboytech.com

I ran this command:

certonly --reinstall --webroot -w /var/www/certbot --force-renewal --email **@bellboytech.com -d testing.bellboytech.com --agree-tos

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for testing.bellboytech.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: testing.bellboytech.com
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for testing.bellboytech.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for testing.bellboytech.com - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx-latest

The operating system my web server runs on is: ubuntu20

My hosting provider is: AWS ec2

I can login to a root shell on my machine: yes

When I run the command below

certonly --reinstall --test-certs --webroot -w /var/www/certbot --force-renewal --email email@bellboytech.com -d testing.bellboytech.com --agree-tos

The output was

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for testing.bellboytech.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/testing.bellboytech.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/testing.bellboytech.com/privkey.pem
This certificate expires on 2025-03-10.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

It's quite a clear message to me: the hostname testing.bellboytech.com does not exist in the DNS zone of the nameserver queried.

When you look at testing.bellboytech.com | DNSViz (done about 20 minutes ago), you see that only one out of two nameservers results in an IP address. The other one doesn't know the hostname. However, if we look at the zone now, both nameservers don't know the hostname: testing.bellboytech.com | DNSViz.

Please make sure the DNS zone is configured correctly on both nameservers before attempting getting a cert again using the http-01 challenge.

Also, is there a specific reason you're using both --reinstall and --force-renewal?

There probably is an already valid authorization for that hostname from some previous run on the staging server. If you'd use certbot renew --dry-run, where the --dry-run would disable any already valid authorizations on the staging server, it would fail also.

2 Likes

Thanks a lot Osiris for responding. Totally appreciate that.
Disclaimer: I am a newbie when it comes to letsencrypt :slight_smile:

I did add the A record almost 8 hrs before, not sure where it is going wrong. And I can ping the domain from local machine as well as ec2 instance and it works fine. Maybe DNS propagation is taking time, I am not sure. If you have any ideas here.

So you are suggesting I remove either one. Makes sense. Copy that.

1 Like
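The NXDOMAIN diagnosis above and the "ping works for me" observation are reconciled by asking each authoritative nameserver directly, which is what the CA's validation effectively does; a cached answer from your local resolver proves nothing about the second nameserver. The following is an added example for this thread, not Certbot's code: it builds a minimal non-recursive DNS query with only the standard library, sends it to one server, and reports NXDOMAIN versus the A records returned. The nameserver IPs in the `__main__` block are placeholders you replace with the zone's real NS addresses.

```python
import socket
import struct
NXDOMAIN = 3  # DNS RCODE 3: the name does not exist in the zone

def build_query(name, qtype=1, txid=0x1234):
    """One-question query (1 = A, 28 = AAAA); RD=0 so the server answers from zone data."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def _skip_name(msg, off):
    """Offset just past a (possibly compressed, RFC 1035 4.1.4) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_response(msg):
    """Return (rcode, list of A addresses) from a raw DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, off = flags & 0x000F, 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4       # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return rcode, addrs

def query_server(server_ip, name, qtype=1, timeout=3.0):
    """Ask one nameserver directly over UDP/53 and parse its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype), (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data)

if __name__ == "__main__":
    # Placeholder IPs (TEST-NET-1): use the zone's authoritative NS addresses instead.
    for ns_ip in ("192.0.2.1", "192.0.2.2"):
        rcode, addrs = query_server(ns_ip, "testing.bellboytech.com")
        print(ns_ip, "NXDOMAIN" if rcode == NXDOMAIN else addrs or "no A record")
```

If one server returns the address and the other returns NXDOMAIN, the zone is inconsistent between the two nameservers and http-01 will keep failing intermittently regardless of what your local resolver caches.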

In general you should never be using --force-renewal. It doesn't magically fix problems and often adds new ones by exceeding rate limits. There are some extremely limited scenarios where that flag is appropriate, but in most cases we see it being used by people that are not in one of those situations.

It is also helpful to include the actual command here, not just the parameters that you passed to it. We see certbot used here often enough to know that it has a certonly option, but it is only one of many possible ACME clients.

3 Likes

I haven't tried that but that could be a problem for Certbot.

1 Like

@Bruce5051 It's probably just some obfuscation to prevent spam.

1 Like

OK, @Osiris, I feel redacted is a better choice; just like example.com is the proper domain name to use if you redacted the actual domain name. Thanks! :slight_smile:

4 Likes
