I saw some posts on here about duplicate hostnames, but the things I've tried to do to prevent it haven't worked. This automated cert renewal has been working fine, and now it doesn't; the OS and certbot version haven't changed. Thanks for any help.
Domain: ply-freeipa-02.ipa.prd.localnet.ioipa.prd.localnet.io
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.ply-freeipa-02.ipa.prd.localnet.ioipa.prd.localnet.io - check that a DNS record exists for this domain
Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.
My web server is (include version): NA
The operating system my web server runs on is (include version): NA
My hosting provider, if applicable, is: local FreeIPA
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NA
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.11.0
$ nslookup
> ply-freeipa-02.ipa.prd.localnet.io
;; Got SERVFAIL reply from 75.75.75.75, trying next server
Server: 74.82.42.42
Address: 74.82.42.42#53
** server can't find ply-freeipa-02.ipa.prd.localnet.io: NXDOMAIN
> set q=soa
> ply-freeipa-02.ipa.prd.localnet.io
;; Got SERVFAIL reply from 127.0.0.1, trying next server
;; Got SERVFAIL reply from 75.75.75.75, trying next server
Server: 74.82.42.42
Address: 74.82.42.42#53
** server can't find ply-freeipa-02.ipa.prd.localnet.io: NXDOMAIN
> ipa.prd.localnet.io
Server: 127.0.0.1
Address: 127.0.0.1#53
** server can't find ipa.prd.localnet.io: NXDOMAIN
> prd.localnet.io
Server: 127.0.0.1
Address: 127.0.0.1#53
** server can't find prd.localnet.io: NXDOMAIN
> localnet.io
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
localnet.io
origin = ns1.voyant.com
mail addr = hostmaster.voyant.com
serial = 2022071100
refresh = 28800
retry = 7200
expire = 604800
minimum = 86400
Authoritative answers can be found from:
> server ns1.voyant.com
Default server: ns1.voyant.com
Address: 137.192.240.3#53
> localnet.io
Server: ns1.voyant.com
Address: 137.192.240.3#53
localnet.io
origin = ns1.voyant.com
mail addr = hostmaster.voyant.com
serial = 2022071100
refresh = 28800
retry = 7200
expire = 604800
minimum = 86400
> prd.localnet.io
Server: ns1.voyant.com
Address: 137.192.240.3#53
*** Can't find prd.localnet.io: No answer
> ipa.prd.localnet.io
Server: ns1.voyant.com
Address: 137.192.240.3#53
Non-authoritative answer:
*** Can't find ipa.prd.localnet.io: No answer
Authoritative answers can be found from:
ipa.prd.localnet.io nameserver = ply-freeipa-dns01.ipa.prd.localnet.io.
ipa.prd.localnet.io nameserver = ply-freeipa-dns02.ipa.prd.localnet.io.
ply-freeipa-dns02.ipa.prd.localnet.io internet address = 137.192.1.143
ply-freeipa-dns01.ipa.prd.localnet.io internet address = 137.192.1.142
> server ply-freeipa-dns01.ipa.prd.localnet.io
couldn't get address for 'ply-freeipa-dns01.ipa.prd.localnet.io': not found
> ipa.prd.localnet.io
Server: ns1.voyant.com
Address: 137.192.240.3#53
Non-authoritative answer:
*** Can't find ipa.prd.localnet.io: No answer
Authoritative answers can be found from:
ipa.prd.localnet.io nameserver = ply-freeipa-dns01.ipa.prd.localnet.io.
ipa.prd.localnet.io nameserver = ply-freeipa-dns02.ipa.prd.localnet.io.
ply-freeipa-dns02.ipa.prd.localnet.io internet address = 137.192.1.143
ply-freeipa-dns01.ipa.prd.localnet.io internet address = 137.192.1.142
>
> server ply-freeipa-dns01.ipa.prd.localnet.io
couldn't get address for 'ply-freeipa-dns01.ipa.prd.localnet.io': not found
> server ply-freeipa-dns02.ipa.prd.localnet.io
couldn't get address for 'ply-freeipa-dns02.ipa.prd.localnet.io': not found
>
Since these are Domain Validation (DV) certificates, the Domain Name System (DNS) is used extensively in the validation process, as well as allowing us to assist here on the Let's Encrypt community.
DNS queries need to give consistent results from any location on the Internet; all your authoritative DNS servers for the domain need to give consistent results as well.
Testing and debugging are best done using the Staging Environment as the Rate Limits are much higher. Rate Limits are per week (rolling).
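Two things in this thread are worth checking mechanically before touching the renewal hook: the failing name in the certbot output carries the zone twice with no dot between the copies ("...localnet.ioipa.prd.localnet.io"), which is the usual signature of a relative name being completed with the zone's $ORIGIN, and the nslookup session could not reach the two delegated FreeIPA nameservers by hostname even though their glue addresses (137.192.1.142 and 137.192.1.143) were printed right above. The script below is an added example, not certbot or FreeIPA code and not part of either post. It works offline on text copied from the thread (the nslookup snippet is reproduced as a constructed sample) and on TXT answer sets you collect yourself; the function names, the placeholder server address 192.0.2.10 and the token strings are assumptions made for the example.

```python
"""Offline helpers for diagnosing an ACME DNS-01 failure of the kind shown in the thread.

Added example, not certbot or FreeIPA code. It does no network lookups: it
parses text pasted from the post and compares answer sets you gather yourself.
"""
import re
from collections import Counter
from typing import Dict, Optional, Set

# Constructed sample: the delegation section of the poster's nslookup session.
NSLOOKUP_SNIPPET = """\
ipa.prd.localnet.io nameserver = ply-freeipa-dns01.ipa.prd.localnet.io.
ipa.prd.localnet.io nameserver = ply-freeipa-dns02.ipa.prd.localnet.io.
ply-freeipa-dns02.ipa.prd.localnet.io internet address = 137.192.1.143
ply-freeipa-dns01.ipa.prd.localnet.io internet address = 137.192.1.142
"""

NS_LINE = re.compile(r"^(\S+)\s+nameserver\s*=\s*(\S+?)\.?$")
GLUE_LINE = re.compile(r"^(\S+?)\.?\s+internet address\s*=\s*(\S+)$")


def parse_delegation(text: str) -> Dict[str, Optional[str]]:
    """Map each delegated nameserver to its glue address (None if no glue line).

    The glue address is what you query directly (nslookup's `server 137.192.1.142`)
    when the nameserver's own hostname does not resolve from your vantage point,
    which is exactly what "couldn't get address for ..." meant in the post.
    """
    servers: Dict[str, Optional[str]] = {}
    glue: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        m = NS_LINE.match(line)
        if m:
            servers[m.group(2)] = None
            continue
        m = GLUE_LINE.match(line)
        if m:
            glue[m.group(1)] = m.group(2)
    for name in servers:
        servers[name] = glue.get(name)
    return servers


def repair_doubled_zone(name: str, zone: str) -> Optional[str]:
    """Return the intended name if `name` ends with `zone` twice, else None.

    Handles both "host.zone.zone" and the dotless "host.zonezone" form seen in
    the certbot error; a doubled tail means a relative name was completed with
    the zone origin somewhere between the renewal hook and the zone data.
    """
    bare = name.rstrip(".")
    zone = zone.strip(".")
    for glue in ("", "."):
        doubled = zone + glue + zone
        if bare.endswith(doubled):
            return bare[: -len(doubled)] + zone
    return None


def acme_challenge_name(hostname: str) -> str:
    """Fully qualified _acme-challenge owner name, trailing dot kept.

    Passing the name as absolute (with the trailing dot) is what stops a zone
    from appending its own origin to it when the record is created.
    """
    return "_acme-challenge." + hostname.strip(".") + "."


def inconsistent_servers(answers: Dict[str, Set[str]]) -> Set[str]:
    """Servers whose TXT answer set differs from the most common answer set.

    `answers` maps a nameserver (name or address) to the TXT strings it returned
    for the _acme-challenge name. The validator may ask any authoritative server,
    so every one of them has to return the same set; a lagging replica shows up
    here before it shows up as a failed renewal.
    """
    if not answers:
        return set()
    tally = Counter(frozenset(a) for a in answers.values())
    majority = tally.most_common(1)[0][0]
    return {srv for srv, a in answers.items() if frozenset(a) != majority}


if __name__ == "__main__":
    failing = "ply-freeipa-02.ipa.prd.localnet.ioipa.prd.localnet.io"  # from the certbot output
    print("delegation:", parse_delegation(NSLOOKUP_SNIPPET))
    print("repaired name:", repair_doubled_zone(failing, "ipa.prd.localnet.io"))
    print("record to publish:", acme_challenge_name("ply-freeipa-02.ipa.prd.localnet.io"))
    # Constructed answer sets: the second FreeIPA DNS server has not received the TXT yet;
    # 192.0.2.10 is a placeholder for a third server and "tokenA" a placeholder token.
    sample = {"137.192.1.142": {"tokenA"}, "137.192.1.143": set(), "192.0.2.10": {"tokenA"}}
    print("servers out of step:", inconsistent_servers(sample))
```

To use it on a live zone, query the _acme-challenge name against each glue address that `parse_delegation` returns and feed the TXT strings into `inconsistent_servers`; if `repair_doubled_zone` returns a name, look at whatever creates the TXT record (the renewal hook or the FreeIPA DNS entry) for a name written without its trailing dot.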