Auth.acme-dns.io - Temporary failure in name resolution

Today, when I ran the command to get a TLS certificate for my domain, I got the below error.

I ran this command in the server which already has a TLS certificate from Let's Encrypt and got the same error.
sudo certbot renew --dry-run

It produced this output:

manual-auth-hook command "/etc/letsencrypt/acme-dns-auth.py" returned error code 1
Error output from manual-auth-hook command acme-dns-auth.py:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 159, in _new_conn
    conn = connection.create_connection(
  File "/usr/lib/python3/dist-packages/urllib3/util/connection.py", line 61, in create_connection
    for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
  File "/usr/lib/python3.8/socket.py", line 918, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Temporary failure in name resolution

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 666, in urlopen
    httplib_response = self._make_request(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 377, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 1001, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 314, in connect
    conn = self._new_conn()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 171, in _new_conn
    raise NewConnectionError(
urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x7f0ff54225b0>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 720, in urlopen
    retries = retries.increment(
  File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 438, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='auth.acme-dns.io', port=443): Max retries exceeded with url: /update (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f0ff54225b0>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/etc/letsencrypt/acme-dns-auth.py", line 154, in <module>
    client.update_txt_record(account, VALIDATION_TOKEN)
  File "/etc/letsencrypt/acme-dns-auth.py", line 63, in update_txt_record
    res = requests.post(self.acmedns_url+"/update",
  File "/usr/lib/python3/dist-packages/requests/api.py", line 116, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/api.py", line 60, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 535, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 648, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 516, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='auth.acme-dns.io', port=443): Max retries exceeded with url: /update (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f0ff54225b0>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))

Is the server auth.acme-dns.io down?

Is there any other alternative way to get the TLS certificate?

Looks like it to me.

Sure. But we don't know why you're trying to use that particular service, or anything about your setup. Most users don't need to use the DNS challenge, and most users who do wouldn't be using that particular service to help them fulfill it. So it's hard to help without knowing the reason why you're trying to use them, or what alternatives you're open to.

4 Likes

That is usually a problem in your local DNS not being able to resolve that domain name.

I don't know that script well enough to say exactly what it is connecting to. But, make sure your local system can resolve public DNS names normally. Use tools like dig or nslookup, for example.

1 Like
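To separate the two explanations offered in this thread (a broken local resolver versus auth.acme-dns.io itself not resolving), here is an added diagnostic script, not part of the original posts or of the acme-dns-auth.py hook. It resolves the acme-dns host alongside control names that any working resolver should answer; the control names and the injectable resolver are assumptions made for this example.

```python
import socket
from typing import Callable, Iterable

# Host the manual-auth-hook in the thread tried to reach.
ACMEDNS_HOST = "auth.acme-dns.io"
# Assumed control names: if none of these resolve, the local resolver is at fault.
CONTROL_HOSTS = ("acme-v02.api.letsencrypt.org", "example.com")


def can_resolve(host: str, resolver: Callable = socket.getaddrinfo) -> bool:
    """True if `host` yields at least one address; False on a gaierror like Errno -3."""
    try:
        return bool(resolver(host, 443, 0, socket.SOCK_STREAM))
    except socket.gaierror:
        return False


def diagnose(target: str = ACMEDNS_HOST, controls: Iterable[str] = CONTROL_HOSTS,
             resolver: Callable = socket.getaddrinfo) -> str:
    """Classify a 'Temporary failure in name resolution' raised by the auth hook.

    'ok'             - target resolves; the hook's failure is not a lookup problem
    'local-resolver' - nothing resolves; fix /etc/resolv.conf, systemd-resolved, etc.
    'target-only'    - only the target fails; consistent with that service being down
    """
    if can_resolve(target, resolver):
        return "ok"
    if not any(can_resolve(h, resolver) for h in controls):
        return "local-resolver"
    return "target-only"


def fake_resolver(ok_hosts: set) -> Callable:
    """Offline stand-in for socket.getaddrinfo (constructed for testing, no network)."""
    def resolver(host, port, family, socktype):
        if host in ok_hosts:
            return [(socket.AF_INET, socktype, 6, "", ("192.0.2.1", port))]
        raise socket.gaierror(-3, "Temporary failure in name resolution")
    return resolver


if __name__ == "__main__":
    print(diagnose())  # uses the real resolver on the machine running certbot
```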

In this particular case, I think it is in fact that auth.acme-dns.io is down.

Though of course it's possible that more than one thing can be broken at once.

3 Likes

...and most users who do have a use for acme-dns should be hosting it locally. The auth.acme-dns.io service was never intended to be used in production; it was only intended to be used for testing or as an example.

5 Likes

Going beyond the above statement, using it in production is a security issue. You're basically trusting a random third party proof-of-concept installation as being part of your security stack. If that system were to be compromised, attackers could issue certificates on your behalf due to the CNAME delegation.

Using it is not against the ISRG/LE Subscriber Agreement, but it is definitely against common sense best practices.

5 Likes

  • The best thing to do is use HTTP domain validation if you can
  • If you have to use DNS validation consider if you can switch to a DNS provider that has API automation (Cloudflare, AWS Route 53 etc)
  • If you don't control the domain you can CNAME the _acme-challenge record(s) to a TXT record in a domain you do control. e.g. _acme-challenge.www.theirdomain.com to _acme-challenge.www.theirdomain.auth.yourdomain.com and update that record instead (the terminology for this varies, like CNAME alias or CNAME delegation).
  • You can set up and run your own acme-dns instance
  • You could use a commercial equivalent service if you trust the provider (hello!). The security risks noted by @jvanasco are also noted in the following docs: Certify DNS | Certify The Web Docs

The likelihood is that @joohoi (hi! let me know if sponsoring will help) will resume that service when he can but there's also nothing wrong with an occasional outage to warn people that they are not supposed to be relying on it for critical sites.

6 Likes
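The CNAME delegation described above is what makes a third-party acme-dns host part of your certificate issuance trust: whoever answers the final name in the chain can pass DNS-01 for you. As an added example (not code from the thread or from acme-dns), this script follows the _acme-challenge CNAME chain over a constructed record set and reports whether validation is answered in your own zone, in a zone you declare trusted, or by a third party; the record data and zone names are assumptions.

```python
from typing import Dict, List, Set, Tuple

# Constructed DNS data for this example: name -> (type, value).
RECORDS: Dict[str, Tuple[str, str]] = {
    "_acme-challenge.www.theirdomain.com": ("CNAME", "_acme-challenge.www.theirdomain.auth.yourdomain.com"),
    "_acme-challenge.www.theirdomain.auth.yourdomain.com": ("TXT", "constructed-token-1"),
    "_acme-challenge.shop.example.net": ("CNAME", "00000000-aaaa-bbbb-cccc-000000000000.auth.acme-dns.io"),
    "_acme-challenge.plain.example.com": ("TXT", "constructed-token-2"),
    "_acme-challenge.loop.example.org": ("CNAME", "_acme-challenge.loop.example.org"),
}


def follow_cname(name: str, records: Dict[str, Tuple[str, str]],
                 max_hops: int = 8) -> Tuple[str, List[str]]:
    """Follow CNAMEs from `name`; return (final owner, chain). Raise on loops/depth."""
    chain, seen = [name], {name}
    while True:
        rr = records.get(chain[-1])
        if rr is None or rr[0] != "CNAME":
            return chain[-1], chain
        target = rr[1].rstrip(".").lower()
        if target in seen or len(chain) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {target}")
        seen.add(target)
        chain.append(target)


def in_zone(name: str, zone: str) -> bool:
    """True if `name` is `zone` or lies beneath it."""
    return name == zone or name.endswith("." + zone)


def audit_delegation(domain: str, records: Dict[str, Tuple[str, str]],
                     trusted_zones: Set[str]) -> str:
    """Report who actually answers the DNS-01 challenge for `domain`."""
    name = f"_acme-challenge.{domain}".lower()
    try:
        final, _chain = follow_cname(name, records)
    except ValueError:
        return "broken"          # loop or runaway chain: validation cannot succeed
    if final == name:
        return "direct" if name in records else "missing"
    if any(in_zone(final, z) for z in trusted_zones):
        return "self-hosted"     # delegated to a zone you control (your own acme-dns)
    return "third-party"         # the operator of `final` can obtain certs for you
```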