Bogus multiple IPs associated with a domain

My domain is:

I ran this command:

certbot renew

It produced this output:

Domain: savcom.com.au
Type: unauthorized
Detail: 5.22.145.155: Invalid response from
http://savcom.com.au/.well-known/acme-challenge/zR0qgbQmSaiyvkNEuchtFqVjQAmmevPwEazM_XjKCcg:
403

My web server is (include version):

nginx-1.12.2-3.el7.x86_64

The operating system my web server runs on is (include version):

CentOS Linux release 7.7.1908 (Core)

My hosting provider, if applicable, is:

NA - internal reverse-proxy server

I can login to a root shell on my machine (yes or no, or I don't know):

Yes - I am the guy who installed and setup this server for the customer - I bleed Linux :slight_smile:

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No - direct ssh access to server Linux command line

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 0.37.2

Issue:

A while back this domain name was transferred to the current registrar (who offer no support to date) by the former registrar.

When trying to resolve the domain name with any commands, such as 'host', it returns the following:

savcom.com.au has address 5.22.145.155
savcom.com.au has address 5.22.145.180
savcom.com.au has address 203.196.32.216

and the real IP for this domain is: 203.196.32.216

Neither of the two 5.22.145.x addresses that seem to have been inherited since this 'transfer' has anything to do with the domain; they are essentially dead ends. They appear to point to somewhere in Germany.
Neither of these IP addresses nor their DNS names exists in the customer's DNS zone records, so this is very suspect and concerning.

The issue persists with the error:

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: savcom.com.au
Type: unauthorized
Detail: During secondary validation: 5.22.145.180: Invalid response
from
http://savcom.com.au/.well-known/acme-challenge/fOVw0-SlxHqIbC1LOPyTfP8bHNbtykJCzCgx8agGl7M:
403

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

I have tried adding the 203.196.32.216 address to /etc/hosts and also setting 127.0.0.1 for nameserver /etc/resolv.conf entries.
The dry-run option works successfully every time but the live one fails constantly and I do not wish to exhaust attempts for the domain renewal.

My question is (and I know Let's Encrypt does not issue IP-address-based certificates, given the CA architecture, all good): is there a way to tell Let's Encrypt to use only the specific IP for the domain name, so the ACME test lands on the actual server for savcom.com.au (203.196.32.216)?

I have tried escalating this to the registrar's support, who have provided nothing but ghosting since this 'transfer', so I am seeking to move this domain to a valid registrar here in our own country. This whole mess has resulted in other issues where I have had to involve auDA over my other customer domains and this registrar (and I got the hell out of this registrar myself owing to the 'silence' from their support).

Just a distress flare being fired up to see if Let's Encrypt can get around the DNS issue, but not hoping for too much, as I know this is not an actual Let's Encrypt issue.


A quick update - as the local Linux server is using their MikroTik router as the DNS resolver, I have added a static DNS name to the MikroTik with the IP address, but this still fails, so Let's Encrypt is using something else for DNS resolution perhaps.

Still calling for any suggestions from you all - with many thanks in advance for any assistance (or confirmation nothing will help via letsencrypt) you can provide.

Let's Encrypt ACME servers use the IP in the public DNS from the authoritative DNS servers. And those 3 IPs are there.

Your DNS servers look like ns1.partnerconsole.net and related

See https://unboundtest.com for a query test


Three A records do exist.

dig ns savcom.com.au

; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> ns savcom.com.au
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58958
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;savcom.com.au.                 IN      NS

;; ANSWER SECTION:
savcom.com.au.          3600    IN      NS      ns2.partnerconsole.net.
savcom.com.au.          3600    IN      NS      ns1.partnerconsole.net.
savcom.com.au.          3600    IN      NS      ns3.partnerconsole.net.

;; Query time: 67 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Fri Apr 19 17:28:18 PDT 2024
;; MSG SIZE  rcvd: 114

rip:T430 ~ >>  dig mx savcom.com.au

; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> mx savcom.com.au
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 883
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;savcom.com.au.                 IN      MX

;; ANSWER SECTION:
savcom.com.au.          3363    IN      MX      1 mail.savcom.com.au.

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Fri Apr 19 17:28:30 PDT 2024
;; MSG SIZE  rcvd: 63

Maybe @rg305 can help sort this out.


Thanks MikeMcQ, yes they come back with 3 IPs when enquiring, but only one is listed for the domain's DNS A/CNAME entries. The registrar never responds and these DNS servers are part of the registrar's pointers for the domain.
They have another completely different domain that has exactly the same setup in zone and DNS servers and it only resolves to the 203 address... something fishy going on for sure.


Thanks Rip - yes the dig, host and all other enquiries match what you have found and the partnerconsole.net hosts are part of all the customers other domains held with this registrar, but the savcom.com.au domain is the only one with these two extra IPs that have nothing to do with the setup or Zone records.


From which system?
Using which DNS servers?

I don't see a DNS issue.

I see a potential geolocation preferential treatment:
[where some countries/networks are allowed to reach the site and some are not]

I also see a very old version of certbot:


With multiple IP addresses in the DNS a Let's Encrypt server might choose any one of them. So the primary may have gotten lucky and gotten the right one and a secondary server gotten a "wrong" one. They admit the DNS has 3 IPs but don't know how to fix it. Their control panel only shows one IP apparently.

Agree regarding Certbot version being ancient but not affecting this anyway.


OK, I must have been typing something wrong...

dig a savcom.com.au @ns1.partnerconsole.net.

Returns:

savcom.com.au. 3600 IN A 203.196.32.216
savcom.com.au. 3600 IN A 5.22.145.180
savcom.com.au. 3600 IN A 5.22.145.155

The problem is within the DNS zone.

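To make the two points above concrete (a Let's Encrypt validator may connect to any of the published A records, and what matters is what the authoritative nameservers answer, not /etc/hosts or the local resolver), here is an added Python pre-flight check. It is not part of this thread, of Certbot, or of Let's Encrypt. It parses constructed `dig +short` answers (the three addresses posted above, assumed here to be identical on all three partnerconsole nameservers), flags addresses in the zone that are not the challenge host, and estimates how often a multi-perspective validation would land only on the real server under a simplifying assumption stated in the code.

```python
"""Pre-flight check before `certbot renew`: do all authoritative nameservers
publish only the address that serves /.well-known/acme-challenge/?

Added example, not code from the thread. Feed it the output of
`dig +short a <domain> @<ns>` for each server from `dig +short ns <domain>`.
"""
import ipaddress
from typing import Dict, Set

EXPECTED_IP = "203.196.32.216"  # the host that actually serves the challenge

# Constructed input: `dig +short a savcom.com.au @<ns>` per authoritative
# server. The three addresses are the ones posted in the thread; that all
# three servers return the same set is an assumption for this example.
DIG_SHORT_OUTPUT: Dict[str, str] = {
    "ns1.partnerconsole.net.": "203.196.32.216\n5.22.145.180\n5.22.145.155\n",
    "ns2.partnerconsole.net.": "5.22.145.155\n203.196.32.216\n5.22.145.180\n",
    "ns3.partnerconsole.net.": "203.196.32.216\n5.22.145.180\n5.22.145.155\n",
}


def parse_dig_short(text: str) -> Set[str]:
    """Return the IPv4 addresses in `dig +short` output.

    `dig +short` prints one record per line; when the name is a CNAME the
    target name is printed first, so anything that is not an IPv4 literal
    is skipped.
    """
    addrs: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        try:
            addrs.add(str(ipaddress.IPv4Address(line)))
        except ValueError:
            continue
    return addrs


def audit_a_records(expected_ip: str, per_ns_output: Dict[str, str]) -> Dict[str, object]:
    """Compare every authoritative server's A records with the one address
    that serves the challenge.

    Reports: addresses in the zone that are not the challenge host (any
    validator that picks one of them gets a 403 or nothing), servers that
    omit the expected address entirely, and servers whose answer differs
    from the first server's (stale secondary or split zone).
    """
    answers = {ns: parse_dig_short(out) for ns, out in per_ns_output.items()}
    union: Set[str] = set().union(*answers.values()) if answers else set()
    stray = sorted(union - {expected_ip})
    missing = sorted(ns for ns, a in answers.items() if expected_ip not in a)
    reference = next(iter(answers.values()), set())
    disagreeing = sorted(ns for ns, a in answers.items() if a != reference)
    return {
        "stray": stray,
        "missing_expected": missing,
        "disagreeing": disagreeing,
        "ok": not stray and not missing and not disagreeing,
    }


def chance_all_validators_hit_server(n_records: int, n_serving: int, n_validators: int) -> float:
    """Probability that every validation perspective connects to a host that
    serves the challenge.

    Simplifying assumption of this example (not a statement about Boulder's
    internals): each perspective picks one A record uniformly at random and
    does not try another address after a 403. This is why one run can "get
    lucky" and the next fail during secondary validation.
    """
    if n_records <= 0 or n_serving < 0 or n_serving > n_records or n_validators < 0:
        raise ValueError("invalid record or validator counts")
    return (n_serving / n_records) ** n_validators


if __name__ == "__main__":
    report = audit_a_records(EXPECTED_IP, DIG_SHORT_OUTPUT)
    print("zone ok:", report["ok"])
    print("stray A records (fix these in the DNS control panel):", report["stray"])
    print("servers missing the expected address:", report["missing_expected"])
    print("servers disagreeing with ns1:", report["disagreeing"])
    # Illustrative only: 1 serving host out of 3 records, 4 perspectives assumed.
    p = chance_all_validators_hit_server(3, 1, 4)
    print(f"chance every validator lands on the real server: {p:.3%}")
```

Run the real `dig +short` commands against each nameserver named in the NS answer (not against 127.0.0.53 or the MikroTik), paste the output into `DIG_SHORT_OUTPUT`, and treat any non-empty `stray` list as "renewal will be flaky until the zone is fixed".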

But his registrar won't communicate!


The registrar doesn't control DNS.
The registrar only points the domain to specific authoritative DNS names [and handles DNSSEC].
The DSP controls the DNS entries.

[some "all-purpose sites" are both registrar and DSP]


I understood that!! ;@) But how to account for the IP addresses?
PARTNERCONSOLE.NET ?


Wherever the DNS console/control is at.
Yes, I'd start with: "partnerconsole.net"

Simple.
There are three IPs in the zone.
Two need to be deleted.
LOL


This indeed is not really a Let's Encrypt/ACME problem, but an issue with the authoritative nameservers at "partnerconsole", whatever that company might be (I would NOT enter my password at https://www.partnerconsole.net/ to be honest; while looks often don't say anything, it looks shady as )#($*...). Looking at https://support.tppwholesale.com.au/hc/en-gb/articles/360009201278-Modifying-Your-Domain-s-Nameservers it seems to be part of TPP Wholesale.


I would suggest moving your domain DNS hosting to Cloudflare (free), you can even transfer the domain registrar role to them if you want.


That won't be an option in this case. Cloudflare does not support registration of any .au domains.

Their suitability as a registrar is highly dependent on expectations. If one is okay with an at-cost registrar that requires the use of Cloudflare nameservers and the level of support commensurate with that price point, it can work.

I recommend against using their registrar for important domains. Their registrar introduces more risk than I am willing to tolerate. They are best suited for low value hobby domains or large portfolios managed by enterprise customers with SLAs built into their custom agreement.


Happy Cake Day @linkp



Thanks. I hadn't noticed that yet today.


Thanks everyone. This remains a DNS/registrar issue, and having been completely ghosted by this 'registrar' in regards to support tickets for a couple of years now, the only solution is to get the domain password and transfer away from it.

I was hoping there was a kind of certbot work-around to make the initial re-cert valid, but to no avail based on what I have read and you have all confirmed. Fully understand.

Never seen this multiple IPs for a domain name in my life, specifically something not showing the IPs/node names in DNS Zone records that is.

Please mark this as closed/resolved with the resolution being get away from this registrar with this domain.

Thanks again for your time and replies.


I highly support and recommend doing that! :slight_smile:
