Can no longer renew certs

This command always worked for me before but now doesn't:

 sudo certbot renew -v

I get:

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: www.purestyle.se
  Type:   dns
  Detail: During secondary validation: While processing CAA for www.purestyle.se: DNS problem: query timed out looking up CAA for www.purestyle.se

or

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: www.purestyle.se
  Type:   dns
  Detail: DNS problem: query timed out looking up A for www.purestyle.se; DNS problem: NXDOMAIN looking up AAAA for www.purestyle.se - check that a DNS record exists for this domain

I don't think I ever had a CAA, A, or AAAA dns post. I use CNAME to redirect to a dynamic DNS service.

raspberry pi (raspbian), 6.6.74+rpt-rpi-v8
certbot 2.1.0

Any ideas what has started happening?

I can access the machine fine, but I suppose the verifying servers cannot for some reason.

1 Like

Yeah and that DDNS service is failing miserably. See e.g.

There are some warnings, but probably more importantly, the errors about some non-responsive nameservers. It took a very long time to resolve down into that tplinkdns.com zone.

Probably not something you can fix yourself except by changing DDNS service.

2 Likes

Note that www.purestyle.se is a CNAME to purestyle.tplinkdns.com thus the CAA record will be handled via purestyle.tplinkdns.com name servers.

While purestyle.se is an A to 83.254.17.42 thus the CAA record will be handled via purestyle.se name servers.

And here is what I see for DNS

2 Likes
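Added example (not code from this thread or from Let's Encrypt): the post above says the CAA check for www.purestyle.se lands on the purestyle.tplinkdns.com name servers because of the CNAME, while purestyle.se is served by its own name servers. The script below models that by running the CAA lookup order of RFC 8659 section 3 (CAA at the alias target first, then climb the parents of the original name) over a constructed in-memory zone table, with the tplinkdns.com zone marked as never answering. The CNAME, the empty CAA set for purestyle.se and the dead zone mirror what the thread reports; the example.test names and records are constructed, and the simplified match logic is an assumption, not the CA's actual implementation.

```python
# Added example, not from the thread: RFC 8659 CAA lookup order over a
# constructed offline zone table. Names and records are constructed.
from dataclasses import dataclass, field


class LookupTimeout(Exception):
    """Models 'query timed out': the zone's authoritative servers never answer."""


@dataclass
class FakeZone:
    cname: dict = field(default_factory=dict)   # owner -> alias target
    caa: dict = field(default_factory=dict)     # owner -> [(tag, value), ...]
    dead_suffixes: tuple = ()                   # zones whose servers time out

    def _check_alive(self, name: str) -> None:
        for suffix in self.dead_suffixes:
            if name == suffix or name.endswith("." + suffix):
                raise LookupTimeout(f"query timed out looking up {name}")

    def query_cname(self, name: str):
        self._check_alive(name)
        return self.cname.get(name)

    def query_caa(self, name: str) -> list:
        self._check_alive(name)
        return list(self.caa.get(name, []))


def resolve_alias(zone: FakeZone, name: str, max_hops: int = 8) -> str:
    """A(X): follow the CNAME chain from name to its final target."""
    for _ in range(max_hops):
        target = zone.query_cname(name)
        if target is None:
            return name
        name = target
    raise ValueError(f"CNAME chain too long starting at {name}")


def parent(name: str) -> str:
    """P(X): drop the leftmost label; the root is the empty string."""
    return name.partition(".")[2]


def relevant_caa_set(zone: FakeZone, domain: str):
    """RelevantCAASet(domain): CAA(A(domain)) if non-empty, otherwise repeat
    at the parent of the ORIGINAL name (not of the alias target).
    Returns (name_at_which_records_were_found, records) or (None, [])."""
    name = domain
    while name:
        records = zone.query_caa(resolve_alias(zone, name))
        if records:
            return name, records
        name = parent(name)
    return None, []


def caa_check(zone: FakeZone, domain: str, ca: str) -> str:
    """Decide whether `ca` may issue a non-wildcard cert for `domain`:
    'allowed', 'forbidden', or 'dns-error: ...' when a lookup times out.
    Simplified matching (assumption): only the 'issue' tag is considered."""
    try:
        found_at, records = relevant_caa_set(zone, domain)
    except LookupTimeout as exc:
        return f"dns-error: {exc}"
    if found_at is None:
        return "allowed"        # no CAA anywhere up the tree: any CA may issue
    # value may carry parameters after ';' -> keep only the CA identifier
    issue_values = [v.split(";")[0].strip() for tag, v in records if tag == "issue"]
    if not issue_values:
        return "allowed"        # only unrelated tags present (e.g. iodef)
    # "issue ;" yields an empty identifier, which matches no CA
    return "allowed" if ca in issue_values else "forbidden"


# Constructed zone table mirroring the thread: the CNAME is real per the
# post above; the example.test records and the dead zone are constructed.
ZONE = FakeZone(
    cname={"www.purestyle.se": "purestyle.tplinkdns.com"},
    caa={
        "example.test": [("issue", "letsencrypt.org")],   # constructed
        "locked.example.test": [("issue", ";")],          # constructed: nobody may issue
    },
    dead_suffixes=("tplinkdns.com",),  # models the unresponsive DDNS name servers
)

if __name__ == "__main__":
    for name in ("purestyle.se", "www.purestyle.se",
                 "host.example.test", "locked.example.test"):
        print(f"{name:22} -> {caa_check(ZONE, name, 'letsencrypt.org')}")
```

Running it shows purestyle.se resolving cleanly to "allowed" (no CAA at any level), while www.purestyle.se never gets as far as a CAA answer: following the CNAME requires the tplinkdns.com servers, and the timeout surfaces as the same "query timed out" class of error the thread quotes. The CA repeats this lookup from several vantage points, which is why the failure can appear under "During secondary validation".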

Do you imply that letsencrypt is in error here?

No, how well responding are the Name Servers for

❓

Observe https://unboundtest.com/ responses

purestyle.se - https://unboundtest.com/m/CAA/purestyle.se/R3IGHKOQ

Query results for CAA purestyle.se

Response:
;; opcode: QUERY, status: NOERROR, id: 61584
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 1232

;; QUESTION SECTION:
;purestyle.se.	IN	 CAA

;; AUTHORITY SECTION:
purestyle.se.	0	IN	SOA	ns1.namesystem.se. registry.glesys.se. 13 10800 2700 1814400 10800

----- Unbound logs -----

www.purestyle.se - https://unboundtest.com/m/CAA/www.purestyle.se/XPKBELH6

Query results for CAA www.purestyle.se
----- Unbound logs -----

purestyle.tplinkdns.com - https://unboundtest.com/m/CAA/purestyle.tplinkdns.com/ZANBDL7C

Query results for CAA purestyle.tplinkdns.com
----- Unbound logs -----

See how the response for purestyle.se is nice, but www.purestyle.se and purestyle.tplinkdns.com are abrupt and not nice.

Thus the Authoritative Name Servers for purestyle.tplinkdns.com are where the "error" is,
and not an error on Let’s Encrypt's part.