Cannot renew because of DNS response did not have an acceptable response code

My domain is:

I ran this command: certbot renew --cert-name --dry-run

I get this output: DNS response for did not have an acceptable response code: SERVFAIL checkout Let's Debug

My web server is (include version): nginx 1.24

The operating system my web server runs on is (include version): ubuntu 22.04

I can login to a root shell on my machine: yes

The version of my client is 1.21.0

I'm wondering what this error means and how I can debug it.
So far, this domain looks fine to me, pointing to an A record without any fancy configuration.

I use the certbot server for additional domains and it works pretty well. I'm assuming this is then related to the domain, but I can't see the differences with others.

Thanks in advance

Well, it might have something to do with DNSSEC, but I'm not sure.

While DNSViz doesn't provide any clue (at least, I can't find it), the debugging website does show the same SERVFAIL as reported by LetsDebug:

That said, the verbose logs of Unbound (the DNS resolving library used by Boulder, the ACME server used by Let's Encrypt) are not the easiest to read..


I don't have any insights to add. Just thought posting some of the messages from near the bottom of the unboundtest log would be helpful.

debug: request has exceeded the maximum number of glue fetches 69
debug: return error response SERVFAIL
debug: request has exceeded the maximum number of nxdomain nameserver lookups (5) with 6
debug: parent-side information is already present for the delegation point, no fallback possible
debug: return error response SERVFAIL
info: validator operate: query A IN
debug: validator: nextmodule returned
debug: cannot validate non-answer, rcode SERVFAIL
error: SERVFAIL < A IN>: exceeded the maximum nameserver nxdomains
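
An added example, not part of any post in this thread: a small triage script for an Unbound verbose log like the excerpt above, which pulls out the limit-exceeded lines and the final error. It uses the message formats quoted in the thread; `example.org.` is a placeholder for the query name the page omits, and treating the "non-answer" line as a sign that validation never ran is this example's reading of those messages.

```python
import re

# Message shapes taken from the log lines quoted in this thread.
RULES = [
    ("glue_fetch_limit", r"exceeded the maximum number of glue fetches (?P<seen>\d+)"),
    ("ns_nxdomain_limit", r"exceeded the maximum number of nxdomain nameserver "
                          r"lookups \((?P<limit>\d+)\) with (?P<seen>\d+)"),
    ("no_fallback", r"parent-side information is already present.*no fallback possible"),
    ("validator_skipped", r"cannot validate non-answer, rcode (?P<rcode>\w+)"),
    ("final_error", r"^error: (?P<rcode>\w+) <(?P<query>[^>]*)>: (?P<reason>.+)$"),
]
COMPILED = [(kind, re.compile(rx)) for kind, rx in RULES]

# Constructed sample: the thread's lines, with the placeholder name
# "example.org." where the page omits the real query name.
SAMPLE_LOG = """\
debug: request has exceeded the maximum number of glue fetches 69
debug: return error response SERVFAIL
debug: request has exceeded the maximum number of nxdomain nameserver lookups (5) with 6
debug: parent-side information is already present for the delegation point, no fallback possible
debug: return error response SERVFAIL
info: validator operate: query example.org. A IN
debug: validator: nextmodule returned
debug: cannot validate non-answer, rcode SERVFAIL
error: SERVFAIL <example.org. A IN>: exceeded the maximum nameserver nxdomains
"""

def triage(log_text):
    """Return (events, summary) for an Unbound verbose log."""
    events = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for kind, rx in COMPILED:
            m = rx.search(line.strip())
            if m:
                events.append({"line": lineno, "kind": kind, **m.groupdict()})
                break
    kinds = {e["kind"] for e in events}
    limits = sorted(kinds & {"glue_fetch_limit", "ns_nxdomain_limit"})
    final = next((e for e in events if e["kind"] == "final_error"), None)
    summary = {
        "limits_hit": limits,
        # Reading used here (an assumption of this example): a lookup limit
        # plus a "non-answer" line means the error rcode reached the validator
        # from the resolving step, so no DNSSEC check was performed on it.
        "failed_before_validation": bool(limits) and "validator_skipped" in kinds,
        "query": final["query"].strip() if final else None,
        "reason": final["reason"] if final else None,
    }
    return events, summary

if __name__ == "__main__":
    print(triage(SAMPLE_LOG)[1])
```

Run it against the full unboundtest output rather than the excerpt to see which lookups tripped the limits first.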
