Cannot Renew or create new certs

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

sudo certbot certonly   --dns-digitalocean --dns-digitalocean-propagation-seconds 30  --dns-digitalocean-credentials /home/pi/certbot.ini   -d ''

It produced this output:

Certbot failed to authenticate some domains (authenticator: dns-digitalocean). The Certificate Authority reported these problems:
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up TXT for - the domain's nameservers may be malfunctioning

My web server is (include version): Nginx

The operating system my web server runs on is (include version): raspbian

My hosting provider, if applicable, is: self hosted, DNS and Name Servers Via Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Digital Ocean

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.22.0

I'm using the digital ocean certbot pluigin, originally i tried to renw and it failed the same way. I can log into digital ocean and see the TXT record get created. I used this method previously and it seems to have just broken?
When i log verbose, it gets an HTTP 200 from digital ocean. But it seems to be failing in trying to read the txt record. Any ideas?


Looks like something is wrong with your DNS records. Let's Encrypt uses a method like unbound for lookups. You can see any TXT lookup fails for your domain:

This site is often helpful for DNS problems - note the Bogus entries especially

I do not know enough about DNS to guide you to a repair. Other volunteers might help or consult your DNS provider.


It looks like DNSSEC is just broken, and any dns server that validates DNSSEC can't resolve the domain.


can i just nuke what exists and start fresh? How do i do that?

If you want anybody that uses a DNSSEC-validating DNS server (which I would hope would be most of them at this point) to access your domain at all, you need to fix your DNSSEC configuration. If that's through Digital Ocean, then I'd suggest looking there and working with their support if needed. This really isn't related to Let's Encrypt, you just need a working domain first before you can get a certificate for it.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.