Cannot Renew or create new certs

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: tomservo.dev

I ran this command:

sudo certbot certonly   --dns-digitalocean --dns-digitalocean-propagation-seconds 30  --dns-digitalocean-credentials /home/pi/certbot.ini   -d 'tomservo.dev'

It produced this output:

Certbot failed to authenticate some domains (authenticator: dns-digitalocean). The Certificate Authority reported these problems:
 Domain: tomservo.dev
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up TXT for _acme-challenge.tomservo.dev - the domain's nameservers may be malfunctioning

My web server is (include version): Nginx

The operating system my web server runs on is (include version): raspbian

My hosting provider, if applicable, is: self hosted, DNS and Name Servers Via Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Digital Ocean

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.22.0

I'm using the Digital Ocean certbot plugin. Originally I tried to renew and it failed the same way. I can log into Digital Ocean and see the TXT record get created. I used this method previously and it seems to have just broken?
When I log verbose, it gets an HTTP 200 from Digital Ocean. But it seems to be failing in trying to read the TXT record. Any ideas?


Looks like something is wrong with your DNS records. Let's Encrypt uses a method like unbound for lookups. You can see that any TXT lookup fails for your domain:
https://unboundtest.com/m/TXT/_acme-challenge.tomservo.dev/I63PPN2F

This site is often helpful for DNS problems; note the Bogus entries especially:
https://dnsviz.net/d/tomservo.dev/dnssec/

I do not know enough about DNS to guide you to a repair. Other volunteers might help or consult your DNS provider.


It looks like DNSSEC is just broken, and any DNS server that validates DNSSEC can't resolve the domain.

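A quick way to confirm the diagnosis above from your own machine, added here as an example and not part of the original thread: query the challenge record through a validating resolver once normally and once with the Checking Disabled (CD) bit set (`dig +cd`). A validating resolver answers SERVFAIL for a zone whose DNSSEC chain is bogus, but with CD set it returns the data without validating it, so "SERVFAIL without +cd, answer with +cd" means the records exist and DNSSEC is what is broken; SERVFAIL in both cases means the nameservers themselves are not answering. The script assumes `dig` is installed and that 1.1.1.1 validates DNSSEC; the domain name is a placeholder and the sample dig headers are constructed for offline use.

```shell
#!/bin/sh
# Added example: separate "DNSSEC validation failure" from "nameservers down"
# when certbot reports SERVFAIL for _acme-challenge.<domain>.
# Assumptions: dig is available; the resolver at 1.1.1.1 validates DNSSEC.

# rcode_of <dig output>: pull the rcode (NOERROR, SERVFAIL, ...) out of dig's
# ";; ->>HEADER<<- opcode: QUERY, status: X, id: N" line.
rcode_of() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# diagnose <validated output> <cd output>: classify what the two lookups show.
diagnose() {
    v=$(rcode_of "$1")
    c=$(rcode_of "$2")
    if [ "$v" = "SERVFAIL" ] && [ -n "$c" ] && [ "$c" != "SERVFAIL" ]; then
        echo "dnssec_bogus"       # data is served; only validation fails
    elif [ "$v" = "SERVFAIL" ]; then
        echo "nameserver_broken"  # fails even with validation switched off
    else
        echo "ok"                 # validating resolver is happy
    fi
}

# query_live <domain>: run both lookups against a validating resolver.
# +dnssec asks for RRSIGs so the resolver must validate; +cd disables checking.
query_live() {
    name="_acme-challenge.$1"
    validated=$(dig @1.1.1.1 +dnssec TXT "$name" 2>&1)
    unchecked=$(dig @1.1.1.1 +dnssec +cd TXT "$name" 2>&1)
    diagnose "$validated" "$unchecked"
}

# Constructed sample dig header lines (abbreviated) for running offline.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41532'
SAMPLE_NOERROR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41533'

if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    query_live "$2"          # e.g. ./check.sh --live example.com
else
    diagnose "$SAMPLE_SERVFAIL" "$SAMPLE_NOERROR"   # constructed case
fi
```

If the result is `dnssec_bogus`, the fix is at the DNS hosting side (DS records at the registrar not matching the zone's keys, or signing turned off while a DS record remains); certbot cannot work around it because Let's Encrypt's resolvers validate DNSSEC too.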

Can I just nuke what exists and start fresh? How do I do that?

If you want anybody that uses a DNSSEC-validating DNS server (which I would hope would be most of them at this point) to access your domain at all, you need to fix your DNSSEC configuration. If that's through Digital Ocean, then I'd suggest looking there and working with their support if needed. This really isn't related to Let's Encrypt, you just need a working domain first before you can get a certificate for it.

