Cert has Expired, Renewal is Failing

It’s odd, I can resolve that domain. Perhaps GoDaddy is having a regional outage. Though they’re popular enough I’d expect more reports.

Consider spreading the nameservers across multiple DNS providers for increased redundancy.

How do I make this happen?

dnsspy can see the root domain but not the subdomain…
They are both served from the same name servers.
Same sources to same destination.
One gets answers
The other doesn’t…

I would not wait - I would put up another name server.
How big can your Internet zone be? 20 lines?

If you don’t operate a DNS server, then you will be at the mercy of interoperability.
That means you will have to (usually manually) maintain multiple copies of the same zone with different providers.
You can find DNS as low as FREE.
But again that requires you to manually be the sync.
To get fully synced systems would probably cost way more than it would be worth.
So the key questions are:

  • how big is your Internet zone
  • how often do you make changes

With some “luck” and good choices, you might get DNS providers that offer APIs.
Which could alleviate the manual sync process to some degree.
But that would require programming them…

We’ve now reached the end of my knowledge when it comes to any of this. I’m not sure what my Internet Zone is and at this point I’m afraid to ask.

Your domain name is your Internet zone.
Any of the entries that use that name or end with that name aggregate to the contents of the “zone”.
The www record, MX records, for instance are key entries in the zone.

This may be a long shot, but try:

  • deleting the sftp A record from your DNS zone (at GoDaddy)
  • wait a minute
  • then add it back in as before

Maybe their systems are just out-of-sync with themselves…

Not sure that will make any difference:
see: https://letsdebug.net/pioneerdm.com/380
LE can’t see your root domain either.

Ok, internet zone is tiny, but the site and web host are managed by a third party vendor. I had to contact them to get them to create my subdomain.

Is there a way to just have the sftp A record backed up without having to mess with any of the other junk on the host?

There are some minor tricks that can be played, but that may not get you a certificate today.
Your best bet is to add another (unrelated) DNS server into the mix - which should be reachable by LE and the rest of the Internet as well.

If you can get a copy of that zone, I may be able to help you out (temporarily - free of charge, naturally).
Or I could try to stub your zone - which may also work (needs to be tested)

I’m sorry for being a pain. Just to recap:

LE can’t validate my cert because it can’t find a name server that points sftp.pioneerdm.com to my local site. Even though top level DNS resolves the IP Address correctly, the Name Server is required for LE to work? Is that correct?

Yes that is the gist of it.
But to be clear - it is not just LE that can’t see your domain (and subdomains)
Some part of the Internet (how much is unclear) can’t resolve your domain names.

So the way around that is to either find out why GoDaddy isn’t responding correctly to LE or to generate a copy of the entire DNS Zone for pioneer.com and put it on another host with a name server that will respond correctly to LE?

Yes.
The Internet DNS system itself is operating correctly.
“.” says go here (list of servers) for “com”
“com” servers say go here (list of IPs) for “pioneerdm.com”
for unknown reasons, access to those IPs is down.
so they can’t get to your DNS servers, so they can’t know where your sites are.

And how do we know for sure it’s not just LE? Wasn’t there a stink about GoDaddy not letting people put free SSL Certs on site hosted there? Could GD just be refusing traffic from LE?

And there’s nothing that could be misconfigured on my local server/network that could be stopping LE from being able to validate my cert?

Could I be using an old version of LetsEncrypt.exe?

That would be affecting a whole lot of people.
Haven't heard the cries yet - but, who knows, you might just be the first one to notice.

No, we validated the problem from other independent sources.

Ok, so backup name servers are the way to go.

Do I have to have access to the original host to set up a backup name server? Is it enough that I have the list of DNS records from DNS Spy?

You would want to be sure you have ALL the records in that zone.
Understand that all DNS servers are authoritative and their answer is final.
If the entry is only in servers A & B, but the request goes to server C.
Server C will respond with that entry definitely does NOT exist.
So don’t leave anything out.
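The two points made above (keeping manually synced copies of the zone at several providers, and every authoritative server needing every record, because a server that lacks a record answers that it definitely does not exist) can be checked mechanically. The script below is an added example, not code from this thread or from Let's Debug, DNS Spy or GoDaddy. It takes one snapshot of answers per authoritative server, in the `NAME TTL CLASS TYPE RDATA` shape that `dig +noall +answer` prints, and reports which records each server is missing relative to the union. The server names, the `example.test` zone and all addresses are constructed sample data; `ns3` deliberately lacks the `sftp` A record to show the failure mode. The `live_snapshot` helper, which shells out to `dig`, is included for real use but is not exercised by the sample run.

```python
"""Compare the records each authoritative name server returns for a zone.

Added example for this thread; the SNAPSHOTS below are constructed, not
real answers from any provider.
"""
import subprocess

# Constructed snapshots for three hypothetical authoritative servers.
# Format per line: NAME TTL CLASS TYPE RDATA (what `dig +noall +answer` prints).
SNAPSHOTS = {
    "ns1.example-dns.test": """
example.test.        3600 IN A  203.0.113.10
www.example.test.    3600 IN A  203.0.113.10
sftp.example.test.   3600 IN A  198.51.100.25
example.test.        3600 IN MX 10 mail.example.test.
""",
    "ns2.example-dns.test": """
example.test.        3600 IN A  203.0.113.10
www.example.test.    3600 IN A  203.0.113.10
sftp.example.test.   3600 IN A  198.51.100.25
example.test.        3600 IN MX 10 mail.example.test.
""",
    # Constructed out-of-sync copy: no sftp record. A resolver that happens
    # to ask this server is told, authoritatively, that sftp does not exist.
    "ns3.example-dns.test": """
example.test.        3600 IN A  203.0.113.10
www.example.test.    3600 IN A  203.0.113.10
example.test.        3600 IN MX 10 mail.example.test.
""",
}


def parse_records(text):
    """Parse zone-style answer lines into a set of (name, type, rdata).

    TTL and class are ignored because they legitimately differ between
    servers; name and type are normalised so comparisons are exact.
    """
    records = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5:
            raise ValueError(f"unexpected answer line: {raw!r}")
        name, _ttl, _klass, rtype = parts[:4]
        rdata = " ".join(parts[4:])
        records.add((name.lower().rstrip("."), rtype.upper(), rdata))
    return records


def compare_servers(snapshots):
    """Return {server: records present on some other server but missing here}."""
    parsed = {srv: parse_records(txt) for srv, txt in snapshots.items()}
    union = set().union(*parsed.values())
    return {srv: union - recs for srv, recs in parsed.items()}


def servers_missing(snapshots, name, rtype):
    """List the servers that would deny that (name, rtype) exists."""
    want = name.lower().rstrip(".")
    missing = []
    for srv, txt in snapshots.items():
        recs = parse_records(txt)
        if not any(n == want and t == rtype.upper() for n, t, _ in recs):
            missing.append(srv)
    return sorted(missing)


def report(snapshots):
    """Human-readable summary, one block per server."""
    lines = []
    for srv, missing in sorted(compare_servers(snapshots).items()):
        if not missing:
            lines.append(f"{srv}: complete")
            continue
        lines.append(f"{srv}: MISSING {len(missing)} record(s)")
        for n, t, r in sorted(missing):
            lines.append(f"    {n} {t} {r}")
    return lines


def live_snapshot(server, queries):
    """Build a snapshot by asking one server directly with dig (needs network).

    `queries` is a list of (name, type). Not used by the offline sample run.
    """
    out = []
    for name, rtype in queries:
        proc = subprocess.run(
            ["dig", f"@{server}", name, rtype, "+noall", "+answer"],
            capture_output=True, text=True, check=False,
        )
        out.append(proc.stdout)
    return "\n".join(out)


if __name__ == "__main__":
    print("\n".join(report(SNAPSHOTS)))
    print("servers denying sftp A:", servers_missing(SNAPSHOTS, "sftp.example.test", "A"))
```

To check a real zone, build one snapshot per name server listed in the delegation with `live_snapshot(ns, [("sftp.example.test", "A"), ...])` for every name and type you expect, then feed the dict to `report`; any server that shows up as missing records is one that part of the Internet will get a negative answer from.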

I’m not positive that this is the problem since I haven’t seen what letsdebug checks in order to display this error. Notably, it seemed to resolve OK on unboundtest.com:

https://unboundtest.com/m/A/sftp.pioneerdm.com/IG2M6YZ2

So I need a full list of DNS Records for my Domain, so that someone doesn’t pull info from a Name Server that doesn’t have the complete info and then can’t reach me.

How can we explain the DNS SPY failures?