Certbot certonly failure. Just started

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.dotndebhome.duckdns.org

I ran this command:
certbot certonly --non-interactive --renew-by-default --server https://acme-v02.api.letsencrypt.org/directory -a dns-duckdns --dns-duckdns-credentials /config/dns-conf/duckdns.ini --dns-duckdns-propagation-seconds 300 --rsa-key-size 4096 -m dotman@comcast.net --no-eff-email --agree-tos -d www.dotndebhome.duckdns.org
It produced this output:
Waiting for verification...
Challenge failed for domain www.dotndebhome.duckdns.org
dns-01 challenge for www.dotndebhome.duckdns.org

Certbot failed to authenticate some domains (authenticator: dns-duckdns). The Certificate Authority reported these problems:
Domain: www.dotndebhome.duckdns.org
Type: dns
Detail: DNS problem: SERVFAIL looking up TXT for _acme-challenge.www.dotndebhome.duckdns.org - the domain's nameservers may be malfunctioning

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-duckdns. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-duckdns-propagation-seconds (currently 300 seconds).

Cleaning up challenges
Some challenges have failed.

Logfile information.
Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-duckdns. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-duckdns-propagation-seconds (currently 300 seconds).

2024-09-08 18:35:36,828:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/lsiopy/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/lsiopy/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2024-09-08 18:35:36,828:DEBUG:certbot._internal.error_handler:Calling registered functions
2024-09-08 18:35:36,828:INFO:certbot._internal.auth_handler:Cleaning up challenges
2024-09-08 18:35:37,322:DEBUG:charset_normalizer:Encoding detection: ascii is most likely the one.
2024-09-08 18:35:37,324:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/lsiopy/bin/certbot", line 8, in
sys.exit(main())
^^^^^^
File "/lsiopy/lib/python3.11/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/lsiopy/lib/python3.11/site-packages/certbot/_internal/main.py", line 1894, in main
return config.func(config, plugins)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/lsiopy/lib/python3.11/site-packages/certbot/_internal/main.py", line 1600, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/lsiopy/lib/python3.11/site-packages/certbot/_internal/main.py", line 143, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/lsiopy/lib/python3.11/site-packages/certbot/_internal/client.py", line 517, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/lsiopy/lib/python3.11/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/lsiopy/lib/python3.11/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/lsiopy/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/lsiopy/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2024-09-08 18:35:37,326:ERROR:certbot._internal.log:Some challenges have failed.

My web server is (include version): nginx

The operating system my web server runs on is (include version):
nginx version: nginx/1.24.0
My hosting provider, if applicable, is:
Home Machine
I can login to a root shell on my machine (yes or no, or I don't know):
yes (docker container linuxserver/swag)
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.10.0

You're not the first one having trouble with DuckDNS, see also Propogation time limit exceeded. Seems like the nameservers from DuckDNS are often not responding or just way too slow. There's nothing Let's Encrypt can do about malfunctioning third party DNS servers I'm afraid.

Is there a specific reason why you're using the --dns-01 challenge by the way?

Also:

Please don't use this option. Also, please don't use options you don't understand to begin with.

2 Likes

If you truly need an RSA cert...

That requires an additional parameter:

--key-type {rsa,ecdsa}

[in this case: --key-type rsa]
For more complete documentation, see: User Guide — Certbot 2.12.0.dev0 documentation

As we can see below, the recently issued cert is 256 bit type ECDSA:
crt.sh | 14478464354

3 Likes

Apologies. Grabbed something off a blog post.
I tried this one and it seemed to work or at least I seemed to get a set of pems.

certbot --server https://acme-v02.api.letsencrypt.org/directory -a dns-duckdns --dns-duckdns-credentials /config/dns-conf/duckdns.ini --dns-duckdns-propagation-seconds 120 -m dotman@comcast.net --no-eff-email --agree-tos -d www.dotndebhome.duckdns.org

Getting the same error as before, pretty much.
I don't know where the DNS challenge stuff is coming from so I will have to research that.
This was working fine until I rebooted the main machine and the docker container restarted.
Had the same working setup for almost a year I think.

As long as DuckDNS doesn't have their s**t together, there's not much you can do. This is what I get when I simply try to resolve your hostname:

couldn't get address for 'ns7.duckdns.org': not found
couldn't get address for 'ns2.duckdns.org': not found
couldn't get address for 'ns3.duckdns.org': failure
couldn't get address for 'ns4.duckdns.org': failure
couldn't get address for 'ns9.duckdns.org': failure
couldn't get address for 'ns1.duckdns.org': failure
couldn't get address for 'ns8.duckdns.org': failure
couldn't get address for 'ns5.duckdns.org': failure
couldn't get address for 'ns6.duckdns.org': failure
dig: couldn't get address for 'ns7.duckdns.org': no more

And then fails..

2 Likes
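A stdlib-only way to reproduce the check the CA performs before re-running certbot, as an added example that is not code from this thread, from certbot or from DuckDNS: it sends a single UDP DNS query for TXT _acme-challenge.<name> to a nameserver you pick and reports the RCODE, so a SERVFAIL from a malfunctioning authoritative server can be told apart from a record that simply has not been published yet. The nameserver address used in the usage line is a placeholder; the thread names the ns*.duckdns.org hosts but not their addresses.

```python
"""Probe the TXT record a dns-01 challenge publishes, the way the CA does.

Constructed example, not code from the thread or from certbot: one UDP DNS
query for TXT _acme-challenge.<name>, with the reply's RCODE decoded so that
SERVFAIL (the thread's case) is distinguished from NXDOMAIN, NODATA or a timeout.
"""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPE_TXT, QCLASS_IN = 16, 1
TXID = 0x1234  # fixed transaction id; acceptable for a one-shot diagnostic


def build_txt_query(name, txid=TXID):
    """Return the wire-format DNS query: header, QNAME labels, QTYPE, QCLASS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", QTYPE_TXT, QCLASS_IN)


def parse_response(packet, txid=TXID):
    """Return (status, answer_count); status is the RCODE name, or NODATA."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: not a reply to our query")
    rcode = flags & 0x000F
    if rcode == 0 and an == 0:
        return "NODATA", 0  # zone answered, but no TXT at this name (yet)
    return RCODES.get(rcode, f"RCODE{rcode}"), an


def probe(name, server_ip, timeout=5.0):
    """Ask server_ip for TXT _acme-challenge.<name>; TIMEOUT if nothing comes back."""
    query = build_txt_query(f"_acme-challenge.{name}")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT", 0
    return parse_response(data)


if __name__ == "__main__":
    # 192.0.2.53 is a documentation-range placeholder: substitute the address of one
    # of the ns*.duckdns.org servers from the thread (e.g. dig +short ns1.duckdns.org).
    print(probe("www.dotndebhome.duckdns.org", "192.0.2.53"))
```

Run it once per authoritative nameserver: a TIMEOUT or SERVFAIL from every one of them is the nameserver-side failure the thread describes, while NODATA from some means the record is still propagating and a longer --dns-duckdns-propagation-seconds may be enough.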