Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems

Requesting a certificate for pantook.com and www.pantook.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: www.pantook.com
Type: dns
Detail: During secondary validation: no valid A records found for www.pantook.com; no valid AAAA records found for www.pantook.com

This is strange. You should check your nameservers.

❯ dig ns pantook.com

; <<>> DiG 9.16.41 <<>> ns pantook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22680
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;pantook.com.                   IN      NS

;; Query time: 453 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Sep 23 06:42:12 CEST 2023
;; MSG SIZE  rcvd: 40
4 Likes

Hi @jakkapet2k, and welcome to the LE community forum 🙂

That is not a globally recognized authoritative server for your domain [nor for any domain].

3 Likes

That looks like a stub resolver.

4 Likes

These are the authoritative DNS servers for your domain:

pantook.com nameserver = ns-a1.cloud.z.com
pantook.com nameserver = ns-a3.cloud.z.com
pantook.com nameserver = ns-a4.cloud.z.com
5 Likes

They don't agree on who are the authoritative name servers:

nslookup -q=ns pantook.com ns-a1.cloud.z.com
*** No name server (NS) records available for pantook.com
nslookup -q=ns pantook.com ns-a3.cloud.z.com
pantook.com nameserver = ns-a1.cloud.z.com
pantook.com nameserver = ns-a3.cloud.z.com
pantook.com nameserver = ns-a4.cloud.z.com
nslookup -q=ns pantook.com ns-a4.cloud.z.com
pantook.com nameserver = ns-a1.cloud.z.com
pantook.com nameserver = ns-a3.cloud.z.com
pantook.com nameserver = ns-a4.cloud.z.com
6 Likes

ACTIVE:
ns-a1.cloud.z.com - NOT in sync
ns-a3.cloud.z.com - synced
ns-a4.cloud.z.com - synced

INACTIVE:
ns-a2.cloud.z.com - synced
ns-a5.cloud.z.com - synced
ns-a6.cloud.z.com - synced

5 Likes

Also, each hostname isn't in sync with itself. 😃

❯ dig a www.pantook.com @ns-a1.cloud.z.com. -4

; <<>> DiG 9.16.41 <<>> a www.pantook.com @ns-a1.cloud.z.com. -4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64978
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 2800
;; QUESTION SECTION:
;www.pantook.com.               IN      A

;; ANSWER SECTION:
www.pantook.com.        3600    IN      A       45.144.164.74

;; Query time: 436 msec
;; SERVER: 150.95.19.148#53(150.95.19.148)
;; WHEN: Sat Sep 23 07:07:53 CEST 2023
;; MSG SIZE  rcvd: 60


~
❯ dig a www.pantook.com @ns-a1.cloud.z.com. -6

; <<>> DiG 9.16.41 <<>> a www.pantook.com @ns-a1.cloud.z.com. -6
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6195
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 2800
;; QUESTION SECTION:
;www.pantook.com.               IN      A

;; Query time: 273 msec
;; SERVER: 2404:f080:1101:310::53#53(2404:f080:1101:310::53)
;; WHEN: Sat Sep 23 07:07:58 CEST 2023
;; MSG SIZE  rcvd: 44


~
❯
6 Likes
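
The two dig replies in the post above differ in the header: the IPv4 reply carries the `aa` flag and one A record, while the IPv6 reply from the same nameserver has neither. As an added example (not part of the thread), this Python script parses dig output and compares replies the way a validating CA would see them; the sample text is trimmed from the output quoted above, and the function names and labels are hypothetical.

```python
import re

# Trimmed from the two dig replies quoted in the thread (same server, IPv4 then IPv6).
SAMPLE_V4 = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64978
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.pantook.com.        3600    IN      A       45.144.164.74
;; SERVER: 150.95.19.148#53(150.95.19.148)
"""
SAMPLE_V6 = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6195
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 2404:f080:1101:310::53#53(2404:f080:1101:310::53)
"""

def parse_dig(text):
    """Pull status, the aa header flag, answer records and responding server from dig output."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = re.search(r";; flags: ([a-z ]*);", text).group(1).split()
    server = re.search(r";; SERVER: (\S+)#", text).group(1)
    answers, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif in_answer and line and not line.startswith(";"):
            _name, _ttl, _cls, rtype, rdata = line.split(None, 4)
            answers.append((rtype, rdata))
        else:
            in_answer = False  # blank line or next section ends the answer block
    return {"server": server, "status": status, "aa": "aa" in flags,
            "answers": tuple(sorted(answers))}

def classify(resp):
    if resp["status"] != "NOERROR":
        return "error:" + resp["status"]
    if not resp["aa"]:
        return "not-authoritative"  # reply lacks the aa flag, so it is not an authoritative answer
    return "answer" if resp["answers"] else "nodata"

def compare(responses):
    """Return (consistent, report); consistent means every reply is the same authoritative answer."""
    report = {r["server"]: (classify(r), r["answers"]) for r in responses}
    consistent = (len(set(report.values())) == 1
                  and all(kind == "answer" for kind, _ in report.values()))
    return consistent, report

if __name__ == "__main__":
    ok, report = compare([parse_dig(SAMPLE_V4), parse_dig(SAMPLE_V6)])
    print("consistent" if ok else "INCONSISTENT", report)
```

Feeding it the output of `dig` against every listed nameserver, once with `-4` and once with `-6`, shows before a certbot run whether any validation vantage point could receive an empty or non-authoritative reply.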

Thanks everyone, now I have solved the problem.

3 Likes

It would be nice to close the topic with an explanation of the solution.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.