When validation fails, certbot gives users the following error:
As we’ve seen here over and over and over again, this often sends folks on a wild goose chase to fix their DNS records, when it turns out there was nothing wrong with them to begin with. DNS issues aren’t the only common issue, and my observation suggests they aren’t even the most common issue (I suspect the most common issue is an incorrect webroot path). It’d be good to improve this. I’d suggest either
- (easy, but less useful) “The most common causes of failure are missing or incorrect DNS records, an incorrect webroot path, and a firewall preventing the Let’s Encrypt validation servers from accessing this server”, followed by a short bullet list of things to check for each. This might at least avoid the (incorrect) laser focus on the DNS records.
- (more useful, but no doubt considerably more work) actually testing common failure points. Certbot can tell, in most common configurations, if the DNS records are adequate. It can tell, assuming the webserver is listening on localhost, what’s being served for the challenge. Firewall may be harder, but would still be beneficial to check if possible.
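As an added example (not from the original post), the following Python sketch shows the kind of pre-flight check proposed in the second bullet: it resolves the hostname, then writes a random token under the webroot and fetches it back through the webserver on localhost with the Host header a validator would send, so a wrong webroot or a missing record is reported before any ACME order is placed. The domain `example.test`, the `demo()` helper and the throwaway local server are constructed for illustration and are not part of certbot.

```python
import os, socket, tempfile, threading
import urllib.error, urllib.request
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler

CHALLENGE_DIR = ".well-known/acme-challenge"  # path under which HTTP-01 tokens are served

def resolve_addresses(domain, resolver=socket.getaddrinfo):
    """Addresses the name resolves to; an empty set means there is no usable DNS record."""
    try:
        return {info[4][0] for info in resolver(domain, 80, proto=socket.IPPROTO_TCP)}
    except socket.gaierror:
        return set()

def fetch_probe(domain, token, port):
    """Request the token from the webserver on localhost, sending the Host header a validator would."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}/{CHALLENGE_DIR}/{token}", headers={"Host": domain})
    try:
        with urllib.request.urlopen(req, timeout=3) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""

def check_webroot(domain, webroot, port=80):
    """Place a random probe file in the webroot and confirm the webserver hands it back unchanged."""
    token, expected = "probe-" + os.urandom(8).hex(), os.urandom(16).hex()
    probe_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(probe_dir, exist_ok=True)
    with open(os.path.join(probe_dir, token), "w") as fh:
        fh.write(expected)
    try:
        status, body = fetch_probe(domain, token, port)
    finally:
        os.remove(os.path.join(probe_dir, token))  # never leave probe files behind
    if status is None:
        return f"no webserver answered on 127.0.0.1:{port}"
    if status != 200:
        return f"webserver returned HTTP {status}; the webroot path is probably wrong"
    if body.strip() != expected:
        return "webserver returned other content; a rewrite rule or another vhost is answering"
    return "ok"

def demo():
    # Constructed setup: a throwaway local server on a free port plus a resolver that finds no record.
    good, wrong = tempfile.mkdtemp(), tempfile.mkdtemp()
    srv = HTTPServer(("127.0.0.1", 0), partial(SimpleHTTPRequestHandler, directory=good))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    served, wrong_root = check_webroot("example.test", good, port), check_webroot("example.test", wrong, port)
    srv.shutdown(); srv.server_close()
    def no_record(*_a, **_k): raise socket.gaierror  # stand-in for a name with no DNS record
    return served, wrong_root, check_webroot("example.test", good, port), resolve_addresses("example.test", no_record)
```

Against a real host you would call `check_webroot(domain, webroot)` on port 80 and compare `resolve_addresses(domain)` with the server's public addresses; the demo only shows the three webroot outcomes and the empty-DNS case.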