Certbot informs me that I may have problems with my DNS configuration

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: grupodel.com

I ran this command: sudo certbot renew --dry-run -vv

It produced this output: It is very long; the error and hint were:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: grupodel.com
Type: dns
Detail: During secondary validation: DNS problem: SERVFAIL looking up CAA for grupodel.com - the domain's nameservers may be malfunctioning

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

My web server is (include version): httpd (Apache)

The operating system my web server runs on is (include version): Amazon Linux

My hosting provider, if applicable, is: AWS Amazon Linux Free Tier instance

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Not other than EC2

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0

Hi @megatronchote
Welcome to the community...
I just checked your site out the best I could.
You have the correct ports open, and I can access your site via http and https.
Let's Debug showed similar errors to the one you posted the first time I ran a test against your DNS challenge, but the second time it worked perfectly.

My suggestion is to give it another try and let us know what happens.
Sounds silly, but you might be surprised at the result.


Thank you for taking the time to help me! I've tried it again and got similar results, here's some of the output, the part in red:

All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/grupodel.com/fullchain.pem (failure)

I can post the full output if you like, or use only one verbose level, or none if you prefer


Posting more of the log would be helpful.
[particularly any lines that contain "error"]


Check your DNS servers:

grupodel.com    nameserver = ns-550.awsdns-04.net
grupodel.com    nameserver = ns-1987.awsdns-56.co.uk
grupodel.com    nameserver = ns-430.awsdns-53.com
grupodel.com    nameserver = ns-1052.awsdns-03.org

The first one on that list knows nothing about your domain:

nslookup -q=ns grupodel.com ns-550.awsdns-04.net
*** UnKnown can't find grupodel.com: Query refused

Wow, the first one doesn't but the others do? I tried dig, but it seemed to work.
Here's the final part of the log:

HTTP 200
Server: nginx
Date: Fri, 20 Sep 2024 20:02:56 GMT
Content-Type: application/json
Content-Length: 1013
Connection: keep-alive
Boulder-Requester: 163930433
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 6wrlOJ0T7EFDOlVODLIGhJc5LYMjFCTxTE3Lt2Mmw1ASA1s6QaE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "grupodel.com"
  },
  "status": "invalid",
  "expires": "2024-09-27T20:02:55Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/14088380113/gNT_RA",
      "status": "invalid",
      "validated": "2024-09-20T20:02:55Z",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "During secondary validation: DNS problem: SERVFAIL looking up CAA for grupodel.com - the domain's nameservers may be malfunctioning",
        "status": 400
      },
      "token": "IzGRM20WaShHgCbOSiajkS_EOu0S8VXEbYT0ZwK5dug",
      "validationRecord": [
        {
          "url": "http://grupodel.com/.well-known/acme-challenge/IzGRM20WaShHgCbOSiajkS_EOu0S8VXEbYT0ZwK5dug",
          "hostname": "grupodel.com",
          "port": "80",
          "addressesResolved": [
            "18.117.59.158"
          ],
          "addressUsed": "18.117.59.158"
        }
      ]
    }
  ]
}
2024-09-20 20:02:56,734:DEBUG:acme.client:Storing nonce: 6wrlOJ0T7EFDOlVODLIGhJc5LYMjFCTxTE3Lt2Mmw1ASA1s6QaE
2024-09-20 20:02:56,734:INFO:certbot._internal.auth_handler:Challenge failed for domain grupodel.com
2024-09-20 20:02:56,734:INFO:certbot._internal.auth_handler:http-01 challenge for grupodel.com
2024-09-20 20:02:56,735:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: grupodel.com
Type: dns
Detail: During secondary validation: DNS problem: SERVFAIL looking up CAA for grupodel.com - the domain's nameservers may be malfunctioning

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2024-09-20 20:02:56,735:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/usr/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2024-09-20 20:02:56,735:DEBUG:certbot._internal.error_handler:Calling registered functions
2024-09-20 20:02:56,736:INFO:certbot._internal.auth_handler:Cleaning up challenges
2024-09-20 20:02:56,736:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/html/.well-known/acme-challenge/IzGRM20WaShHgCbOSiajkS_EOu0S8VXEbYT0ZwK5dug
2024-09-20 20:02:56,736:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2024-09-20 20:02:56,736:ERROR:certbot._internal.renewal:Failed to renew certificate grupodel.com with error: Some challenges have failed.
2024-09-20 20:02:56,737:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/certbot/_internal/renewal.py", line 533, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1547, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 129, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python3.9/site-packages/certbot/_internal/renewal.py", line 395, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/usr/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/usr/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2024-09-20 20:02:56,739:DEBUG:certbot._internal.display.obj:Notifying user:


2024-09-20 20:02:56,739:ERROR:certbot._internal.renewal:All simulated renewals failed. The following certificates could not be renewed:
2024-09-20 20:02:56,739:ERROR:certbot._internal.renewal: /etc/letsencrypt/live/grupodel.com/fullchain.pem (failure)
2024-09-20 20:02:56,739:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-09-20 20:02:56,740:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 8, in
sys.exit(main())
File "/usr/lib/python3.9/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1864, in main
return config.func(config, plugins)
File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1636, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python3.9/site-packages/certbot/_internal/renewal.py", line 559, in handle_renewal_request
raise errors.Error(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2024-09-20 20:02:56,740:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)


I stopped at the first failure.
Maybe they do...
Maybe they don't...

The log was only to help find the problem.
DNS was found to be a problem.
DNS needs to be corrected before continuing your testing.

FYI: Testing is preferred on the staging environment [not production].


Yes, it looks like there are significant DNS delegation problems. See here for a picture, and expand the Errors and Warnings section for a description:
https://dnsviz.net/d/grupodel.com/dnssec/

See step 4 to review your DNS


Thank you again, I've tried the other ones myself and they don't work either.

This seems to have begun when I changed the NSs in AWS to try to put my server behind Cloudflare, which failed. I also own "grupodel.es", and since I didn't write down the original servers that AWS gave me for grupodel.com when I changed them to the Cloudflare ones, I just copied the ones it gave me for grupodel.es. I now realize that was a mistake. Do you know where I could get the original ones?


We cross-posted but see that AWS Docs page I linked to.


I want to thank you, and everyone for your replies. I found the original DNS Server addresses in the "Domains" part of Route 53 and now, having replaced the bad ones with the originals, they have worked.

The issue has been resolved. Thanks again!

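
The fix described above, as an added example that is not part of the thread: a Route 53 hosted zone carries its own delegation set, and the nameservers registered for the domain (the "Domains" section, i.e. Route 53 Domains) have to match it. The script fetches both lists with the AWS CLI, compares them after normalising case and trailing dots, and prints the update-domain-nameservers command that brings the registrar back in line with the hosted zone. Assumes AWS CLI v2 with permissions for route53:ListHostedZonesByName, route53:GetHostedZone and route53domains:GetDomainDetail; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread: reconcile the nameservers registered
# for a domain in Route 53 Domains with the delegation set of its Route 53
# hosted zone. Assumes AWS CLI v2 and read permissions on both services.

# Normalise a newline-separated NS list: lowercase, drop trailing dots and
# blank lines, sort and dedupe so the two lists can be compared textually.
normalize_ns() {
    tr 'A-Z' 'a-z' | sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# Compare two newline-separated NS lists ($1 = registrar, $2 = hosted zone).
# Prints what to remove/add at the registrar; returns 0 only when they match.
diff_ns_sets() {
    a=$(printf '%s\n' "$1" | normalize_ns)
    b=$(printf '%s\n' "$2" | normalize_ns)
    if [ "$a" = "$b" ]; then
        echo "OK: registrar delegation matches the hosted zone"
        return 0
    fi
    ta=$(mktemp) && tb=$(mktemp) || return 2
    printf '%s\n' "$a" | sed '/^$/d' > "$ta"
    printf '%s\n' "$b" | sed '/^$/d' > "$tb"
    comm -23 "$ta" "$tb" | sed 's/^/REGISTRAR ONLY (remove): /'
    comm -13 "$ta" "$tb" | sed 's/^/ZONE ONLY (add at registrar): /'
    rm -f "$ta" "$tb"
    return 1
}

# Build the CLI command that sets the registrar NS list for domain $1 to the
# newline-separated list $2. Route 53 Domains is global and uses us-east-1.
fix_command() {
    printf 'aws route53domains update-domain-nameservers --region us-east-1 --domain-name %s --nameservers' "$1"
    for n in $(printf '%s\n' "$2" | normalize_ns); do
        printf ' Name=%s' "$n"
    done
    printf '\n'
}

# Live lookups (need AWS credentials). Output: one nameserver per line.
registrar_ns() {
    aws route53domains get-domain-detail --region us-east-1 --domain-name "$1" \
        --query 'Nameservers[].Name' --output text | tr '\t' '\n'
}
zone_ns() {
    # Filter on the exact zone name: list-hosted-zones-by-name returns zones
    # at or after the given name, not only an exact match.
    zone_id=$(aws route53 list-hosted-zones-by-name --dns-name "$1." \
        --query "HostedZones[?Name=='$1.'] | [0].Id" --output text)
    [ "$zone_id" != None ] || { echo "no hosted zone named $1" >&2; return 1; }
    aws route53 get-hosted-zone --id "$zone_id" \
        --query 'DelegationSet.NameServers' --output text | tr '\t' '\n'
}

# Usage: sh reconcile_ns.sh grupodel.com
if [ $# -ge 1 ]; then
    reg=$(registrar_ns "$1"); zone=$(zone_ns "$1")
    if ! diff_ns_sets "$reg" "$zone"; then
        echo "Run the following after double-checking the hosted zone list:"
        fix_command "$1" "$zone"
    fi
fi
```

The hosted zone's delegation set is the source of truth, because it is the only set of servers that actually load the zone; copying another domain's servers, as happened in this thread, leaves the registrar pointing at servers that will refuse queries for the zone.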
