Certbot renew DNS Issue

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

I do want to mention that I was successfully able to create a cert for my domain without the www part. It's just when I went back to my terminal to add a cert for the WWW part I kept getting DNS issues, even though my DNS A records all point to my server's IP.

My domain is:

I ran this command:
certbot --apache -d www.artisanct.com

It produced this output:

My web server is (include version):
Ubuntu 20.04.3 LTS

The operating system my web server runs on is (include version):
GNU/Linux 5.4.0-96-generic x86_64

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.31.0

DNSSEC for the non-existing CAA DNS resource record is bogus, see https://dnsviz.net/d/www.artisanct.com/dnssec/?rr=all&a=all&ds=all&doe=on&ta=.&tk=. It seems to be answering with an NSEC record for artisanct.com whereas an NSEC record for the non-existence of www.artisanct.com/CAA was expected.

This is something your DNS provider should fix. A workaround might be to add an actual CAA record yourself, so there won't be a bogus NSEC record.
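
The check a validating resolver applies to an NSEC denial, as an added example that is not part of the original reply: it uses RFC 4034 canonical name ordering and shows why an NSEC owned by the apex cannot prove that www.artisanct.com has no CAA record. The NSEC owner, next-name and type-bitmap values are constructed for illustration (they are not the zone's real records), and signature validation, wildcards and delegations are left out.

```python
def canonical_key(name):
    """RFC 4034 section 6.1 ordering key: lowercased labels compared right to left."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]


def nsec_proves(qname, qtype, owner, next_name, types):
    """Return 'NODATA', 'NXDOMAIN' or None for a single NSEC record.

    NODATA:   the NSEC is owned by qname itself and its type bitmap
              lists neither qtype nor CNAME.
    NXDOMAIN: qname sorts strictly between owner and next_name
              (the last NSEC in the zone wraps around to the apex).
    None:     the record proves nothing about qname/qtype, so a
              validator treats the negative answer as bogus.
    """
    q, o, n = (canonical_key(x) for x in (qname, owner, next_name))
    if q == o:
        if qtype in types or "CNAME" in types:
            return None
        return "NODATA"
    if o < n:
        covered = o < q < n
    else:  # wrap-around record at the end of the NSEC chain
        covered = q > o or q < n
    return "NXDOMAIN" if covered else None


# Constructed sample records, shaped like the situation in this thread.
APEX_NSEC = ("artisanct.com", "www.artisanct.com",
             {"A", "NS", "SOA", "RRSIG", "NSEC", "DNSKEY"})
WWW_NSEC = ("www.artisanct.com", "artisanct.com",
            {"A", "RRSIG", "NSEC"})


def check(qname, qtype, nsec):
    owner, next_name, types = nsec
    return nsec_proves(qname, qtype, owner, next_name, types)


if __name__ == "__main__":
    # NSEC for the apex, returned for a www CAA query: proves nothing.
    print(check("www.artisanct.com", "CAA", APEX_NSEC))
    # NSEC owned by www itself without CAA in the bitmap: valid NODATA.
    print(check("www.artisanct.com", "CAA", WWW_NSEC))
```

Publishing a real CAA record, as suggested above, sidesteps this check entirely because the CAA query then gets a signed positive answer instead of a denial.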


Thank you first off for the fast reply! I'm just the web developer for the company and I shared your answer with the IT team.

If I may ask, what caused this issue to begin with? We had this issue last summer but seemed to resolve it. This issue just now only occurred when I had to go in and renew the site certs.


I don't know. Let's Encrypt has validated DNSSEC for some time now, and while optional, if present it must succeed. So nothing has changed there for YEARS I believe.

Why your DNSSEC is suddenly broken now? I dunno, you would need to ask your DNS service provider.

Also, please do not issue so many duplicate certificates as you've done recently: crt.sh | artisanct.com. You're now already rate limited for certificates with just artisanct.com.

You might want to combine the apex domain with the www subdomain again as was done on 2022-06-27, once the DNS issue has been fixed.


I did originally run *certbot --apache -d artisanct.com -d www.artisanct.com* but only the first one went through.

But you already had a certificate for just artisanct.com from 2022-09-22, which is valid until somewhere in December. So there wouldn't be a reason to get a certificate for just artisanct.com in the first place.

If you tried that just to test things out, you should have done so on the staging environment and not on the production environment. The latter one is not for testing.

