Certbot renewal stopped working

My domain is: 3dstest.abcorp.com

I ran this command: certbot renew --dry-run -v

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/3dstest.abcorp.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Simulating renewal of an existing certificate for 3dstest.abcorp.com
Performing the following challenges:
http-01 challenge for 3dstest.abcorp.com
Waiting for verification...
Challenge failed for domain 3dstest.abcorp.com
http-01 challenge for 3dstest.abcorp.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: 3dstest.abcorp.com
  Type:   dns
  Detail: During secondary validation: While processing CAA for 3dstest.abcorp.com: DNS problem: looking up CAA for 3dstest.abcorp.com: DNSSEC: Bogus: validation failure <3dstest.abcorp.com. CAA IN>: nodata proof failed from 162.159.26.165

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Failed to renew certificate 3dstest.abcorp.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/3dstest.abcorp.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache/2.4.62 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04.6 LTS

My hosting provider, if applicable, is: on Azure VM

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 5.0.0


Hello,

I'm having issues renewing the certificate of my site. Usually, auto-renewals are controlled by snap.certbot.renew.timer, which then triggers snap.certbot.renew.service. This has worked fine for a couple years. However, the latest renewals have started to fail. Logs found in /var/log/letsencrypt/ return the same error about secondary validations as above.

My 443 port is open for my Azure VM (since renewals still worked back in July, I suspect it's not the issue). My IT admin has also already confirmed that the CAA for our domain has been correctly set. Could anyone help shed some light here on what could be the issue?

The only change that I can think of since the last successful renewal is that we updated some of the SSL cipher suites that the site accepts. However, this was done in the apache2/sites-available settings, without touching /etc/letsencrypt/options-ssl-apache.conf. Not only that, but the cipher changes were made to our live site, not the test site that I have provided information for here. However, both sites are experiencing the same validation error.

Any help is appreciated, thank you!

This is trying to tell you the problem: When querying for CAA, the DNSSEC response is wrong. It looks like the signature says that the name doesn't exist, even though it does.

Here's a tool that has more details:

Well, the record might be correctly set for abcorp.com, but the CA first needs to query 3dstest.abcorp.com (in case it has a different policy to follow than the parent name), and the query for that gives an incorrect DNSSEC response.

This is a significant problem with your DNS setup, and not just for CAs trying to validate that you control that name. Sadly, we see it a lot with names that are hosted on Network Solutions's DNS servers, as it doesn't seem that they have any idea how to run a DNS server.

It's not related to cipher suites, or VM ports, this is just that you can't validate control over your domain name, since your domain name doesn't work.

Your options are probably:

  1. Stick with Network Solutions, and either just remove DNSSEC :frowning: or try to convince them to give valid DNSSEC responses.
  2. Change your DNS service provider to a more competent organization.

Here's a thread from a couple years ago with the same problem; if you search for Network Solutions DNSSEC you'll find more.

6 Likes
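As an added illustration (not code from this thread, from Certbot, or from Let's Encrypt), here is a small Python model of the CAA tree climb the answer above describes, run over constructed zone data: the parent's CAA record is fine, but a DNSSEC-bogus answer at the subdomain stops the walk before the parent is ever consulted. The in-memory zones and the simulated resolver are assumptions made for the example.

```python
"""Model of the RFC 8659 CAA tree climb over constructed, DNSSEC-aware zones.

Constructed example, not Certbot or Let's Encrypt code. The simulated
resolver returns (status, records), where status mimics what a validating
resolver reports: "secure" data, "nodata" (name exists, no CAA RRset), or
"bogus" (DNSSEC validation failed; a real resolver surfaces this as SERVFAIL).
Only the `issue` property is modelled; issuewild and iodef are out of scope.
"""

CA_ISSUER = "letsencrypt.org"

# Constructed zone data: name -> (dnssec_status, list of (tag, value) CAA records).
# In both zones abcorp.com carries a correct CAA record. In ZONE_BOGUS the
# subdomain's NODATA proof does not validate, mirroring the Certbot error above.
ZONE_OK = {
    "abcorp.com": ("secure", [("issue", "letsencrypt.org")]),
    "3dstest.abcorp.com": ("nodata", []),
}
ZONE_BOGUS = {
    "abcorp.com": ("secure", [("issue", "letsencrypt.org")]),
    "3dstest.abcorp.com": ("bogus", []),
}


def lookup_caa(zone, name):
    """Simulate a validating resolver's answer to a CAA query for `name`."""
    return zone.get(name, ("nodata", []))


def caa_check(zone, fqdn, issuer=CA_ISSUER):
    """Walk from `fqdn` toward the root (RFC 8659 section 3) and decide whether
    `issuer` may issue. Returns (allowed, reason)."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        status, records = lookup_caa(zone, name)
        if status == "bogus":
            # A DNSSEC failure is fatal: the CA cannot tell whether a CAA
            # record exists, so it refuses to issue instead of climbing further.
            return False, f"DNSSEC bogus while looking up CAA for {name}"
        if records:
            # The first name with a CAA RRset decides; no further climbing.
            issue_tags = [value for tag, value in records if tag == "issue"]
            if not issue_tags or issuer in issue_tags:
                return True, f"CAA at {name} permits {issuer}"
            return False, f"CAA at {name} does not list {issuer}"
    # No CAA RRset anywhere up the tree: issuance is not restricted.
    return True, "no CAA records found; issuance permitted"
```

Run `caa_check(ZONE_BOGUS, "3dstest.abcorp.com")` to see the same outcome the CA reported: the walk never reaches the correctly configured parent record.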

Thanks for the response! The thread you attached was enlightening.

Turns out that between my site's last successful cert renewal and today, another network administrator had enabled DNSSEC through Network Solutions. That'll explain it. :sweat_smile:

5 Likes