Certbot validation randomly succeeded or failed

Hello, I'm trying to create a certificate for a domain, but the process randomly succeeds or fails. I used the tool https://letsdebug.net, and the results varied: sometimes errors, sometimes fatal errors, and sometimes it succeeded.

My domain is: user-mgmt.digital.auto

I ran this command: sudo certbot --nginx -d user-mgmt.digital.auto -d user-mgmt.digitalauto.tech

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log


You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/user-mgmt.digitalauto.tech.conf)

It contains these names: user-mgmt.digitalauto.tech

You requested these names for the new certificate: user-mgmt.digital.auto,
user-mgmt.digitalauto.tech.

Do you want to expand and replace this existing certificate with the new
certificate?


(E)xpand/(C)ancel: e
Renewing an existing certificate for user-mgmt.digital.auto and user-mgmt.digitalauto.tech

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: user-mgmt.digital.auto
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for user-mgmt.digital.auto - check that a DNS record exists for this domain; no valid AAAA records found for user-mgmt.digital.auto

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

My web server is (include version): nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 23.04

My hosting provider, if applicable, is: Azure

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): name.com

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

Your DNS is quite the mess:

https://dnsviz.net/d/user-mgmt.digital.auto/dnssec/

It looks like 2 different companies are used as authoritative nameservers. The name.com NS actually report an IP address indeed, but apparently wixdns.net NS are also being used currently, reporting an NXDOMAIN result.

See also the trace at Dig web interface - online dns lookup tool.

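The intermittent failure described in the reply above is a split-authority problem: Let's Encrypt's validators pick one of the delegated nameservers at random, so the result depends on whether they land on a server that knows the name or one that answers NXDOMAIN. The script below is an added example, not part of the original thread, that reproduces the check by hand: it asks every listed nameserver directly (non-recursive) and flags the case where some answer and others return NXDOMAIN, or where the answers disagree. It shells out to `dig` from the BIND tools for live queries; the nameserver hostnames and the `dig` output embedded below are constructed sample data, not the real servers for the domain in the post.

```python
"""Check that every authoritative nameserver agrees on a name's A record.

Added example (not from the original forum post). Live queries use `dig`
via subprocess; the parser and consistency check also run offline on the
constructed sample output at the bottom of the file.
"""
import re
import subprocess
import sys
from typing import Dict, List, Tuple

# The two pieces of `dig +noall +comments +answer` output we rely on:
# the rcode in the header comment, and any A records in the answer section.
STATUS_RE = re.compile(r"status: (\w+)")
A_RR_RE = re.compile(r"^\S+\s+\d+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)", re.M)

Result = Tuple[str, List[str]]  # (rcode, list of A-record IPs)


def parse_dig(output: str) -> Result:
    """Extract the rcode and A-record IPs from dig's comment+answer output."""
    m = STATUS_RE.search(output)
    status = m.group(1) if m else "UNKNOWN"
    return status, A_RR_RE.findall(output)


def authoritative_ns(zone: str) -> List[str]:
    """Return the NS hostnames currently published for `zone` (live query)."""
    out = subprocess.run(["dig", "+short", zone, "NS"],
                         capture_output=True, text=True, timeout=10, check=False).stdout
    return sorted(line.rstrip(".") for line in out.split() if line)


def query_ns(name: str, nameserver: str) -> Result:
    """Ask one nameserver directly, with recursion disabled, for name's A record."""
    cmd = ["dig", "+norecurse", "+noall", "+comments", "+answer",
           f"@{nameserver}", name, "A"]
    out = subprocess.run(cmd, capture_output=True, text=True,
                         timeout=10, check=False).stdout
    return parse_dig(out)


def summarize(results: Dict[str, Result]) -> Dict[str, object]:
    """Flag split authority: NXDOMAIN from some servers, or differing answers."""
    nxdomain = sorted(ns for ns, (st, _) in results.items() if st == "NXDOMAIN")
    answered = sorted(ns for ns, (st, ips) in results.items() if st == "NOERROR" and ips)
    ip_sets = {tuple(sorted(ips)) for _, ips in results.values() if ips}
    return {
        "consistent": bool(answered) and not nxdomain and len(ip_sets) == 1,
        "nxdomain_from": nxdomain,
        "answered_from": answered,
        "distinct_answers": len(ip_sets),
    }


# Constructed sample data: two hypothetical nameservers, one of which knows
# the name and one of which returns NXDOMAIN, mirroring the thread's symptom.
SAMPLE_RESPONSES: Dict[str, str] = {
    "ns1.example.net": (
        ";; Got answer:\n"
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242\n"
        ";; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"
        "\n"
        ";; ANSWER SECTION:\n"
        "user-mgmt.digital.auto.\t300\tIN\tA\t203.0.113.10\n"
    ),
    "ns1.example.org": (
        ";; Got answer:\n"
        ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4243\n"
        ";; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\n"
    ),
}
SAMPLE_RESULTS: Dict[str, Result] = {ns: parse_dig(out) for ns, out in SAMPLE_RESPONSES.items()}


def main(argv: List[str]) -> int:
    """Usage: script.py NAME ZONE  (live), or no arguments for the sample run."""
    if len(argv) == 3:
        name, zone = argv[1], argv[2]
        results = {ns: query_ns(name, ns) for ns in authoritative_ns(zone)}
    else:
        results = SAMPLE_RESULTS
    for ns, (status, ips) in sorted(results.items()):
        print(f"{ns:30} {status:10} {' '.join(ips) or '-'}")
    verdict = summarize(results)
    print("consistent" if verdict["consistent"] else f"SPLIT AUTHORITY: {verdict}")
    return 0 if verdict["consistent"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the hostname and its zone (here `user-mgmt.digital.auto digital.auto`) and the exit status is non-zero whenever any delegated server disagrees; until every server in the NS set returns the same A record, ACME validation will keep succeeding or failing depending on which one the CA happens to ask. The NS list is taken from the live delegation, so a stale server that the registrar still lists but the current provider no longer serves shows up as the NXDOMAIN entry.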