Certificate not renewing: dns error

Used to work fine, up to now. DNS looks fine, also checked with external DNS checking websites.

My domain is: camicom.com

I ran this command: /usr/local/bin/certbot renew --pre-hook 'service apache24 stop' --post-hook 'service apache24 start'

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /usr/local/etc/letsencrypt/renewal/mail.camicom.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Running pre-hook command: service apache24 stop
Output from service:
Stopping apache24.
Waiting for PIDS: 67033.

Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.camicom.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (mail.camicom.com) from /usr/local/etc/letsencrypt/renewal/mail.camicom.com.conf produced an unexpected error: Failed authorization procedure. mail.camicom.com (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for mail.camicom.com - the domain's nameservers may be malfunctioning. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/usr/local/etc/letsencrypt/live/mail.camicom.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/usr/local/etc/letsencrypt/live/mail.camicom.com/fullchain.pem (failure)


Running post-hook command: service apache24 start
Output from service:
Performing sanity check on apache24 configuration:
Starting apache24.

Error output from service:
Syntax OK

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mail.camicom.com
    Type: None
    Detail: DNS problem: SERVFAIL looking up A for mail.camicom.com -
    the domain's nameservers may be malfunctioning

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): FreeBSD 11.2

My hosting provider, if applicable, is: self-hosting, DNS with DeHeeg

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

1 Like

Hi @iamcamiel

Your domain uses DNSSEC - but your DNSSEC is invalid - see https://check-your-website.server-daten.de/?q=mail.camicom.com


Your parent zone has a valid DS, so your parent zone says: Your zone must be signed.

Your zone has a DNSKEY. But that DNSKEY doesn’t match the values of the parent DS.

So it’s impossible to create a chain of trust.

Revalidate your zone.

2 Likes
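The reply above describes the exact link that was broken: the parent zone's DS record is a digest of the child's DNSKEY, and a validating resolver answers SERVFAIL when no DNSKEY in the child zone matches it. The script below, an added example that is not part of this thread and not Certbot's code, performs that RFC 4034 comparison locally so the mismatch can be confirmed before contacting a DNS provider. The owner name `example.com.`, the two public keys and the algorithm number are constructed placeholders, not the real camicom.com key material.

```python
"""Check that a parent-zone DS record matches a DNSKEY in the child zone.

Added example (not code from the thread or from Certbot): it reproduces the
RFC 4034 computation a validator performs to link the parent's DS to the
child's DNSKEY. The owner name and public key bytes below are constructed,
not the real camicom.com key.
"""
import base64
import hashlib
import struct

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase labels, each
    length-prefixed, terminated by the zero-length root label."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte
    algorithm, followed by the raw public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Derive the DS tuple (key_tag, algorithm, digest_type, digest_hex) that
    the parent zone should publish for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def ds_matches_dnskey(parent_ds, owner, flags, protocol, algorithm, pubkey_b64):
    """True when a DS published by the parent matches the child's DNSKEY.
    Key tag, algorithm, digest type and digest must all agree; this is the
    chain-of-trust link that was missing in the thread."""
    tag, alg, dtype, digest = parent_ds
    if dtype not in DIGEST_ALGS:
        return False  # unsupported digest type: the DS cannot be validated
    expected = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, dtype)
    return (tag, alg, dtype, digest.upper()) == expected


# Constructed data: hypothetical zone and key material, not the real ones.
OWNER = "example.com."
KSK_FLAGS, PROTOCOL, ALGORITHM = 257, 3, 13   # KSK flag set, DNSSEC, ECDSAP256SHA256
OLD_KEY = base64.b64encode(b"constructed-old-ksk-public-key-bytes").decode()
NEW_KEY = base64.b64encode(b"constructed-new-ksk-public-key-bytes").decode()

# The parent still publishes a DS derived from the OLD key, as it would
# after a key rollover whose DS update never reached the registry.
PARENT_DS = ds_from_dnskey(OWNER, KSK_FLAGS, PROTOCOL, ALGORITHM, OLD_KEY)


def diagnose():
    """Return (matches_old, matches_new). A stale DS after a rollover gives
    (True, False): the parent vouches for a key the zone no longer serves,
    which is exactly the state that makes validating resolvers SERVFAIL."""
    return (
        ds_matches_dnskey(PARENT_DS, OWNER, KSK_FLAGS, PROTOCOL, ALGORITHM, OLD_KEY),
        ds_matches_dnskey(PARENT_DS, OWNER, KSK_FLAGS, PROTOCOL, ALGORITHM, NEW_KEY),
    )


if __name__ == "__main__":
    print("parent DS:", PARENT_DS)
    print("DS matches (old key, new key):", diagnose())
```

In practice the DS tuple comes from a `dig DS <zone> +dnssec` query at the parent and the DNSKEY fields from `dig DNSKEY <zone>` at the child's authoritative servers; feeding those values into `ds_matches_dnskey` shows whether the published DS corresponds to any key the zone currently serves. If none matches, the fix lies with whoever controls the DS at the registrar or registry (here, the DNS provider), not with Certbot.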

Thanks for that! I’ll forward this to my DNS provider.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.