Certificate renewal failure made the domain unusable

My domain is: api.pictalk.xyz

I ran this command: certbot certonly --webroot -w '/captain-webroot/api.pictalk.xyz' -d 'api.pictalk.xyz'

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for api.pictalk.xyz
Using the webroot path /captain-webroot/api.pictalk.xyz for all unmatched domains.
Waiting for verification...
Challenge failed for domain api.pictalk.xyz
http-01 challenge for api.pictalk.xyz
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: api.pictalk.xyz
   Type:   dns
   Detail: DNS problem: SERVFAIL looking up A for api.pictalk.xyz -
   the domain's nameservers may be malfunctioning

My web server is (include version): Docker nginx:1-alpine

The operating system my web server runs on is (include version): Ubuntu 18.04 BUT it's all dockerized

My hosting provider, if applicable, is: Digital Ocean, DNS is Namecheap

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
I'm using the very good PaaS https://caprover.com/
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): v1.6

CONTEXT:

I have had this domain up and running for 6-7 months. All was running smoothly.
But on April the 20th the renewal of the certificate occurred during Namecheap DNS maintenance. Since then I always get this error, even though I haven't changed my setup in 6 months!

What I have tried:

  • Cleaning the cache of the host machine
  • Deleting the certificate (with certbot & deleting files in the filesystem)
  • Rebooting the host machine
  • Adding the domain to another container and testing whether a certificate could be created (it couldn't)
  • Waiting for DNS changes ... (api.pictalk.xyz has the right IP address)

Link to my GitHub issue on CapRover:

https://github.com/caprover/caprover/issues/1089

2021-04-21 15:33:43,802:DEBUG:certbot._internal.main:certbot version: 1.6.0
2021-04-21 15:33:43,803:DEBUG:certbot._internal.main:Arguments: ['--webroot', '-w', '/captain-webroot/api.pictalk.xyz', '-d', 'api.pictalk.xyz']
2021-04-21 15:33:43,803:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-04-21 15:33:43,822:DEBUG:certbot._internal.log:Root logging level set at 20
2021-04-21 15:33:43,822:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-04-21 15:33:43,824:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2021-04-21 15:33:43,828:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7f611448fdc0>
Prep: True
2021-04-21 15:33:43,828:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7f611448fdc0> and installer None
2021-04-21 15:33:43,828:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2021-04-21 15:33:43,833:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/87421455', new_authzr_uri=None, terms_of_service=None), 8d0903c7c3ce2aa9f22fe6ae92185270, Meta(creation_dt=datetime.datetime(2020, 5, 29, 11, 13, 31, tzinfo=<UTC>), creation_host='ef55cb490d00', register_to_eff=None))>
2021-04-21 15:33:43,833:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-04-21 15:33:43,835:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-04-21 15:33:44,348:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2021-04-21 15:33:44,348:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 21 Apr 2021 15:33:44 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "mj7EeLJ2PFY": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2021-04-21 15:33:44,397:INFO:certbot._internal.main:Obtaining a new certificate
2021-04-21 15:33:44,634:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/7506_key-certbot.pem
2021-04-21 15:33:44,710:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/7506_csr-certbot.pem
2021-04-21 15:33:44,711:DEBUG:acme.client:Requesting fresh nonce
2021-04-21 15:33:44,711:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2021-04-21 15:33:44,838:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2021-04-21 15:33:44,839:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 21 Apr 2021 15:33:44 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0104ilHW92xuqs96G6iwQwizjmSDIQXvwe7oOMm24n8zYjk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2021-04-21 15:33:44,839:DEBUG:acme.client:Storing nonce: 0104ilHW92xuqs96G6iwQwizjmSDIQXvwe7oOMm24n8zYjk
2021-04-21 15:33:44,839:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "api.pictalk.xyz"\n    }\n  ]\n}'
2021-04-21 15:33:44,841:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvODc0MjE0NTUiLCAibm9uY2UiOiAiMDEwNGlsSFc5Mnh1cXM5Nkc2aXdRd2l6am1TRElRWHZ3ZTdvT01tMjRuOHpZamsiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9",
  "signature": "R54Z5JgoTQ10nIxwcyy8ETyWSEWSRp6XlZ9faJ_JPA86u4SN2qhtLKUTGE068vMJD8D0bT00XTK3UaUk7JxLBzCO5ow8FhxP6ZGFSE03RI2w3fuTZoSD-_DnKyBuM3b_lTSIapiCMYYrq52kgO309J3wbPQIsxY4IQS0P1QVGgCB9Tx6zoB1x6gy7d6dactLxkx082j7FQ9a3TBtMKW0FP3mtkftvoCEMy3kOrbDiyu4nzwsXxstXxY9SpseeJrtP7_9cMW0WMBkhL7u2zWusHFtHa1iMryxmbv8Zi1gTS4i3DsiYj2p-uLsnK83ET0u2-Hk71xzK_qpL3cqcP7QHA",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImFwaS5waWN0YWxrLnh5eiIKICAgIH0KICBdCn0"
}
2021-04-21 15:33:45,113:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 336
2021-04-21 15:33:45,114:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Wed, 21 Apr 2021 15:33:45 GMT
Content-Type: application/json
Content-Length: 336
Connection: keep-alive
Boulder-Requester: 87421455
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/87421455/9206777412
Replay-Nonce: 0104qFaIDN5xzNEU7elu_gcrGGfieOACPHsxJ2ReaGifNi8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2021-04-28T15:33:45Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "api.pictalk.xyz"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/12512922097"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/87421455/9206777412"
}
2021-04-21 15:33:45,114:DEBUG:acme.client:Storing nonce: 0104qFaIDN5xzNEU7elu_gcrGGfieOACPHsxJ2ReaGifNi8
2021-04-21 15:33:45,115:DEBUG:acme.client:JWS payload:
b''
2021-04-21 15:33:45,116:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/12512922097:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvODc0MjE0NTUiLCAibm9uY2UiOiAiMDEwNHFGYUlETjV4ek5FVTdlbHVfZ2NyR0dmaWVPQUNQSHN4SjJSZWFHaWZOaTgiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzEyNTEyOTIyMDk3In0",
  "signature": "37KuBUeWHuFBrzQaGxHTgE2gdoC_1WQMOZIT2bVXWn0KS9SVkUQ6GpIs497c8LvZpUQ6qrYta1vMpxF8FLjvyiiR4yFaACqof7z5yMQzIRJnUNdKP2o09yM5UrQhfaH6WOZzSDTkmAiyKDovhZ67o6_Aiat6FJkkG8m5I-rVkbdk0ha0j6jQfE2XDckN1Br8AUVv6Kk5BnnPBA4zxD9Sp8Bg1sOp-S0X6J-wCnH7B0SqiubD7vX7C-fV4ONbMEuBJuRKoEEUS69yVsY1nPgFP0Fra1-jA72GKKD_P7hToFdYwE4mLemKBl4szwQUFGCmPlADNU1ovQM6680EgrXbeg",
  "payload": ""
}
2021-04-21 15:33:45,270:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/12512922097 HTTP/1.1" 200 796
2021-04-21 15:33:45,271:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 21 Apr 2021 15:33:45 GMT
Content-Type: application/json
Content-Length: 796
Connection: keep-alive
Boulder-Requester: 87421455
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0104Iyr1Gix9F3UZYQ3ednV3D0JtG4xELHJpCX0yFvJaMDQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "api.pictalk.xyz"
  },
  "status": "pending",
  "expires": "2021-04-28T15:33:45Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/12512922097/aZVukg",
      "token": "6miqCOUaAcsZv1_wmr8ugF9F9GPLRdlm3QfFot58m9c"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/12512922097/U4d9Zw",
      "token": "6miqCOUaAcsZv1_wmr8ugF9F9GPLRdlm3QfFot58m9c"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/12512922097/MI2hcA",
      "token": "6miqCOUaAcsZv1_wmr8ugF9F9GPLRdlm3QfFot58m9c"
    }
  ]
}
2021-04-21 15:33:45,271:DEBUG:acme.client:Storing nonce: 0104Iyr1Gix9F3UZYQ3ednV3D0JtG4xELHJpCX0yFvJaMDQ
2021-04-21 15:33:45,272:INFO:certbot._internal.auth_handler:Performing the following challenges:
2021-04-21 15:33:45,273:INFO:certbot._internal.auth_handler:http-01 challenge for api.pictalk.xyz
2021-04-21 15:33:45,274:INFO:certbot._internal.plugins.webroot:Using the webroot path /captain-webroot/api.pictalk.xyz for all unmatched domains.
2021-04-21 15:33:45,275:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /captain-webroot/api.pictalk.xyz/.well-known/acme-challenge
2021-04-21 15:33:45,278:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /captain-webroot/api.pictalk.xyz/.well-known/acme-challenge/6miqCOUaAcsZv1_wmr8ugF9F9GPLRdlm3QfFot58m9c
2021-04-21 15:33:45,278:INFO:certbot._internal.auth_handler:Waiting for verification...
2021-04-21 15:33:45,279:DEBUG:acme.client:JWS payload:
b'{}'
2021-04-21 15:33:45,281:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/12512922097/aZVukg:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvODc0MjE0NTUiLCAibm9uY2UiOiAiMDEwNEl5cjFHaXg5RjNVWllRM2VkblYzRDBKdEc0eEVMSEpwQ1gweUZ2SmFNRFEiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLXYzLzEyNTEyOTIyMDk3L2FaVnVrZyJ9",
  "signature": "MUBPjfaQU5fHaNYD5qimjneRfSypC8Ef7zQPSlzQC25mAXeBCzS3Cg5jh6RAQoZ6Dt13LnX1UjWPY4HPPilF85TUvXMV3Ci4bWEZ113TrqrxprGcDA7Mzlu31pRVYFuRpN8F3sQ7okcZGzTrzT6uNDyWG3RqjetN1-IcDBlC40X7jyk2wg7T16SBozWAzgWvLYEfZ31W4fEjxuUWYFyLPeWNfxwjxcQtY70TfGLVolfK5wdUcTZCG1c4uWdrnLZYVZHKEvb1rZyrb7xi7xfdAPvJUhDf9fOgnEDsI_OxBv4oCF4pHjFuIC_QlEeLbyydNwno4FquRCVvdez6MW1gig",
  "payload": "e30"
}
2021-04-21 15:33:45,448:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/12512922097/aZVukg HTTP/1.1" 200 186
2021-04-21 15:33:45,449:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 21 Apr 2021 15:33:45 GMT
Content-Type: application/json
Content-Length: 186
Connection: keep-alive
Boulder-Requester: 87421455
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/12512922097>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/12512922097/aZVukg
Replay-Nonce: 0103DLGRiZawAbHxUTfQza2UJA8ndiiQghjCc0aSvTGPfac
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/12512922097/aZVukg",
  "token": "6miqCOUaAcsZv1_wmr8ugF9F9GPLRdlm3QfFot58m9c"
}
2021-04-21 15:33:45,449:DEBUG:acme.client:Storing nonce: 0103DLGRiZawAbHxUTfQza2UJA8ndiiQghjCc0aSvTGPfac
2021-04-21 15:33:46,451:DEBUG:acme.client:JWS payload:
b''
2021-04-21 15:33:46,453:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/12512922097:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvODc0MjE0NTUiLCAibm9uY2UiOiAiMDEwM0RMR1JpWmF3QWJIeFVUZlF6YTJVSkE4bmRpaVFnaGpDYzBhU3ZUR1BmYWMiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzEyNTEyOTIyMDk3In0",
  "signature": "g2irYDHhPSMP-sBeFFNlrYSXomYZ3_5W7gY0YrM6jOsff6ecDwCDYiHCGvb-30xRhvP2b_Yjh830Rrpk2SG-9pbX-AcOdWllg1gpMCTfveWaQ0ahqyarvWmpGwXdKa1H2KuO0fxRZrnBVT2DUFIXLH5aYtoZCcWrpE-yfMFrY7d7lZw68HtUJ4z48l_V5H9nD3TM6CNWp17I2ZM8YDIs010GxP4HooRnm_Sd40UkmQVNBi4eojcOy7hWHT1fsOw3Cpr9C92hSQlySjOfEZsluQ9lsuk2DNb60gUPyEgUcxB-6lEvtpeO9CXvNHss5JniV-OhLv0o_lNCD7pcpfcEKg",
  "payload": ""
}
2021-04-21 15:33:46,608:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/12512922097 HTTP/1.1" 200 635
2021-04-21 15:33:46,608:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 21 Apr 2021 15:33:46 GMT
Content-Type: application/json
Content-Length: 635
Connection: keep-alive
Boulder-Requester: 87421455
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0104ev7kv9dhWnllBhCkiE45ejfUU8SOEX0rUofQzA8sYB0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "api.pictalk.xyz"
  },
  "status": "invalid",
  "expires": "2021-04-28T15:33:45Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "DNS problem: SERVFAIL looking up A for api.pictalk.xyz - the domain's nameservers may be malfunctioning",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/12512922097/aZVukg",
      "token": "6miqCOUaAcsZv1_wmr8ugF9F9GPLRdlm3QfFot58m9c",
      "validated": "2021-04-21T15:33:45Z"
    }
  ]
}
2021-04-21 15:33:46,608:DEBUG:acme.client:Storing nonce: 0104ev7kv9dhWnllBhCkiE45ejfUU8SOEX0rUofQzA8sYB0
2021-04-21 15:33:46,609:WARNING:certbot._internal.auth_handler:Challenge failed for domain api.pictalk.xyz
2021-04-21 15:33:46,610:INFO:certbot._internal.auth_handler:http-01 challenge for api.pictalk.xyz
2021-04-21 15:33:46,611:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:

Domain: api.pictalk.xyz
Type:   dns
Detail: DNS problem: SERVFAIL looking up A for api.pictalk.xyz - the domain's nameservers may be malfunctioning
2021-04-21 15:33:46,611:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/src/certbot/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/certbot/src/certbot/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2021-04-21 15:33:46,611:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-04-21 15:33:46,611:INFO:certbot._internal.auth_handler:Cleaning up challenges
2021-04-21 15:33:46,612:DEBUG:certbot._internal.plugins.webroot:Removing /captain-webroot/api.pictalk.xyz/.well-known/acme-challenge/6miqCOUaAcsZv1_wmr8ugF9F9GPLRdlm3QfFot58m9c
2021-04-21 15:33:46,612:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2021-04-21 15:33:46,613:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
    load_entry_point('certbot', 'console_scripts', 'certbot')()
  File "/opt/certbot/src/certbot/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1353, in main
    return config.func(config, plugins)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1237, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/certbot/src/certbot/certbot/_internal/client.py", line 418, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/certbot/src/certbot/certbot/_internal/client.py", line 351, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/certbot/src/certbot/certbot/_internal/client.py", line 398, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/certbot/src/certbot/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/certbot/src/certbot/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2021-04-21 15:33:46,614:ERROR:certbot._internal.log:Some challenges have failed.
1 Like

Welcome to the Let's Encrypt Community, Alexandros :slightly_smiling_face:

In this case, the certificate renewal seems to have actually helped identify a problem with the nameservers for your domain name. In fact, the nameservers are so broken that I can't even identify them with dig.

Fortunately, JuergenAuer has identified the cause of the problem and provided a solution below.

1 Like

Yet curiously, I can reach api.pictalk.xyz with redirect-checker via both http and https.

It looks like your DNS hosting is through Namecheap and you are also using DigitalOcean. You might find the following helpful:

Hi @Ratatinator97

That result is expected; see your check, created yesterday: api.pictalk.xyz - Make your website better - DNS, redirects, mixed content, certificates


You use DNSSEC, a DS RR exists in the parent zone. But there is no matching DNSKEY, so there is no chain of trust.

That's a ServFail.

Refresh your DNSSEC or remove it.

2 Likes

Thanks for the assist, @JuergenAuer! Curiously, MXToolBox didn't identify this issue. :confused:

@JuergenAuer

So do some services just ignore the DNSSEC issue? I'm curious because two of the methods I tried did retrieve working A records.

That's curious because I have it disabled: [screenshot]

1 Like

That's strange because I don't use DigitalOcean's DNS... All worked fine until the renewal!

1 Like

That's not curious, that's expected.

If you use DNSSEC with your old DNS provider and then change your provider without activating DNSSEC, the old DS exists. But no matching DNSKEY.

That's exactly your error message.

Enable it, wait, disable it (or leave it enabled, it's an amazing feature).

2 Likes

So I just activated and de-activated the DNSSEC option. I'm going to wait some hours until the changes take effect.

1 Like

I see a lot around here of people who say "Let's Encrypt can't find my IP" when really it's "Anybody using DNSSEC can't find my IP". But if you want an answer as to why a lot of systems aren't checking DNSSEC yet, I'm not sure what to tell you. Somehow, the technology around DNS is very slow for people to update.

1 Like

But the plot is that I never activated it... I currently use DNSCrypt on my main machine, it's awesome :slight_smile:

1 Like

Now your zone looks different - see your newest check - api.pictalk.xyz - Make your website better - DNS, redirects, mixed content, certificates

Error: DNSKEY 56064 signs DNSKEY RRset, but no confirming DS RR in the parent zone found. No chain of trust created.

A new DNSKEY is created.

Now it's required that your DNS provider updates the DS RR in the parent zone.

dig DS pictalk.xyz

shows the old DS with the 20435; the new 56064 is required.

PS: Querying the name servers directly, the new value is now visible.

dig DS pictalk.xyz @y.nic.xyz.

1 Like
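JuergenAuer's two findings above (a DS in the parent zone with no matching DNSKEY, then a new DNSKEY with no confirming DS) both come down to comparing key tags and digests between the two zones. The following is an added example, not code from the thread or from the check-your-website tool: it recomputes the RFC 4034 key tag and the SHA-256 DS digest from DNSKEY RDATA and runs the comparison over constructed sample keys (pictalk.xyz appears only as the owner name; the key material and records are made up).

```python
# Added example (not from the thread): recompute the DS <-> DNSKEY link that the
# check-your-website report verifies. Sample keys/records below are constructed.
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 257 = KSK (ZONE + SEP bits), 256 = ZSK
    protocol: int     # always 3 (RFC 4034)
    algorithm: int    # 13 = ECDSAP256SHA256, 8 = RSASHA256, ...
    public_key: bytes

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int  # 2 = SHA-256, the only digest type handled here
    digest: bytes

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: the 16-bit tag that `dig DS` prints (20435, 56064, ...)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lower-case, length-prefixed labels, root."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def make_ds(owner: str, key: DNSKEY) -> DS:
    """The DS the parent zone must publish for this DNSKEY (digest type 2 = SHA-256)."""
    digest = hashlib.sha256(owner_wire(owner) + key.rdata()).digest()
    return DS(key_tag(key.rdata()), key.algorithm, 2, digest)

def chain_of_trust(owner: str, parent_ds: list, dnskeys: list) -> list:
    """Return [] when the delegation validates, else why not. No DS at all is an
    unsigned delegation (no error); with DS present, one DS must digest-match a
    zone DNSKEY, and a DS matching no key is the thread's 'no chain of trust'."""
    if not parent_ds:
        return []
    problems = []
    for ds in parent_ds:
        same_tag = [k for k in dnskeys
                    if key_tag(k.rdata()) == ds.key_tag and k.algorithm == ds.algorithm]
        if any(make_ds(owner, k).digest == ds.digest for k in same_tag):
            return []  # one valid DS -> DNSKEY link is enough for validating resolvers
        problems.append(f"DS {ds.key_tag} in parent zone matches no DNSKEY of {owner}")
    # KSKs (SEP bit) that no DS anchors: the 'new DNSKEY, old DS' state of the thread
    for k in dnskeys:
        if k.flags & 1 and all(d.key_tag != key_tag(k.rdata()) for d in parent_ds):
            problems.append(f"DNSKEY {key_tag(k.rdata())} signs the zone but has no DS in the parent")
    return problems

# Constructed sample: the parent still holds the DS of the old KSK, the zone now
# serves only a new KSK. Real key material would be random, not bytes(range(...)).
OWNER = "pictalk.xyz"
OLD_KSK = DNSKEY(257, 3, 13, bytes(range(64)))
NEW_KSK = DNSKEY(257, 3, 13, bytes(range(64, 128)))
STALE_DS = [make_ds(OWNER, OLD_KSK)]

if __name__ == "__main__":
    for line in chain_of_trust(OWNER, STALE_DS, [NEW_KSK]):
        print(line)
```

A validating resolver that hits the first problem answers SERVFAIL, which is the error Let's Encrypt reported; a non-validating resolver ignores the DS and still returns the A record, which is why the other checkers kept working.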

Much like IPv6 support. Coming to a server soon near you (in the fall of 2095).

1 Like

I just activated DNSSEC to see what happens :sweat_smile:

1 Like

Very strange, I'll definitely take a look at it!

1 Like

https://dnssec-analyzer.verisignlabs.com/api.pictalk.xyz Working now!

1 Like

Yep - rechecked your domain - api.pictalk.xyz - Make your website better - DNS, redirects, mixed content, certificates - now it's green.


2 Likes