Certificate renewal simulation using certbot 1.21.0 windows failed

My domain is: mis.integragroup-indonesia.com

I ran this command: certbot renew --dry-run -v

It produced this output:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing C:\Certbot\renewal\mis.integragroup-indonesia.com-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Simulating renewal of an existing certificate for mis.integragroup-indonesia.com
Performing the following challenges:
http-01 challenge for mis.integragroup-indonesia.com
A web.config file has not been created in c:\inetpub\wwwroot\.well-known\acme-challenge because another one already exists.
Waiting for verification...
Challenge failed for domain mis.integragroup-indonesia.com
http-01 challenge for mis.integragroup-indonesia.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: mis.integragroup-indonesia.com
  Type:   dns
  Detail: DNS problem: query timed out looking up A for mis.integragroup-indonesia.com; DNS problem: query timed out looking up AAAA for mis.integragroup-indonesia.com

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Not cleaning up the web.config file in c:\inetpub\wwwroot\.well-known\acme-challenge because it is not generated by Certbot.
Failed to renew certificate mis.integragroup-indonesia.com-0001 with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing C:\Certbot\renewal\mis.integragroup-indonesia.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Simulating renewal of an existing certificate for mis.integragroup-indonesia.com
Performing the following challenges:
http-01 challenge for mis.integragroup-indonesia.com
A web.config file has not been created in c:\inetpub\wwwroot\.well-known\acme-challenge because another one already exists.
Waiting for verification...
Challenge failed for domain mis.integragroup-indonesia.com
http-01 challenge for mis.integragroup-indonesia.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: mis.integragroup-indonesia.com
  Type:   dns
  Detail: DNS problem: query timed out looking up A for mis.integragroup-indonesia.com; DNS problem: query timed out looking up AAAA for 
          mis.integragroup-indonesia.com

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve 
      their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Not cleaning up the web.config file in c:\inetpub\wwwroot\.well-known\acme-challenge because it is not generated by Certbot.
Failed to renew certificate mis.integragroup-indonesia.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  C:\Certbot\live\mis.integragroup-indonesia.com-0001\fullchain.pem (failure)
  C:\Certbot\live\mis.integragroup-indonesia.com\fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 renew failure(s), 0 parse failure(s)

My web server is (include version): IIS 8

The operating system my web server runs on is (include version): Windows Server 2012

My hosting provider, if applicable, is: self-hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0

Welcome @dav

Looks like you have a DNS problem. I don't know enough about this DNS issue to help but you should review the errors shown here:
https://dnsviz.net/d/mis.integragroup-indonesia.com/dnssec/

Let's Encrypt uses a method for DNS lookup similar to this, so you can use this too:
https://unboundtest.com/m/A/mis.integragroup-indonesia.com/EREJ2SHO

3 Likes

It seems like all four authoritative DNS servers are behind some sort of GeoProtection device.
Just about the craziest thing I've seen today - blocking DNS servers from getting DNS requests!

2 Likes
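
An added example, not part of the original thread or of Certbot: a small parser for the "Domain / Type / Detail" block in the renewal output above. It rejoins console-wrapped lines and triages on the error type, which here is dns even though the Hint talks about the webroot. The function names and the advice strings are assumptions made for illustration.

```python
import re

# Constructed sample: the failure block from the post, including the console
# wrap that split the hostname across two lines.
SAMPLE = """\
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: mis.integragroup-indonesia.com
  Type:   dns
  Detail: DNS problem: query timed out looking up A for mis.integragroup-indonesia.com; DNS problem: query timed out looking up AAAA for mis.integragr
oup-indonesia.com

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot.
"""

# Illustrative triage hints keyed on the ACME error type (RFC 8555, section 6.7).
ADVICE = {
    "dns": "CA could not resolve the name; check authoritative DNS reachability, not the webroot",
    "connection": "CA resolved the name but could not connect; check firewall and port 80",
    "unauthorized": "CA got a response but not the expected one; check webroot path and rewrites",
}
FIELD = re.compile(r"^\s*(Domain|Type|Detail):\s*(.*)$")

def parse_failures(text):
    """Return one dict per Domain/Type/Detail block, rejoining wrapped lines."""
    failures, current, last = [], None, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not line.strip():
            last = None                      # a blank line ends the block
        elif m:
            key, value = m.group(1).lower(), m.group(2)
            if key == "domain":
                current = {"domain": value}
                failures.append(current)
            elif current is None:
                continue                     # stray field with no Domain line
            else:
                current[key] = value
            last = key
        elif current is not None and last:
            if line[0].isspace():            # indented continuation: join with a space
                current[last] = current[last].rstrip() + " " + line.strip()
            else:                            # hard console wrap: join mid-word
                current[last] += line.strip()
    return [{k: v.strip() for k, v in f.items()} for f in failures]

def triage(text):
    """Return (domain, type, advice) for every failure block in the output."""
    return [(f["domain"], f.get("type"), ADVICE.get(f.get("type"), "see Detail"))
            for f in parse_failures(text)]
```
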
