Certification failed when trying to get certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: api.rajshriplastiwood.com

I ran this command: sudo certbot --nginx -d api.rajshriplastiwood.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Requesting a certificate for api.rajshriplastiwood.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: api.rajshriplastiwood.com
Type: dns
Detail: DNS problem: query timed out looking up A for api.rajshriplastiwood.com; DNS problem: query timed out looking up AAAA for api.rajshriplastiwood.com

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx/1.24.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 24 LTS

My hosting provider, if applicable, is: Hostinger

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.8.0

Some additional info:

Lets encrypt logs: https://termbin.com/5k3y
Output from curl -i api.rajshriplastiwood.com/.well-known/acme-challenge/Test123:

HTTP/1.1 404 NOT FOUND
Server: nginx/1.24.0 (Ubuntu)
Date: Thu, 03 Jul 2025 16:50:39 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 207
Connection: keep-alive
Access-Control-Allow-Origin: *

<!doctype html>
<html lang=en>
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Welcome to the Let's Encrypt Community! :slightly_smiling_face:

Google is seeing an A record... :thinking:

id 47342
opcode QUERY
rcode NOERROR
flags QR RD RA
;QUESTION
api.rajshriplastiwood.com. IN A
;ANSWER
api.rajshriplastiwood.com. 14392 IN A 31.97.61.130
;AUTHORITY
;ADDITIONAL
id 22273
opcode QUERY
rcode NOERROR
flags QR RD RA
;QUESTION
api.rajshriplastiwood.com. IN AAAA
;ANSWER
;AUTHORITY
rajshriplastiwood.com. 1800 IN SOA ns1.phpcloudserver.com. asheeshrathore.pnpuniverse.com. 2025070116 3600 1800 1209600 86400
;ADDITIONAL
2 Likes

The response from the nameservers is rather slow.

2 Likes

Looks like some of the DNS servers aren't working, and/or the delegation is wrong.

4 Likes

I concur, @petercooperjr.

2 Likes

Sorry, I'm a bit new to this. What can/should I do?
I've been waiting for 2 days for it to propagate.

There's nothing to "propagate", but you need your domain name to be working before you can get a certificate (or before anyone can access your web site).

The .com nameservers say that your DNS server is ns1.phpcloudserver.com & ns2.phpcloudserver.com which are both (!) at 192.177.75.10. But that IP isn't actually responding.

What you should do is configure your DNS servers with your registrar, and ensure that any glue records needed are correct. But we don't know what your correct configuration is supposed to be.

4 Likes

The domain name correctly points to the API and is working in the browser.
I'm using cPanel to manage my domain, I tried reading the record.

I tried checking on: DNS Checker - DNS Check Propagation Tool

A lot of them are invalid, I'm unsure why.

The problem seems to be that ns1.phpcloudserver.com etc are not responding to UDP queries like a normal DNS server would (but they are answering on TCP). You could raise this with them (assuming you are not the administrator) or you could move to a different DNS provider like cloudflare etc.

[edit: ah yep, one of the "glue" records is a private IP]

2 Likes

Probably because of the wrong "glue" records, as Peter noted earlier. From the DNSviz link he posted:

For example, using the IP address for your ns1 name server works. But using the IP in the glue record fails. This is the first thing you should fix.

# Using IP in glue record
dig +noall +answer A api.rajshriplastiwood.com @192.177.75.10
;; communications error to 192.177.75.10#53: timed out
;; communications error to 192.177.75.10#53: timed out
;; communications error to 192.177.75.10#53: timed out
;; no servers could be reached

# Using IP from DNS for ns1.phpcloudserver.com
dig +noall +answer A api.rajshriplastiwood.com @103.131.24.11
api.rajshriplastiwood.com. 14400 IN     A       31.97.61.130

You can easily reproduce this DNS query problem using https://unboundtest.com

4 Likes
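The delegation checks the replies above walk through by hand (glue that disagrees with what the NS name resolves to, a glue address that is private, a server that times out on UDP but answers on TCP, every NS name sitting on one address) as a small checker. This is an added example, not code from any poster, Certbot or Let's Encrypt; its inputs are the kind of data `dig` returns, constructed here to mirror the thread, and the probe outcomes are assumed.

```python
import ipaddress


def glue_findings(delegation, resolved_ns, probes, expected_a):
    """Return a list of delegation problems, in the order they were found.

    delegation : {ns_name: glue_ip} as the parent (.com) servers hand it out
    resolved_ns: {ns_name: ip} from an ordinary recursive lookup of each NS name
    probes     : {(ip, "udp" | "tcp"): answer_ip or None}  (None = timed out)
    expected_a : the A record the zone should serve for the name under test
    """
    findings, seen = [], set()
    for ns, glue_ip in delegation.items():
        addr = ipaddress.ip_address(glue_ip)
        if addr.is_private or addr.is_loopback or addr.is_reserved:
            findings.append(f"{ns}: glue {glue_ip} is not a routable public address")
        real = resolved_ns.get(ns)
        if real and real != glue_ip:
            findings.append(f"{ns}: glue says {glue_ip} but the name resolves to {real}")
        for ip in (glue_ip, real):  # probe each distinct address once
            if ip is None or ip in seen:
                continue
            seen.add(ip)
            udp, tcp = probes.get((ip, "udp")), probes.get((ip, "tcp"))
            if udp is None and tcp is None:
                findings.append(f"{ip}: no answer on UDP or TCP (down or firewalled)")
            elif udp is None:
                findings.append(f"{ip}: answers on TCP only; UDP/53 is blocked, "
                                "so resolvers (and the CA) will time out")
            elif udp != expected_a:
                findings.append(f"{ip}: served {udp} instead of {expected_a}")
    if len(delegation) > 1 and len(set(delegation.values())) == 1:
        only = next(iter(delegation.values()))
        findings.append(f"all name servers share one address {only} (single point of failure)")
    return findings


# Constructed sample modelled on the thread: the three IPs are the ones quoted in the
# posts, the probe outcomes (glue IP silent on both transports) are assumed.
SAMPLE_DELEGATION = {"ns1.phpcloudserver.com.": "192.177.75.10",
                     "ns2.phpcloudserver.com.": "192.177.75.10"}
SAMPLE_RESOLVED = {"ns1.phpcloudserver.com.": "103.131.24.11",
                   "ns2.phpcloudserver.com.": "103.131.24.11"}
SAMPLE_PROBES = {("192.177.75.10", "udp"): None, ("192.177.75.10", "tcp"): None,
                 ("103.131.24.11", "udp"): "31.97.61.130",
                 ("103.131.24.11", "tcp"): "31.97.61.130"}

if __name__ == "__main__":
    for line in glue_findings(SAMPLE_DELEGATION, SAMPLE_RESOLVED, SAMPLE_PROBES, "31.97.61.130"):
        print("-", line)
```

The inputs come from `dig NS <zone> @<a .com server>` (glue is in the ADDITIONAL section), a plain `dig A <ns name>`, and `dig A <name> @<ip>` with and without `+tcp`.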