Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
Hi Steve,
Now I have this:
blank to select all options shown (Enter 'c' to cancel): 2
Cert is due for renewal, auto-renewing...
Renewing an existing certificate for fenixapi.tecnoeste.net
Performing the following challenges:
http-01 challenge for fenixapi.tecnoeste.net
Waiting for verification...
Challenge failed for domain fenixapi.tecnoeste.net
http-01 challenge for fenixapi.tecnoeste.net
Cleaning up challenges
Some challenges have failed.
@lestaff Could these DNS incidents be related to the current IPv6 issue or is this an unrelated thing we're seeing for the second time today now, perhaps pointing to a different issue at Let's Encrypt regarding DNS? In this case it seems to be only a single hostname having issues.
No. I think the issue is, he has four nameservers listed in the NS zone (at least so according to online DNS checker), but the other two are missing from WHOIS.
And looking at @JuergenAuer, those four are on the same IP...
It's just amazing
P.S. @JuergenAuer: is there any chance you can improve the UI a bit?... It looks weird on mobile devices.
Fatal: Inconsistency between delegation and zone. The set of NS records served by the authoritative name servers must match those proposed for the delegation in the parent zone.: ns1.basepro.com.br (200.98.29.100): Delegation: ns1.basepro.com.br, ns2.basepro.com.br, Zone: ns3.basepro.net, ns4.basepro.net. Name Servers defined in Delegation, missing in Zone: ns1.basepro.com.br, ns2.basepro.com.br. Name Servers defined in Zone, missing in Delegation: ns3.basepro.net, ns4.basepro.net.
But Let's Encrypt doesn't check the zone name servers, only the delegation.
So such a configuration is bad - but not relevant to Let's Encrypt. A lot of domains have that error - with LE certificates.
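The delegation-versus-zone comparison reported in the post above can be reproduced offline from saved NS answers. This is an added example, not part of the thread or of any tool mentioned in it; the zone name tecnoeste.net, the TTLs and the dig-style record layout are assumptions, while the name-server names are the ones in the report.

```python
import re

# Constructed sample input in dig-style presentation format.
# Name-server names come from the report above; the zone name
# tecnoeste.net and the TTL values are assumptions.
PARENT_REFERRAL = """\
tecnoeste.net.  172800  IN  NS  ns1.basepro.com.br.
tecnoeste.net.  172800  IN  NS  NS2.basepro.com.br.
"""
ZONE_APEX_ANSWER = """\
; answer returned by one of the authoritative servers
tecnoeste.net.  3600  IN  NS  ns3.basepro.net.
tecnoeste.net.  3600  IN  NS  ns4.basepro.net.
"""

# owner [ttl] [IN] NS target
NS_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?NS\s+(\S+)\s*$", re.I)


def ns_set(text, zone):
    """Return the normalized NS targets that `text` lists for `zone`."""
    zone = zone.rstrip(".").lower()
    found = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blanks
        m = NS_LINE.match(line)
        # DNS names are case-insensitive; ignore the trailing root dot.
        if m and m.group(1).rstrip(".").lower() == zone:
            found.add(m.group(2).rstrip(".").lower())
    return found


def compare(zone, parent_text, child_text):
    """Compare the parent's delegation NS set with the zone's own NS set."""
    delegation = ns_set(parent_text, zone)
    served = ns_set(child_text, zone)
    return {
        "consistent": bool(delegation) and delegation == served,
        "only_in_delegation": sorted(delegation - served),
        "only_in_zone": sorted(served - delegation),
    }


if __name__ == "__main__":
    result = compare("tecnoeste.net", PARENT_REFERRAL, ZONE_APEX_ANSWER)
    for key, value in result.items():
        print(f"{key}: {value}")
```
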
Yes, that's possible, but the workaround that's now in place should have fixed this. If that error message is from before we put the workaround in place, please try again.
Hi James,
Still getting this.
blank to select all options shown (Enter 'c' to cancel): 2
Cert is due for renewal, auto-renewing...
Renewing an existing certificate for fenixapi.tecnoeste.net
Performing the following challenges:
http-01 challenge for fenixapi.tecnoeste.net
Waiting for verification...
Challenge failed for domain fenixapi.tecnoeste.net
http-01 challenge for fenixapi.tecnoeste.net
Cleaning up challenges
Some challenges have failed.
Hmm, then it's probably not the known IPv6 issue. Maybe this?
It's interesting that the first errors you reported didn't include During secondary validation, but your most recent error did. That indicates that, at various times, it's been different parts of our validation service that have had trouble reaching you.
We should set up some tooling to make it easy for us (or a community member) to test this idea by sending simultaneous queries for A, AAAA, and CAA from N different sites to a specific authoritative server and see if we get throttled.
blank to select all options shown (Enter 'c' to cancel): 2
Cert is due for renewal, auto-renewing...
Renewing an existing certificate for fenixapi.tecnoeste.net
Performing the following challenges:
http-01 challenge for fenixapi.tecnoeste.net
Waiting for verification...
Challenge failed for domain fenixapi.tecnoeste.net
http-01 challenge for fenixapi.tecnoeste.net
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: fenixapi.tecnoeste.net
Type: dns
Detail: During secondary validation: DNS problem: SERVFAIL looking
up A for fenixapi.tecnoeste.net - the domain's nameservers may be
malfunctioning
I cleaned up the DNS settings, removed the A and CAA records and recreated them, removed the Apache rewrite options, and now I could renew the certificate.
Thanks for the quick help!
blank to select all options shown (Enter 'c' to cancel): 2
Cert is due for renewal, auto-renewing...
Renewing an existing certificate for fenixapi.tecnoeste.net
Performing the following challenges:
http-01 challenge for fenixapi.tecnoeste.net
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/httpd/conf.d/fenixapi-le-ssl.conf
Redirecting vhost in /etc/httpd/conf.d/fenixapi.conf to ssl vhost in /etc/httpd/conf.d/fenixapi-le-ssl.conf
Your existing certificate has been successfully renewed, and the new certificate
has been installed.
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/fenixapi.tecnoeste.net/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/fenixapi.tecnoeste.net/privkey.pem
Your certificate will expire on 2021-07-05. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again with the "certonly" option. To non-interactively
renew all of your certificates, run "certbot renew"
If you like Certbot, please consider supporting our work by: