The operating system my web server runs on is (include version):
Apache
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.9
I have been trying to renew multiple certs on various servers today. On the first server (on which I have been using certbot for years) only 80% of the domains renewed, and the rest kept saying the domain checks couldn't find the domains. I kept running the renew command and eventually it found the domain records, despite me changing nothing. I have never encountered this problem before. The stated domain above could not renew as the number of retries for that domain has now hit a limit.
I have now gone onto a completely different server that is totally unconnected to the first server and I am again getting errors saying the domain cannot be reached. This is after installing a new cert, which takes about 30 mins for the acme challenge - I now have to start this all over again with no guarantee the domain will be found!
Clearly something is going wrong with the domain lookups on your end; there are no issues with any of my domains and I have run so many renewals that it couldn't possibly be the same problem with all of them. I only have 11 more hours to get this server updated and it isn't looking promising, especially if your limits decide to block me for errors that are not our fault.
Can this please be sorted out asap as I have many customers relying on this working.
Well, I tried again and it went through. Essentially the problem was that certbot was checking the A and AAAA records for each domain and randomly it was not finding a positive match for the records.
Just for clarity, certbot does not do that but the Let's Encrypt server will when processing a cert request using the HTTP challenge. The LE servers use the IPs in the AAAA and/or A record, respectively, to get the challenge data from your server to validate your control of that domain.
Did you change your DNS servers recently? Because I see a mismatch of name servers for your domain. You might want to correct that and see if you get more reliability. Your registrar only has 2 name servers listed but you list 3 in your records. From the dnsviz.net test site:
co.uk to ilovesoho.co.uk: The following NS name(s) were found in the authoritative NS RRset, but not in the delegation NS RRset (i.e., in the co.uk zone): ns3.memset.com
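
An added example, not part of the thread: one way to reproduce the dnsviz check above offline by comparing the NS set the parent zone delegates to with the NS set the zone itself publishes. The function names, the zone `example.co.uk` and the `dns-host.example` name servers are constructed for illustration.

```python
# Added example: compare a zone's delegation NS set with its authoritative NS set.
# Inputs are dig-style record lines, e.g. gathered with (placeholders in <>):
#   dig +norecurse +noall +authority NS <zone> @<parent-zone name server>
#   dig +norecurse +noall +answer    NS <zone> @<one of the zone's own name servers>

def parse_ns(dig_output, zone):
    """Return the set of NS targets for `zone` found in dig-style record lines."""
    zone = zone.lower().rstrip(".")
    names = set()
    for line in dig_output.splitlines():
        fields = line.split(";", 1)[0].split()   # drop dig comments
        if len(fields) < 5:                      # owner TTL class type rdata
            continue
        owner, _ttl, rclass, rtype, target = fields[:5]
        if rclass.upper() != "IN" or rtype.upper() != "NS":
            continue
        if owner.lower().rstrip(".") != zone:    # ignore records for other names
            continue
        names.add(target.lower().rstrip("."))    # DNS names are case-insensitive
    return names

def compare_delegation(parent_output, child_output, zone):
    """Report name servers present on only one side of the delegation."""
    parent = parse_ns(parent_output, zone)
    child = parse_ns(child_output, zone)
    return {
        "only_in_child": sorted(child - parent),    # in the zone, not at the registrar
        "only_in_parent": sorted(parent - child),   # at the registrar, not in the zone
        "consistent": bool(parent) and parent == child,
    }

# Constructed sample data (not real lookups): the parent lists two name servers,
# the zone's own NS RRset lists three.
PARENT_SAMPLE = """\
example.co.uk.  172800  IN  NS  ns1.dns-host.example.
example.co.uk.  172800  IN  NS  NS2.dns-host.example.
"""
CHILD_SAMPLE = """\
; answer from one of the zone's own servers
example.co.uk.  3600  IN  NS  ns1.dns-host.example.
example.co.uk.  3600  IN  NS  ns2.dns-host.example.
example.co.uk.  3600  IN  NS  ns3.dns-host.example.
example.co.uk.  3600  IN  A   192.0.2.10
"""

if __name__ == "__main__":
    print(compare_delegation(PARENT_SAMPLE, CHILD_SAMPLE, "example.co.uk"))
```

A non-empty `only_in_child` list corresponds to the dnsviz message quoted above: a name server found in the authoritative NS RRset but not in the delegation NS RRset.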