DNS challenge fails across multiple servers

My domain is:

ilovesoho.co.uk

I ran this command:

certbot renew

It produced this output:

Challenge failed for domain ilovesoho.co.uk

My web server is (include version):

Centos 7.6

The operating system my web server runs on is (include version):

Apache

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1.9

I have been trying to renew multiple certs on various servers today. On the first server (on which I have been using certbot for years) only 80% of the domains renewed, and for the rest it kept saying the domain checks couldn't find the domains. I kept running the renew command and eventually it found the domain records, despite me changing nothing. I have never encountered this problem before. The stated domain above could not renew, as the number of retries for that domain has now hit a limit.

I have now gone onto a completely different server that is totally unconnected to the first server, and I am again getting errors saying the domain cannot be reached. This is after installing a new cert, which takes about 30 mins for the acme challenge - I now have to start this all over again with no guarantee the domain will be found!

Clearly something is going wrong with the domain lookups on your end. There are no issues with any of my domains, and I have run so many renewals that it couldn't possibly be the same problem with all of them. I only have 11 more hours to get this server updated and it isn't looking promising, especially if your limits decide to block me for errors that are not our fault.

Can this please be sorted out ASAP, as I have many customers relying on this working.

"Domain not found" or "Domain cannot be reached" are not error messages returned by Let's Encrypt so we have no idea what you are talking about.

Certbot logs could be helpful, then community members might be able to have a closer look.

6 Likes

Can you show the result of the command below? We need to see the reason for the error, not just that it failed.

certbot renew --dry-run --cert-name ilovesoho.co.uk

(dry-run will avoid running into rate limits)

Also, please show the contents of the conf file for this cert in the /etc/letsencrypt/renewal folder.

6 Likes

I tried deleting the cert, so that doesn't work anymore. You'd need the error for the install failing.

Ok, do you have that message?

6 Likes

Well, I tried again and it went through. Essentially the problem was that certbot was checking the A and AAAA records for each domain, and randomly it was not finding a positive match for the records.

Just for clarity, certbot does not do that but the Let's Encrypt server will when processing a cert request using the HTTP challenge. The LE servers use the IPs in the AAAA and/or A record, respectively, to get the challenge data from your server to validate your control of that domain.

Did you change your DNS servers recently? Because I see a mismatch of name servers for your domain. You might want to correct that and see if you get more reliability. Your registrar only has 2 name servers listed but you list 3 in your records. From the dnsviz.net test site:

co.uk to ilovesoho.co.uk: The following NS name(s) were found in the authoritative NS RRset, but not in the delegation NS RRset (i.e., in the co.uk zone): ns3.memset.com

7 Likes
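The delegation/authoritative NS disagreement that dnsviz reported above is easy to check for yourself once you have both NS RRsets in hand. The following script is an added example (not part of this thread or of certbot); it works on constructed sample data rather than querying the real co.uk delegation, and the "stale answer" from ns3 is a hypothetical scenario used to show why a server in only one of the two NS sets can make validation fail intermittently.

```python
"""Compare a zone's delegation NS set (as published by the parent zone) with its
authoritative NS set (as published by the zone itself), and flag nameservers
whose answers differ. All data below is constructed for illustration."""
from collections import Counter


def normalize(names):
    """Lower-case and add a trailing dot so 'NS3.memset.com' == 'ns3.memset.com.'."""
    return {n.lower().rstrip(".") + "." for n in names}


def ns_mismatch(delegation_ns, authoritative_ns):
    """Return (auth_only, delegation_only) as sorted lists. Resolvers may use
    either set, so any name present in only one of them is a real inconsistency."""
    deleg, auth = normalize(delegation_ns), normalize(authoritative_ns)
    return sorted(auth - deleg), sorted(deleg - auth)


def inconsistent_answers(per_server_answers):
    """Given {nameserver: set of A/AAAA answers}, return the servers whose answer
    differs from the most common one (ties resolve to the first server seen).
    A validator that happens to pick such a server fetches the challenge from
    the wrong address, which looks like 'random' failures from the outside."""
    counts = Counter(frozenset(v) for v in per_server_answers.values())
    majority = counts.most_common(1)[0][0]
    return sorted(ns for ns, ans in per_server_answers.items() if frozenset(ans) != majority)


def report(zone, parent, delegation_ns, authoritative_ns):
    """Render a dnsviz-style message for each direction of the mismatch."""
    auth_only, deleg_only = ns_mismatch(delegation_ns, authoritative_ns)
    if not auth_only and not deleg_only:
        return f"{parent} to {zone}: delegation and authoritative NS RRsets agree"
    lines = []
    if auth_only:
        lines.append(f"{parent} to {zone}: in authoritative NS RRset but not in the "
                     f"delegation NS RRset (i.e., in the {parent} zone): {', '.join(auth_only)}")
    if deleg_only:
        lines.append(f"{parent} to {zone}: in delegation NS RRset but not in the "
                     f"authoritative NS RRset: {', '.join(deleg_only)}")
    return "\n".join(lines)


# Constructed sample: the registrar lists two servers, the zone's own NS RRset lists three.
DELEGATION = ["ns1.memset.com.", "ns2.memset.com."]
AUTHORITATIVE = ["ns1.memset.com.", "ns2.memset.com.", "NS3.memset.com"]
# Constructed, hypothetical answers (RFC 5737 documentation addresses): the third
# server hands out a different A record than the two delegated servers.
ANSWERS = {"ns1.memset.com.": {"192.0.2.10"},
           "ns2.memset.com.": {"192.0.2.10"},
           "ns3.memset.com.": {"198.51.100.7"}}

if __name__ == "__main__":
    print(report("ilovesoho.co.uk", "co.uk", DELEGATION, AUTHORITATIVE))
    print("servers answering differently:", inconsistent_answers(ANSWERS))
```

In practice you would fill DELEGATION from the parent's NS records, AUTHORITATIVE from each of your own nameservers, and ANSWERS from a direct A/AAAA query against every server, then fix whichever side is out of date before retrying the challenge.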

Why?
What would that "fix"?

5 Likes

I thought it wasn't being used. It was :)

No changes, but maybe there were some host level problems.

Please show the output of:
certbot certificates

5 Likes

Certificate Name: ilovesoho.co.uk
Serial Number: 4c60793d990e8e0455514116bbc7a4409a9
Domains: ilovesoho.co.uk
Expiry Date: 2022-10-09 13:05:59+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/ilovesoho.co.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/ilovesoho.co.uk/privkey.pem

That one looks good for 88 more days.
Are there any other problems?

5 Likes