DNS error while renewing certificates

Same issue here:

cmd ran:

[root@otisspunkmeyer ~]# certbot renew --force-renewal

Attempting to renew cert (otisspunkmeyer.eu) from /etc/letsencrypt/renewal/otisspunkmeyer.eu.conf produced an unexpected error: Failed authorization procedure. www.otisspunkmeyer.eu (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for www.otisspunkmeyer.eu - the domain's nameservers may be malfunctioning, otisspunkmeyer.eu (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for otisspunkmeyer.eu - the domain's nameservers may be malfunctioning. Skipping.

**Attempting to renew cert (www.otisspunkmeyer.eu) from /etc/letsencrypt/renewal/www.otisspunkmeyer.eu.conf produced an unexpected error: Failed authorization procedure. www.otisspunkmeyer.eu (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for www.otisspunkmeyer.eu - the domain's nameservers may be malfunctioning. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/otisspunkmeyer.eu/fullchain.pem (failure)
  /etc/letsencrypt/live/www.otisspunkmeyer.eu/fullchain.pem (failure)**


IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.otisspunkmeyer.eu
   Type:   None
   Detail: DNS problem: SERVFAIL looking up A for
   www.otisspunkmeyer.eu - the domain's nameservers may be
   malfunctioning
 - The following errors were reported by the server:

   Domain: www.otisspunkmeyer.eu
   Type:   None
   Detail: DNS problem: SERVFAIL looking up A for
   www.otisspunkmeyer.eu - the domain's nameservers may be
   malfunctioning

   Domain: otisspunkmeyer.eu
   Type:   None
   Detail: DNS problem: SERVFAIL looking up A for otisspunkmeyer.eu -
   the domain's nameservers may be malfunctioning

but DNS works as expected:

octav@Octavs-MacBook-Pro  ~  dig any otisspunkmeyer.eu                                                                                                                ✔  3528  22:38:17

; <<>> DiG 9.10.6 <<>> any otisspunkmeyer.eu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8372
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;otisspunkmeyer.eu.		IN	ANY

;; ANSWER SECTION:
otisspunkmeyer.eu.	6182	IN	NS	ns24.worldnic.com.
otisspunkmeyer.eu.	6182	IN	NS	ns23.worldnic.com.
otisspunkmeyer.eu.	2582	IN	A	63.33.153.47
otisspunkmeyer.eu.	6182	IN	SOA	ns23.worldnic.com. namehost.worldnic.com. 119021209 10800 3600 604800 3600

;; Query time: 52 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Mar 03 22:38:19 EET 2020
;; MSG SIZE  rcvd: 157

 octav@Octavs-MacBook-Pro  ~  dig any www.otisspunkmeyer.eu                                                                                                            ✔  3528  22:38:19

; <<>> DiG 9.10.6 <<>> any www.otisspunkmeyer.eu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20313
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.otisspunkmeyer.eu.		IN	ANY

;; ANSWER SECTION:
www.otisspunkmeyer.eu.	3599	IN	A	63.33.153.47

;; Query time: 168 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Mar 03 22:38:23 EET 2020
;; MSG SIZE  rcvd: 66

@tribedigital I ran a quick test and it seems that while it usually works, sometimes your server times out serving the query. It seems to just be unreliable. I’d check to see if whatever is hosting that DNS is having issues, or just try again later.

2 Likes

I moved these posts to a new topic because the issues don’t seem to be related.

1 Like

This exact problem is happening to me too right now (March 3rd, 2020). I’m also on “worldnic” name servers from network solutions. So you’re probably affected by the issue being discussed in the thread below, where for some reason LetsEncrypt can’t get valid DNS responses from our DNS provider. All seems related to web.com/networksolutions.com/register.com which all tend to use these “worldnic.com” name servers.


I’m planning to move away from NetworkSolutions for many reasons, this is just the icing on the cake; they seemingly are blocking LetsEncrypt datacenters from querying your DNS records. I’d rather not have my DNS provider decide who can query my public name records.

3 Likes

FYI, the other threads say that the issue has apparently been fixed a few hours ago.

1 Like

HI, yes, can confirm that certificate was renewed.
Thank you!!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.