DNS error while renewing certificates

Same issue here:

cmd ran:

```
[root@otisspunkmeyer ~]# certbot renew --force-renewal

Attempting to renew cert (otisspunkmeyer.eu) from /etc/letsencrypt/renewal/otisspunkmeyer.eu.conf produced an unexpected error: Failed authorization procedure. www.otisspunkmeyer.eu (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for www.otisspunkmeyer.eu - the domain's nameservers may be malfunctioning, otisspunkmeyer.eu (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for otisspunkmeyer.eu - the domain's nameservers may be malfunctioning. Skipping.

Attempting to renew cert (www.otisspunkmeyer.eu) from /etc/letsencrypt/renewal/www.otisspunkmeyer.eu.conf produced an unexpected error: Failed authorization procedure. www.otisspunkmeyer.eu (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for www.otisspunkmeyer.eu - the domain's nameservers may be malfunctioning. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/otisspunkmeyer.eu/fullchain.pem (failure)
  /etc/letsencrypt/live/www.otisspunkmeyer.eu/fullchain.pem (failure)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.otisspunkmeyer.eu
   Type:   None
   Detail: DNS problem: SERVFAIL looking up A for
   www.otisspunkmeyer.eu - the domain's nameservers may be
   malfunctioning
 - The following errors were reported by the server:

   Domain: www.otisspunkmeyer.eu
   Type:   None
   Detail: DNS problem: SERVFAIL looking up A for
   www.otisspunkmeyer.eu - the domain's nameservers may be
   malfunctioning

   Domain: otisspunkmeyer.eu
   Type:   None
   Detail: DNS problem: SERVFAIL looking up A for otisspunkmeyer.eu -
   the domain's nameservers may be malfunctioning
```

but DNS works as expected:

```
octav@Octavs-MacBook-Pro ~ dig any otisspunkmeyer.eu

; <<>> DiG 9.10.6 <<>> any otisspunkmeyer.eu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8372
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;otisspunkmeyer.eu.		IN	ANY

;; ANSWER SECTION:
otisspunkmeyer.eu.	6182	IN	NS	ns24.worldnic.com.
otisspunkmeyer.eu.	6182	IN	NS	ns23.worldnic.com.
otisspunkmeyer.eu.	2582	IN	A	63.33.153.47
otisspunkmeyer.eu.	6182	IN	SOA	ns23.worldnic.com. namehost.worldnic.com. 119021209 10800 3600 604800 3600

;; Query time: 52 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Mar 03 22:38:19 EET 2020
;; MSG SIZE  rcvd: 157
```

```
octav@Octavs-MacBook-Pro ~ dig any www.otisspunkmeyer.eu

; <<>> DiG 9.10.6 <<>> any www.otisspunkmeyer.eu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20313
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.otisspunkmeyer.eu.		IN	ANY

;; ANSWER SECTION:
www.otisspunkmeyer.eu.	3599	IN	A	63.33.153.47

;; Query time: 168 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Mar 03 22:38:23 EET 2020
;; MSG SIZE  rcvd: 66
```

@tribedigital I ran a quick test and it seems that while it usually works, sometimes your server times out serving the query. It seems to just be unreliable. I’d check to see if whatever is hosting that DNS is having issues, or just try again later.

2 Likes
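The `dig` runs earlier in the thread went through 8.8.8.8, a caching recursive resolver, so they cannot show the intermittent timeouts described in the reply above. The script below is an added example, not part of the thread: it sends repeated non-recursive queries straight to each authoritative nameserver and counts how many fail. The function names (`classify_dig`, `summarize`, `probe_ns`, `probe_zone`, `demo`) and the three sample transcripts in `demo` are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: probe authoritative nameservers directly.

# Read one dig transcript on stdin; print its RCODE, or TIMEOUT if no reply.
classify_dig() {
    cd_out=$(cat)
    cd_status=$(printf '%s\n' "$cd_out" |
        sed -n 's/.*->>HEADER<<-.* status: \([A-Z]*\),.*/\1/p' | head -n 1)
    if [ -n "$cd_status" ]; then
        printf '%s\n' "$cd_status"
    elif printf '%s\n' "$cd_out" | grep -qiE 'timed out|no servers could be reached'; then
        printf 'TIMEOUT\n'
    else
        printf 'UNKNOWN\n'
    fi
}

# Read one classification per line; count everything except NOERROR as failed.
summarize() {
    awk '{ total++; if ($1 != "NOERROR") failed++ }
         END { printf "total=%d failed=%d\n", total, failed }'
}

# probe_ns NAME SERVER [COUNT]: COUNT non-recursive A queries, one try each.
probe_ns() {
    pn_i=0
    while [ "$pn_i" -lt "${3:-10}" ]; do
        dig +norecurse +tries=1 +time=3 "@$2" "$1" A 2>&1 | classify_dig
        pn_i=$((pn_i + 1))
    done
}

# probe_zone ZONE [NAME]: one summary line per nameserver listed for ZONE.
probe_zone() {
    for pz_ns in $(dig +short NS "$1"); do
        printf '%s %s\n' "$pz_ns" "$(probe_ns "${2:-$1}" "$pz_ns" | summarize)"
    done
}

# Offline self-check on constructed transcripts (not captured from the thread).
demo() {
    {
        printf ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1\n' | classify_dig
        printf ';; connection timed out; no servers could be reached\n' | classify_dig
        printf ';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2\n' | classify_dig
    } | summarize
}

if [ "$#" -gt 0 ]; then probe_zone "$@"; else demo; fi
```

Run it with a zone and, optionally, the hostname to look up (for example the zone plus its `www` name); a non-zero `failed` count for any nameserver points at the authoritative side rather than at the certificate client.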

I moved these posts to a new topic because the issues don’t seem to be related.

1 Like

This exact problem is happening to me too right now (March 3rd, 2020). I'm also on "worldnic" name servers from Network Solutions. So you're probably affected by the issue being discussed in the thread below, where for some reason Let's Encrypt can't get valid DNS responses from our DNS provider. It all seems related to web.com/networksolutions.com/register.com, which all tend to use these "worldnic.com" name servers.

I'm planning to move away from Network Solutions for many reasons; this is just the icing on the cake. They seemingly are blocking Let's Encrypt datacenters from querying your DNS records. I'd rather not have my DNS provider decide who can query my public name records.

3 Likes

FYI, the other threads say that the issue was apparently fixed a few hours ago.

1 Like

Hi, yes, I can confirm that the certificate was renewed.
Thank you!!
