DNS Issue Renewing Certificate

I have certbot installed on several servers, CentOS 6, 7 and 8. The issue only happens in CentOS 7. It just started happening about a month ago. I have tried dozens of times on multiple days in the past month and always get an issue. I have been using certbot on these servers for up to a couple of years.

I have tried everything.

• Checked Firewall (and rechecked dozens of times) and made sure off on both 1&1's end and on server (iptables)
• Updated everything on server
• Uninstalled and re-installed certbot
• Uninstalled and re-installed Bind
• Made sure Bind didn't have fetchlimit or RRL setup (which it didn't, but I specifically setup with huge limits and 0 limits, nothing helped).

Everytime it fails it is different domains it is failing on. Sometimes it fails on ALOT of domains like in the example below, and sometimes it fails on just 3-4 domains.

My domain is:
toolbelt.marketing

I ran this command:
certbot certonly --cert-name toolbelt.marketing --webroot -w /var/www/wmt1648/web -d toolbelt.marketing -w /var/www/wmt1648/web -d www.toolbelt.marketing -w /var/www/wmt1648/phpmyadmin -d mysql.toolbelt.marketing -w /var/www/wmt1648/roundcube -d mail.toolbelt.marketing -w /var/www/wmt1656/web -d attractionmarketingpro.com -w /var/www/wmt1656/web -d www.attractionmarketingpro.com -w /var/www/wmt1662/web -d emailcashclub.com -w /var/www/wmt1662/web -d www.emailcashclub.com -w /var/www/wmt1663/web -d ourhbn.com -w /var/www/wmt1663/web -d www.ourhbn.com -w /var/www/wmt1668/web -d getleadresponse.com -w /var/www/wmt1668/web -d www.getleadresponse.com -w /var/www/wmt1671/web -d cash4commodities.net -w /var/www/wmt1671/web -d www.cash4commodities.net -w /var/www/wmt1672/web -d payhostinghere.com -w /var/www/wmt1672/web -d www.payhostinghere.com -w /var/www/wmt1700/web -d newbiesonfire.com -w /var/www/wmt1700/web -d www.newbiesonfire.com -w /var/www/wmt1702/web -d vcardlistings.com -w /var/www/wmt1702/web -d www.vcardlistings.com -w /var/www/wmt1709/web -d vipcruisingclub.com -w /var/www/wmt1709/web -d www.vipcruisingclub.com -w /var/www/wmt1409/web -d smartpaysolution.com -w /var/www/wmt1409/web -d www.smartpaysolution.com -w /var/www/wmt1667/web -d invoiceprocessingsystems.com -w /var/www/wmt1667/web -d www.invoiceprocessingsystems.com -w /var/www/wmt1710/web -d buyrpmhosting.com -w /var/www/wmt1710/web -d www.buyrpmhosting.com -w /var/www/wmt1711/web -d buyrpmlicensing.com -w /var/www/wmt1711/web -d www.buyrpmlicensing.com -w /var/www/wmt1700/web -d novatosenfuego.com -w /var/www/wmt1700/web -d www.novatosenfuego.com -w /var/www/wmt1675/web -d cambodiacamping.com -w /var/www/wmt1675/web -d www.cambodiacamping.com -w /var/www/wmt1724/web -d realestatemortgagegrants.org -w /var/www/wmt1724/web -d www.realestatemortgagegrants.org -w /var/www/wmt1722/web -d fearlessentrepreneurmovement.com -w /var/www/wmt1722/web -d www.fearlessentrepreneurmovement.com -w /var/www/wmt1501/web -d funnelsondemand.com -w /var/www/wmt1501/web -d www.funnelsondemand.com -w /var/www/wmt1743/web -d textprospector.com -w /var/www/wmt1743/web -d www.textprospector.com -w /var/www/wmt1501/web -d sms.funnelsondemand.com -w /var/www/wmt1677/web -d cultivatingdemand.com -w /var/www/wmt1677/web -d www.cultivatingdemand.com -w /var/www/wmt1748/web -d iperegistration.com -w /var/www/wmt1748/web -d www.iperegistration.com -w /var/www/wmt1749/web -d payipehosting.com -w /var/www/wmt1749/web -d www.payipehosting.com -w /var/www/wmt1750/web -d invoiceprocessingelite.com -w /var/www/wmt1750/web -d www.invoiceprocessingelite.com -w /var/www/wmt1730/web -d nowlaters.com -w /var/www/wmt1730/web -d www.nowlaters.com -w /var/www/wmt1772/web -d youronlinetraffic.store -w /var/www/wmt1772/web -d www.youronlinetraffic.store -w /var/www/wmt1644/web -d shareanumber.cash -w /var/www/wmt1644/web -d www.shareanumber.cash -w /var/www/wmt1781/web -d the3tmethod.com -w /var/www/wmt1781/web -d www.the3tmethod.com

It produced this output:
Some challenges have failed.

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: mysql.toolbelt.marketing
  Type: dns
  Detail: DNS problem: SERVFAIL looking up A for
  mysql.toolbelt.marketing - the domain's nameservers may be
  malfunctioning

  Domain: sms.funnelsondemand.com
  Type: dns
  Detail: DNS problem: SERVFAIL looking up A for
  sms.funnelsondemand.com - the domain's nameservers may be
  malfunctioning

  Domain: toolbelt.marketing
  Type: dns
  Detail: DNS problem: SERVFAIL looking up A for toolbelt.marketing -
  the domain's nameservers may be malfunctioning

  Domain: www.payhostinghere.com
  Type: dns
  Detail: DNS problem: SERVFAIL looking up A for
  www.payhostinghere.com - the domain's nameservers may be
  malfunctioning

  Domain: invoiceprocessingelite.com
  Type: dns
  Detail: DNS problem: SERVFAIL looking up A for
  invoiceprocessingelite.com - the domain's nameservers may be
  malfunctioning

  Domain: smartpaysolution.com
  Type: dns
  Detail: DNS problem: SERVFAIL looking up A for smartpaysolution.com

  • the domain's nameservers may be malfunctioning

  Domain: www.buyrpmhosting.com
  Type: dns
  Detail: DNS problem: SERVFAIL looking up A for
  www.buyrpmhosting.com - the domain's nameservers may be
  malfunctioning

  Domain: www.cash4commodities.net
  Type: dns
  Detail: No valid IP addresses found for www.cash4commodities.net

  Domain: www.getleadresponse.com
  Type: dns
  Detail: DNS problem: SERVFAIL looking up A for
  www.getleadresponse.com - the domain's nameservers may be
  malfunctioning

  Domain: www.buyrpmlicensing.com
  Type: dns
  Detail: DNS problem: query timed out looking up A for
  www.buyrpmlicensing.com

  Domain: www.cambodiacamping.com
  Type: dns
  Detail: DNS problem: query timed out looking up A for
  www.cambodiacamping.com

  Domain: www.cultivatingdemand.com
  Type: dns
  Detail: DNS problem: SERVFAIL looking up A for
  www.cultivatingdemand.com - the domain's nameservers may be
  malfunctioning

  Domain: www.emailcashclub.com
  Type: dns
  Detail: DNS problem: query timed out looking up A for
  www.emailcashclub.com

  Domain: www.fearlessentrepreneurmovement.com
  Type: dns
  Detail: DNS problem: SERVFAIL looking up A for
  www.fearlessentrepreneurmovement.com - the domain's nameservers may
  be malfunctioning

  Domain: www.funnelsondemand.com
  Type: dns
  Detail: DNS problem: query timed out looking up A for
  www.funnelsondemand.com

  Domain: www.invoiceprocessingelite.com
  Type: dns
  Detail: DNS problem: query timed out looking up A for
  www.invoiceprocessingelite.com

  Domain: www.invoiceprocessingsystems.com
  Type: dns
  Detail: DNS problem: query timed out looking up A for
  www.invoiceprocessingsystems.com

  Domain: www.iperegistration.com
  Type: dns
  Detail: DNS problem: query timed out looking up A for
  www.iperegistration.com

  Domain: www.newbiesonfire.com
  Type: dns
  Detail: No valid IP addresses found for www.newbiesonfire.com

  Domain: www.novatosenfuego.com
  Type: dns
  Detail: DNS problem: query timed out looking up A for
  www.novatosenfuego.com

  Domain: www.ourhbn.com
  Type: dns
  Detail: DNS problem: query timed out looking up A for
  www.ourhbn.com

  Domain: www.payipehosting.com
  Type: dns
  Detail: DNS problem: query timed out looking up A for
  www.payipehosting.com

  Domain: www.realestatemortgagegrants.org
  Type: dns
  Detail: DNS problem: query timed out looking up A for
  www.realestatemortgagegrants.org

  Domain: www.shareanumber.cash
  Type: dns
  Detail: No valid IP addresses found for www.shareanumber.cash

  Domain: www.smartpaysolution.com
  Type: dns
  Detail: DNS problem: SERVFAIL looking up A for
  www.smartpaysolution.com - the domain's nameservers may be
  malfunctioning

  Domain: www.textprospector.com
  Type: dns
  Detail: DNS problem: query timed out looking up A for
  www.textprospector.com

  Domain: www.the3tmethod.com
  Type: dns
  Detail: DNS problem: query timed out looking up A for
  www.the3tmethod.com

  Domain: www.toolbelt.marketing
  Type: dns
  Detail: DNS problem: SERVFAIL looking up A for
  www.toolbelt.marketing - the domain's nameservers may be
  malfunctioning

  Domain: www.vcardlistings.com
  Type: dns
  Detail: DNS problem: query timed out looking up A for
  www.vcardlistings.com

  Domain: www.vipcruisingclub.com
  Type: dns
  Detail: DNS problem: query timed out looking up A for
  www.vipcruisingclub.com

  Domain: www.youronlinetraffic.store
  Type: dns
  Detail: DNS problem: SERVFAIL looking up A for
  www.youronlinetraffic.store - the domain's nameservers may be
  malfunctioning

  Domain: youronlinetraffic.store
  Type: dns
  Detail: DNS problem: query timed out looking up A for
  youronlinetraffic.store

  Domain: www.nowlaters.com
  Type: dns
  Detail: DNS problem: query timed out looking up CAA for
  www.nowlaters.com

My web server is (include version):
BIND 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 (Extended Support Version) id:7107deb
Apache/2.4.41 (codeit)

The operating system my web server runs on is (include version):
CentOS Linux release 7.6.1810 (Core)

My hosting provider, if applicable, is:
1&1

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.9.0

Welcome to the community!

I find one commonality in those failures.
They all seem to use the same DNS servers:

nameserver = ns1.toolbelt.marketing
nameserver = ns2.toolbelt.marketing

Which is actually only one IP:

Name:    ns1.toolbelt.marketing
Address:  74.208.211.233

Name:    ns2.toolbelt.marketing
Address:  74.208.211.233

It may be that since so many requests are all going to the same DNS servers at the same time, your IPS or firewall is blocking them as they appear to be excessive.
[that is just a guess]
If that is the case, try reducing the names and using --dry-run until it succeeds.
If it does, then add names back in until all are added and then remove the --dry-run.
If it never succeeds (even with only one name), then there may be a fundamental DNS problem.

Thanks for the reply. What is strange is that I've had basically the same amount of domains on it for years and it always worked, and now all 3 servers with CentOS 7 stopped working around the same time. I will double check with 1&1 as all 3 servers are hosted with them.

I did get the following command to work, on 2nd try (1st time same command failed). If I add any more domains it is always failing (tried multiple different ones and ALWAYS failed).

certbot certonly --cert-name toolbelt.marketing --dry-run --webroot -w /var/www/wmt1648/web -d toolbelt.marketing -w /var/www/wmt1648/web -d www.toolbelt.marketing -w /var/www/wmt1648/phpmyadmin -d mysql.toolbelt.marketing -w /var/www/wmt1648/roundcube -d mail.toolbelt.marketing

My certificate expires tomorrow. Is there any alternative way to get the certificate issued or a way to have certbot send the requests slower so not sending a bunch of requests at once?

You could get a cert for one domain.
Then expand that cert with another domain.
{again}
(and again)
until the cert has all the domains.

Very tedious but that should get you one cert with all names today.
Otherwise, you might have to use individual certs until this gets resolved.

In hindsight:
You may need to group them first or do more than one at a time; as the first domain would get (re)done more than 50 times and that would trip a rate limit.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.