DNS Issue Renewing Certificate

I have certbot installed on several servers, CentOS 6, 7 and 8. The issue only happens in CentOS 7. It just started happening about a month ago. I have tried dozens of times on multiple days in the past month and always get an issue. I have been using certbot on these servers for up to a couple of years.

I have tried everything.

  • Checked the firewall (and rechecked dozens of times) and made sure it was off on both 1&1's end and on the server (iptables)
  • Updated everything on server
  • Uninstalled and re-installed certbot
  • Uninstalled and re-installed Bind
  • Made sure Bind didn't have fetchlimit or RRL set up (which it didn't, but I specifically set them up with huge limits and with 0 limits; nothing helped).

Every time it fails, it is different domains that fail. Sometimes it fails on a lot of domains, like in the example below, and sometimes it fails on just 3-4 domains.

My domain is:
toolbelt.marketing

I ran this command:
certbot certonly --cert-name toolbelt.marketing --webroot -w /var/www/wmt1648/web -d toolbelt.marketing -w /var/www/wmt1648/web -d www.toolbelt.marketing -w /var/www/wmt1648/phpmyadmin -d mysql.toolbelt.marketing -w /var/www/wmt1648/roundcube -d mail.toolbelt.marketing -w /var/www/wmt1656/web -d attractionmarketingpro.com -w /var/www/wmt1656/web -d www.attractionmarketingpro.com -w /var/www/wmt1662/web -d emailcashclub.com -w /var/www/wmt1662/web -d www.emailcashclub.com -w /var/www/wmt1663/web -d ourhbn.com -w /var/www/wmt1663/web -d www.ourhbn.com -w /var/www/wmt1668/web -d getleadresponse.com -w /var/www/wmt1668/web -d www.getleadresponse.com -w /var/www/wmt1671/web -d cash4commodities.net -w /var/www/wmt1671/web -d www.cash4commodities.net -w /var/www/wmt1672/web -d payhostinghere.com -w /var/www/wmt1672/web -d www.payhostinghere.com -w /var/www/wmt1700/web -d newbiesonfire.com -w /var/www/wmt1700/web -d www.newbiesonfire.com -w /var/www/wmt1702/web -d vcardlistings.com -w /var/www/wmt1702/web -d www.vcardlistings.com -w /var/www/wmt1709/web -d vipcruisingclub.com -w /var/www/wmt1709/web -d www.vipcruisingclub.com -w /var/www/wmt1409/web -d smartpaysolution.com -w /var/www/wmt1409/web -d www.smartpaysolution.com -w /var/www/wmt1667/web -d invoiceprocessingsystems.com -w /var/www/wmt1667/web -d www.invoiceprocessingsystems.com -w /var/www/wmt1710/web -d buyrpmhosting.com -w /var/www/wmt1710/web -d www.buyrpmhosting.com -w /var/www/wmt1711/web -d buyrpmlicensing.com -w /var/www/wmt1711/web -d www.buyrpmlicensing.com -w /var/www/wmt1700/web -d novatosenfuego.com -w /var/www/wmt1700/web -d www.novatosenfuego.com -w /var/www/wmt1675/web -d cambodiacamping.com -w /var/www/wmt1675/web -d www.cambodiacamping.com -w /var/www/wmt1724/web -d realestatemortgagegrants.org -w /var/www/wmt1724/web -d www.realestatemortgagegrants.org -w /var/www/wmt1722/web -d fearlessentrepreneurmovement.com -w /var/www/wmt1722/web -d www.fearlessentrepreneurmovement.com -w /var/www/wmt1501/web -d funnelsondemand.com -w /var/www/wmt1501/web -d www.funnelsondemand.com -w /var/www/wmt1743/web -d textprospector.com -w /var/www/wmt1743/web -d www.textprospector.com -w /var/www/wmt1501/web -d sms.funnelsondemand.com -w /var/www/wmt1677/web -d cultivatingdemand.com -w /var/www/wmt1677/web -d www.cultivatingdemand.com -w /var/www/wmt1748/web -d iperegistration.com -w /var/www/wmt1748/web -d www.iperegistration.com -w /var/www/wmt1749/web -d payipehosting.com -w /var/www/wmt1749/web -d www.payipehosting.com -w /var/www/wmt1750/web -d invoiceprocessingelite.com -w /var/www/wmt1750/web -d www.invoiceprocessingelite.com -w /var/www/wmt1730/web -d nowlaters.com -w /var/www/wmt1730/web -d www.nowlaters.com -w /var/www/wmt1772/web -d youronlinetraffic.store -w /var/www/wmt1772/web -d www.youronlinetraffic.store -w /var/www/wmt1644/web -d shareanumber.cash -w /var/www/wmt1644/web -d www.shareanumber.cash -w /var/www/wmt1781/web -d the3tmethod.com -w /var/www/wmt1781/web -d www.the3tmethod.com

It produced this output:
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version):
BIND 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 (Extended Support Version) id:7107deb
Apache/2.4.41 (codeit)

The operating system my web server runs on is (include version):
CentOS Linux release 7.6.1810 (Core)

My hosting provider, if applicable, is:
1&1

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.9.0

Welcome to the community!

I find one commonality in those failures.
They all seem to use the same DNS servers:

nameserver = ns1.toolbelt.marketing
nameserver = ns2.toolbelt.marketing

Which is actually only one IP:

Name:    ns1.toolbelt.marketing
Address:  74.208.211.233

Name:    ns2.toolbelt.marketing
Address:  74.208.211.233

It may be that since so many requests are all going to the same DNS servers at the same time, your IPS or firewall is blocking them as they appear to be excessive.
[that is just a guess]
If that is the case, try reducing the names and using --dry-run until it succeeds.
If it does, then add names back in until all are added and then remove the --dry-run.
If it never succeeds (even with only one name), then there may be a fundamental DNS problem.

Thanks for the reply. What is strange is that I've had basically the same number of domains on it for years and it always worked, and now all 3 servers with CentOS 7 stopped working around the same time. I will double check with 1&1, as all 3 servers are hosted with them.

I did get the following command to work, on the 2nd try (the 1st time the same command failed). If I add any more domains it always fails (I tried multiple different ones and it ALWAYS failed).

certbot certonly --cert-name toolbelt.marketing --dry-run --webroot -w /var/www/wmt1648/web -d toolbelt.marketing -w /var/www/wmt1648/web -d www.toolbelt.marketing -w /var/www/wmt1648/phpmyadmin -d mysql.toolbelt.marketing -w /var/www/wmt1648/roundcube -d mail.toolbelt.marketing

My certificate expires tomorrow. Is there any alternative way to get the certificate issued, or a way to have certbot send the requests more slowly so it is not sending a bunch of requests at once?

You could get a cert for one domain.
Then expand that cert with another domain.
{again}
(and again)
until the cert has all the domains.

Very tedious but that should get you one cert with all names today.
Otherwise, you might have to use individual certs until this gets resolved.

In hindsight:
You may need to group them first or do more than one at a time, as the first domain would get (re)done more than 50 times and that would trip a rate limit.

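As an added example (my own code, not from the thread or from certbot), the following Python 3.8+ helper turns the long command above into the step-wise plan the two replies describe: it parses the -w/-d pairs, groups the names by the IPs their nameservers resolve to (the single-IP pattern noted in the first reply), emits smaller --dry-run batches, and expands a --cert-name lineage cumulatively while counting how many issuances that costs against the 50-certificates-per-registered-domain weekly limit that the last reply warns about. Assumptions: dig is installed for the live nameserver lookup (the test data and the fake certbot runner are constructed); --non-interactive is added because re-running certbot with --cert-name and a changed domain set otherwise prompts before replacing the lineage; the function and script names are mine.

```python
"""Batch a long certbot --webroot command line into smaller steps.

Added example; not code from the thread or from certbot itself.
"""
import math
import shlex
import subprocess
import sys
from collections import defaultdict


def parse_webroot_pairs(argv):
    """Return the (webroot, domain) pairs from a certbot command line, in order.

    certbot applies the most recent -w to every -d that follows it, which is how
    the thread's command is written; this keeps that pairing explicit.
    """
    pairs, webroot = [], None
    tokens = iter(argv)
    for tok in tokens:
        if tok in ("-w", "--webroot-path"):
            webroot = next(tokens)
        elif tok in ("-d", "--domain", "--domains"):
            for name in next(tokens).split(","):
                if webroot is None:
                    raise ValueError(f"-d {name} appears before any -w")
                pairs.append((webroot, name))
    return pairs


def batches(pairs, size):
    """Split pairs into consecutive chunks of at most `size`."""
    return [pairs[i:i + size] for i in range(0, len(pairs), size)]


def build_certbot_cmd(cert_name, pairs, dry_run=False):
    """Rebuild a certbot certonly command for the given pairs (assumed flags)."""
    cmd = ["certbot", "certonly", "--cert-name", cert_name, "--webroot",
           "--non-interactive"]
    if dry_run:
        cmd.append("--dry-run")
    for webroot, name in pairs:
        cmd += ["-w", webroot, "-d", name]
    return cmd


def dig_ns_ips(domain):
    """Authoritative nameserver IPs for a domain, via dig (assumed installed)."""
    ns_names = subprocess.run(["dig", "+short", "NS", domain], capture_output=True,
                              text=True, check=False).stdout.split()
    ips = set()
    for ns in ns_names:
        ips.update(subprocess.run(["dig", "+short", "A", ns], capture_output=True,
                                  text=True, check=False).stdout.split())
    return frozenset(ips)


def group_by_nameserver(domains, ns_lookup=dig_ns_ips):
    """Map each distinct set of nameserver IPs to the domains served from it."""
    groups = defaultdict(list)
    for name in domains:
        groups[ns_lookup(name)].append(name)
    return dict(groups)


def expand_in_steps(cert_name, pairs, step, run=subprocess.run, dry_run=True):
    """Issue for the first `step` pairs, then re-run with a cumulative set.

    Returns (pairs covered by the last successful run, failing command or None).
    Every successful run is one issuance counted against the per-registered-domain
    weekly limit (50), so keep `step` large enough to stay under it.
    """
    covered = []
    for batch in batches(pairs, step):
        attempt = covered + batch
        cmd = build_certbot_cmd(cert_name, attempt, dry_run=dry_run)
        if run(cmd).returncode != 0:
            return covered, cmd
        covered = attempt
    return covered, None


def issuances_needed(n_pairs, step):
    """How many certificates the stepwise expansion issues for n_pairs names."""
    return math.ceil(n_pairs / step)


if __name__ == "__main__":
    # Usage: python batch_certbot.py "<the full certbot command line>" [step]
    argv = shlex.split(sys.argv[1])
    step = int(sys.argv[2]) if len(sys.argv) > 2 else 4
    cert_name = argv[argv.index("--cert-name") + 1]
    pairs = parse_webroot_pairs(argv)
    print(f"{len(pairs)} names -> {issuances_needed(len(pairs), step)} issuances")
    for ns_ips, names in group_by_nameserver([d for _, d in pairs]).items():
        print(sorted(ns_ips) or ["<no NS found>"], len(names), "names")
    for batch in batches(pairs, step):
        print(shlex.join(build_certbot_cmd(cert_name, batch, dry_run=True)))
```

Run it with the original command quoted as the first argument: it prints how many issuances a given step size costs, which names share a nameserver IP set (all of them in this thread, if the single-IP finding holds), and one --dry-run command per batch to try by hand. expand_in_steps stops at the first batch that fails and hands back the last domain set that validated, so the live run never has to be babysat one name at a time.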