Some time ago certbot renew failed with "DNS A record required", but the CNAME record is present and worked earlier for a long time. What happened?
After the failed renew I tried to move the records to Cloudflare DNS, but it does not work. I removed the local certificate and got the same error when trying to get a new one.
[lex-serv@localhost nginx]$ sudo certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: www.reliabletech.ru
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for www.reliabletech.ru
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: www.reliabletech.ru
Type: dns
Detail: DNS problem: SERVFAIL looking up A for www.reliabletech.ru - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for www.reliabletech.ru - the domain's nameservers may be malfunctioning
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
My web server is (include version):
nginx 1.20.2
The operating system my web server runs on is (include version):
fedora server 35
My hosting provider, if applicable, is:
selfhosted (my home server)
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.22.0
The CNAME doesn't currently work, because of DNSSEC issues.
You have a DS-RR in the parent zone (.ru), but the reliabletech.ru zone (currently) hosted @ Cloudflare doesn't even appear to be signed.
It's possible that this issue appeared because you moved the zone to Cloudflare, without removing the prior DS from the .ru registry. The best thing going forward would now be to talk to your domain registrar (who has access to the .ru zone) and ask them to remove the DS record. If you want to retain DNSSEC, follow Cloudflare's instructions on how to enable DNSSEC on your new zone, but first you need to remove the old DS in any case.
lexem.ddns.is74.ru is a subdomain of my internet provider's DDNS service; there is no DS from my old registrar and I can't influence the internet provider's DNS.
The registrant needs to login to the domain registrar (regtime.ru? rf.ru?) and disable DNSSEC for that domain.
DNSSEC requires a matching configuration between the domain registry (.ru) and the DNS host (Cloudflare). Right now, your configuration doesn't match, so the domain is broken. Disabling DNSSEC and setting it up from scratch is what you need to do.
It doesn't matter too much for your users. Queries get cached by their resolver, but authoritative nameservers need to respond at least once every hour per hostname per record.
(I tried three times, one timed out)
I see this record:
reliabletech.ru. 345600 IN DS 65449 8 1 5D628058A52586FCFA95E93870D433F85B22EF59
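As an added example (not from this thread), here is the check the replies above describe, in standard-library Python: does the DS that the .ru parent publishes (the record quoted just above) authenticate any DNSKEY the zone at Cloudflare actually serves? A mismatch is exactly what makes validating resolvers return SERVFAIL. The DNSKEY used below is a constructed placeholder, since the real zone's keys are not on the page.

```python
import base64
import hashlib
import struct

# DS record quoted in the thread: key tag 65449, algorithm 8 (RSASHA256), digest type 1 (SHA-1).
PARENT_DS = "reliabletech.ru. 345600 IN DS 65449 8 1 5D628058A52586FCFA95E93870D433F85B22EF59"

# Constructed placeholder DNSKEY (flags, protocol, algorithm, base64 key); not the real zone key.
CONSTRUCTED_DNSKEYS = [(257, 3, 8, "AQIDBA==")]

DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def wire_name(name):
    """Encode an owner name in canonical (lowercase) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def dnskey_to_ds(owner, flags, protocol, algorithm, key_b64, digest_type):
    """Derive (key tag, algorithm, digest type, digest hex) from a DNSKEY, per RFC 4034 section 5.1.4."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)
    digest = DIGEST_ALGOS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def parse_ds(text):
    """Parse a presentation-format DS RR into (owner, key tag, algorithm, digest type, digest hex)."""
    fields = text.split()
    owner, tag, alg, dtype = fields[0], int(fields[4]), int(fields[5]), int(fields[6])
    return owner, tag, alg, dtype, "".join(fields[7:]).upper()

def ds_matches(ds_text, dnskeys):
    """True if the parent's DS authenticates any DNSKEY (flags, protocol, algorithm, key_b64) of the child."""
    owner, tag, alg, dtype, digest = parse_ds(ds_text)
    for flags, proto, key_alg, key_b64 in dnskeys:
        if key_alg != alg:
            continue
        if dnskey_to_ds(owner, flags, proto, key_alg, key_b64, dtype) == (tag, alg, dtype, digest):
            return True
    return False

if __name__ == "__main__":
    # With the placeholder key this prints False: the parent DS points at a key the child does not serve.
    print("DS matches a child DNSKEY:", ds_matches(PARENT_DS, CONSTRUCTED_DNSKEYS))
```

To run this against live data, fetch the DS from the parent (`dig DS reliabletech.ru.`) and the DNSKEY RRset from the zone's own nameservers (`dig DNSKEY reliabletech.ru.`) and pass them in; the fix described above (remove the stale DS, then re-enable DNSSEC at the new host) is what makes this check return True again.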