DNS issues, is this a propagation issue?

My domain is: 216.bz

I ran this command: certbot certonly --standalone -d 216.bz

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Requesting a certificate for 216.bz
Performing the following challenges:
http-01 challenge for 216.bz
Waiting for verification...

Challenge failed for domain 216.bz
http-01 challenge for 216.bz
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: 216.bz
    Type: dns
    Detail: DNS problem: SERVFAIL looking up A for 216.bz - the
    domain's nameservers may be malfunctioning; DNS problem: SERVFAIL
    looking up AAAA for 216.bz - the domain's nameservers may be
    malfunctioning

Hi @sussybusiness216, and welcome to the LE community forum :slight_smile:

You need a working HTTP site before you can secure it using HTTP-01 authentication.
The first step to anything/everything on the Internet is DNS.
Start fixing this problem there [within your DNS zone].

In case you are not DNS tech savvy...
216.bz | DNSViz
shows the A record as being "bogus".

3 Likes

A step-by-step walkthrough for the DNS impaired:

Find the authoritative DNS server for that TLD:
nslookup -q=ns bz.

Ask any one of those DNS servers where to find your domain:
nslookup 216.bz 199.254.59.1

Ask any one of those listed DNS servers what the authoritative DNS servers for your domain are:
nslookup -q=ns 216.bz ns1.digitalocean.com

The reply must be the same set of servers as provided by the TLD authoritative server.
But in this case, they are not.
Digital Ocean returns only the SOA record:

nslookup -q=ns 216.bz ns1.digitalocean.com
Server:  UnKnown
Address:  173.245.58.51

216.bz
        primary name server = ns1.digitalocean.com
        responsible mail addr = hostmaster.216.bz
        serial  = 1674690038
        refresh = 10800 (3 hours)
        retry   = 3600 (1 hour)
        expire  = 604800 (7 days)
        default TTL = 1800 (30 mins)

In short: DO doesn't claim to be authoritative for that zone.
It defers ... back to itself - LOL

2 Likes

Weelllll, technically when using the standalone plugin, an actual HTTP site isn't required :roll_eyes:

This was the problem: an incorrect DS record exists in the .bz zone. OP should update the DS record in the .bz zone corresponding to the actual DNSKEY used in the 216.bz zone.

Currently, everything is looking good @ DNSViz (216.bz | DNSViz) :slight_smile:

4 Likes
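The walkthrough above compares what the parent (.bz) says about the delegation with what the child's nameservers actually serve, and the follow-up post pins the SERVFAIL on a DS record in .bz that no longer matches the DNSKEY in 216.bz. The check a practitioner wants for that second case is: take the child's DNSKEY, derive the DS record the parent should hold (RFC 4034 section 5.1.4: digest over the canonical owner name plus the DNSKEY RDATA, plus the Appendix B key tag), and diff it against the DS set the parent publishes. The script below is an added example, not code from the forum posts, certbot or DNSViz. The DNSKEY and DS records in it are constructed inline so it runs offline; the 64-byte "public key" is a placeholder byte string, not a real key, and the stale DS with key tag 12345 is invented to stand in for a DS that points at a key the zone no longer serves.

```python
"""Derive DS records from a zone's DNSKEY and compare with the parent's DS set (RFC 4034)."""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
ZONE_KEY_FLAG = 0x0100  # bit 7 of the DNSKEY flags field (RFC 4034 s.2.1.1)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """The DS tuple (key_tag, algorithm, digest_type, hex digest) the parent zone should hold."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DS_DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest


def parse_dnskey(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' as dig prints it."""
    toks = line.split()
    i = toks.index("DNSKEY")
    pubkey = base64.b64decode("".join(toks[i + 4:]))  # base64 may be split over several tokens
    return toks[0], int(toks[i + 1]), int(toks[i + 2]), int(toks[i + 3]), pubkey


def parse_ds(line: str):
    """Parse 'owner [ttl] [IN] DS keytag alg digesttype hex...' as dig prints it."""
    toks = line.split()
    i = toks.index("DS")
    return int(toks[i + 1]), int(toks[i + 2]), int(toks[i + 3]), "".join(toks[i + 4:]).lower()


def check_delegation(dnskey_lines, ds_lines):
    """Split the parent's DS records into those matching a zone key in the child and those not.

    A DS that matches nothing in the child is what DNSViz flags as "bogus": validating
    resolvers cannot build a chain of trust and answer SERVFAIL for the whole zone.
    """
    expected = set()
    for line in dnskey_lines:
        owner, flags, proto, alg, key = parse_dnskey(line)
        if not flags & ZONE_KEY_FLAG:
            continue  # DS records only ever refer to zone keys
        for dt in DS_DIGEST:
            expected.add(ds_from_dnskey(owner, flags, proto, alg, key, dt))
    matched, bogus = [], []
    for line in ds_lines:
        ds = parse_ds(line)
        (matched if ds in expected else bogus).append(ds)
    return matched, bogus


# Constructed sample data (not real records): a KSK (flags 257 = zone key + SEP), ECDSA P-256
# (algorithm 13), with a placeholder 64-byte public key.
SAMPLE_KEY = bytes(range(1, 65))
DNSKEY_LINE = "216.bz. 1800 IN DNSKEY 257 3 13 " + base64.b64encode(SAMPLE_KEY).decode()
GOOD_DS = "216.bz. 86400 IN DS {} {} {} {}".format(*ds_from_dnskey("216.bz.", 257, 3, 13, SAMPLE_KEY))
STALE_DS = "216.bz. 86400 IN DS 12345 13 2 " + "00" * 32  # invented DS for a key the zone no longer has

if __name__ == "__main__":
    ok, bad = check_delegation([DNSKEY_LINE], [GOOD_DS, STALE_DS])
    for ds in ok:
        print("matches child DNSKEY :", ds)
    for ds in bad:
        print("BOGUS, fix at parent :", ds)
```

To run this against a live delegation, feed it the output of `dig +norecurse DNSKEY 216.bz @ns1.digitalocean.com` for the child and `dig +norecurse DS 216.bz @<one of the .bz nameservers from nslookup -q=ns bz.>` for the parent; any DS that lands in the bogus list must be replaced at the registrar with one from the expected set (or removed entirely if the zone is not meant to be signed). The script deliberately derives DS tuples for every digest type, because a parent may hold a SHA-1 DS for the same key and that is still a valid match.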

Weeeeelllll, technically even when using the standalone plugin, you still need DNS.
So that the (even if very temporary) HTTP site can be reached [i.e. considered to be "working"],
:wink:

Glad they corrected the problem, nonetheless.

2 Likes

Sure sure, but it isn't required to e.g. install Apache or nginx :wink: Your post could possibly be interpreted like that.

3 Likes

Indeed; when I use few words... I should have used more.
And when I use lots of words... I should have used less.

2 Likes
