DNS problem: NXDOMAIN looking up A for

The first installation of certificate ran smoothly, but when I’m trying to dry-run certificate renewal it always ends with an error:

Attempting to renew cert (img.webumenia.sk) from /etc/letsencrypt/renewal/img.webumenia.sk.conf produced an unexpected error: Failed authorization procedure. img.webumenia.sk (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: dns :: DNS problem: NXDOMAIN looking up A for img.webumenia.sk. Skipping.
The following certs could not be renewed:
 /etc/letsencrypt/live/img.webumenia.sk/fullchain.pem (failure)

Renewal of another subdomain (vampart.webumenia.sk) causes no such problem.
Thanks for your help!

Hi @chyno

you have a curious configuration ( https://check-your-website.server-daten.de/?q=img.webumenia.sk ):

Your nameserver answers with a Refused, but there is a non-authoritative IP-address.

Two nameservers doesn't support TCP, that's terrible:

Authoritative nameservers must support TCP-connections.

Checking CAA entries doesn't work:

That's critical.

But: You have a new Letsencrypt certificate, created today:

CN=img.webumenia.sk
	24.03.2019
	22.06.2019
expires in 90 days	img.webumenia.sk - 1 entry

and visible via CT-Logs:

CRT-Id	Issuer	not before	not after	Domain names	LE-Duplicate
1311084325
	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
	2019-03-24 05:18:42
	2019-06-22 04:18:42
	img.webumenia.sk
	no duplicate

Result:

• You have a valid certificate, so use it the next 60 - 85 days
• Your nameservers are terrible. Perhaps it's a bad DDOS-protection. And if you try --dry-run, that hit's the DDOS-protection.

So ignore the dry-run - result.

Thank you, @JuergenAuer ! It really works with forced renewal. I’ll pass your findings to the authorities.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.