Hello.
My domain is:
My web server is (include version):
nginx version: nginx/1.12.1
The operating system my web server runs on is (include version):
CentOS Linux release 7.3.1611 (Core)
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
We've faced a very strange issue during regular certificate renewal. We would like to switch the renewal workflow from nginx to webroot, so /etc/letsencrypt/renewal/javagala.ru.conf has been edited accordingly. After that we tried a dry run first.
certbot renew --dry-run
It produced the following error:
IMPORTANT NOTES:
- The following errors were reported by the server:
  Domain: javagala.ru
  Type: None
  Detail: DNS problem: SERVFAIL looking up A for javagala.ru
After several minutes of googling we found out that the typical causes of this kind of issue are a DNSSEC problem (for example https://community.letsencrypt.org/t/getting-dns-problem-servfail-looking-up/41956) and a DNS resolution problem.
Our system administrator assures me that we don't have DNSSEC. Please see here: http://dnsviz.net/d/javagala.ru/dnssec/.
Concerning DNS resolution, we've checked that our site is available from different points around the world using http://ping-admin.ru/free_ping.
From the certbot log we can see that Let's Encrypt determined the IP address of our site correctly. Please see:
"validationRecord": [
  {
    "url": "https://javagala.ru/.well-known/acme-challenge/XbaKSLg0e1OIefNWR0yWU2dqOGRqSQapii8fQ6GFIjY",
    "hostname": "javagala.ru",
    "port": "443",
    "addressesResolved": [ "95.172.133.90" ],
    "addressUsed": "95.172.133.90"
  },
  {
    "url": "http://javagala.ru/.well-known/acme-challenge/XbaKSLg0e1OIefNWR0yWU2dqOGRqSQapii8fQ6GFIjY",
    "hostname": "javagala.ru",
    "port": "80",
    "addressesResolved": [ "95.172.133.90" ],
    "addressUsed": "95.172.133.90"
  }
]
More interesting is that we can see the request and the correct response in the nginx access log:
66.133.109.36 - - [04/May/2018:14:32:17 +0700] "GET /.well-known/acme-challenge/XbaKSLg0e1OIefNWR0yWU2dqOGRqSQapii8fQ6GFIjY HTTP/1.1" 200 87 "http://javagala.ru/.well-known/acme-challenge/XbaKSLg0e1OIefNWR0yWU2dqOGRqSQapii8fQ6GFIjY" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
After that we tried a regular run (in a few minutes):
certbot renew
No errors appeared. We received our certificate.
Could someone clarify what is going on? Should we worry about our future renewals?