I can generate the certificate without www but with www (CNAME) returns the error below.
I've tested the DNS with letsdebug and it's all good:
My domain is:
www.osteotech.pt and osteotech.pt
/usr/bin/certbot certonly --webroot -w /var/www/vhosts/osteotech.pt/httpdocs -d osteotech.pt -d www.osteotech.pt
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
- Domain: www.osteotech.pt*
- Type: dns*
- Detail: During secondary validation: DNS problem: SERVFAIL looking up A for www.osteotech.pt - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for www.osteotech.pt - the domain's nameservers may be malfunctioning*
My web server is:
Ubuntu 22.04.2 LTS
Hi @UGVkcm8, and welcome to the LE community forum
Implies the initial validation had no problem resolving the name.
That implies a geographically biased DNS related issue.
Perhaps your DNS provider has some type of defense system that is not geo friendly.
DNSViz also reports some issues:
osteotech.pt zone: The server(s) were not responsive to queries over TCP. (188.8.131.52)
pt zone: The server(s) were not responsive to queries over UDP. (2a04:6d82::1)
osteotech.pt/A: The server responded with no OPT record, rather than with RCODE FORMERR. (184.108.40.206, 220.127.116.11, UDP_-_EDNS0_4096_D_KN)
www.osteotech.pt/CNAME: The server responded with no OPT record, rather than with RCODE FORMERR. (18.104.22.168, 22.214.171.124, UDP_-_EDNS0_4096_D_KN)
Basically, you need your DNS system working first before you can get a certificate (and, you know, before users can use your site reliably as well).
You may also want to look at the ISC EDNS compliance tester:
It seems really weird to me that you'd have a DNS server that doesn't support EDNS; it ain't a new thing anymore. Just what exactly are you using for your DNS?
Thank you both for your replies.
The DNS server is working otherwise Let's Debug would fail.
Think the problem is the same as this, reported recently:
The first resolution of 'www.osteotech.pt' is done with IPv6 and it points to 'osteotech.pt' as it's a CNAME but second resolution (A Record of 'osteotech.pt') does not reply with IPv6 and certbot doesn't fallback to IPv4, it just fails.
I handled the issue that you've linked above. The problem was to do with our DNS provider. They believed their Nameservers were configured correctly.
We didn't have any problems with them in the past, then we started to get issues following a service migration they did to new nameservers (to incorporate IPv6). I reached out to the LE community to help resolve the intermittent problems. Petercooperjr also helped in that instance, pointing me to use DNSviz.net.
Once we moved our DNS records to a new DNS provider and updated our Nameservers for the domains, DNSviz then reported no issues, and everything has been working smoothly with LE since.
I'd recommend, if DNSviz is reporting a problem with resolution, that is where you focus your attention.
All the best, and I hope you are able to resolve the issue swiftly.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.