Error creating certificate: error: one or more domains had a problem

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: c3k.to

I ran this command: terraform apply -var-file=secrets.tfvars -var-file=redis-variables.tfvars

It produced this output: Error: error creating certificate: error: one or more domains had a problem:
│ [redis.c3k.to] time limit exceeded: last error: NS ns1.linode.com. returned SERVFAIL for _acme-challenge.redis.c3k.to.
│ [redislb.c3k.to] time limit exceeded: last error: NS ns2.linode.com. returned SERVFAIL for _acme-challenge.redislb.c3k.to.

My web server is (include version): N/A

The operating system my web server runs on is (include version): debian 10

My hosting provider, if applicable, is: not known

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): N/A

Hi @guhanwe and welcome to the LE community forum :slight_smile:

That sounds like a temporary internet problem.
Is it still having this same issue?

Hi rg305,

Yes, I have been struggling with this issue for 2 days. I have a good internet connection, so I hope it is not related to the Internet. I have included more log details below for your reference. I could not create the certificate using the Terraform template or the Ansible template either.

Terraform Error Log:

provider.terraform-provider-acme_v2.5.2: 2021/11/11 19:15:53 [DEBUG] lego: [redislb.c3k.to] acme: Checking DNS record propagation using [8.8.8.8:53 1.1.1.1:53 ns1.linode.com:53]: timestamp=2021-11-11T19:15:53.378+0530
provider.terraform-provider-acme_v2.5.2: 2021/11/11 19:19:53 [DEBUG] lego: Wait for propagation [timeout: 5m0s, interval: 4m0s]: timestamp=2021-11-11T19:19:53.379+0530
provider.terraform-provider-acme_v2.5.2: 2021/11/11 19:19:55 [DEBUG] lego: [redislb.c3k.to] acme: Waiting for DNS record propagation.: timestamp=2021-11-11T19:19:55.718+0530
provider.terraform-provider-acme_v2.5.2: 2021/11/11 19:23:56 [DEBUG] lego: [redislb.c3k.to] acme: Waiting for DNS record propagation.: timestamp=2021-11-11T19:23:56.811+0530
provider.terraform-provider-acme_v2.5.2: 2021/11/11 19:27:56 [DEBUG] lego: [redis.c3k.to] acme: Cleaning DNS-01 challenge: timestamp=2021-11-11T19:27:56.816+0530
provider.terraform-provider-acme_v2.5.2: 2021/11/11 19:28:00 [DEBUG] lego: [redislb.c3k.to] acme: Cleaning DNS-01 challenge: timestamp=2021-11-11T19:28:00.307+0530
provider.terraform-provider-acme_v2.5.2: 2021/11/11 19:28:05 [DEBUG] lego: retry due to: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/authz-v3/48271652280 :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: "0002OhExll0gaFI-0TW6aO-sOexSyIJ590hqrr8pSSN6Dxg": timestamp=2021-11-11T19:28:05.062+0530
provider.terraform-provider-acme_v2.5.2: 2021/11/11 19:28:05 [DEBUG] lego: Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/48271652280: timestamp=2021-11-11T19:28:05.667+0530
provider.terraform-provider-acme_v2.5.2: 2021/11/11 19:28:06 [DEBUG] lego: Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/48271652290: timestamp=2021-11-11T19:28:06.459+0530

Ansible Error:

"Failed to validate challenge for dns:redissdb.c3k.to: Status is "invalid". Challenge dns-01: Error urn:ietf:params:acme:error:dns: "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.redissdb.c3k.to - check that a DNS record exists for this domain".",
"other": {
  "authorization": {
    "challenges": [
      {
        "error": {
          "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.redissdb.c3k.to - check that a DNS record exists for this domain",
          "status": 400,
          "type": "urn:ietf:params:acme:error:dns"
        },
        "status": "invalid",
        "token": "IvbC4-WG-9QxenFofXSKl3smDyoExFjOs_5GSw_mN1I",
        "type": "dns-01",
        "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/47730084980/F8e4_g",
        "validated": "2021-11-09T19:32:29Z"
      }
    ],
    "expires": "2021-11-16T19:23:46Z",
    "identifier": {
      "type": "dns",
      "value": "redissdb.c3k.to"
    },
    "status": "invalid",
    "uri": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/47730084980"
  },
  "identifier": "dns:redissdb.c3k.to"
}
}

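The Ansible output above carries the challenge token but not the value Let's Encrypt actually looks up at _acme-challenge.redissdb.c3k.to. As an added example (not code from the thread, lego, Ansible or Let's Encrypt), the Python below derives that TXT value the way RFC 8555 section 8.4 defines it, from the token and the RFC 7638 thumbprint of the ACME account key, and classifies what a nameserver hands back for the name. The account key is a constructed placeholder (arbitrary bytes, not a real P-256 point), the published TXT sets in the usage are constructed, and the token is the one from the output above.

```python
import base64
import hashlib
import json

# Members RFC 7638 hashes for a JWK thumbprint, by key type (lexicographic order applied below).
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

# Challenge token from the Ansible authorization output in the thread.
PAGE_TOKEN = "IvbC4-WG-9QxenFofXSKl3smDyoExFjOs_5GSw_mN1I"


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses for every binary field (RFC 8555 section 6.1)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sha256_b64url(data: bytes) -> str:
    """base64url(SHA-256(data)), the shape of both the thumbprint and the TXT value."""
    return b64url(hashlib.sha256(data).digest())


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members only."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return sha256_b64url(canonical.encode("utf-8"))


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Value the CA expects at _acme-challenge.<name> (RFC 8555 section 8.4):
    base64url(SHA-256(token || "." || thumbprint(account key)))."""
    key_authorization = token + "." + jwk_thumbprint(account_jwk)
    return sha256_b64url(key_authorization.encode("utf-8"))


def txt_record_status(expected: str, published: list) -> str:
    """Classify the TXT RRset a nameserver returned for the challenge name."""
    if not published:
        return "missing"             # NXDOMAIN / empty answer: the client never wrote it, or already cleaned it
    if expected not in published:
        return "stale"               # only values from earlier orders: the zone was not updated this run
    if len(published) > 1:
        return "present-with-stale"  # new value is there, next to leftovers from earlier runs
    return "present"


# Constructed placeholder account key: the coordinates are arbitrary bytes, not a real P-256 point.
# The thumbprint only hashes the JWK members, so this is enough to exercise the derivation.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(1, 33))),
    "y": b64url(bytes(range(33, 65))),
}

if __name__ == "__main__":
    expected = dns01_txt_value(PAGE_TOKEN, SAMPLE_JWK)
    print("_acme-challenge.redissdb.c3k.to. IN TXT", json.dumps(expected))
    # Constructed RRsets as different nameservers might return them.
    leftover = "value-left-over-from-an-earlier-order-xxxxxxx"
    print("empty answer      ->", txt_record_status(expected, []))
    print("old value only    ->", txt_record_status(expected, [leftover]))
    print("new + old values  ->", txt_record_status(expected, [expected, leftover]))
    print("new value only    ->", txt_record_status(expected, [expected]))
```

Feed it your real account JWK and the token from the failed authorization, then compare the result with what `dig @ns1.linode.com _acme-challenge.<name> TXT` returns. A "stale" verdict means the zone still carries values from earlier runs (the leftover-records case raised later in the thread); "missing" means the client never managed to write the record at all.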
This seems incorrect:

[I'm not 100% certain though, I don't use lego]

Have you made any changes since the last renewal?

The Internet problem I suggested would have been between LE and your DNS servers.

No, I have not made any changes. I will explain clearly below:

Terminal Error Message:

acme_certificate.certificate: Still creating... [24m20s elapsed]
acme_certificate.certificate: Still creating... [24m30s elapsed]

│ Error: error creating certificate: error: one or more domains had a problem:
│ [redis.c3k.to] time limit exceeded: last error: NS ns1.linode.com. returned SERVFAIL for _acme-challenge.redis.c3k.to.
│ [redislb.c3k.to] time limit exceeded: last error: NS ns2.linode.com. returned SERVFAIL for _acme-challenge.redislb.c3k.to.


│ with acme_certificate.certificate,
│ on main.tf line 46, in resource "acme_certificate" "certificate":
│ 46: resource "acme_certificate" "certificate" {

Terraform Log (TF_LOG):

provider.terraform-provider-acme_v2.5.2: 2021/11/11 19:03:37 [DEBUG] lego: [redislb.c3k.to] acme: Preparing to solve DNS-01: timestamp=2021-11-11T19:03:37.788+0530
provider.terraform-provider-acme_v2.5.2: 2021/11/11 19:03:40 [DEBUG] lego: [redis.c3k.to] acme: Trying to solve DNS-01: timestamp=2021-11-11T19:03:40.796+0530
provider.terraform-provider-acme_v2.5.2: 2021/11/11 19:03:40 [DEBUG] lego: [redis.c3k.to] acme: Checking DNS record propagation using [8.8.8.8:53 1.1.1.1:53 ns1.linode.com:53]: timestamp=2021-11-11T19:03:40.798+0530
provider.terraform-provider-acme_v2.5.2: 2021/11/11 19:07:40 [DEBUG] lego: Wait for propagation [timeout: 5m0s, interval: 4m0s]: timestamp=2021-11-11T19:07:40.803+0530

There is a 2.6.0 release dated Oct. 6, 2021.
Maybe that will help.

OK, let me check and share the details with you.
By the way, what do I need to do from my end to solve the issue below?

From your end...
Your process should be able to communicate with your DNS servers [and edit your DNS zone].
Your process should be able to communicate with LE.
But there is no way for your system to know if LE can see your DNS servers (more than the error messages it can provide you).

One thing I forgot to ask: why is the Ansible template not working either?

OK, then how do I fix this issue? And who is responsible for fixing this? To whom do I need to report it?

You need to check that your process can update the TXT record first.
It seems that there are some records in there now.
Maybe the DNS zone can only hold a limited number of TXT records and simply needs to be emptied.

OR
Perhaps your DNS Service Provider (DSP) [Linode] has changed something and the propagation/synchronization is taking longer than expected.

See these results:

ns1.linode.com
serial  = 2021000168

ns2.linode.com
serial  = 2021000168

ns3.linode.com
serial  = 2021000169

ns4.linode.com
serial  = 2021000170

ns5.linode.com
serial  = 2021000170

Also working against you:
The domain registrar shows only ns1,ns2,ns3 [not all 5].
And those three are the ones with the lowest SOA record serial numbers.
[so their information is the furthest out of sync]

If you added all 5 DNS servers, then you would have some sort of chance of getting the right response [presuming that at least one of them does have the right response].
OR you could use ns3,ns4,ns5 [instead of ns1,ns2,ns3]; At least they seem to have newer information.

Update...
Now all five show:
serial = 2021000171

No luck:

provider.terraform-provider-acme_v2.5.2: 2021/11/12 01:08:40 [DEBUG] lego: [redislb.c3k.to] acme: Trying to solve DNS-01: timestamp=2021-11-12T01:08:40.126+0530
provider.terraform-provider-acme_v2.5.2: 2021/11/12 01:08:40 [DEBUG] lego: [redislb.c3k.to] acme: Checking DNS record propagation using [8.8.8.8:53 1.1.1.1:53 ns1.linode.com:53 ns2.linode.com:53 ns3.linode.com:53 ns4.linode.com:53 ns5.linode.com:53]: timestamp=2021-11-12T01:08:40.126+0530
provider.terraform-provider-acme_v2.5.2: 2021/11/12 01:12:40 [DEBUG] lego: Wait for propagation [timeout: 5m0s, interval: 4m0s]: timestamp=2021-11-12T01:12:40.128+0530

Error: error creating certificate: error: one or more domains had a problem:
│ [redis.c3k.to] time limit exceeded: last error: NS ns3.linode.com. returned SERVFAIL for _acme-challenge.redis.c3k.to.
│ [redislb.c3k.to] time limit exceeded: last error: NS ns5.linode.com. returned SERVFAIL for _acme-challenge.redislb.c3k.to.

After upgrading to 2.6.0 I am getting the same error:

provider.terraform-provider-acme_v2.6.0: 2021/11/12 01:49:12 [DEBUG] lego: [redislb.c3k.to] acme: Checking DNS record propagation using [8.8.8.8:53 1.1.1.1:53 ns1.linode.com:53 ns2.linode.com:53 ns3.linode.com:53 ns4.linode.com:53 ns5.linode.com:53]: timestamp=2021-11-12T01:49:12.213+0530
provider.terraform-provider-acme_v2.6.0: 2021/11/12 01:53:12 [DEBUG] lego: Wait for propagation [timeout: 5m0s, interval: 4m0s]: timestamp=2021-11-12T01:53:12.222+0530
provider.terraform-provider-acme_v2.6.0: 2021/11/12 01:53:16 [DEBUG] lego: [redislb.c3k.to] acme: Waiting for DNS record propagation.: timestamp=2021-11-12T01:53:16.511+0530

Error: error creating certificate: error: one or more domains had a problem:
│ [redis.c3k.to] time limit exceeded: last error: NS ns2.linode.com. returned SERVFAIL for _acme-challenge.redis.c3k.to.
│ [redislb.c3k.to] time limit exceeded: last error: NS ns2.linode.com. returned SERVFAIL for _acme-challenge.redislb.c3k.to.

nslookup -q=txt  _acme-challenge.redis.c3k.to. ns1.linode.com
*** UnKnown can't find _acme-challenge.redis.c3k.to.: Non-existent domain

nslookup -q=txt  _acme-challenge.redis.c3k.to. ns2.linode.com
*** UnKnown can't find _acme-challenge.redis.c3k.to.: Non-existent domain

nslookup -q=txt  _acme-challenge.redis.c3k.to. ns3.linode.com
*** UnKnown can't find _acme-challenge.redis.c3k.to.: Non-existent domain

Back to my earlier suggestion:

I have run terraform destroy to avoid duplicate records. I found the records when using nslookup.

sysadmin@MYLINUXVM:~$ nslookup -q=txt _acme-challenge.redis.c3k.to. ns1.linode.com
Server: ns1.linode.com
Address: 162.159.27.72#53

Non-authoritative answer:
_acme-challenge.redis.c3k.to text = "DOwfMnP8nNtXNi9hxryfJIj9tbKEWJVCQfJn_BDi4U0"

Authoritative answers can be found from:

sysadmin@MYLINUXVM:~$ nslookup -q=txt _acme-challenge.redislb.c3k.to. ns1.linode.com
Server: ns1.linode.com
Address: 162.159.27.72#53

Non-authoritative answer:
_acme-challenge.redislb.c3k.to text = "ID-p2IDCXwwSnzdftt3OOiyJ-gOiYuFNHy1Rf_Y-VrE"

Authoritative answers can be found from:

sysadmin@MYLINUXVM:~$ nslookup -q=txt _acme-challenge.redislb.c3k.to. ns2.linode.com
Server: ns2.linode.com
Address: 162.159.24.39#53

Non-authoritative answer:
_acme-challenge.redislb.c3k.to text = "ID-p2IDCXwwSnzdftt3OOiyJ-gOiYuFNHy1Rf_Y-VrE"

Authoritative answers can be found from:

sysadmin@MYLINUXVM:~$ nslookup -q=txt _acme-challenge.redislb.c3k.to. ns3.linode.com
Server: ns3.linode.com
Address: 162.159.25.129#53

Non-authoritative answer:
_acme-challenge.redislb.c3k.to text = "ID-p2IDCXwwSnzdftt3OOiyJ-gOiYuFNHy1Rf_Y-VrE"

Authoritative answers can be found from:

LE will only check the (truly) authoritative servers.

nslookup -q=ns  c3k.to. tonic.to.
c3k.to  nameserver = ns1.linode.com
c3k.to  nameserver = ns2.linode.com
c3k.to  nameserver = ns3.linode.com

It's good to see that they do update.

Perhaps your command is trying to renew too many names at the same time?
[not too much for LE - too much for Linode]

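rg305's last posts make two separate points: Let's Encrypt only consults the nameservers the parent zone delegates to (ns1, ns2 and ns3 per the tonic.to lookup above), and servers whose SOA serials disagree are not in sync with each other. As an added example that is not part of the thread and not lego's or Let's Encrypt's code, the Python below applies both rules to a set of per-nameserver observations and separates the failure modes that the thread's error output runs together (SERVFAIL, NXDOMAIN, and a stale value). The observations are constructed to mirror the symptoms in the thread, not real query results; the delegation list and the expected TXT value are the ones quoted in the posts above.

```python
CHALLENGE_PREFIX = "_acme-challenge."

# Nameservers the parent (tonic.to) delegates c3k.to to, per the nslookup in the thread.
DELEGATED_NS = ["ns1.linode.com", "ns2.linode.com", "ns3.linode.com"]

# The value lego published for redislb.c3k.to in the earlier nslookup output.
EXPECTED_TXT = "ID-p2IDCXwwSnzdftt3OOiyJ-gOiYuFNHy1Rf_Y-VrE"

# Constructed observations, one per server lego queried; these are NOT real query results.
# Each entry holds the SOA serial the server reports for c3k.to and its answer for the TXT query.
OBSERVED = {
    "ns1.linode.com": {"serial": 2021000168, "rcode": "NOERROR", "txt": [EXPECTED_TXT]},
    "ns2.linode.com": {"serial": 2021000168, "rcode": "SERVFAIL", "txt": []},
    "ns3.linode.com": {"serial": 2021000169, "rcode": "NXDOMAIN", "txt": []},
    "ns4.linode.com": {"serial": 2021000170, "rcode": "NOERROR", "txt": [EXPECTED_TXT]},
    "ns5.linode.com": {"serial": 2021000170, "rcode": "NOERROR", "txt": [EXPECTED_TXT]},
    "8.8.8.8": {"rcode": "NOERROR", "txt": [EXPECTED_TXT]},  # recursive resolver, no SOA of its own
}


def classify_answer(answer: dict, expected: str) -> str:
    """Tell apart the failure modes a single 'one or more domains had a problem' line hides."""
    if answer["rcode"] == "SERVFAIL":
        return "SERVFAIL"   # server could not answer at all (overloaded, broken zone, transfer in progress)
    if answer["rcode"] == "NXDOMAIN":
        return "NXDOMAIN"   # name does not exist on this server: the record never arrived here
    if expected in answer["txt"]:
        return "ok" if len(answer["txt"]) == 1 else "ok-with-stale"
    return "stale"          # name exists but carries only values from earlier orders


def assess_propagation(name: str, delegated: list, observed: dict, expected: str) -> dict:
    """Judge the challenge the way the CA will: only the delegated nameservers count."""
    fqdn = CHALLENGE_PREFIX + name + "."
    verdicts = {}
    for ns in delegated:
        verdicts[ns] = classify_answer(observed[ns], expected) if ns in observed else "no-answer"
    serials = {observed[ns]["serial"] for ns in delegated if ns in observed and "serial" in observed[ns]}
    failing = [ns for ns, verdict in verdicts.items() if not verdict.startswith("ok")]
    return {
        "checked": verdicts,
        # Servers lego may have polled that the CA's resolver is never pointed at by the delegation.
        "not_delegated": sorted(ns for ns in observed if ns not in delegated),
        "serial_skew": len(serials) > 1,
        "would_validate": not failing,
        "last_error": (f"NS {failing[-1]}. returned {verdicts[failing[-1]]} for {fqdn}" if failing else None),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(assess_propagation("redislb.c3k.to", DELEGATED_NS, OBSERVED, EXPECTED_TXT), indent=2))
```

To gather real observations, query each server directly and without recursion, for example `dig +norecurse @ns2.linode.com _acme-challenge.redislb.c3k.to TXT` and `dig +norecurse @ns2.linode.com c3k.to SOA`, and copy the status, the TXT strings and the serial into the dictionary. The `not_delegated` list is why a successful answer from 8.8.8.8, ns4 or ns5 in lego's own propagation check says nothing about what Let's Encrypt will see.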