Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: mail.bestwell.com.tw
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I ran into a problem: certificate auto-renewal failed on a Synology NAS DS418p. I checked this issue with Synology technical support and got the failure log below:
2021-10-28T14:52:34+08:00 bestwellmail syno-letsencrypt: Failed to do challenge for mail.bestwell.com.tw with type http-01.
2021-10-28T14:52:34+08:00 bestwellmail syno-letsencrypt: close port 80.
2021-10-28T14:52:34+08:00 bestwellmail synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[12877]: certificate.cpp:968 syno-letsencrypt failed. 109 [DNS problem: SERVFAIL looking up A for mail.bestwell.com.tw - the domain's nameservers may be malfunctioning]
2021-10-28T14:52:34+08:00 bestwellmail synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[12877]: certificate.cpp:1466 Failed to renew Let'sEncrypt certificate. [109][DNS problem: SERVFAIL looking up A for mail.bestwell.com.tw - the domain's nameservers may be malfunctioning]
According to the log, the problem is caused by DNS: [DNS problem: SERVFAIL looking up A for mail.bestwell.com.tw - the domain's nameservers may be malfunctioning]. Therefore, I asked the DNS service provider HiNet to inspect the DNS settings. As confirmed with HiNet, "bestwell.com.tw" uses HiNet IDC DNS hosting and the settings of HiNet BRAS are normal and correct. The related results are as follows:
bestwell.com.tw@8.8.8.8 (Google):
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.8 <<>> CAA +additional bestwell.com.tw. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54817
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;bestwell.com.tw. IN CAA
;; AUTHORITY SECTION:
bestwell.com.tw. 1783 IN SOA ns.hinetidc.net. hostmaster.hinet.net. 1635015601 3600 1800 1209600 3600
;; Query time: 14 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Oct 27 08:57:44 2021
;; MSG SIZE rcvd: 101
bestwell.com.tw@168.95.1.1 (HiNet (TW)):
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.8 <<>> CAA +additional bestwell.com.tw. @168.95.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26551
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;bestwell.com.tw. IN CAA
;; AUTHORITY SECTION:
bestwell.com.tw. 3600 IN SOA ns.hinetidc.net. hostmaster.hinet.net. 1635015601 3600 1800 1209600 3600
;; Query time: 177 msec
;; SERVER: 168.95.1.1#53(168.95.1.1)
;; WHEN: Wed Oct 27 08:57:44 2021
;; MSG SIZE rcvd: 101
mail.bestwell.com.tw@8.8.8.8 (Google):
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.8 <<>> CAA +additional mail.bestwell.com.tw. @8.8.8.8
;; global options: +cmd
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17804
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;mail.bestwell.com.tw. IN CAA
;; AUTHORITY SECTION:
bestwell.com.tw. 1800 IN SOA ns.hinetidc.net. hostmaster.hinet.net. 1635015601 3600 1800 1209600 3600
;; Query time: 184 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Oct 27 08:57:44 2021
;; MSG SIZE rcvd: 106
mail.bestwell.com.tw@168.95.1.1 (HiNet (TW)):
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.8 <<>> CAA +additional mail.bestwell.com.tw. @168.95.1.1
;; global options: +cmd
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1550
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;mail.bestwell.com.tw. IN CAA
;; AUTHORITY SECTION:
bestwell.com.tw. 3600 IN SOA ns.hinetidc.net. hostmaster.hinet.net. 1635015601 3600 1800 1209600 3600
;; Query time: 176 msec
;; SERVER: 168.95.1.1#53(168.95.1.1)
;; WHEN: Wed Oct 27 08:57:44 2021
;; MSG SIZE rcvd: 106
There have been no recent changes and no CAA records have been set at the HiNet DNS server. The CAA records resolved through HiNet DNS and Google DNS are all NOERROR, and there is no SERVFAIL problem.
Even so, I still cannot renew the certificate and would like to know how to fix it. Does it require a CAA record to be set when applying for the certificate?
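
An added example, not part of the original post: a Python check that compares the record type named in the renewal failure log (SERVFAIL looking up A) with the record types the dig diagnostics actually queried (CAA). The sample log and dig text are constructed in the formats shown above, and the function names are hypothetical.

```python
import re

# Constructed samples, modelled on the log and dig output formats in the post.
SAMPLE_LOG = """\
2021-10-28T14:52:34+08:00 host syno-letsencrypt: Failed to do challenge for mail.example.com with type http-01.
2021-10-28T14:52:34+08:00 host synoscgi[1]: certificate.cpp:968 syno-letsencrypt failed. 109 [DNS problem: SERVFAIL looking up A for mail.example.com - the domain's nameservers may be malfunctioning]
"""
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17804
;; QUESTION SECTION:
;mail.example.com. IN CAA
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1550
;; QUESTION SECTION:
;mail.example.com. IN CAA
;; SERVER: 168.95.1.1#53(168.95.1.1)
"""

LOG_RE = re.compile(r"DNS problem: (\w+) looking up (\w+) for ([\w.-]+)")
STATUS_RE = re.compile(r"status: (\w+)")
QUESTION_RE = re.compile(r"^;([\w.-]+?)\.?\s+IN\s+(\w+)\s*$")
SERVER_RE = re.compile(r"^;; SERVER: ([\d.]+)#")

def log_failures(log_text):
    """Return the distinct (name, record type, rcode) triples the CA reported."""
    return sorted({(m.group(3), m.group(2), m.group(1)) for m in LOG_RE.finditer(log_text)})

def dig_checks(dig_text):
    """Return (name, record type, resolver, status) for each dig answer block."""
    checks, status, question = [], None, None
    for line in dig_text.splitlines():
        if "->>HEADER<<-" in line:
            status = STATUS_RE.search(line).group(1)
        elif (m := QUESTION_RE.match(line)):
            question = (m.group(1), m.group(2))
        elif (m := SERVER_RE.match(line)) and question:
            checks.append((*question, m.group(1), status))
            question = None
    return checks

def untested_failures(log_text, dig_text):
    """Failures from the log whose name and record type no dig query covered."""
    tested = {(name, rtype) for name, rtype, _, _ in dig_checks(dig_text)}
    return [f for f in log_failures(log_text) if (f[0], f[1]) not in tested]

if __name__ == "__main__":
    for name, rtype, rcode in untested_failures(SAMPLE_LOG, SAMPLE_DIG):
        print(f"{rcode} on {rtype} {name} was reported, but no dig query tested that record type")
```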