Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for takvpsguti.duckdns.org
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: takvpsguti.duckdns.org
Type: dns
Detail: While processing CAA for takvpsguti.duckdns.org: DNS problem: query timed out looking up CAA for takvpsguti.duckdns.org
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version): Ubuntu 24.04 LTS
The operating system my web server runs on is (include version):
We see these problems with DuckDNS regularly. Often just retrying later will succeed. The DuckDNS servers are not responding promptly to queries from the Let's Encrypt validation server. This is why you see the "timed out" message.
Never mind not responding properly to Let's Encrypt's queries ... they don't seem to want to talk to anybody!
Here's a little bit of bash to try to request a CAA record from each of their 9 nameservers:
for x in $(seq 1 9) ; do nsip=$(dig +short ns${x}.duckdns.org) ; echo ns${x}.duckdns.org is at $nsip ; dig +short +norec caa duckdns.org @$nsip ; done
You can replace caa duckdns.org with a www.duckdns.org to try to get their main webserver's IP address, and that works no better. One attempt just now got responses from ns2, ns4 and ns9, another run got them from 4, 7 and 8. Different machines but both in the UK.
letsdebug.net is another useful tool for getting an external perspective -- I tried that earlier and it was at least able to look up your IP, although it couldn't connect because by then you'd stopped certbot. I'm also a big fan of zonemaster.net although like the brilliant dnsviz.net that needs a bit more knowledge of DNS to fully interpret.
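A longer form of the per-nameserver check above, as an added example that is not part of the original post: it reports the DNS status each server returns, so a valid reply (even one with no CAA records) can be told apart from no reply at all. The function names, the `NO_REPLY` label and the 2-second timeout are assumptions; the nameserver names ns1 to ns9 come from the post.

```shell
#!/usr/bin/env bash
# Added example: CAA probe of each DuckDNS nameserver, reporting status per server.

# classify_reply: read dig output on stdin, print the DNS status or NO_REPLY.
classify_reply() {
    local out status
    out=$(cat)
    # dig's header line looks like:
    #   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    if [ -n "$status" ]; then
        printf '%s\n' "$status"
    else
        printf 'NO_REPLY\n'   # no header at all: timeout or unreachable server
    fi
}

# probe_caa NAME SERVER: one non-recursive CAA query, 2 s timeout, no retries.
probe_caa() {
    dig +norecurse +time=2 +tries=1 +noall +comments caa "$1" "@$2" 2>&1 | classify_reply
}

# survey NAME: probe ns1..ns9.duckdns.org, print one line per server,
# and return non-zero if any server gave no usable answer.
survey() {
    local name x ns result bad
    name=$1
    bad=0
    for x in $(seq 1 9); do
        ns="ns${x}.duckdns.org"
        result=$(probe_caa "$name" "$ns")
        printf '%s %s\n' "$ns" "$result"
        # NOERROR (even with an empty answer) and NXDOMAIN are real answers;
        # NO_REPLY, SERVFAIL and REFUSED count as lookup failures.
        case $result in
            NOERROR|NXDOMAIN) ;;
            *) bad=$((bad + 1)) ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Run only when given a name, e.g.: ./caa-survey.sh duckdns.org
if [ "$#" -ge 1 ]; then
    survey "$1"
fi
```

Running it a few times in a row shows whether the set of silent servers changes between runs, as it did in the two attempts described above.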
Ooh, good spot. The staging environment appears to be okay though -- and that checks CAA records as well so testing against that will tell us if it's the LE issue that's the problem, or DuckDNS.
@SamiZher, could you try running certbot again with the --test-cert flag and post the output here please? Thanks!
With certonly the better option is usually the --dry-run flag. It will use the LE Staging system just the same but it won't affect any existing certs and won't retain the Staging cert.
@MikeMcQ -- thank you, I hadn't appreciated that subtle distinction between the two options until now.
@SamiZher -- whatever was wrong with DuckDNS yesterday, it seems to be working better this morning. I tried those little tests again just now and got good responses from all 9 of their nameservers, so if you try requesting your certificate again, it should work now. The Let's Encrypt incident that @Bruce5051 mentioned is still open but it looks like they have that mostly sorted out now.