Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
www.tal09.clients.merrehill.co.uk
I ran this command:
certbot certonly --apache --non-interactive --preferred-challenges http --cert-name tal09.clients.merrehill.co.uk -d tal09.clients.merrehill.co.uk,talent-finder-limited.co.uk,c.tal09.clients.merrehill.co.uk,c.talent-finder-limited.co.uk,www.tal09.clients.merrehill.co.uk,www.talent-finder-limited.co.uk
It produced this output:
During secondary validation: DNS problem: SERVFAIL looking up A for www.tal09.clients.merrehill.co.uk - the domain's nameservers may be malfunctioning; no valid AAAA records found for www.tal09.clients.merrehill.co.uk
My web server is (include version):
Apache 2.4.46
The operating system my web server runs on is (include version): Amazon Linux, version 2.
My hosting provider, if applicable, is:
N/A
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.11.0
We have been seeing intermittent errors for a number of months when getting certificates. As an example, the one above failed at 2022-07-14 12:59:47 BST, and when run again was successful at 2022-07-14 13:05:42 BST, basically 6 minutes later.
The failures we see always appear during the secondary validation. There are other sub-domains on the certificate request which go through ok. The log indicates that both:
c.tal09.clients.merrehill.co.uk & tal09.clients.merrehill.co.uk
had valid responses during the processing.
These domains are hosted under the wildcard A record of *.clients.merrehill.co.uk.
There are no AAAA records as the solution doesn't use IPv6.
As the issue is intermittent, it is really confusing as to why it errors.
It would be good to understand where the issue lies, be it with Let's Encrypt or our DNS provider, so I can focus attention on getting these certificates issued smoothly.
I appreciate any light the community can shed on this.
Many thanks in advance.
Andy
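The check a practitioner would run on a report like this, added here as an example and not part of Andy's post, of Certbot or of Let's Encrypt: bypass recursive resolvers and ask each authoritative nameserver of the zone that holds the wildcard (clients.merrehill.co.uk in the post) directly for the A and AAAA records of the failing name, then classify every answer. Let's Encrypt's validators query the authoritative servers themselves, so one server that intermittently answers SERVFAIL is enough to produce exactly this pattern of occasional failures. The script, its function names and the name/zone arguments are assumptions; the only external tool it uses is dig.

```shell
#!/bin/sh
# Added diagnostic example (not from the original post): ask every
# authoritative nameserver of a zone directly for the A and AAAA records
# of a name and classify each answer. Helper names are hypothetical.

# classify_dig OUTPUT: reduce raw dig output to one verdict. Pure text
# processing, so it works without network access.
#   ok       NOERROR with at least one answer record
#   nodata   NOERROR with no answer (expected for AAAA when IPv6 is unused)
#   servfail the server failed the query (what Let's Encrypt reported)
#   timeout  no response at all
classify_dig() {
    rcode=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n1)
    answers=$(printf '%s\n' "$1" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n1)
    case "$rcode" in
        NOERROR)
            if [ "${answers:-0}" -gt 0 ]; then echo "ok"; else echo "nodata"; fi ;;
        SERVFAIL) echo "servfail" ;;
        NXDOMAIN) echo "nxdomain" ;;
        "")       echo "timeout" ;;
        *)        echo "other:$rcode" ;;
    esac
}

# authoritative_servers ZONE: the NS set of the zone holding the wildcard.
authoritative_servers() {
    dig +short NS "$1"
}

# check_name NAME ZONE: query each authoritative server of ZONE directly
# (no recursive resolver in between) for A and AAAA of NAME. Run it
# repeatedly, e.g. from a loop or cron, to catch an intermittent SERVFAIL.
check_name() {
    name=$1
    zone=$2
    for ns in $(authoritative_servers "$zone"); do
        for rrtype in A AAAA; do
            out=$(dig +norecurse +time=3 +tries=1 "@$ns" "$name" "$rrtype" 2>&1)
            printf '%-35s %-5s %s\n' "$ns" "$rrtype" "$(classify_dig "$out")"
        done
    done
}

# Live check only when both arguments are given, e.g.
#   sh dnscheck.sh www.tal09.clients.merrehill.co.uk clients.merrehill.co.uk
if [ $# -eq 2 ]; then
    command -v dig >/dev/null 2>&1 || { echo "dig not found" >&2; exit 1; }
    check_name "$1" "$2"
fi
```

For an IPv4-only name the healthy output is "ok" for A and "nodata" for AAAA on every server; any "servfail" or "timeout" row points at the DNS provider's server rather than at Let's Encrypt, and the server name in that row is what to take to the provider. Because the failure in the post was intermittent, a single clean run proves little; run the check on a schedule around the times certificate renewals are attempted and keep the output.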