I had some issues trying to get the certificates with the WWW domain not being recognized, but eventually got the command to issue them to work. However, now when I try to dry run the renewal I get an error either with the WWW domain or with both.
My domain is: advocatesays.click and www.advocatesays.click
I ran this command: certbot renew --dry-run
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/advocatesays.click.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for advocatesays.click and www.advocatesays.click
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: www.advocatesays.click
Type: dns
Detail: During secondary validation: DNS problem: SERVFAIL looking up CAA for advocatesays.click - the domain's nameservers may be malfunctioning
Domain: advocatesays.click
Type: dns
Detail: During secondary validation: DNS problem: SERVFAIL looking up CAA for advocatesays.click - the domain's nameservers may be malfunctioning
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
Failed to renew certificate advocatesays.click with error: Some challenges have failed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/advocatesays.click/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version):
nginx version: nginx/1.18.0 (Ubuntu)
The operating system my web server runs on is (include version):
Ubuntu 20.04.3 LTS
My hosting provider, if applicable, is: DigitalOcean
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
It looks like your authoritative DNS is not playing nice. You should set a CAA record, and it's either a transient issue, or you should ask njalla support.
peppe@monolite:~$ for ns in $(dig +short ns advocatesays.click); do dig @$ns caa advocatesays.click; done
; <<>> DiG 9.16.1-Ubuntu <<>> @2-can.njalla.in. caa advocatesays.click
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50049
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e4f2a9fa9f50d6541dd1dded61f905e307aa38df6a596942 (good)
;; QUESTION SECTION:
;advocatesays.click. IN CAA
;; AUTHORITY SECTION:
advocatesays.click. 10800 IN SOA 1-you.njalla.no. you.can-get-no.info. 2201311158 21600 7200 1814400 86400
;; Query time: 38 msec
;; SERVER: 185.193.124.34#53(185.193.124.34)
;; WHEN: Tue Feb 01 11:05:22 CET 2022
;; MSG SIZE rcvd: 145
; <<>> DiG 9.16.1-Ubuntu <<>> @3-get.njalla.fo. caa advocatesays.click
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51701
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 35fcefc095622b578f7d6f6761f905e3b88f8092c417df90 (good)
;; QUESTION SECTION:
;advocatesays.click. IN CAA
;; AUTHORITY SECTION:
advocatesays.click. 10800 IN SOA 1-you.njalla.no. you.can-get-no.info. 2201311158 21600 7200 1814400 86400
;; Query time: 78 msec
;; SERVER: 95.215.19.5#53(95.215.19.5)
;; WHEN: Tue Feb 01 11:05:22 CET 2022
;; MSG SIZE rcvd: 145
; <<>> DiG 9.16.1-Ubuntu <<>> @1-you.njalla.no. caa advocatesays.click
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55239
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 4f6c15b613a8c1e27f028ea361f905e3c462bc3ad9d0a014 (good)
;; QUESTION SECTION:
;advocatesays.click. IN CAA
;; AUTHORITY SECTION:
advocatesays.click. 10800 IN SOA 1-you.njalla.no. you.can-get-no.info. 2201311158 21600 7200 1814400 86400
;; Query time: 38 msec
;; SERVER: 185.193.124.2#53(185.193.124.2)
;; WHEN: Tue Feb 01 11:05:22 CET 2022
;; MSG SIZE rcvd: 145
peppe@monolite:~$
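A way to turn the output of that loop into a per-server verdict, added here as an example and not part of the thread or of any Let's Encrypt tooling: it parses dig transcripts (a constructed sample with placeholder names and addresses is embedded), records whether each reply carried the `aa` flag, and classifies each server's CAA answer as NODATA (NOERROR with no records, which is fine, since no CAA record means nothing restricts issuance), an actual CAA RRset, or SERVFAIL, the one outcome a CA treats as "policy cannot be determined" and refuses on. The server names `ns1..ns3.example.invalid` and the 192.0.2.x addresses are placeholders.

```python
"""Classify per-nameserver CAA lookup results from dig transcripts (added example)."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the shape of the thread's dig loop output. Names and
# addresses are placeholders (example.invalid, 192.0.2.0/24), not real servers.
# Block 1: NOERROR with an empty ANSWER section, i.e. "no CAA record" (healthy).
# Block 2: SERVFAIL, the condition Let's Encrypt's secondary validators reported.
# Block 3: NOERROR with one CAA record.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.16.1-Ubuntu <<>> @ns1.example.invalid. caa example.invalid
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50049
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;example.invalid. IN CAA
;; AUTHORITY SECTION:
example.invalid. 10800 IN SOA ns1.example.invalid. hostmaster.example.invalid. 1 21600 7200 1814400 86400
;; SERVER: 192.0.2.1#53(192.0.2.1)

; <<>> DiG 9.16.1-Ubuntu <<>> @ns2.example.invalid. caa example.invalid
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51701
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;example.invalid. IN CAA
;; SERVER: 192.0.2.2#53(192.0.2.2)

; <<>> DiG 9.16.1-Ubuntu <<>> @ns3.example.invalid. caa example.invalid
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55239
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;example.invalid. IN CAA
;; ANSWER SECTION:
example.invalid. 3600 IN CAA 0 issue "letsencrypt.org"
;; SERVER: 192.0.2.3#53(192.0.2.3)
"""


@dataclass
class CaaLookup:
    server: str
    status: str                 # dig rcode text: NOERROR, SERVFAIL, NXDOMAIN, ...
    authoritative: bool         # 'aa' flag present in the reply
    answers: List[str] = field(default_factory=list)   # CAA RDATA strings

    @property
    def verdict(self) -> str:
        """What a CA doing CAA checking would conclude from this one reply."""
        if self.status == "SERVFAIL":
            return "servfail"   # policy cannot be determined: the CA refuses to issue
        if self.status != "NOERROR":
            return self.status.lower()
        return "caa" if self.answers else "nodata"   # nodata: no CAA restriction here


HEADER_RE = re.compile(r"^; <<>> DiG .*?<<>> @(?P<server>\S+)", re.M)
STATUS_RE = re.compile(r"status: (?P<status>[A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags: (?P<flags>[a-z ]*);", re.M)
CAA_RR_RE = re.compile(r"^\S+\s+\d+\s+IN\s+CAA\s+(?P<rdata>.+)$", re.M)


def parse_dig_output(text: str) -> List[CaaLookup]:
    """Split concatenated dig transcripts on their banner line and parse each."""
    lookups: List[CaaLookup] = []
    for block in re.split(r"(?m)^(?=; <<>> DiG)", text):
        header = HEADER_RE.search(block)
        if not header:
            continue            # empty chunk before the first banner
        status = STATUS_RE.search(block)
        flags = FLAGS_RE.search(block)
        lookups.append(CaaLookup(
            server=header.group("server").rstrip("."),
            status=status.group("status") if status else "UNKNOWN",
            authoritative="aa" in (flags.group("flags").split() if flags else []),
            answers=[m.group("rdata").strip() for m in CAA_RR_RE.finditer(block)],
        ))
    return lookups


def failing_servers(lookups: List[CaaLookup]) -> List[str]:
    """Servers whose reply would make a CA refuse issuance (SERVFAIL or another error)."""
    return [l.server for l in lookups if l.verdict not in ("nodata", "caa")]


if __name__ == "__main__":
    results = parse_dig_output(SAMPLE_DIG_OUTPUT)
    for r in results:
        aa = "authoritative" if r.authoritative else "NOT authoritative"
        print(f"{r.server:22} {r.status:9} {aa:18} -> {r.verdict} {r.answers}")
    print("servers a CA would refuse on:", failing_servers(SAMPLE_DIG_OUTPUT and results))
```

Run against real output, pipe the same `for ns in $(dig +short ns DOMAIN); do dig @$ns caa DOMAIN; done` loop into a file and pass its contents to `parse_dig_output`; every authoritative server should come back `nodata` or `caa`, and any `servfail` is the thing to take to the DNS provider.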
Ok, following the guide you linked the first step that I must do when encountering SERVFAIL is run my domain names through https://dnsviz.net/. I seem to be getting warnings about DNSSEC specification prohibiting signing with DS records that use digest algorithm 1 (SHA-1) and that DNSSEC specification recommends not signing with DNSSEC algorithm 5 (RSASHA1). Not really sure how to follow those warnings.
Based on some examples in the article do I need to put my two domain names as Name for CAA records?
Ok, I tried putting in Type: CAA, Name: advocatesays.click and Content: "0 issue letsencrypt.org" (same as example value in that field in the UI) and I got a warning back "failed to add record". Is there some logical error with the record I am trying to add or should I contact the njalla support?
If you're not able to add the CAA record due to some error in the DNS zone editor then yes, you should consult with your DNS service provider on how to actually add the CAA record. Nothing we can help you with in that regard.
And also the fact the SERVFAILs come from secondary servers and not the primary one suggests there might be something going on with your DNS which is pretty hard to debug. I'm not sure if adding the CAA record will actually help, but doesn't hurt to try.
All those warnings @ DNSViz do suggest to me that the .click top-level domain isn't very well set up, but I don't see a clear reason for SERVFAILs at that test. But depending on from where in the world DNSViz initiates the test, this might be a false negative. Perhaps other servers of the .click TLD or the lower name servers (uniregistry.net?) have something bad going on somewhere else in the world.
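On the question whether `0 issue letsencrypt.org` is a sound record and what a CA does with it once it exists: the following is an added example, not code from this thread, from Certbot or from Let's Encrypt. It parses CAA records in their presentation form (which accepts either a quoted or a bare value, so both spellings of that record parse to the same thing) and then applies the RFC 8659 relevant-RRset rule over a constructed zone: climb from the requested name towards the root, the first non-empty CAA RRset decides, `issuewild` takes precedence over `issue` for wildcard names, a critical property with an unknown tag blocks issuance, and a SERVFAIL anywhere on the way up (modelled here as `None`) means the policy cannot be determined, so the CA refuses. Starting a wildcard lookup at the name under the `*` follows common CA practice and is an assumption of this example; the `example.com` zone contents are constructed.

```python
"""CAA authorization check in the style of RFC 8659 section 3 (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ISSUER_CRITICAL = 128          # flags bit 0 on the wire, value 128 (RFC 8659 s4.1)
KNOWN_TAGS = ("issue", "issuewild", "iodef")


@dataclass(frozen=True)
class CaaRecord:
    flags: int
    tag: str
    value: str


# Presentation form: <flags> <tag> <value>. The value may be quoted or, when it
# contains no whitespace, bare, so '0 issue "letsencrypt.org"' and
# '0 issue letsencrypt.org' are the same record.
CAA_TEXT_RE = re.compile(
    r'^\s*(?P<flags>\d{1,3})\s+(?P<tag>[A-Za-z0-9]+)\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))\s*$'
)


def parse_caa(text: str) -> CaaRecord:
    m = CAA_TEXT_RE.match(text)
    if not m:
        raise ValueError(f"not a CAA record: {text!r}")
    flags = int(m.group("flags"))
    if not 0 <= flags <= 255:
        raise ValueError(f"flags out of range: {flags}")
    value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
    return CaaRecord(flags, m.group("tag").lower(), value)


class CaaLookupError(Exception):
    """A name in the chain returned SERVFAIL: the policy cannot be determined."""


# Zone = name -> CAA RRset. An empty list is NODATA (no CAA at that name);
# None stands in for a SERVFAIL, the failure mode seen in the thread.
Zone = Dict[str, Optional[List[CaaRecord]]]


def relevant_rrset(fqdn: str, zone: Zone) -> List[CaaRecord]:
    name = fqdn.rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]          # wildcard: start at the name the '*' hangs off (assumption)
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = zone.get(candidate, [])
        if rrset is None:
            raise CaaLookupError(candidate)
        if rrset:
            return rrset         # first non-empty RRset on the way up wins
    return []


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=http-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(fqdn: str, ca_domain: str, zone: Zone) -> bool:
    rrset = relevant_rrset(fqdn, zone)
    if any(rr.flags & ISSUER_CRITICAL and rr.tag not in KNOWN_TAGS for rr in rrset):
        return False             # critical property we do not understand: refuse
    wildcard = fqdn.startswith("*.")
    for tag in (("issuewild", "issue") if wildcard else ("issue",)):
        applicable = [rr for rr in rrset if rr.tag == tag]
        if applicable:           # an empty issuer name (';') matches no CA at all
            return any(issuer_domain(rr.value) == ca_domain.lower() for rr in applicable)
    return True                  # no issue/issuewild property: CAA does not restrict


# Constructed zone: example.com restricts issuance to letsencrypt.org and names
# an iodef contact; www inherits that; two subdomains show the other outcomes.
SAMPLE_ZONE: Zone = {
    "example.com": [parse_caa('0 issue "letsencrypt.org"'),
                    parse_caa('0 iodef "mailto:security@example.com"')],
    "www.example.com": [],                              # inherits example.com's policy
    "locked.example.com": [parse_caa('0 issue ";"')],   # explicit "no CA may issue"
    "wild.example.com": [parse_caa('0 issuewild "digicert.com"')],
    "broken.example.com": None,                         # simulated SERVFAIL
}

if __name__ == "__main__":
    for name in ("www.example.com", "locked.example.com",
                 "*.wild.example.com", "broken.example.com"):
        try:
            print(name, "letsencrypt.org ->", ca_may_issue(name, "letsencrypt.org", SAMPLE_ZONE))
        except CaaLookupError as e:
            print(name, "-> lookup failed at", e, "(CA refuses to issue)")
```

The `www` case is the one that matters for the thread: `www.example.com` has no CAA record of its own, so the CA climbs to `example.com` and applies what it finds there, which is why a single record at the apex covers both names. The `broken` case shows why a SERVFAIL is worse than having no record at all: an empty answer permits issuance, a failed lookup blocks it.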
If you're not able to add the CAA record due to some error in the DNS zone editor then yes, you should consult with your DNS service provider on how to actually add the CAA record.
Well, I was asking to confirm if it was that or if what I was inputting doesn't make sense.
And also the fact the SERVFAILs come from secondary servers and not the primary one suggests there might be something going on with your DNS which is pretty hard to debug.
You mean the DNS of my host (DigitalOcean)?
All those warnings @ DNSViz do suggest to me that the .click top-level domain isn't very well set up,
This is my current setup: I have added two DNS records:
Type: A, Name: advocatesays.click, IP: (ip address)
Type: A, Name: www.advocatesays.click, IP: (same ip address)
The part about secondary servers is from the Let's Encrypt side: LE uses 4 different vantage points around the world, 1 being the "primary" and 3 others being "secondary". If the primary succeeds, but 2 out of 3 of the secondary vantage points fail, the validation in total will fail and add "secondary" in the error message to specify this specifically.
For the CAA record? Well, they didn't answer you apparently..
Ah, so you didn't ask your DNS support about the error you got when you tried to add the CAA record.
The part about secondary servers is from the Let's Encrypt side: LE uses 4 different vantage points around the world, 1 being the "primary" and 3 others being "secondary". If the primary succeeds, but 2 out of 3 of the secondary vantage points fail, the validation in total will fail and add "secondary" in the error message to specify this specifically.
So what exactly is considered "my" DNS servers which I need to look into about something going on with them? Since I do not personally maintain any public DNS servers.
For the CAA record? Well, they didn't answer you apparently..
I mean, I posted here earlier what I tried inputting as CAA record to check if it is logically sound.
Ah, so you didn't ask your DNS support about the error you got when you tried to add the CAA record.
Let's Debug also doesn't show any issues.
And when I try to get a certificate for your site (which will fail ultimately of course), it does not complain about CAA records, just the failed validation attempt..?
It's probably a rather hard to debug issue with something at the DNS. Doesn't necessarily have to be the DNS hosting provider, but might as well be the DNS infrastructure of the .click top level domain. Hard if not impossible to tell I think, although all those warnings at DNSViz don't make me feel hopeful about the .click TLD. I hope you didn't pay too much money for your domain!