My certificate just expired, and I want to renew it or make a new one for my website.
My first certificate was 3 months ago. I forgot how I managed to get it, so I tried to use Certbot to renew it.
As you can see, I don’t speak English very well, so if there is something missing, please remind me.
I used certbot renew --dry-run to renew my certificate, and then it threw an error: Failed authorization procedure. cal.lxserv.cn (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for cal.lxserv.cn, www.lxserv.cn (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for www.lxserv.cn
I tried to do the reading, but my English is just not good enough for me to understand everything. But I think it may be some DNS problem, so I did this:
dig @8.8.8.8 www.lxserv.cn
But it seems to be normal. It returns this:
```
; <<>> DiG 9.9.5-3ubuntu0.14-Ubuntu <<>> @8.8.8.8 www.lxserv.cn
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1845
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.lxserv.cn. IN A
;; ANSWER SECTION:
www.lxserv.cn. 59 IN A 175.111.124.94
```
I don’t know how to solve this. If it was a DNS problem, why did I get the certificate successfully the first time, and why am I getting this error now?
If needed: I’m using Oray.com’s DDNS.
```
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for cal.lxserv.cn
tls-sni-01 challenge for www.lxserv.cn
/usr/lib/python2.7/dist-packages/OpenSSL/rand.py:58: UserWarning: implicit cast from 'char *' to a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct)
result_code = _lib.RAND_bytes(result_buffer, num_bytes)
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/cal.lxserv.cn.conf produced an unexpected error: Failed authorization procedure. www.lxserv.cn (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for www.lxserv.cn. Skipping.
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/cal.lxserv.cn/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
```
My operating system is (include version): Ubuntu Server 14.04.5 LTS
My web server is (include version): Apache2 2.4.7
My hosting provider, if applicable, is: I host the server at home; the Internet provider is J:COM cable Internet (Japan)
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No
It seems a bit odd. While it is broken, I hit up a couple of Unbound resolvers, and it either works or returns NXDOMAIN (due to the malfunctioning authoritative servers).
Let's Encrypt must be failing due to configuration or version differences, or an unrelated issue.
Edit: @laoxiaoms, regardless of why Let's Encrypt is failing, you should use a DNS provider that works right. This one may encounter issues with any DNS resolver.
I don’t have an Internet connection that provides a static IP address, so I am using a DynDNS service to make my domain work. The DynDNS service provider does not allow me to change the DNS server (once DynDNS is switched ON, everything for my domain is simply managed by the DynDNS provider).
My DynDNS provider is www.oray.com (Chinese).
What should I do?
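Added example (not written by anyone in this thread): Python that lines up the DNS result the CA reported in the certbot error with the result of the local `dig`, using text excerpted from the first post. The function names are hypothetical.

```python
import re

# Sample input excerpted from the first post's certbot error and dig output.
CERTBOT_ERROR = (
    "Failed authorization procedure. cal.lxserv.cn (tls-sni-01): "
    "urn:acme:error:connection :: The server could not connect to the client "
    "to verify the domain :: DNS problem: SERVFAIL looking up A for cal.lxserv.cn, "
    "www.lxserv.cn (tls-sni-01): urn:acme:error:connection :: The server could "
    "not connect to the client to verify the domain :: DNS problem: SERVFAIL "
    "looking up A for www.lxserv.cn"
)
DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1845
;; QUESTION SECTION:
;www.lxserv.cn. IN A
;; ANSWER SECTION:
www.lxserv.cn. 59 IN A 175.111.124.94
"""

# One entry per "<domain> (<challenge>): urn:acme:error:<type> :: <desc> :: <detail>".
ACME_RE = re.compile(
    r"(?P<domain>[\w.-]+) \((?P<challenge>[\w-]+)\): urn:acme:error:(?P<type>\w+)"
    r" :: .*? :: DNS problem: (?P<rcode>\w+) looking up (?P<rtype>\w+) for (?P=domain)"
)

def parse_acme_dns_failures(text):
    """Map domain -> (challenge, DNS rcode, record type) as reported by the CA."""
    return {m["domain"]: (m["challenge"], m["rcode"], m["rtype"])
            for m in ACME_RE.finditer(text)}

def parse_dig(text):
    """Return (queried name, header status, answer IPs) from dig output."""
    status = re.search(r"status: (\w+)", text).group(1)
    qname = re.search(r"^;([\w.-]+?)\.\s+IN\s+A\s*$", text, re.M).group(1)
    ips = re.findall(r"^[\w.-]+\.\s+\d+\s+IN\s+A\s+([\d.]+)$", text, re.M)
    return qname, status, ips

def compare(certbot_text, dig_text):
    """Report whether the CA's lookup and the local dig agree for the dig'd name."""
    failures = parse_acme_dns_failures(certbot_text)
    qname, status, ips = parse_dig(dig_text)
    if qname not in failures:
        return f"{qname}: no DNS failure reported by the CA"
    ca_rcode = failures[qname][1]
    if ca_rcode != status:
        return (f"{qname}: CA saw {ca_rcode}, local dig saw {status} {ips}; "
                "resolvers disagree, check the authoritative nameservers")
    return f"{qname}: both lookups returned {status}"
```

A disagreement like this one means a single successful `dig` through one public resolver does not show that every resolver can get an answer from the domain's authoritative servers.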