Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: b.lingxh.com
I ran this command: Install Let’s Encrypt via BT Panel
It produced this output: During secondary validation: DNS problem: SERVFAIL looking up A for b.lingxh.com - the domain’s nameservers may be malfunctioning
My web server is (include version): Nginx 1.18.0
The operating system my web server runs on is (include version): CentOS 8.1.1911
My hosting provider, if applicable, is: Azure
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): BT panel 7.2.0 (bt.cn)
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Panel integration, unclear
To begin with, your nameservers do not support “0x20” (reflecting mixed-case query names in responses). More info here.
This is not usually a fatal problem, but it does mean that Let’s Encrypt’s DNS recursive resolver goes into a “0x20 fallback” mode, where it compares the response from every nameserver, to make sure that no spoofing is going on.
That brings us to the second issue: when Let’s Encrypt’s resolver is performing the fallback queries, it is hitting an internal maximum number of queries it is willing to perform in order to complete the fallback, and this results in the target domain not being successfully resolved.
I think the reason it is hitting that limit is that you effectively have 9 (or 16 according to glue records) nameservers (ns1.hwclouds-dns.com and ns1.hwclouds-dns.net each advertise multiple IPv4 addresses and an IPv6 address).
For context, here is a snippet from a similarly configured resolver:
[1592100791] libunbound[27661:0] debug: request ns1.hwclouds-dns.net. has exceeded the maximum number of glue fetches 66
[1592100791] libunbound[27661:0] debug: request ns1.hwclouds-dns.com. has exceeded the maximum number of glue fetches 66
[1592100791] libunbound[27661:0] debug: request lingxh.com. has exceeded the maximum number of glue fetches 66
[1592100791] libunbound[27661:0] debug: request ns1.hwclouds-dns.com. has exceeded the maximum number of glue fetches 66
[1592100791] libunbound[27661:0] debug: request ns1.hwclouds-dns.net. has exceeded the maximum number of glue fetches 66
[1592100791] libunbound[27661:0] debug: request ns1.hwclouds-dns.net. has exceeded the maximum number of glue fetches 66
[1592100791] libunbound[27661:0] debug: request ns1.hwclouds-dns.net. has exceeded the maximum number of glue fetches 66
[1592100791] libunbound[27661:0] debug: request hwclouds-dns.net. has exceeded the maximum number of glue fetches 66
[1592100792] libunbound[27661:0] debug: request hwclouds-dns.com. has exceeded the maximum number of glue fetches 66
[1592100796] libunbound[27661:0] debug: request b.lingxh.com. has exceeded the maximum number of glue fetches 17 to a single delegation point
To resolve it, I think you should just find some nameservers that do support 0x20 mixed case. While the behavior of Let’s Encrypt’s resolvers in this case appears to be pretty crappy, I don’t think there’s going to be any other resolution.
Adding some context based on @_az’s answer.
Huawei updated their NS servers and changed default NS records for new domains added to their platform (I guess they also changed yours).
For some reason, they decided to use new domains instead of updating their existing servers, so you should update your domain’s NS record to ns1.huaweicloud-dns.com, ns1.huaweicloud-dns.cn, ns1.huaweicloud-dns.net, ns1.huaweicloud-dns.org. I guess old NS won’t accept new features so you might be able to solve this issue by changing nameservers.
X Fatal error: Nameserver doesn't support echo capitalization. That's critical if you want to create Letsencrypt certificates. Read draft-vixie-dnsext-dns0x20-00 (2008). If a dns client asks "ExAmPlE.cOm", the name server must answer with the same name, not with "example.com". Creating Letsencrypt certificates isn't possible. Your name server provider must update the software.: ns1.huaweicloud-dns.com / 139.159.208.43
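The 0x20 behaviour discussed in the replies above can be checked per nameserver address with a short script. This is an added example, not code from any post in this thread or from Let's Encrypt; the function names are hypothetical, `probe` assumes an IPv4 address reachable on UDP port 53, and the check only compares the question section of the reply.

```python
import random
import socket
import struct

def randomize_case(name):
    """0x20 encoding: give each letter of the query name a random case."""
    return "".join(random.choice((c.lower(), c.upper())) for c in name)

def build_query(qname, txid, qtype=1):
    """Encode a minimal DNS query: RD flag set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def question_name(message):
    """Return the QNAME of the first question, with its case preserved."""
    if len(message) < 12 or struct.unpack("!H", message[4:6])[0] < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while message[pos] != 0:          # IndexError if the name is truncated
        length = message[pos]
        if length & 0xC0:
            raise ValueError("unexpected compression pointer in question")
        labels.append(message[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def echoes_case(sent_name, response, txid):
    """True only if the reply carries our ID and repeats the name exactly."""
    try:
        same_id = struct.unpack("!H", response[:2])[0] == txid
        return same_id and question_name(response) == sent_name.rstrip(".")
    except (ValueError, IndexError, UnicodeDecodeError, struct.error):
        return False

def probe(server_ip, name, timeout=3.0):
    """Live check of one IPv4 nameserver address over UDP port 53."""
    sent, txid = randomize_case(name), random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(sent, txid), (server_ip, 53))
        response, _ = sock.recvfrom(4096)
    return echoes_case(sent, response, txid)

if __name__ == "__main__":
    # Constructed sample: a reply that lowercases the name fails the check.
    q = build_query("b.lingxh.com", 0x1234)
    reply = q[:2] + b"\x81\x80" + q[4:]  # set QR/RA so it looks like a response
    print(echoes_case("B.lInGxH.cOm", reply, 0x1234))
```

Run `probe` against every address each NS name advertises, since a single address that lowercases the name is enough to push a 0x20-enforcing resolver into fallback.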