No valid A records found for domain

My domain is: myspeechplan.ch, www.myspeechplan.ch, production.myspeechplan.ch, www.production.myspeechplan.ch

I ran this command: certbot renew

It produced this output:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: production.myspeechplan.ch
Type: dns
Detail: no valid A records found for production.myspeechplan.ch; no valid AAAA records found for production.myspeechplan.ch

Domain: www.production.myspeechplan.ch
Type: dns
Detail: During secondary validation: no valid A records found for www.production.myspeechplan.ch; no valid AAAA records found for www.production.myspeechplan.ch

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

My web server is (include version): nginx/1.24.0

The operating system my web server runs on is (include version): Ubuntu 24.04.4 LTS

My hosting provider, if applicable, is: Hosteurope

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.9.0

The certificate renewal has worked for the last years without any problems. For the past few days, the certificate for the web site (4 domains) has not been renewed automatically. The DNS records for the subdomain production.myspeechplan.ch seem to be OK. When I try to renew the certificate manually, the process sometimes fails, also for the subdomain production.myspeechplan.ch. I have also checked the output in the file letsencrypt.log; it seems the domain cannot be resolved from the Let's Encrypt API side. Thanks a lot for the help!

There's something weird going on with your DNS server. I'm not fully sure if this is also what's causing the DNS errors of the validation, but:

  1. see https://dnsviz.net/d/www.production.myspeechplan.ch/dnssec/: there are some errors
  2. something not clearly picked up by DNSViz is that there's sometimes a bad (horizontal) referral:

dig +trace www.production.myspeechplan.ch:

myspeechplan.ch.	3600	IN	NS	242.201.148.37.host.secureserver.net.
myspeechplan.ch.	3600	IN	NS	pdns02.domaincontrol.com.
myspeechplan.ch.	900	IN	NSEC	myspeed.ch. NS RRSIG NSEC
myspeechplan.ch.	900	IN	RRSIG	NSEC 13 2 900 20260614054334 20260515053234 34571 ch. 9bf1kPqLZSr3S+2wLQClvWe9U6LsO8yvDpjDo/N4NRz2/0bWnD1LsTJo rsYVViIP1rYGLwX0aSxJxUj6c6HvfQ==
;; Received 277 bytes from 2001:620:0:ff::58#53(b.nic.ch) in 25 ms

production.myspeechplan.ch. 86400 IN	NS	pdns02.domaincontrol.com.
production.myspeechplan.ch. 86400 IN	NS	242.201.148.37.host.secureserver.net.
;; Received 147 bytes from 2603:5:22e0::32#53(pdns02.domaincontrol.com) in 17 ms

production.myspeechplan.ch. 86400 IN	NS	pdns02.domaincontrol.com.
production.myspeechplan.ch. 86400 IN	NS	242.201.148.37.host.secureserver.net.
;; BAD (HORIZONTAL) REFERRAL
;; Received 147 bytes from 2603:5:22e0::32#53(pdns02.domaincontrol.com) in 16 ms

production.myspeechplan.ch. 86400 IN	NS	pdns02.domaincontrol.com.
production.myspeechplan.ch. 86400 IN	NS	242.201.148.37.host.secureserver.net.
;; BAD (HORIZONTAL) REFERRAL
;; Received 147 bytes from 173.201.78.50#53(pdns02.domaincontrol.com) in 18 ms

www.production.myspeechplan.ch.	86400 IN CNAME	production.myspeechplan.ch.
production.myspeechplan.ch. 86400 IN	A	37.148.201.242
production.myspeechplan.ch. 86400 IN	NS	pdns02.domaincontrol.com.
production.myspeechplan.ch. 86400 IN	NS	242.201.148.37.host.secureserver.net.
;; Received 211 bytes from 37.148.201.242#53(242.201.148.37.host.secureserver.net) in 21 ms

pdns02.domaincontrol.com. refers to itself even though it's not authoritative.

Maybe the DNS resolver of LE handles this differently than dig +trace?
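
Added example, not part of the thread: a small Python check that reads `dig +trace` output and flags any referral whose zone cut is the same as the previous referral's (the horizontal case shown above) or is not below it. The sample input is constructed by abbreviating the trace quoted in the post; the function names and the `not-a-subzone` label are hypothetical.

```python
import re

# Constructed sample: abbreviated from the `dig +trace` output quoted in the thread.
SAMPLE_TRACE = """\
myspeechplan.ch. 3600 IN NS pdns02.domaincontrol.com.
;; Received 277 bytes from 2001:620:0:ff::58#53(b.nic.ch) in 25 ms
production.myspeechplan.ch. 86400 IN NS pdns02.domaincontrol.com.
;; Received 147 bytes from 2603:5:22e0::32#53(pdns02.domaincontrol.com) in 17 ms
production.myspeechplan.ch. 86400 IN NS pdns02.domaincontrol.com.
;; Received 147 bytes from 173.201.78.50#53(pdns02.domaincontrol.com) in 18 ms
www.production.myspeechplan.ch. 86400 IN CNAME production.myspeechplan.ch.
production.myspeechplan.ch. 86400 IN A 37.148.201.242
production.myspeechplan.ch. 86400 IN NS pdns02.domaincontrol.com.
;; Received 211 bytes from 37.148.201.242#53(242.201.148.37.host.secureserver.net) in 21 ms
"""

RECEIVED = re.compile(r"^;; Received \d+ bytes from (\S+?)#\d+\((\S+)\)")
ANSWER_TYPES = {"A", "AAAA", "CNAME"}

def parse_trace(text):
    """Split dig +trace output into (server, address, [(owner, type), ...]) steps."""
    steps, records = [], []
    for line in text.splitlines():
        m = RECEIVED.match(line)
        if m:  # the "Received" line closes one response
            steps.append((m.group(2), m.group(1), records))
            records = []
        elif not line.startswith(";") and len(f := line.split()) >= 5 and f[2] == "IN":
            records.append((f[0].lower(), f[3]))  # keep owner name and record type
    return steps

def find_bad_referrals(text):
    """Report referrals that do not descend below the previous zone cut."""
    findings, prev_cut = [], None
    for server, addr, records in parse_trace(text):
        cuts = {owner for owner, rtype in records if rtype == "NS"}
        if not cuts or any(rtype in ANSWER_TYPES for _, rtype in records):
            continue  # carries an answer (or no NS records): not a referral
        cut = sorted(cuts)[0]
        if cut == prev_cut:  # same zone handed back again: no progress
            findings.append(("horizontal", cut, server, addr))
        elif prev_cut not in (None, ".") and not cut.endswith("." + prev_cut):
            findings.append(("not-a-subzone", cut, server, addr))
        prev_cut = cut
    return findings

if __name__ == "__main__":
    print(find_bad_referrals(SAMPLE_TRACE))
```
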

Hi Osiris
Thanks a lot for the reply, I will check the DNS configuration with the provider...
Best regards

These are expected:

nslookup myspeechplan.ch 242.201.148.37.host.secureserver.net
Name:    myspeechplan.ch
Address:  37.148.201.242
nslookup myspeechplan.ch pdns02.domaincontrol.com
Name:    myspeechplan.ch
Address:  37.148.201.242
nslookup production.myspeechplan.ch 242.201.148.37.host.secureserver.net
Name:    production.myspeechplan.ch
Address:  37.148.201.242

This is unexpected:

nslookup production.myspeechplan.ch pdns02.domaincontrol.com
Name:    production.myspeechplan.ch
Served by:
- pdns02.domaincontrol.com
          production.myspeechplan.ch
- 242.201.148.37.host.secureserver.net
          production.myspeechplan.ch

Thanks for the feedback and for the hint, I have changed the DNS configuration, hope this solves the DNS resolution errors. We have to wait until the changes are propagated...

@myspeechplan I do not believe it has.
Using the online tool Let's Debug yields these results
https://letsdebug.net/www.production.myspeechplan.ch/2938912

and https://letsdebug.net/production.myspeechplan.ch/2938911

Edit

And please look here for details on DNS issues Hardenize Report: production.myspeechplan.ch and here Test result – Zonemaster

Hi Bruce
Thanks for the update, you're right, the Name Servers are not in sync as expected, I will contact the provider again for further support...
Best regards
Mario

Thanks to all for the support and helpful links, the DNS configuration is now in sync, I was able to renew the certificate.