Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: cdn.233.momobako.com
I ran this command:
docker run -it --rm --name certbot -v $PWD:/etc/letsencrypt certbot/certbot certonly -d cdn.233.momobako.com
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cdn.233.momobako.com
Waiting for verification...
Challenge failed for domain cdn.233.momobako.com
http-01 challenge for cdn.233.momobako.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: cdn.233.momobako.com
Type: dns
Detail: No valid IP addresses found for cdn.233.momobako.com
My web server is (include version):
temporary webserver by certbot
The operating system my web server runs on is (include version):
ubuntu 20
My hosting provider, if applicable, is:
aliyun
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
docker certbot/certbot
Yes, actually I had tried both the http way and the dns way over 5 times since yesterday, and neither worked. The manual dns way got a similar result:
Waiting for verification...
Challenge failed for domain cdn.233.momobako.com
dns-01 challenge for cdn.233.momobako.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: cdn.233.momobako.com
Type: dns
Detail: DNS problem: SERVFAIL looking up TXT for
_acme-challenge.cdn.233.momobako.com - the domain's nameservers may
be malfunctioning
This web page isn't online yet, the temp server set up by certbot is closed, and the _acme-challenge dns record I manually added has been deleted by me, but I'm sure both my PC and some online dns lookup services could read that record before. The problem is that the domain can't be resolved by Let's Encrypt.
I think this might have something to do with Aliyun, as you suggest.
Unbound (Let's Encrypt's DNS resolver) might be tripping up on the fact that both sets of nameservers appear to be authoritative for momobako.com, but only one set signs responses for it:
$ dig +norecurse +dnssec +noall +answer @vip3.alidns.com momobako.com soa
momobako.com. 600 IN SOA vip1.alidns.com. hostmaster.hichina.com. 2019040814 3600 1200 86400 360
momobako.com. 600 IN RRSIG SOA 13 2 600 20201016085052 20201014065052 56113 momobako.com. L67OV5Yp14D58SDv5ip/kVZuP/7djAmDQCKo13A1J09/CWQuwZowTjLC AAmFnDmsq7lonCyegJqw8MFDaDlbvQ==
vs
$ dig +norecurse +dnssec +noall +answer @ns1.alidns.com momobako.com soa
momobako.com. 600 IN SOA dns27.hichina.com. hostmaster.hichina.com. 2019040814 3600 1200 86400 360
It might explain why it's an intermittent failure, because it depends on how the resolver is caching the delegations. And also why disvnz.net doesn't seem to mind - different validation behavior.
Since this isn't your domain, I don't think there's anything you can do about it. Your friend could fix the nameserver setup or disable DNSSEC on the domain entirely to make it work ...
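An added example, not code from the post or from Let's Encrypt: a small Python check that parses the answer sections of the two dig commands quoted above and reports when a zone's authoritative servers disagree on DNSSEC signing or on the SOA itself, which is the inconsistency the reply describes. The nameserver names and records are the ones quoted above; the function names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class SoaView:
    nameserver: str
    mname: Optional[str] = None   # primary master named in the SOA record
    serial: Optional[int] = None
    signed: bool = False          # an RRSIG covering SOA was returned

def parse_answer(nameserver: str, text: str) -> SoaView:
    """Parse the answer section printed by `dig +dnssec +noall +answer` for one server."""
    view = SoaView(nameserver)
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue
        if f[3] == "SOA" and len(f) >= 7:        # name ttl IN SOA mname rname serial ...
            view.mname, view.serial = f[4], int(f[6])
        elif f[3] == "RRSIG" and f[4] == "SOA":  # RRSIG whose type-covered field is SOA
            view.signed = True
    return view

def assess(views: List[SoaView]) -> List[str]:
    """Return findings; an empty list means every server answered consistently."""
    findings = []
    signed = sorted(v.nameserver for v in views if v.signed)
    unsigned = sorted(v.nameserver for v in views if not v.signed)
    if signed and unsigned:   # mixed signing is what trips a validating resolver
        findings.append(f"signing inconsistent: signed={signed} unsigned={unsigned}")
    mnames = sorted({v.mname for v in views if v.mname})
    if len(mnames) > 1:
        findings.append(f"SOA MNAME differs: {mnames}")
    serials = sorted({v.serial for v in views if v.serial is not None})
    if len(serials) > 1:
        findings.append(f"SOA serial differs: {serials}")
    return findings

# Constructed input: the two answer sections quoted in the reply above.
ANSWERS: Dict[str, str] = {
    "vip3.alidns.com": (
        "momobako.com. 600 IN SOA vip1.alidns.com. hostmaster.hichina.com. 2019040814 3600 1200 86400 360\n"
        "momobako.com. 600 IN RRSIG SOA 13 2 600 20201016085052 20201014065052 56113 momobako.com. "
        "L67OV5Yp14D58SDv5ip/kVZuP/7djAmDQCKo13A1J09/CWQuwZowTjLC AAmFnDmsq7lonCyegJqw8MFDaDlbvQ=="
    ),
    "ns1.alidns.com":
        "momobako.com. 600 IN SOA dns27.hichina.com. hostmaster.hichina.com. 2019040814 3600 1200 86400 360",
}

def check(answers: Dict[str, str]) -> List[str]:
    return assess([parse_answer(ns, txt) for ns, txt in answers.items()])

if __name__ == "__main__":
    for finding in check(ANSWERS) or ["servers answer consistently"]:
        print(finding)
```

To check a live zone, run the dig command from the reply once per nameserver listed in the zone's NS set and feed each answer section in as a dictionary entry.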