Problems with a domain for governmental use

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., …), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: ./certbot-auto --apache -d

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification…
Challenge failed for domain
http-01 challenge for
Cleaning up challenges
Some challenges have failed.


My web server is (include version): httpd -version
Server version: Apache/2.4.33 (Amazon)
Server built: Jul 11 2018 22:19:58

The operating system my web server runs on is (include version): NAME="Amazon Linux AMI"
ID_LIKE="rhel fedora"
PRETTY_NAME="Amazon Linux AMI 2018.03"
Amazon Linux AMI release 2018.03

My hosting provider, if applicable, is: Amazon WS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.40.1


Hi @ccetina

If you want to create a certificate, CAA entries are checked.

First, then, then

But checking the last domain, there is a timeout. My own output


looks incomplete.


reports a ServFail:

;; opcode: QUERY, status: SERVFAIL, id: 59245

Are you able to create a CAA entry with or

That would block checking


Oh, there is a great misconfiguration.

Primary: acadcpr30.mcdmintic.local
Mail: hostmaster.mcdmintic.local
Serial: 119
Refresh: 900
Retry: 600
Expire: 86400
TTL: 300
num Entries: 2

A non-public domain, acadcpr30.mcdmintic.local, as primary name server. That can't work.

Executed one DNS check manually, then with nslookup. Always the same:

D:\temp>nslookup -type=SOA
primary name server = acadcpr30.mcdmintic.local
responsible mail addr = hostmaster.mcdmintic.local
serial = 119
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 300 (5 mins)

A .local address as the top-level domain of the name server.

So it's impossible to query that name server.


Right! It belongs to the Ministry of Government of my country and was created about 30 days ago. RTVC is a government entity too, but it is then necessary to migrate my web development services from the entity for which we work to a domain that does not have to be hierarchically under the domain

Thank you very much


Thank you very much. I will complete all the information in the next topic as follows.



not required.

Domain - Name server

Add a CAA entry there, then isn't checked.

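The check described in the replies above (the CA climbs the DNS tree from the requested name toward the root looking for CAA records, so a SERVFAIL from the zone whose primary name server is under .local aborts the check and blocks issuance) and the fix in the last reply (a CAA record at the level you control stops the climb before it reaches the broken zone) can be seen in one place with the following Python script. It is an added example, not code from the thread or from Let's Encrypt: it models the RFC 8659 CAA lookup over constructed in-memory DNS data, and every domain name in it is a hypothetical stand-in for the redacted ones.

```python
"""CAA tree-climbing lookup as a CA performs it (RFC 8659 section 3), with this
thread's failure mode: an intermediate zone whose only name server is unreachable
answers SERVFAIL, so the CA cannot complete the check and must not issue.
Constructed in-memory DNS data; no network access."""

SERVFAIL = "SERVFAIL"   # sentinel: the zone's authoritative server could not be reached
CRITICAL = 0x80         # RFC 8659 "issuer critical" flag bit

# Hypothetical names standing in for the thread's redacted domains.
PARENT_ZONE = "gov.example"               # healthy zone above the broken one
BROKEN_ZONE = "ministry." + PARENT_ZONE   # primary NS under .local: unreachable
SITE_ZONE = "rtvc." + BROKEN_ZONE         # zone the certificate requester controls
HOST = "www." + SITE_ZONE                 # name on the certificate

# Constructed data: name -> list of (flags, tag, value); [] = no CAA records.
FIXTURE_BROKEN = {
    "example": [],
    PARENT_ZONE: [],
    BROKEN_ZONE: SERVFAIL,
    SITE_ZONE: [],
    HOST: [],
}


def climb(name):
    """Yield name, then each ancestor, stopping before the DNS root."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def relevant_caa_rrset(name, zone):
    """RFC 8659 s3: the relevant RRset is the first non-empty CAA RRset found
    walking from `name` toward the root. A lookup error at any level reached
    before such a set is found aborts the whole check."""
    for candidate in climb(name):
        rrset = zone.get(candidate, [])
        if rrset == SERVFAIL:
            raise LookupError(f"SERVFAIL querying CAA for {candidate}")
        if rrset:
            return candidate, rrset
    return None, []


def ca_may_issue(name, zone, ca="letsencrypt.org"):
    """Decide whether `ca` may issue for `name` (plain or '*.' wildcard).
    Returns (decision, reason)."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    try:
        found_at, rrset = relevant_caa_rrset(base, zone)
    except LookupError as exc:
        return False, str(exc)          # the thread's case: check cannot complete
    if not rrset:
        return True, "no CAA records at any level: unrestricted"
    known = {"issue", "issuewild", "iodef"}
    for flags, tag, _ in rrset:
        if tag not in known and flags & CRITICAL:
            return False, f"critical unknown tag {tag!r} at {found_at}"
    # issuewild takes precedence for wildcard names only when present (RFC 8659 s4.3).
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    # Each value is "<issuer-domain>[; parameters]"; an empty issuer domain ("issue ;")
    # permits no CA. No property with the relevant tag means no restriction.
    allowed = {v.split(";", 1)[0].strip().lower() for _, t, v in rrset if t == tag}
    if not allowed:
        return True, f"no {tag} records at {found_at}: unrestricted"
    if ca.lower() in allowed:
        return True, f"{tag} {ca} at {found_at}"
    return False, f"{tag} records at {found_at} do not name {ca}: {sorted(allowed)}"


def with_caa_at_site(zone, records):
    """Copy `zone` with a CAA RRset placed at SITE_ZONE: the climb now stops
    there and never queries BROKEN_ZONE."""
    fixed = dict(zone)
    fixed[SITE_ZONE] = list(records)
    return fixed


FIXTURE_FIXED = with_caa_at_site(FIXTURE_BROKEN, [(0, "issue", "letsencrypt.org")])


def nameserver_is_public(ns_hostname):
    """False when the name server's TLD can never resolve on the public Internet:
    .local is reserved for mDNS (RFC 6762); .localhost, .invalid, .test and
    .example are reserved by RFC 2606 / RFC 6761."""
    tld = ns_hostname.rstrip(".").lower().rsplit(".", 1)[-1]
    return tld not in {"local", "localhost", "invalid", "test", "example"}


if __name__ == "__main__":
    print("broken zone :", ca_may_issue(HOST, FIXTURE_BROKEN))
    print("CAA at site :", ca_may_issue(HOST, FIXTURE_FIXED))
    print("wildcard    :", ca_may_issue("*." + HOST, FIXTURE_FIXED))
    print("NS public?  :", nameserver_is_public("acadcpr30.mcdmintic.local"))
```

Running it shows the two outcomes from the thread side by side: with the SERVFAIL zone in the path the decision is "do not issue" before any CAA policy is even evaluated, and once a CAA record exists at the zone the requester controls, the climb stops there and the unreachable zone is never queried. `nameserver_is_public` is the quick sanity check for the SOA output posted above: a primary name server under .local cannot be reached from the public Internet regardless of anything else in the zone.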
