Renew (Dry-Run) Fails with Time-out Error

My domain is:

I ran this command: sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/

Certificate not due for renewal, but simulating renewal for dry run

Plugins selected: Authenticator nginx, Installer nginx

Simulating renewal of an existing certificate for

Performing the following challenges:

http-01 challenge for

Waiting for verification...

Challenge failed for domain

http-01 challenge for

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:


Type: dns

Detail: During secondary validation: DNS problem: query timed out looking up A for; DNS problem: query timed out looking up AAAA for

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges

Failed to renew certificate with error: Some challenges have failed.

All simulated renewals failed. The following certificates could not be renewed:

/etc/letsencrypt/live/ (failure)

1 renew failure(s), 0 parse failure(s)

Ask for help or search for solutions at See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx 1.18.0

The operating system my web server runs on is (include version): Raspberry Pi OS 11 (Bullseye) 64bit, kernel 5.15.32

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 1.26.0

Further details:
I'm attempting to get nginx up and running as reverse proxy, using a Raspberry Pi 4. I've installed nginx+certbot and have created and installed a certificate. After installing nginx, and before installing the certificate, I could access both and from outside my LAN (cellphone with wi-fi off). I then installed the certificate and nginx now sends http requests to https. Everything looks hunky dory.

The installation guide I was following recommended performing a dry run of the renew process. I try that and it fails. Usually with the results pasted above, but sometimes with the message that the CAA query timed out. I can't figure out why the renew process times out getting the appropriate information from duckdns (that's how I interpret the error message). I've run my domain name through and see no errors with CAA, A, and AAAA.

Thanks in advance.

Retry at will.

(Not too much at will. Wait a few hours if it doesn't work right now.)

1 Like

Thanks. I tried a few times last night over the course of a couple of hours. Haven't tried since (sleep and work get in the way). I'll see what happens when I try this evening.


Well, waiting some hours seems to have taken care of it. Tried it this evening and no issues.

Now on to figure out a wildcard certificate for it. :slight_smile:

If you don't have an actual reason (dynamic subdomains, or you don't want your subdomains in the certificate transparency logs) don't get a wildcard.

It's harder to manage and obtain, and more dangerous if compromised.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.