Renew Letsencrypt cert failed / removed & reinstalled everything

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: app-dev.sec.usace.army.mil

I ran this command: certbot --apache

It produced this output:

Waiting for verification...
Challenge failed for domain app-dev.sec.usace.army.mil
http-01 challenge for app-dev.sec.usace.army.mil
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: app-dev.sec.usace.army.mil
    Type: dns
    Detail: DNS problem: SERVFAIL looking up CAA for sec.usace.army.mil

    • the domain's nameservers may be malfunctioning

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Red Hat 7

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.7.0

This was all working for the last few months; now it's hosed. Uninstalled/removed all files/reinstalled.
DNS is fine:

nslookup app-dev.sec.usace.army.mil
Server: 172.31.0.2
Address: 172.31.0.2#53

Non-authoritative answer:
app-dev.sec.usace.army.mil canonical name = ec2-3-213-47-79.compute-1.amazonaws.com.
Name: ec2-3-213-47-79.compute-1.amazonaws.com
Address: 172.31.57.144

Not sure how I hosed it. I have other servers that work fine; just renewed another .sec domain server this week.

Now I get the rate limit error... sigh.


Hi @timr1

checking your domain via https://check-your-website.server-daten.de/?q=sec.usace.army.mil there are a lot of name server errors:

Server failures:

Host Type IP-Address is auth. ∑ Queries ∑ Timeout
sec.usace.army.mil Server failure yes 3 0
www.sec.usace.army.mil Server failure yes 3

Name servers without TCP support - that's fatal, every authoritative name server must support tcp connections.

And

13. CAA - Entries

Domainname flag Name Value ∑ Queries ∑ Timeout
usace.army.mil -2 Server failure - The name server was unable to process this query due to a problem with the name server 3 0
army.mil -2 Server failure - The name server was unable to process this query due to a problem with the name server 3 1
mil 0 no CAA entry found 1 0

Server failures checking CAA entries.

If possible, create a CAA entry with your complete domain name. Then the parent checks are skipped.

Same result with unboundtest - https://unboundtest.com/m/CAA/sec.usace.army.mil/4FG2ABGF

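Why a CAA record at the full name sidesteps the broken parents, as an added example that is not code from this thread, from certbot, or from Let's Encrypt's validation service. It models the CAA climb a CA performs (RFC 8659 section 3) over a constructed resolver table whose answers mirror what the checks quoted above reported; nothing here queries live DNS, and names such as `BROKEN_PARENTS` and `WITH_LEAF_CAA` are this example's own.

```python
"""CAA resolution as a CA performs it (RFC 8659 section 3) over a constructed
resolver table. Added example, not Let's Encrypt's or certbot's code; the table
mirrors what the checks quoted in this thread reported, it is not a live query."""
from dataclasses import dataclass, field


@dataclass
class CAARecord:
    flags: int      # bit 7 (128) = issuer-critical
    tag: str        # "issue", "issuewild", "iodef", ...
    value: str


@dataclass
class Answer:
    rcode: str                              # "NOERROR", "NXDOMAIN" or "SERVFAIL"
    records: list = field(default_factory=list)


class CAALookupError(Exception):
    """Raised when a lookup fails in a way the CA may not ignore."""


def lookup_caa(resolver, fqdn):
    """Climb from fqdn toward the root until a non-empty CAA record set is found.

    NOERROR or NXDOMAIN with no CAA records means "ask the parent"; a SERVFAIL at
    any step aborts, because the CA cannot prove that no restriction exists.
    Returns (name_where_found, records); (None, []) when no CAA exists anywhere.
    """
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        answer = resolver.get(name, Answer("NXDOMAIN"))   # unlisted names: no data
        if answer.rcode == "SERVFAIL":
            raise CAALookupError(f"DNS problem: SERVFAIL looking up CAA for {name}")
        if answer.records:
            return name, answer.records
    return None, []


def caa_error(resolver, fqdn):
    """Return the failure message for a lookup, or None when it succeeds."""
    try:
        lookup_caa(resolver, fqdn)
        return None
    except CAALookupError as e:
        return str(e)


def issuance_allowed(resolver, fqdn, ca="letsencrypt.org"):
    """Apply the record set that lookup_caa found to a single CA identifier."""
    _, records = lookup_caa(resolver, fqdn)
    if not records:
        return True                          # no CAA anywhere: any CA may issue
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & 128 and r.tag not in known for r in records):
        return False                         # unknown critical property: must refuse
    # "issue" value is "<issuer-domain>[; parameters]"; a bare ";" forbids everyone
    issuers = {r.value.split(";")[0].strip() for r in records if r.tag == "issue"}
    return ca in issuers


LEAF = "app-dev.sec.usace.army.mil"

# Constructed resolver state matching the thread's reports: the leaf answers but
# has no CAA set, the parents return SERVFAIL, and the TLD has no CAA entry.
BROKEN_PARENTS = {
    LEAF: Answer("NOERROR"),
    "sec.usace.army.mil": Answer("SERVFAIL"),
    "usace.army.mil": Answer("SERVFAIL"),
    "army.mil": Answer("SERVFAIL"),
    "mil": Answer("NOERROR"),
}

# Same parents, but a CAA record published at the full name: the climb stops
# at the first step and the broken parents are never consulted.
WITH_LEAF_CAA = dict(BROKEN_PARENTS)
WITH_LEAF_CAA[LEAF] = Answer("NOERROR", [CAARecord(0, "issue", "letsencrypt.org")])


if __name__ == "__main__":
    print("without leaf CAA:", caa_error(BROKEN_PARENTS, LEAF))
    print("with leaf CAA:", lookup_caa(WITH_LEAF_CAA, LEAF))
    print("letsencrypt.org allowed:", issuance_allowed(WITH_LEAF_CAA, LEAF))
```

The model deliberately treats SERVFAIL as fatal, which is the behaviour the certbot output above shows; a real CA also resolves through CNAMEs, validates DNSSEC where the zone is signed, and applies `issuewild` to wildcard names, none of which the table reproduces. The workaround only helps while the leaf's own authoritative servers answer CAA queries correctly, since that first step is now the only one consulted.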

I get a different IP:

Name:    ec2-3-213-47-79.compute-1.amazonaws.com
Address:  3.213.47.79
Aliases:  app-dev.sec.usace.army.mil

The IP you show is internal to only AWS.

I am able to reach the Internet IP via port 80.

But there may be some underlying DNS issues with that FQDN.
see: https://dnsviz.net/d/app-dev.sec.usace.army.mil/dnssec/

[&2* readers: Get involved; Be heard. It starts with: if you read something you like, then like it :heart:]


I show external DNS working fine:

[treardon@lidar ~]$ nslookup app-dev.sec.usace.army.mil
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
app-dev.sec.usace.army.mil canonical name = ec2-3-213-47-79.compute-1.amazonaws.com.
Name: ec2-3-213-47-79.compute-1.amazonaws.com
Address: 3.213.47.79

& it's public right now.


You need to test with the staging system (before using the production system).

The (little) good news, so far: There seems to be no CAA blocking issues :slight_smile:



The IP is correct: 3.213.47.79 (the other one listed is the private AWS IP).
It's up here: http://3.213.47.79/
Just renewed another .sec.usace.army.mil this week.


http://3.213.47.79/ is up; others are up with the domain .sec.usace.army.mil.
Right now I get the rate error, so I'll wait till that clears.


@griffin, please help me here.
I want to say: Please try: certbot --apache --dry-run
But that is not an allowed combination of elements (it creates havoc) - LOL

Maybe try this until we hear from "the expert":
certbot certonly -a apache --dry-run



Test

sudo certbot certonly --cert-name app-dev.sec.usace.army.mil --apache --dry-run

You most likely won't get a rate limit error when testing.

Live

sudo certbot run --cert-name app-dev.sec.usace.army.mil --apache --keep-until-expiring


This has been really common lately.

@lestaff

.mil subdomain (app-dev.sec.usace.army.mil) running into CAA and general nameserver errors. Any thoughts here?


Yes, we've seen this a number of times before with certain .mil domains and their subdomains, including army.mil. I second @JuergenAuer's suggestion above:

But even with that workaround in place, the DNSSEC chain will need to validate properly and the authoritative nameservers will need to support EDNS, or there will still be SERVFAILs:

I'm afraid things are not going to work reliably without standards-compliant authoritative DNS.

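What "TCP support" and "EDNS support" in the replies above mean on the wire, as an added example that is not code from this thread, from certbot, or from Let's Encrypt's validation service. It builds a recursive CAA query carrying an EDNS0 OPT pseudo-record, frames it for TCP, and parses two constructed responses (one SERVFAIL, one NOERROR carrying a CAA record and an OPT record); the byte layouts follow RFC 1035, RFC 6891 and RFC 8659, the response bytes are hand-built rather than captured from the domain's servers, and no DNSSEC validation is attempted.

```python
"""Wire-level view of a CAA query: EDNS0 OPT pseudo-record, TCP length prefix,
and RCODE/TC parsing. Added example, not code from the thread, certbot or
Boulder. The responses below are constructed bytes, not live DNS answers."""
import struct

QTYPE_CAA, QTYPE_OPT, CLASS_IN = 257, 41, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a 0 byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_caa_query(name, txid=0x1234, udp_payload=1232, do_bit=True):
    """RD=1 query for CAA with an EDNS0 OPT RR in the additional section.
    A server that cannot handle the OPT record answers FORMERR or not at all."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD, 1 question, 1 additional
    question = encode_name(name) + struct.pack(">HH", QTYPE_CAA, CLASS_IN)
    ttl_field = 0x8000 if do_bit else 0          # DO bit: ask for DNSSEC records
    opt = b"\x00" + struct.pack(">HHIH", QTYPE_OPT, udp_payload, ttl_field, 0)
    return header + question + opt


def tcp_frame(msg):
    """DNS over TCP (RFC 1035 4.2.2): two-byte big-endian length, then the message."""
    return struct.pack(">H", len(msg)) + msg


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg):
    """Return rcode, TC bit, whether the server spoke EDNS, and any CAA records."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                 # QTYPE + QCLASS
    caa, has_opt = [], False
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_OPT:
            has_opt = True
        elif rtype == QTYPE_CAA:                 # RDATA: flags, tag length, tag, value
            tag_len = rdata[1]
            caa.append((name, rdata[0], rdata[2:2 + tag_len].decode("ascii"),
                        rdata[2 + tag_len:].decode("ascii")))
    return {"txid": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "truncated": bool(flags & 0x0200), "edns": has_opt, "caa": caa}


# Constructed responses to the query above; the CAA answer uses a compression
# pointer (0xC00C) back to the question name at offset 12.
_QUESTION = encode_name("app-dev.sec.usace.army.mil") + struct.pack(">HH", QTYPE_CAA, CLASS_IN)
SERVFAIL_RESPONSE = struct.pack(">HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0) + _QUESTION
_CAA_RDATA = bytes([0, len(b"issue")]) + b"issue" + b"letsencrypt.org"
CAA_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1) + _QUESTION
                + b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_CAA, CLASS_IN, 300, len(_CAA_RDATA))
                + _CAA_RDATA
                + b"\x00" + struct.pack(">HHIH", QTYPE_OPT, 1232, 0, 0))


if __name__ == "__main__":
    print(tcp_frame(build_caa_query("app-dev.sec.usace.army.mil")).hex())
    print(parse_response(SERVFAIL_RESPONSE))
    print(parse_response(CAA_RESPONSE))
```

The `truncated` flag is why TCP is mandatory: a UDP reply with TC set tells the resolver to repeat the same query over TCP, and an authoritative server that refuses TCP leaves the resolver with nothing to hand back but SERVFAIL. A server that mishandles the OPT record fails the same way once the resolver (or a CA's validating resolver) insists on EDNS. Against a real nameserver address, `dig +tcp` and `dig +edns=0` exercise those two paths with standard tooling.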

Thanks for the prompt response, James. :slightly_smiling_face: Always highly appreciated.


I think you should try changing the CNAME to an A record and see if that helps.



Absolutely, @rg305. Makes sense to me.


It has to be a CNAME because it's an AWS EC2 alias to it.

For now I got the original Let's Encrypt certs back in place with an expiry of 11/10/20.
It was issued 8/12/20... so there never was a DNS issue... for now it's OK again.
Had been renewing fine for a year or so. Will try again Monday. Thanks for all the input.


I do understand that.
My recommendation was simply to try it as an A record - just to see if that helped obtain the cert.
Not to switch it permanently to an A record.



Certainly worth trying. :slightly_smiling_face:


This needs a fix before that cert expires... Nov 10th is not that far away.
It's just not anything I can control :frowning:



Story of my life, brother. :wink:
