Setup:
- ArchLinux
- nginx 1.18.0
- certbot-nginx 1.3.0
- certbot 1.3.0
- Hoster: netcup
- Root access: yes
- Webadmin panel or something: no
- Nameservers serving multiple domains
- All nameservers configured the same
- All domains configured basically the same
- All domains and their subdomains point to the same server.
- All domains have DNSSEC configured, but insecure as I just noticed. DNSSEC keys are 2048 bit (4096 seemed like a problem according to Query timeout with DNSSEC enabled)
- Nameservers have both IPv4 and IPv6 addresses.
- No firewalls of any type in front of either the webserver or the nameservers
Some of the domains and subdomains fail renewal. For simplicity (since I think it’s the same root cause for all of them), let’s just consider the following:
lynxcore.org (works, according to https://letsdebug.net/lynxcore.org/133747)
angeliquelang.com (fails with DNS problem: query timed out looking up A for angeliquelang.com, according to )
Same error with certbot renew.
From anywhere else I checked, the DNS records seem fine and the Nameservers can be accessed.
This has been going on since Sunday, May 03 12:17 AM german time.
I’m a bit stumped, to be honest. Any ideas on how I can debug this further? Or maybe there’s something wrong on the LE end?
Certbot call:
certbot renew --agree-tos --cert-name angeliquelang.com [ 19:11 ]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/angeliquelang.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for angeliquelang.com
2020/05/06 19:11:47 [notice] 390254#390254: signal process started
Waiting for verification...
Challenge failed for domain angeliquelang.com
http-01 challenge for angeliquelang.com
Cleaning up challenges
2020/05/06 19:12:23 [notice] 390304#390304: signal process started
Attempting to renew cert (angeliquelang.com) from /etc/letsencrypt/renewal/angeliquelang.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/angeliquelang.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/angeliquelang.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: angeliquelang.com
Type: dns
Detail: DNS problem: query timed out looking up A for
angeliquelang.com
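Added example, not from the original post and not certbot's own tooling: a small Python diagnostic that runs `dig` with the DNSSEC OK bit over UDP and then over TCP against one authoritative nameserver and tells apart the two common causes of a resolver-side "query timed out" on a zone that looks fine from elsewhere: a large signed answer that gets fragmented and dropped on the path, and a blocked TCP/53 fallback. The nameserver name `ns1.example.invalid` is a placeholder for one of the zone's real nameservers, and `SAMPLE_DIG_OUTPUT` is a constructed dig transcript, not one captured from the poster's servers.

```python
import re
import subprocess

# DNS flag day 2020 recommends keeping UDP answers at or below 1232 bytes so they
# never need IP fragmentation; fragmented answers are silently dropped on many paths.
SAFE_UDP_PAYLOAD = 1232

# Constructed sample of `dig +dnssec` output; not captured from the poster's servers.
SAMPLE_DIG_OUTPUT = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; MSG SIZE  rcvd: 1700
"""

def analyze_dig(output: str) -> dict:
    """Extract flags, advertised EDNS buffer and message size from one dig run."""
    flags = re.search(r";; flags: ([^;]*);", output)
    size = re.search(r";; MSG SIZE\s+rcvd: (\d+)", output)
    edns = re.search(r"; EDNS: version: \d+, flags:[^;]*; udp: (\d+)", output)
    flag_set = set(flags.group(1).split()) if flags else set()
    msg_size = int(size.group(1)) if size else 0
    return {
        "timed_out": ";; connection timed out" in output,
        "truncated": "tc" in flag_set or "retrying in TCP mode" in output,
        "msg_size": msg_size,
        "edns_udp": int(edns.group(1)) if edns else None,
        "fragmentation_risk": msg_size > SAFE_UDP_PAYLOAD,
    }

def diagnose(udp: dict, tcp: dict) -> str:
    """Turn the UDP and TCP results for the same query into a verdict."""
    if udp["timed_out"] and tcp["timed_out"]:
        return "nameserver unreachable on both transports"
    if udp["timed_out"]:
        return "UDP answer lost: likely fragmented DNSSEC response or EDNS size mismatch"
    if tcp["timed_out"]:
        return "TCP/53 blocked: truncated UDP answers cannot fall back to TCP"
    if udp["fragmentation_risk"]:
        return f"UDP answer is {udp['msg_size']} bytes, above {SAFE_UDP_PAYLOAD}: fragmentation risk"
    return "responses look healthy on both transports"

def query(name: str, server: str, tcp: bool = False) -> dict:
    """Run dig with the DNSSEC OK bit against one nameserver and analyze the output."""
    cmd = ["dig", "+dnssec", "+tries=1", "+time=5", f"@{server}", name, "A"] + (["+tcp"] if tcp else [])
    return analyze_dig(subprocess.run(cmd, capture_output=True, text=True).stdout)

if __name__ == "__main__":  # ns1.example.invalid is a placeholder for one of the zone's nameservers
    results = [query("angeliquelang.com", "ns1.example.invalid", tcp=t) for t in (False, True)]
    print(diagnose(*results))
```

Run it once per authoritative nameserver and once per address family (use the literal IPv4 and IPv6 addresses as `server`), since a path that drops fragments on IPv6 only will still show up as a timeout from a resolver that prefers IPv6.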