We're encountering a timeout error from the certbot client while trying to renew one of our certificates. The domain is active and unchanged since issuing the certificate; all DNS checks show the A record is set correctly, as it has been for months.
I'm almost certain that the cPanel server, which hosts your DNS zone, is blocking Let's Encrypt's validation servers.
(Your domain's nameservers are ns1.skyfyhost.com/ns2.skyfyhost.com, both of which are actually the judas.uswebhost.com WHM/cPanel server).
You need to ask your DNS host (not Linode, but the owner of judas.uswebhost.com) about this. Alternatively, move your domain to different DNS hosting. Linode has some free DNS hosting you can use.
We don't actually own the domain - we provide web hosting through Linode, and the domain owner sets their A record to our IP, where we serve their website and set up their certificate. I'll reach out to them with this information - however, is this a new issue? There was no problem issuing the certificate 2 months ago with the same setup.
Firewall/blocking issues can be tricky to manage because they can be triggered by automated rules. On WHM/cPanel, there is some software called csf which is notorious for automatically blocking addresses that send too many packets, if configured a certain way. It's plausible that the Let's Encrypt validation servers' DNS traffic set it (or something like it) off.
I have a valid certificate for the domain shinobiselfdefense.com on the judas.... server. Is there another way it can be verified to resolve this issue?
I have a valid certificate for the domain shinobiselfdefense.com on the judas .... server. Is there another way it can be verified to resolve this issue? CNAME update for example.
Judas is Namehero. We have Let's Encrypt certificates on mail.shinobiselfdefense.com and other subdomains with no issues. I deleted those certs and got new certs with no issues via Let's Encrypt. Would this not be via the same DNS you are saying is an issue? Namehero says DNS is not blocked.
The last Let's Encrypt certificate issued for your domain was back in May - 3 months ago.
Since then, all of the certificates for your domain have come from cPanel's certificate authority (Sectigo). You can check here: crt.sh | shinobiselfdefense.com.
I'm pretty sure that they are mistaken.
I've tested it and neither DNS (port 53) nor HTTP (port 80) traffic is able to get from Let's Encrypt to judas.
Unfortunately, it doesn't matter.
In order to find out that your domain has an A record pointing to Linode, Let's Encrypt has to first query judas for that information.
Since Let's Encrypt is unable to talk to judas at all, nothing works.
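The dependency the reply above describes (the CA has to get the A record from the domain's authoritative nameservers before it can reach the web server at all) can be checked from any outside host. The script below is an added example written for this thread, not code from Let's Encrypt, certbot or cPanel: it uses only the Python standard library to look up the domain's NS records through a public recursive resolver (Quad9 at 9.9.9.9 is an assumed choice; any resolver works), then queries each authoritative server directly, with recursion disabled, for the domain's A record. A nameserver that times out on that direct query is one the CA's validation servers cannot use either, whatever the A record says.

```python
# Added diagnostic for the validation path described in the thread: the CA must
# first get the A record from the domain's authoritative nameservers, so if those
# drop UDP/53 from outside, validation fails even though the web server is fine.
import random
import socket
import struct

A, NS, CNAME = 1, 2, 5  # DNS record types used below


def build_query(name, qtype, txid=None, rd=True):
    """Build a minimal DNS query packet (one question, IN class)."""
    txid = random.randint(0, 0xFFFF) if txid is None else txid
    flags = 0x0100 if rd else 0x0000  # RD bit; clear it when asking an authoritative server
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_answers(msg):
    """Return (rcode, [(owner, rtype, value), ...]) from a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == A and rdlen == 4:
            value = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype in (NS, CNAME):  # NS and CNAME rdata is a (compressible) name
            value, _ = _read_name(msg, off)
        else:
            value = msg[off:off + rdlen].hex()
        answers.append((owner, rtype, value))
        off += rdlen
    return flags & 0xF, answers


def query(server_ip, name, qtype, rd=True, timeout=3.0):
    """Send one UDP query; return parse_answers() output, or None on timeout."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid, rd), (server_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    if struct.unpack("!H", data[:2])[0] != txid:
        return None  # reply to a different query; treat as no answer
    return parse_answers(data)


def diagnose(domain, resolver_ip="9.9.9.9"):
    """Map each authoritative NS of `domain` to what it says about the A record."""
    ns_reply = query(resolver_ip, domain, NS)  # resolver is an assumed choice
    if ns_reply is None:
        return {"resolver": "timeout"}
    report = {}
    for _, rtype, ns_name in ns_reply[1]:
        if rtype != NS:
            continue
        glue = query(resolver_ip, ns_name, A)
        for ip in [v for _, t, v in glue[1] if t == A] if glue else []:
            auth = query(ip, domain, A, rd=False)  # ask the NS directly, no recursion
            if auth is None:
                report[ns_name] = f"{ip}: TIMEOUT - CA would never learn the A record"
            else:
                report[ns_name] = f"{ip}: rcode={auth[0]} A={[v for _, t, v in auth[1] if t == A]}"
    return report


if __name__ == "__main__":
    for ns_name, status in diagnose("shinobiselfdefense.com").items():
        print(ns_name, "->", status)
```

Run it from a host outside the cPanel server's own network; a result of `TIMEOUT` for both nameservers, while the same query from the hosting provider's own machines succeeds, is the signature of a firewall (csf or similar) dropping outside UDP/53, and the fix belongs on the DNS host, not on the web server or in certbot.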