Secondary SERVFAIL DNS error running certbot

I'm sorry, I don't understand what you're trying to say.

No, definitely not related to the target webserver. The errors are DNS queries for the A and AAAA records. The Let's Encrypt validation servers prefer IPv6 which is why it looks for AAAA. And, in some error cases will fallback to IPv4 if available.

In any case, the LE server needs to know the IP address(es) from the A / AAAA query. And since those failed it doesn't know what to contact. Mind you, this is only needed for an HTTP (or TLS-ALPN) challenge. A DNS Challenge avoids at least that lookup. Did you ever try the DNS Challenge with LE? If so, did that fail with the same Secondary SERVFAIL but just for the TXT (or maybe CAA) record instead?

A DNS SERVFAIL is peculiar and these can sometimes be very difficult to debug. I've reached the end of my DNS expertise so hopefully someone else can help with that.
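The lookups described above (A/AAAA for an HTTP-01 or TLS-ALPN-01 challenge, the `_acme-challenge` TXT record for DNS-01, plus the CAA check that every challenge type shares) can be walked through in a small diagnostic. The script below is an added example, not code from the thread or from Let's Encrypt; the resolver callback, the zone table and the `example.pw` / `example.com` names are constructed stand-ins, and the failure model (AAAA preferred with fallback to A, any SERVFAIL on TXT or CAA blocking validation) follows the thread's description rather than any CA's exact implementation.

```python
# Added example: which DNS answers an ACME CA needs for HTTP-01 / TLS-ALPN-01
# versus DNS-01, with a constructed in-memory resolver so it runs offline.
from typing import Callable, Dict, List, Tuple

RCode = str                                  # "NOERROR", "NXDOMAIN", "SERVFAIL", ...
Answer = Tuple[RCode, List[str]]             # (rcode, rdata strings)
Resolver = Callable[[str, str], Answer]      # (owner name, record type) -> Answer
Report = List[Tuple[str, str, RCode, List[str]]]


def make_fake_resolver(zone: Dict[Tuple[str, str], Answer]) -> Resolver:
    """Resolver over a constructed zone table (assumption: stand-in for real DNS).
    Unlisted (name, type) pairs answer NOERROR with no data, like an empty RRset."""
    def resolve(name: str, rtype: str) -> Answer:
        return zone.get((name.lower().rstrip("."), rtype.upper()), ("NOERROR", []))
    return resolve


def caa_chain(name: str) -> List[str]:
    """CAA is checked at the name, then at each parent up to the TLD (RFC 8659)."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def lookups_for(challenge: str, name: str) -> List[Tuple[str, str]]:
    """The queries a CA must resolve before it can validate `name` with `challenge`."""
    if challenge in ("http-01", "tls-alpn-01"):
        # The CA has to connect to the host, so it needs an address; AAAA is tried first.
        queries = [(name, "AAAA"), (name, "A")]
    elif challenge == "dns-01":
        # No connection to the host at all: only the challenge TXT record matters.
        queries = [("_acme-challenge." + name, "TXT")]
    else:
        raise ValueError("unknown challenge type: " + challenge)
    # Every challenge type still requires the CAA walk over the whole chain.
    return queries + [(n, "CAA") for n in caa_chain(name)]


def diagnose(challenge: str, name: str, resolver: Resolver) -> Report:
    """Run every required lookup and record (qname, qtype, rcode, rdata)."""
    report: Report = []
    for qname, qtype in lookups_for(challenge, name):
        rcode, rdata = resolver(qname, qtype)
        report.append((qname, qtype, rcode, rdata))
    return report


def servfails(report: Report) -> List[Tuple[str, str]]:
    """SERVFAIL answers: the CA cannot tell 'no such record' from 'broken nameserver'."""
    return [(q, t) for q, t, rc, _ in report if rc == "SERVFAIL"]


def can_validate(challenge: str, name: str, resolver: Resolver) -> bool:
    """Model of the outcome: a SERVFAIL on TXT or CAA blocks validation outright;
    for address lookups at least one of AAAA/A must return usable data."""
    report = diagnose(challenge, name, resolver)
    if any(t in ("TXT", "CAA") for t in (t for _, t, _, _ in servfails_typed(report))):
        return False
    if challenge == "dns-01":
        return any(rd for _, t, _, rd in report if t == "TXT")
    return any(rd for _, t, _, rd in report if t in ("A", "AAAA"))


def servfails_typed(report: Report) -> Report:
    """Same as servfails() but keeps the full rows, for type-based filtering."""
    return [row for row in report if row[2] == "SERVFAIL"]


# Constructed zone mirroring the thread: the .pw name's address lookups SERVFAIL
# while its challenge TXT record is fine; a .com name on the same server resolves.
SAMPLE_ZONE: Dict[Tuple[str, str], Answer] = {
    ("example.pw", "A"): ("SERVFAIL", []),
    ("example.pw", "AAAA"): ("SERVFAIL", []),
    ("_acme-challenge.example.pw", "TXT"): ("NOERROR", ["constructed-token-value"]),
    ("example.com", "A"): ("NOERROR", ["192.0.2.10"]),
    ("example.com", "AAAA"): ("NOERROR", ["2001:db8::10"]),
}


if __name__ == "__main__":
    r = make_fake_resolver(SAMPLE_ZONE)
    for challenge in ("http-01", "dns-01"):
        for host in ("example.pw", "example.com"):
            print(challenge, host, "->", "ok" if can_validate(challenge, host, r) else "blocked",
                  "SERVFAIL on:", servfails(diagnose(challenge, host, r)))
```

Run as-is it prints that `example.pw` is blocked for HTTP-01 (both address lookups SERVFAIL) but validates with DNS-01, while `example.com` passes both; to use it against live DNS, replace `make_fake_resolver` with a callback that issues the query and returns the rcode and rdata.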

I do appreciate the help @MikeMcQ - it's a bit vexing when other domains on the same server worked. @Bruce5051 seemed to have noticed a difference but I didn't grasp what he was trying to explain. I blame being blonde!

Two different Top-Level Domains (TLDs) do not necessarily behave the same when doing DNS searches starting with just the dot (.) down to a FQDN.

So you think there is something different I need to do for the .pw TLD, maybe? It would make sense, but I am not sure where to start in making a change.

Note, I just wanted to add - Let's Encrypt has issued just fine for this domain in the past without DNS changes on my end, but, as you say, it is very possible the TLD may have changed something. I must admit I would not have even thought of that.

Yes to the maybe, but I do not know if there is a difference or not between .com and .pw.

Going to research this. The DNS record on my end (as well as protections, the server, etc.) has not changed, the dot coms work fine, and the domain authenticated fine before. So that seems promising in terms of a lead on what went wrong. I'll report back if I find anything.

And a Google search on .pw

Yeah, definitely seems like the likely culprit, I just need to figure out what it is specifically, or at least a workaround. It's strange it worked about 3 months ago, but not now.

[edit]: Talking on some webadmin Discord servers, the suggestion is to use DNS authentication. So once changes have propagated, I will see if that works.

This is the reference for the DNS-01 challenge.

Thanks!
Heading home from the office but we'll see how this goes when I'm home.

I see two names but only one IP:

I was able to get a certificate just fine with DNS authentication. I had to fiddle a little with the CNAME record but it was fine. I will continue to look into why the .pw TLD had this issue, but the immediate problem is solved.

[edit] I suppose until/unless the reason is discovered and fixed or worked around, one could advise .pw TLD holders to use DNS authentication.