I am posting as @bmw advised me to report my issue that nags me every 90 days during renewal. The output is posted at https://pastebin.com/WKTJWcAX
All DNS entries are pointed to the right IPs, yet the LE server reports a DNS error. It has happened many times in the past, and then it started working all of a sudden. But not this time.
The output you’ve posted has nothing to do with the DNS entries; the Let’s Encrypt servers are able to resolve them just fine. The problem is that internationaluniversityofsweden.net and internationaluniversityofsweden.com were refusing connections from the Let’s Encrypt servers. Whether that would still be the case now, I don’t know; they respond for me:
[root@neth-backup ~]# curl internationaluniversityofsweden.net
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html>
[root@neth-backup ~]# curl internationaluniversityofsweden.com
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html>
Let’s Encrypt is resolving your DNS just fine; it just can’t connect to your server. But I am unable to reproduce any connectivity issues with the affected domain.
Is it possible that this domain is running some sort of firewall, anti-virus, or other security software that is detecting the automated requests from the Let’s Encrypt validation servers and blocking them?
I can't see that in the log you posted; all I can see is the command you ran to try to get the cert. But if you'd stopped your web server before running that command, that would explain your problem--the command you posted did not invoke standalone mode, but webroot mode, which requires a running web server. Either try the same command with nginx running, or change the command to use standalone mode.
It does not seem to be the case. The servers are behind shorewall, which allows 80 and 443 traffic to the relevant servers without any conditions. Antivirus is not enabled for http/s transactions.
--authenticator webroot implies that you have a web server running already, that will serve files from the nominated webroot. But you stopped nginx, so that can't be the case. If you want Certbot to be the web server, then you need to use --authenticator standalone and skip the webroot options.
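A pre-flight check for the webroot mode described above, added here as an example and not code from the thread or from Certbot: it writes a throwaway token under the webroot's .well-known/acme-challenge/ directory and fetches it over HTTP the way the http-01 validator does, so a stopped web server (connection refused) or a webroot nginx is not serving (404) shows up before certbot is run. The script name, function name and the base URL argument are assumptions.

```python
import os
import secrets
import sys
import urllib.error
import urllib.request


def check_webroot_serving(base_url, webroot, timeout=10):
    """Pre-flight for certbot's webroot authenticator (hypothetical helper).

    Drops a throwaway token into <webroot>/.well-known/acme-challenge/ and
    fetches it over HTTP from base_url, mirroring what the Let's Encrypt
    validator does during an http-01 challenge.  Returns (ok, reason).
    The token file is always removed afterwards.
    """
    token = secrets.token_urlsafe(32)
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    token_path = os.path.join(challenge_dir, token)
    expected = "preflight-" + token
    with open(token_path, "w") as fh:
        fh.write(expected)
    url = base_url.rstrip("/") + "/.well-known/acme-challenge/" + token
    try:
        # urllib follows redirects (such as the 301 seen in the thread), as the validator does.
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # Web server answers, but not from this webroot: the 404 case in the certbot log.
        return False, f"HTTP {err.code}: server is up but {webroot} is not served at /.well-known/acme-challenge/"
    except (urllib.error.URLError, OSError) as err:
        # Nothing listening on port 80, or a firewall in the way: the "refusing connections" case.
        return False, f"connection failed ({err}): is the web server running on port 80?"
    finally:
        os.remove(token_path)
    if body != expected:
        return False, "token served with wrong content: another vhost or redirect target answered"
    return True, "webroot is served correctly; --authenticator webroot should succeed"


if __name__ == "__main__":
    # usage: python3 acme_preflight.py http://example.net /usr/local/ispconfig/interface/acme
    ok, reason = check_webroot_serving(sys.argv[1], sys.argv[2])
    print(("OK: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

Run it once per domain in the --domains list with the same --webroot-path you pass to certbot; every domain must report OK before the renewal can pass.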
# service nginx start
# /usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@internationaluniversityofsweden.org --domains internationaluniversityofsweden.org --domains www.internationaluniversityofsweden.org --domains internationaluniversityofsweden.com --domains www.internationaluniversityofsweden.com --domains internationaluniversityofsweden.net --domains www.internationaluniversityofsweden.net --domains ius-siu.se --domains www.ius-siu.se --domains iunis.se --domains www.iunis.se --domains iuni.se --domains www.iuni.se --webroot-path /usr/local/ispconfig/interface/acme
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
....
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: internationaluniversityofsweden.com
Type: unauthorized
Detail: Invalid response from
http://internationaluniversityofsweden.com/.well-known/acme-challenge/SA2lJHYqqlnGH5bAyYLxVKMBndO8IdBRm0eGo0Wziv4:
"<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"
Domain: internationaluniversityofsweden.net
Type: unauthorized
Detail: Invalid response from
http://internationaluniversityofsweden.net/.well-known/acme-challenge/jYlX2KIzw4mLaRaVdfKgNKvcdmPYr3ZkRBdQdtBpIJg:
"<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
# /usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@internationaluniversityofsweden.org --domains internationaluniversityofsweden.org --domains www.internationaluniversityofsweden.org --domains internationaluniversityofsweden.com --domains www.internationaluniversityofsweden.com --domains internationaluniversityofsweden.net --domains www.internationaluniversityofsweden.net --domains ius-siu.se --domains www.ius-siu.se --domains iunis.se --domains www.iunis.se --domains iuni.se --domains www.iuni.se --webroot-path /usr/local/ispconfig/interface/acme
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for internationaluniversityofsweden.org
http-01 challenge for www.internationaluniversityofsweden.org
http-01 challenge for internationaluniversityofsweden.com
http-01 challenge for www.internationaluniversityofsweden.com
http-01 challenge for internationaluniversityofsweden.net
http-01 challenge for www.internationaluniversityofsweden.net
http-01 challenge for ius-siu.se
http-01 challenge for www.ius-siu.se
http-01 challenge for iunis.se
http-01 challenge for www.iunis.se
http-01 challenge for iuni.se
http-01 challenge for www.iuni.se
Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Unable to clean up challenge directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
Generating key (4096 bits): /etc/letsencrypt/keys/0206_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0206_csr-certbot.pem
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/internationaluniversityofsweden.org/fullchain.pem.
Your cert will expire on 2018-05-14. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Thereafter I reverted the nginx directives to the original to make it work.