Some letsencrypt servers apparently have bad DNS configuration

Hello,
I've recently been having issues creating certificates for my domain studenka-headquarters.run.place (I know, I know, free domains :/). I am using the webroot challenge and I've noticed that it only works sometimes, and there's always an error regarding DNS (SERVFAIL looking up A or AAAA), although my DNS works fine; I checked multiple times using the dig tool. I am pretty sure that I am having the exact same issue as discussed in this issue: certbot/certbot#2580

Basically the problem is that some letsencrypt servers don't seem to correctly resolve my domains, or something like that; please check the issue above.

I've always used manual dns-01, but I wanted automatic renewal, so I tried this, and the problem has persisted for 2 days now.

Thank you so much for any help; have a nice day.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: studenka-headquarters.run.place

I ran this command: certbot certonly --webroot -w /var/www/certbot --cert-name studenka-headquarters.run.place -d studenka-headquarters.run.place --no-autorenew --dry-run

It produced this output: DNS problem: SERVFAIL looking up A for studenka-headquarters.run.place - the domain's nameservers may be malfunctioning; no valid AAAA records found for studenka-headquarters.run.place

My web server is (include version): nginx 1.18.0

The operating system my web server runs on is (include version): Debian 5.10.226-1 with Linux 5.10.0-33-amd64

My hosting provider, if applicable, is: myself

I can login to a root shell on my machine (yes or no, or I don't know): absolutely yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.12.0

Um, no. That issue has been closed for nine years. The likelihood that it's what you're encountering is, well, very small.

Unboundtest is also returning a SERVFAIL error trying to look up your AAAA record:
https://unboundtest.com/m/AAAA/studenka-headquarters.run.place/KOMWKRJ4

...and that's going to cause issuance to fail. Your DNS servers need to respond appropriately to AAAA queries, even if that response is "no AAAA record here." Their failure to do so is what's causing this problem. IOW, it's exactly what your very old version of certbot (current is 4.0) is reporting: your domain's nameservers are malfunctioning.

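To check the condition described in the reply above from your own shell, here is a small helper (an added example, not code from the thread, from Certbot or from Let's Encrypt) that classifies dig's answer to the A and AAAA queries and flags the case where the nameservers return SERVFAIL instead of an empty NOERROR answer. The function names and the abbreviated sample dig outputs are constructed for the example; a live query goes through your local recursive resolver, so run it behind a validating resolver (as unboundtest does) to see what a CA's resolver sees.

```shell
# Read the response code from dig's ";; ->>HEADER<<-" line and the answer
# count from its ";; flags:" line, and map them to a short classification.
classify_dig_output() {
  out="$1"
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
  case "$status" in
    NOERROR)
      if [ "${answers:-0}" -gt 0 ]; then echo "ok-with-record"; else echo "ok-empty"; fi ;;
    SERVFAIL) echo "servfail" ;;
    NXDOMAIN) echo "nxdomain" ;;
    *) echo "other" ;;
  esac
}

# Decide whether the resolver can pick an address at all: SERVFAIL on either
# type aborts the lookup even if the other type answered, while an empty
# NOERROR answer for AAAA is fine as long as A returns a record (or vice versa).
ca_lookup_verdict() {
  a="$1"; aaaa="$2"
  if [ "$a" = "servfail" ]; then echo "fail: SERVFAIL on A"; return; fi
  if [ "$aaaa" = "servfail" ]; then echo "fail: SERVFAIL on AAAA"; return; fi
  if [ "$a" = "other" ] || [ "$aaaa" = "other" ]; then echo "fail: unexpected rcode"; return; fi
  if [ "$a" != "ok-with-record" ] && [ "$aaaa" != "ok-with-record" ]; then
    echo "fail: no address records"; return
  fi
  echo "ok"
}

# Query both address types for a domain through the local recursive resolver.
check_domain() {
  a=$(classify_dig_output "$(dig +time=3 +tries=1 A "$1")")
  aaaa=$(classify_dig_output "$(dig +time=3 +tries=1 AAAA "$1")")
  echo "A=$a AAAA=$aaaa -> $(ca_lookup_verdict "$a" "$aaaa")"
}

# Constructed, abbreviated dig outputs (not captured from the thread's domain).
SAMPLE_A_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_AAAA_EMPTY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'
SAMPLE_AAAA_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1003
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Usage: sh check_dns.sh example.test
if [ "$#" -gt 0 ]; then check_domain "$1"; fi
```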

Please consider updating Certbot; see Certbot 4.0.0 released.

Also, there are some DNSSEC errors here: studenka-headquarters.run.place | DNSViz

Here too, the Hardenize report for studenka-headquarters.run.place shows all the SERVFAILs, the same error that Let's Debug sees here: https://letsdebug.net/studenka-headquarters.run.place/2428126

