Strange DNS behavior


So, I'm creating a cert for a mail server. The DNS AAAA record is valid. Tested it on many random servers from

And the debug environment shows no error:

root@mail:/etc/nginx/templates# certbot certonly --staging --agree-tos --email --webroot -w /var/lib/letsencrypt/ -d
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/

What would you like to do?
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
Using the webroot path /var/lib/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges

 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your cert will expire on 2019-02-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

But the production run says that my DNS records are wrong…
The server could not resolve a domain name :: No valid IP addresses found for

Unfortunately, the screen buffer of PuTTY lost the answer from the server, and now it says that I made too many attempts and bans me for some time.
There were too many requests of a given type :: Error creating new authz :: too many failed authorizations recently


You may already have the cert you need.
Try showing:
certbot certificates
However, does not resolve to any IP (neither IPv4 nor IPv6) from some locations:

nslookup -q=ns nameserver = nameserver = internet address = internet address =

*** can’t find Non-existent domain



The domain has two nameservers:  86221  NS  86221  NS

The first one thinks exists and the second one thinks it doesn’t exist.

Their SOA records have different serial numbers – 2018111601 and 2018111605.

Additionally, both of their IPv6 addresses don’t seem to respond.
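
An added example (not part of the original replies) of the check this answer describes: ask each authoritative nameserver directly for the zone's SOA serial and for the AAAA record, then flag any disagreement. The function names, the script name and the `example.net` nameserver names in the sample are assumptions; the live path needs `dig`.

```shell
#!/bin/sh
# Added example: do all authoritative nameservers of a zone agree?
# Usage: ./ns-consistency.sh ZONE HOSTNAME   (script name is hypothetical)

# Ask one nameserver directly (no recursion) and print "NS SERIAL RCODE".
query_ns() {
    zone=$1; name=$2; ns=$3
    # In "dig +short SOA" output the serial is the third field.
    serial=$(dig +norecurse +short +time=3 +tries=1 SOA "$zone" "@$ns" |
        awk '{ print $3; exit }')
    # The response code is in the header line: "... status: NXDOMAIN, id: ..."
    rcode=$(dig +norecurse +time=3 +tries=1 AAAA "$name" "@$ns" |
        sed -n 's/.*status: \([A-Z]*\),.*/\1/p')
    # An unreachable server yields neither value.
    echo "$ns ${serial:-NONE} ${rcode:-TIMEOUT}"
}

# Read "NS SERIAL RCODE" lines on stdin; exit status 1 if the servers disagree.
compare_answers() {
    awk '
        { serials[$2]++; rcodes[$3]++
          print "  " $1 " serial=" $2 " rcode=" $3 }
        END {
            s = 0; r = 0
            for (k in serials) s++
            for (k in rcodes) r++
            if (s > 1) print "MISMATCH: SOA serials differ between nameservers"
            if (r > 1) print "MISMATCH: response codes differ between nameservers"
            exit (s > 1 || r > 1)
        }'
}

# Constructed sample: hypothetical nameserver names, serials as quoted in the thread.
sample_answers() {
    printf '%s\n' 'ns1.example.net. 2018111601 NOERROR' \
                  'ns2.example.net. 2018111605 NXDOMAIN'
}

if [ $# -ge 2 ]; then
    # Live check: query every NS of the zone and compare.
    for ns in $(dig +short NS "$1"); do
        query_ns "$1" "$2" "$ns"
    done | compare_answers
else
    # No arguments: show the report for the constructed sample.
    sample_answers | compare_answers || true
fi
```

Running it before each production request avoids spending failed authorizations on a zone whose secondaries have not picked up the latest serial.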


Thanks, provider mistakes, but I was sure that the configs on all DNS servers are the same “by design”.


