To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
My web server is (include version): Nginx/1.10.3
The operating system my web server runs on is (include version):
Ubuntu 16.4.0
My hosting provider, if applicable, is: DO
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
sudo ufw allow https
sudo ufw allow 443
sudo ufw allow proto tcp from any to any port 80,443
Obtaining a new certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new authz :: Too many invalid authorizations recently.
Please see the logfiles in /var/log/letsencrypt for more details.
First, I’d suggest adding the --dry-run flag to your certbot commands until you start being able to validate successfully. This runs against the staging server and has a separate (and much higher) rate limit for most things, including authz failures. You’ll be able to try again against production servers an hour after your first failure (the limit is 5/hour, with a sliding window.)
That error indicates that Let’s Encrypt is unable to reach your web server. Are you sure it’s publicly available? Try loading it from your phone instead of your local network, for instance. You’re correct about the first line of that being an A record, which would be for just ‘test.xyz’. You’ll want another A record for ‘www’ as well, so that ‘www.test.xyz’ also resolves. Let us know if you’re able to access this externally first and we’ll go from there.
One other thing to look at is if you are announcing IPv6 addresses (AAAA records) that your server is not able to properly respond to. That’s a really common issue.
I will warn you, if this does end up being a DNS issue, it can be really tough to diagnose those remotely without knowing the domain. I’ll also warn you that once you issue a certificate, your domain is no longer secret anyway, as it will be logged to the publicly available certificate transparency logs.
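The checks the replies above describe (A/AAAA records pointing at the host, the "www" name resolving, and the webroot path actually being what nginx serves) can be run before spending another production attempt. This is an added example, not code from the thread or from certbot; SERVER_IPS, SAMPLE_DNS and the `lookup`/`fetch` callables are constructed stand-ins so it runs offline, with test.xyz taken from the thread:

```python
import os
import shutil
import tempfile

# Constructed sample input, not real records: the host has one public IPv4 and
# the (hypothetical) DNS answers reproduce two failures discussed in the thread.
SERVER_IPS = {"203.0.113.10"}
SAMPLE_DNS = {
    "test.xyz":     {"A": {"203.0.113.10"}, "AAAA": {"2001:db8::1"}},  # stale AAAA
    "www.test.xyz": {"A": set(), "AAAA": set()},                        # name missing
}

def dns_findings(names, server_ips, lookup):
    """List what an HTTP-01 validator would trip over; lookup(name) -> {"A": set, "AAAA": set}."""
    problems = []
    for name in names:
        recs = lookup(name) or {}
        a, aaaa = recs.get("A", set()), recs.get("AAAA", set())
        if not a and not aaaa:
            problems.append(f"{name}: does not resolve (no A/AAAA record)")
        elif a and not a & server_ips:
            problems.append(f"{name}: A {sorted(a)} does not point at this host")
        # The validator prefers IPv6 when an AAAA exists, so an unanswerable AAAA fails by itself
        if aaaa and not aaaa & server_ips:
            problems.append(f"{name}: AAAA {sorted(aaaa)} is not served by this host")
    return problems

def webroot_serves(webroot, fetch):
    """Plant a throwaway token where certbot --webroot would; fetch(url_path) must return it."""
    token = os.urandom(12).hex()
    chal_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(chal_dir, exist_ok=True)
    with open(os.path.join(chal_dir, token), "w") as f:
        f.write(token)
    try:
        return fetch(f"/.well-known/acme-challenge/{token}") == token
    finally:
        os.remove(os.path.join(chal_dir, token))

def demo_webroot_check():
    """Offline demo: a webroot matching nginx's root passes, a mismatched one fails."""
    served, wrong = tempfile.mkdtemp(), tempfile.mkdtemp()
    def local(url_path):  # stands in for nginx serving files from `served`
        p = os.path.join(served, url_path.lstrip("/"))
        return open(p).read() if os.path.exists(p) else ""
    try:
        return webroot_serves(served, local), webroot_serves(wrong, local)
    finally:
        for d in (served, wrong): shutil.rmtree(d)
```

On the real server, pass a `lookup` built from `socket.getaddrinfo` and a `fetch` that does `urllib.request.urlopen("http://" + domain + url_path).read().decode()` from outside your network, since that is the path the validator takes.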