Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
The operating system my web server runs on is (include version): DSM 7.2.2-72806 Update 3
My hosting provider, if applicable, is: At home, DTAG, DynIP
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes, Synology Web Station
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Using Standard Synology Cert center, Letsencrypt page
Which reports these kinds of errors near the end of its long debug output. The overall query result is SERVFAIL
Feb 20 15:40:29 unbound[17269:0] info: processQueryTargets: achtumdendicken.de. A IN
Feb 20 15:40:29 unbound[17269:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 0
Feb 20 15:40:29 unbound[17269:0] debug: request has exceeded the maximum number of nxdomain nameserver lookups (5) with 20
Feb 20 15:40:29 unbound[17269:0] debug: parent-side information is already present for the delegation point, no fallback possible
Feb 20 15:40:29 unbound[17269:0] debug: return error response SERVFAIL
Similar errors reported by Let's Debug: Let's Debug
I believe that Let’s Encryptonly follows DNS CNAME recordnot DNAME record nor ANAME record. Edit: I believe I have over assumed and spoken that assumption. Sorry!
I do not know if the my assume is correct or incorrect, thus please do not read into my editing one direction or the other. It is just an unknown to me.
Hopefully a knowledgeable Let's Encrypt community will clarify.
And specifically the DNS-01 challenge states " Since Let’s Encrypt follows the DNS standards when looking up TXT records for DNS-01 validation, you can use CNAME records or NS records to delegate answering the challenge to other DNS zones. This can be used to delegate the _acme-challenge subdomain to a validation-specific server or zone. It can also be used if your DNS provider is slow to update, and you want to delegate to a quicker-updating server."
CNAMES can only be used for either subdomains or the TLD itself
and cannot point to another DNS zone.
In order to do that I only know the way to use an ALIAS.
If someone else knows another way he/she is very welcome to tell me.
I don't know for certain why Let's Debug, unboundtest, and Hardenize all report SERVFAIL errors while other query methods work.
But, it is probably related to the problem below with the Name Server DNS setup itself. You should ask your DNS provider to review the below DNSViz report. The ns2 name server has the same issue
Using the DNS-01 challenge instead of the HTTP-01 challenge would be one way. Also if your DNS Authoritative Name Servers synchronize quicker (i.e. shorter TTLs) that also should help; thus look for DNS Providers that meet your needs.
Guys, thank you for the brainstorming session and all of your answers.
I solved this in the meantime.
As assumed there was an issue with the delegation of the DNS servers at my hoster.
They moved the domain to other auth NSs and since then the certbot successfully received certificates as desired.
My CNAME and ALIAS entries were correct and working perfectly fine now.
All have a great day and thanks again for your support.
