When I try to install certbot for my site, I receive this error:
[2022-09-27 11:21:41] production.DEBUG: : Saving debug log to /var/log/letsencrypt/letsencrypt.log
[2022-09-27 11:21:42] production.DEBUG: : Plugins selected: Authenticator nginx, Installer nginx
[2022-09-27 11:21:42] production.DEBUG: : Attempting to parse the version 1.30.0 renewal configuration file found at /etc/letsencrypt/renewal/deepplus.plus.conf with version 0.40.0 of Certbot. This might not work.
[2022-09-27 11:21:42] production.DEBUG: : Obtaining a new certificate
[2022-09-27 11:21:42] production.DEBUG: : An unexpected error occurred:
: Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate :: Error finalizing order :: While processing CAA for drumheadshed.com: DNS problem: SERVFAIL looking up CAA for drumheadshed.com - the domain's nameservers may be malfunctioning
[2022-09-27 11:21:42] production.DEBUG: : Please see the logfiles in /var/log/letsencrypt for more details.
[2022-09-27 11:21:42] production.DEBUG: [✗] This task did not complete successfully on one of your servers.
When I install multiple times, sometimes it works, sometimes it does not. I want to know exactly why this happens; please advise.
You have two very different problems. One is the error about parsing a 1.30 renewal config with an older certbot v0.40. This happens when you have multiple versions of certbot installed on your system. Please review the install docs for certbot for how to remove the copy that came with your operating system.
The other problem is your DNS was returning an error code. I don't see any current problems with your DNS. Is that still happening?
There is definitely something weird going on with your DNS zone.
Let's Debug doesn't find that CAA problem: Let's Debug (letsdebug.net)
Can your DSP help troubleshoot this problem?
Can you add a CAA record to specifically allow Let's Encrypt?
Can you add more DNS servers?
Can you switch your DSP?
Rudy had a good idea earlier. Maybe try adding a CAA record with the value:
0 issue "letsencrypt.org"
This will only allow Let's Encrypt to issue certs for your domain.
The reason this might help is because the SERVFAIL error seems to only happen with the CAA record. Your DNS servers should be responding "not found" but instead respond with the SERVFAIL. This is not allowed (by LE).
Adding a CAA record might help avoid this.
I appreciate how hard it is to deal with intermittent DNS issues. I haven't been able to recreate any problem with your DNS with any of the normal tools we use.
It's a bit of a long shot because you are not using IPv6, so you don't have an AAAA record in the DNS either. So, even if this helps with the CAA record, you might start seeing AAAA record SERVFAILs. LE checks for one and uses it over any A record for IPv4. Still, it might be helpful as a diagnostic aid if nothing else.
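To make the SERVFAIL-versus-"not found" distinction in the post above concrete, here is an added Python example; it is not code from this thread or from Let's Encrypt. It builds constructed wire-format DNS responses for a CAA query (one SERVFAIL, one NOERROR with no records, one carrying `0 issue "letsencrypt.org"`), parses them back, classifies what a CA would see, and applies the RFC 8659 issue-tag check. The query ID, TTL, IPv4 address and all responses are made up for illustration, and the CAA check covers a single RRset only; a real CA also climbs to parent names.

```python
import struct
import ipaddress

# Type and RCODE names used below; CAA is type 257 (RFC 8659).
QTYPE = {1: "A", 28: "AAAA", 257: "CAA"}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero octet."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def encode_caa(flags, tag, value):
    """CAA RDATA per RFC 8659 s4.1: flags, tag length, tag, value."""
    tag_b = tag.encode("ascii")
    return bytes([flags, len(tag_b)]) + tag_b + value.encode("ascii")


def build_response(qname, qtype, rcode, rdatas=()):
    """Build a constructed (not captured) DNS response for one question."""
    flags = 0x8180 | (rcode & 0xF)            # QR=1, RD=1, RA=1, RCODE in low nibble
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(rdatas), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    answers = b""
    for rdata in rdatas:
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return header + question + answers


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the field)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Parse header, question and answer section; decode CAA, A and AAAA RDATA."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    qtype, _ = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        rec = {"name": name, "type": QTYPE.get(rtype, rtype), "ttl": ttl}
        if rtype == 257:
            rec.update(flags=rdata[0], tag=rdata[2:2 + rdata[1]].decode("ascii"),
                       value=rdata[2 + rdata[1]:].decode("ascii"))
        elif rtype in (1, 28):
            rec["address"] = str(ipaddress.ip_address(rdata))
        answers.append(rec)
    return {"qname": qname, "qtype": QTYPE.get(qtype, qtype),
            "rcode": RCODE.get(flags & 0xF, flags & 0xF), "answers": answers}


def classify(resp):
    """How a CA reads the answer: only NOERROR with no records means 'no such record'."""
    if resp["rcode"] == "SERVFAIL":
        return "lookup-failed"                # reported by LE as a DNS problem, not as 'no CAA'
    if resp["rcode"] == "NXDOMAIN":
        return "name-does-not-exist"
    if resp["rcode"] == "NOERROR" and not resp["answers"]:
        return "nodata"                       # the 'not found' answer the thread expects
    return "answered"


def caa_permits(records, ca_domain="letsencrypt.org"):
    """RFC 8659 s4.2 issue-tag check for one RRset (a real CA also climbs to parent names)."""
    issue = [r["value"] for r in records if r.get("tag", "").lower() == "issue"]
    if not issue:
        return True                           # no issue tags: any CA may issue
    # value is 'issuer-domain [; params]'; a bare ';' means no CA may issue
    return any(v.split(";")[0].strip().lower() == ca_domain.lower() for v in issue)


# Constructed sample responses (not captures from the thread's nameservers).
SERVFAIL_CAA = build_response("drumheadshed.com", 257, 2)
NODATA_CAA = build_response("drumheadshed.com", 257, 0)
ALLOW_LE_CAA = build_response("drumheadshed.com", 257, 0,
                              [encode_caa(0, "issue", "letsencrypt.org")])
A_ANSWER = build_response("drumheadshed.com", 1, 0, [bytes([203, 0, 113, 10])])

if __name__ == "__main__":
    for label, msg in [("servfail", SERVFAIL_CAA), ("nodata", NODATA_CAA), ("caa", ALLOW_LE_CAA)]:
        r = parse_response(msg)
        print(label, r["rcode"], classify(r), r["answers"])
```

Run against a live zone you would feed `parse_response` the UDP payload of a real CAA query instead of the constructed bytes; the useful check is that the intermittent answers come back as `nodata` or `answered`, never `lookup-failed`.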
You're correct. When I tried to add a CAA record, we got this new error. Any idea, Mike?
[2022-09-29 04:10:56] production.DEBUG: out : Requesting a certificate for musicpartsdirect.com
[2022-09-29 04:10:59] production.DEBUG: out : Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
: Domain: musicpartsdirect.com
: Type: dns
: Detail: DNS problem: SERVFAIL looking up A for musicpartsdirect.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for musicpartsdirect.com - the domain's nameservers may be malfunctioning
: Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
[2022-09-29 04:11:01] production.DEBUG: out : Saving debug log to /var/log/letsencrypt/letsencrypt.log
[2022-09-29 04:11:01] production.DEBUG: out : Some challenges have failed.
[2022-09-29 04:11:01] production.DEBUG: out : Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
[2022-09-29 04:11:01] production.DEBUG: out [✗] This task did not complete successfully on one of your servers.
Do you think there are a few errors with DNS from our server?
That is a new domain name and DNSviz reports many problems. First step is to resolve those. I'm signing off for the night so I didn't study it, but this is not the same issue as your other domain. Just a similar symptom.