Unable to create a certificate for a subdomain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: progresshill.com

I ran this command: sudo certbot --apache

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?


1: progresshill.com
2: www.progresshill.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.progresshill.com
Waiting for verification...
Challenge failed for domain www.progresshill.com
http-01 challenge for www.progresshill.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.progresshill.com
    Type: dns
    Detail: DNS problem: SERVFAIL looking up A for www.progresshill.com

    • the domain's nameservers may be malfunctioning

My web server is (include version): Apache/2.4.6 (CentOS)

The operating system my web server runs on is (include version): CentOS Linux release 7.7.1908 (Core)

My hosting provider, if applicable, is: Digitalocean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.7.0


Hi and welcome to the forum!

You seem to be missing an A record entry (or CNAME) for the www name:

Name:    progresshill.com
Address:  188.166.53.152

*** 8.8.8.8 can't find www.progresshill.com: Server failed

OR you made the entry very recently.


There seems to be an issue with the Digital Ocean (via CloudFlare) DNS servers lately.

3/4 of the global DNS providers I tested show SERVFAIL for the www name:
[only CloudFlare returned an IP]

nslookup www.progresshill.com 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53
** server can't find www.progresshill.com: SERVFAIL

nslookup www.progresshill.com 4.2.2.2
Server:         4.2.2.2
Address:        4.2.2.2#53
** server can't find www.progresshill.com: SERVFAIL

nslookup www.progresshill.com 208.67.222.123
Server:         208.67.222.123
Address:        208.67.222.123#53
** server can't find www.progresshill.com: SERVFAIL

nslookup www.progresshill.com 1.0.0.1
Server:         1.0.0.1
Address:        1.0.0.1#53
Non-authoritative answer:
www.progresshill.com    canonical name = progresshill.com.
Name:   progresshill.com
Address: 188.166.53.152

Thank you @rg305 for your help. Since I am running certbot inside a DigitalOcean VPS, I assume that it should make the DNS query inside the DigitalOcean DNS server; is that correct? In which case I am wondering why it should not be able to find the CNAME record for the www.progresshill domain.
Also the response from the certbot command is "DNS problem: SERVFAIL looking up A for www.progresshill.com", which also makes me wonder if it is only looking for an A Record entry?


certbot doesn't do the DNS query.
certbot communicates with LetsEncrypt and they do the DNS query and are responsible for the message:

This seems to be an ongoing problem with DigitalOcean(via CloudFlare) DNS.
As I showed, it is NOT just LetsEncrypt that is having trouble retrieving DNS records from them.

It doesn't look specifically for A record type; CNAME records are valid and are used all the time.

The problem is global DNS systems are having trouble with your DNS provider.

Thank you for the insight


Try these queries, one at a time, from any PC or server with an Internet connection:

nslookup www.progresshill.com 208.67.222.123
nslookup www.progresshill.com 8.8.8.8
nslookup www.progresshill.com 4.2.2.2
nslookup www.progresshill.com 1.1.1.1

The first IP is from OpenDNS
The second IP is from Google DNS
The third IP is from Level 3 DNS
The last IP is from CloudFlare DNS


Thanks. I have tried and all of them resolved apart from 8.8.8.8 and 1.1.1.1. Maybe then it is an issue of delay in propagation, since I made the config yesterday. I wonder why the apex domain progresshill.com was able to propagate and not the subdomain "www". In fact 1.1.1.1 actually times out.


I can't be 100% certain...
But the common theme seems to be CNAME records (having this issue).
You might try changing the www to an A record like the apex.


Thanks. I'll try that


Also, switch from production to testing until it passes the test (or you will hit a rate limit).
Use:
sudo certbot --apache --dry-run

[as much as you like :slight_smile:]


One question before I go:
Are those doing separate things / serving different sites?
[Or are they in the same file and one is alias to the other]


Oh thank you for that info. Very helpful indeed.


www is an alias to progresshill.com


Ah, I got this wrong, this is not related to query flags after all. I think this is just related to DigitalOcean's DNS edge cache which has been causing all sorts of havoc (1 and 2).

If you spam the same query to ns1.digitalocean.com, you will randomly get either a good response or a rubbish referral, which will result in a SERVFAIL. :man_shrugging:


@_az That seems to hit the nail right on the head (from where I'm seated)!

I do notice that the apex (defined by A record) doesn't have this problem.
The www (defined via CNAME) does.

@H.K, if possible, please create another set of A & CNAME test records.
Something like:

testa A 1.2.3.4
testc CNAME testa.progresshill.com.

edit: yeah repeated DNS requests will eventually produce a valid reply like once every ten tries

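The resolver checks suggested above, and the "query it ten times and see how often it fails" observation from this post, can be combined into one probe. This is an added example, not code from the thread; it assumes `nslookup` is on the PATH and parses the Linux and Windows output formats shown in the thread, counting how often each public resolver returns SERVFAIL for a name over repeated queries.

```python
import re
import subprocess
from collections import Counter

# The four public resolvers named in the thread (OpenDNS, Google, Level 3, Cloudflare).
RESOLVERS = ["208.67.222.123", "8.8.8.8", "4.2.2.2", "1.1.1.1"]


def classify(output: str, resolver: str) -> str:
    """Reduce one nslookup transcript to SERVFAIL/NXDOMAIN/TIMEOUT or the answered address.

    Handles both the Linux form ("** server can't find x: SERVFAIL") and the Windows
    form ("*** 8.8.8.8 can't find x: Server failed") seen in the thread. nslookup
    follows a CNAME itself, so the address of the target is what comes back.
    """
    m = re.search(r"can't find \S+: ([A-Za-z ]+)", output)
    if m:
        reason = m.group(1).strip().upper()
        return "SERVFAIL" if reason == "SERVER FAILED" else reason
    if "timed out" in output or "no servers could be reached" in output:
        return "TIMEOUT"
    # Answer lines look like "Address: 188.166.53.152". The resolver's own line is
    # "Address: 8.8.8.8#53" on Linux (the '#' excludes it) or equals the resolver on Windows.
    addrs = re.findall(r"^Address:\s+([0-9A-Fa-f.:]+)\s*$", output, re.M)
    answers = [a for a in addrs if a != resolver]
    return answers[0] if answers else "NO-ANSWER"


def query(name: str, resolver: str) -> str:
    """Run one real nslookup against a resolver and classify its result."""
    proc = subprocess.run(["nslookup", name, resolver], capture_output=True, text=True, timeout=20)
    return classify(proc.stdout + proc.stderr, resolver)


def probe(name: str, resolvers=RESOLVERS, rounds: int = 10, query_fn=query) -> dict:
    """Query each resolver `rounds` times; returns {resolver: Counter(outcome -> count)}.

    Repeating the query is the point: a resolver that answers once in ten looks fine
    on a single lookup but will fail most ACME validations.
    """
    return {r: Counter(query_fn(name, r) for _ in range(rounds)) for r in resolvers}


def servfail_rate(counter: Counter) -> float:
    total = sum(counter.values())
    return counter.get("SERVFAIL", 0) / total if total else 0.0


if __name__ == "__main__":
    for resolver, outcomes in probe("www.progresshill.com").items():
        print(f"{resolver:>15}: {dict(outcomes)}  SERVFAIL rate {servfail_rate(outcomes):.0%}")
```

A SERVFAIL rate well above zero on resolvers outside the provider's own network points at the authoritative servers (or their cache), not at certbot or the web server.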

I have created two subdomains, a.progresshill.com (with an A Record) and c.progresshill.com (with a C Record), and I am able to perform a successful certbot dry run on both. However, I still face a challenge with www.


I have deleted the www entry and recreated it afresh as a CNAME entry. When I run the certbot dry-run, I sometimes get a success and other times an error

$ sudo certbot certonly --apache -d www.progresshill.com --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.progresshill.com
Waiting for verification...
Challenge failed for domain www.progresshill.com
http-01 challenge for www.progresshill.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:


$ sudo certbot certonly --apache -d www.progresshill.com --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.progresshill.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:

  • The dry run was successful.

I also notice inconsistent responses when I look up DNS:
