Unable to update certificate for a few days with duckdns domains

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: phanosp.com

I ran this command:
certbot certonly --cert-name phanosp.com -d auto.phanosp.com,code.phanosp.com,data.phanosp.com,media.phanosp.com --debug-challenges -v --dry-run
It produced this output:
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: auto.phanosp.com
Type: dns
Detail: DNS problem: SERVFAIL looking up A for auto.phanosp.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for auto.phanosp.com - the domain's nameservers may be malfunctioning

Domain: code.phanosp.com
Type: dns
Detail: DNS problem: SERVFAIL looking up A for code.phanosp.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for code.phanosp.com - the domain's nameservers may be malfunctioning

Domain: data.phanosp.com
Type: dns
Detail: DNS problem: SERVFAIL looking up A for data.phanosp.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for data.phanosp.com - the domain's nameservers may be malfunctioning

Domain: media.phanosp.com
Type: dns
Detail: DNS problem: SERVFAIL looking up A for media.phanosp.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for media.phanosp.com - the domain's nameservers may be malfunctioning

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

The operating system my web server runs on is (include version):
Ubuntu 22.04.5 LTS
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

The domains auto.phanosp.com etc. are CNAMEs on my domain phanosp.com. I have been using this setup for years with no problem. I even updated it last Saturday and it was working just fine. Now it has not been working for about 24 hours. I already contacted my DNS provider and they said they have no issues on their side.

Your subdomains use a CNAME to phanos.com not phanosp.com. And phanos uses duckdns which has many config problems. It is also different than your phanosp.com config as it has both IPv4 and IPv6 defined.

auto.phanosp.com.	3600	IN	CNAME	phanos.duckdns.org.

See this dnsviz report: auto.phanosp.com | DNSViz

Below is the difference I described about IPv4/6. This is not necessarily wrong but it is unusual.

nslookup phanosp.com
Address: 194.233.17.153

nslookup auto.phanosp.com
auto.phanosp.com        canonical name = phanos.duckdns.org.
Name:   phanos.duckdns.org
A    Address: 194.233.17.153
AAAA Address: 66ea:a192::66ea:a192:0:0
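Added example, not part of the original thread: a pre-flight check that sends the same A and AAAA lookups the CA reported as SERVFAIL and returns the DNS status for each name, so a broken CNAME target shows up before certbot is run. The resolver address `1.1.1.1` and the function names are assumptions made for this sketch.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPES = {"A": 1, "AAAA": 28}

def build_query(name, qtype, txid=0x1234):
    """Encode a single-question DNS query with recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)

def parse_status(response, txid=0x1234):
    """Return (rcode name, answer count) from a raw DNS response."""
    if len(response) < 12:
        raise ValueError("short DNS response")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF)), ancount

def lookup_status(name, qtype, resolver="1.1.1.1", timeout=5.0):
    """Ask a recursive resolver (assumed address) about one record type."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype), (resolver, 53))
        return parse_status(sock.recv(4096))

def preflight(names, lookup=lookup_status):
    """Map each name to the record types whose lookup was not NOERROR."""
    failures = {}
    for name in names:
        for qtype in ("A", "AAAA"):
            try:
                status, _ = lookup(name, qtype)
            except (OSError, ValueError) as exc:
                status = "ERROR: %s" % exc
            if status != "NOERROR":
                failures.setdefault(name, []).append((qtype, status))
    return failures

if __name__ == "__main__":
    import sys
    for name, problems in preflight(sys.argv[1:]).items():
        print(name, problems)
```

A recursive resolver follows the CNAME itself, so a SERVFAIL here can originate in the target zone rather than in the zone of the name being checked. The CA uses its own resolvers, so a clean result from a public resolver is necessary but not sufficient.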

I am not sure I understand you correctly. I do use a CNAME under my domain phanosp.com (not phanos.com) which points to phanos.duckdns.org which is being updated by dyndns. I only set up the AAAA address today while trying to solve my problem but with no luck. This setup has been working for years. I only added a new CNAME yesterday and since then I cannot update the certificate. Do you spot any issues?

Thanks


Yes, see the dnsviz link I provided. You will see problems too :slight_smile:

We have seen several reports about duckdns failures recently. You should contact them. Refer them to the dnsviz report.

Also, you just got a cert with many related names a few days ago. Why did you even try getting another one so soon? The duckdns problems need to be fixed but I am curious about needing another cert now.


Thanks, I see the errors in the dnsviz link now :). I did not realize that the issue could have been on duckdns before. I will contact them directly and hopefully I will sort this out soon.


Hi @MikeMcQ,

I tried contacting duckdns support but could not do so, so I then tried bypassing duckdns altogether by changing the settings at my domain host. After that the update of the certificate went very smoothly.

I will revert back to duckdns to avoid any issues in the future if my ISP decides to change my IP, but if the problem repeats I will try to avoid them. I do not really need duckdns nowadays since my IP changes very rarely.


Glad you got the cert.

There are other ddns providers. Maybe even switch DNS provider to Cloudflare and use theirs?


Will look into that. Thanks
