Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for xtons.com
tls-sni-01 challenge for www.xtons.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/xtons.com.conf produced an unexpected error: Failed authorization procedure. www.xtons.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: query timed out looking up A for www.xtons.com. Skipping.
The following certs are not due for renewal yet:
/etc/letsencrypt/live/xtons.com-0001/fullchain.pem (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/xtons.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: www.xtons.com
Type: connection
Detail: DNS problem: query timed out looking up A for www.xtons.com
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
My operating system is (include version): ubuntu 14.04 LTS on amazon EC2
My web server is (include version): nginx (not run)
My hosting provider, if applicable, is: amazon
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
When I did a dig +trace www.xtons.com, it was “hanging” on the last bit… But ultimately, it did work… Perhaps dig chose another server…?
If I look at http://dnsviz.net/d/www.xtons.com/dnssec/ you can see a lot of warnings and errors. Some of them can be ignored (not every DNS server responds to TCP), but the fact a lot of DNS servers are not responding to UDP does shed some light on the situation: your DNS is quite troublesome at the least.
The dig query time reported is 4 seconds. That’s not “reliable, efficient DNS service”, that’s “lucky it worked at all”. Apparently Let’s Encrypt’s resolver is not always so lucky.
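A scripted version of the per-nameserver check the reply above describes (dig against each authoritative server, over UDP and over TCP, watching the reported query time), added here as an example that is not from the original thread. The nameserver names, the 203.0.113.0/24 addresses and the 2-second "slow" threshold are constructed assumptions, not Let's Encrypt's published values.

```python
import re
import subprocess
from typing import Dict, List

# Assumed threshold for "slow" (illustration only, not a published Let's Encrypt value).
SLOW_MS = 2000

def classify_dig_output(text: str) -> Dict[str, object]:
    """Turn one dig run's output into a verdict: ok, slow, timeout, or the DNS rcode."""
    if "connection timed out" in text or "no servers could be reached" in text:
        return {"status": "timeout", "ms": None, "answers": []}
    ms_match = re.search(r";; Query time: (\d+) msec", text)
    ms = int(ms_match.group(1)) if ms_match else None
    rcode_match = re.search(r"status: (\w+)", text)
    rcode = rcode_match.group(1) if rcode_match else "UNKNOWN"
    # A records in the answer section, e.g. "www.xtons.com.  600  IN  A  203.0.113.10"
    answers = re.findall(r"^\S+\s+\d+\s+IN\s+A\s+(\S+)", text, re.M)
    if rcode != "NOERROR":
        status = rcode.lower()          # servfail, refused, nxdomain, ...
    elif ms is not None and ms > SLOW_MS:
        status = "slow"                 # answered, but slowly enough to trip a short resolver timeout
    else:
        status = "ok"
    return {"status": status, "ms": ms, "answers": answers}

def probe_nameservers(domain: str, nameservers: List[str], timeout_s: int = 5) -> Dict[str, Dict[str, dict]]:
    """Ask each authoritative server directly, once over UDP and once over TCP, one try each (needs dig)."""
    results: Dict[str, Dict[str, dict]] = {}
    for ns in nameservers:
        results[ns] = {}
        for proto, flag in (("udp", "+notcp"), ("tcp", "+tcp")):
            cmd = ["dig", f"+time={timeout_s}", "+tries=1", flag, f"@{ns}", domain, "A"]
            out = subprocess.run(cmd, capture_output=True, text=True).stdout
            results[ns][proto] = classify_dig_output(out)
    return results

def unreliable_servers(results: Dict[str, Dict[str, dict]]) -> List[str]:
    """Servers whose UDP answer was not ok: a resolver that happens to pick one of them stalls or fails."""
    return sorted(ns for ns, r in results.items() if r["udp"]["status"] != "ok")

# Constructed dig transcripts (placeholder nameservers, documentation-range addresses).
SAMPLE_SLOW = """; <<>> DiG 9.9.5 <<>> @ns1.dns-provider.invalid www.xtons.com A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
www.xtons.com.\t600\tIN\tA\t203.0.113.10
;; Query time: 4000 msec
"""
SAMPLE_TIMEOUT = """; <<>> DiG 9.9.5 <<>> @ns2.dns-provider.invalid www.xtons.com A
;; connection timed out; no servers could be reached
"""
```

Run `probe_nameservers("www.xtons.com", [...])` with the domain's NS records to see, per server and transport, which ones a validator's resolver could get stuck on.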
Issues with DNSPod have been reported on this forum more than once:
From my location in the US, it seems to me that most of their DNS servers are located in mainland China, a few in Hong Kong, and service is generally spotty.
I don’t think there are any issues specific to Let’s Encrypt.
Edit:
I don’t know if DNSPod is fast and reliable inside China, but service outside of China is clearly poor. I would suggest using a different DNS provider, or living with the fact that Let’s Encrypt will sometimes take a few tries to validate.
Edit:
While Let’s Encrypt provides no guarantees about the location of the validation servers, and they have plans to check from multiple locations, evidently they currently don’t check from China.