Related Post, but I’ve since contacted Let’s Encrypt regarding this error.
Kindly check this thread with LetsEncrypt’s support
I’m now getting the following error after running:
sudo certbot renew
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.howdenaces.com
Type: dns
Detail: DNS problem: SERVFAIL looking up CAA for www.howdenaces.com
- the domain's nameservers may be malfunctioning
But the thing is, I’ve already added in the CAA record to allow letsencrypt.org, and my records are correct.
They’ve also informed me that there’s something odd with my NS records. I did have two extra NS records before but I’ve since deleted them over 6+ hours ago. I don’t think the DNS has been refreshed since the LetsEncrypt support informed me that there’s still something odd about the NS records.
You can try running: dig +trace www.howdenaces.com
and the following log will appear:
www.howdenaces.com. 60536 IN NS ns1.digitalocean.com.
www.howdenaces.com. 60536 IN NS ns2.digitalocean.com.
;; Received 96 bytes from 198.41.222.173#53(ns3.digitalocean.com) in 108 ms
www.howdenaces.com. 60536 IN NS ns1.digitalocean.com.
www.howdenaces.com. 60536 IN NS ns2.digitalocean.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 96 bytes from 173.245.58.51#53(ns1.digitalocean.com) in 148 ms
www.howdenaces.com. 60536 IN NS ns1.digitalocean.com.
www.howdenaces.com. 60536 IN NS ns2.digitalocean.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 96 bytes from 173.245.58.51#53(ns1.digitalocean.com) in 196 ms
www.howdenaces.com. 60535 IN NS ns1.digitalocean.com.
www.howdenaces.com. 60535 IN NS ns2.digitalocean.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 96 bytes from 2400:cb00:2049:1::adf5:3b29#53(ns2.digitalocean.com) in 196 ms
howdenaces.com. 3600 IN A 128.199.142.171
www.howdenaces.com. 43200 IN CNAME howdenaces.com.
;; Received 77 bytes from 2400:cb00:2049:1::adf5:3b29#53(ns2.digitalocean.com) in 196 ms
Can this issue be fixed immediately? Thank you.
Please check https://certbot.eff.org/docs/using.html?highlight=revoke
Hello, @angelovillasant
Keep in mind that all DNS changes might take up to 48 hours in order to fully update. This is due to ISP DNS cache and general DNS propagation as well. This usually happens a lot faster but will still take at least a few hours to fully update.
You can check the DNS records with our DNS tool: https://www.digitalocean.com/community/tools/dns.
You can also monitor the DNS propagation using this site: https://www.whatsmydns.net/
It will show you a DNS record check from various points around the world. This will help you to see if there is a DNS misconfiguration or if it’s just the DNS slowly updating.
I would recommend that you wait for an hour or two before running the renew command again:
sudo certbot renew
This is in order not to hit the renew attempt limit that LE has per hour.
Hope that this helps! Regards, Alex
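
Added example (not part of any post in this thread): a small model of the CAA tree climb from RFC 8659, showing why a SERVFAIL on www.howdenaces.com blocks issuance even though the apex carries a correct CAA record. The resolver answers are constructed, and treating SERVFAIL as a hard stop is an assumption based on the error shown in the question.

```python
# Added illustration: constructed resolver answers, not real DNS data.
SERVFAIL, NOERROR, NXDOMAIN = "SERVFAIL", "NOERROR", "NXDOMAIN"

# name -> (rcode, [(flags, tag, value), ...]); CNAME handling is omitted.
BROKEN = {
    "www.howdenaces.com": (SERVFAIL, []),
    "howdenaces.com": (NOERROR, [(0, "issue", "letsencrypt.org")]),
}
FIXED = {
    "www.howdenaces.com": (NOERROR, []),
    "howdenaces.com": (NOERROR, [(0, "issue", "letsencrypt.org")]),
}


def relevant_caa_set(fqdn, answers):
    """Climb from fqdn toward the root and return (records, error)."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rcode, records = answers.get(name, (NXDOMAIN, []))
        if rcode == SERVFAIL:
            # Assumption: the CA refuses to guess when a lookup fails.
            return None, f"SERVFAIL looking up CAA for {name}"
        if records:
            return records, None  # closest CAA RRset wins, stop climbing
    return [], None  # no CAA anywhere in the tree


def may_issue(fqdn, ca_domain, answers):
    """Return (allowed, reason) for a non-wildcard certificate request."""
    records, error = relevant_caa_set(fqdn, answers)
    if error:
        return False, error
    issuers = [value.split(";")[0].strip().lower()
               for _flags, tag, value in records if tag.lower() == "issue"]
    if not issuers:
        return True, "no issue property restricts issuance"
    if ca_domain.lower() in issuers:
        return True, f"{ca_domain} is authorized"
    return False, f"{ca_domain} is not in the issue set"


if __name__ == "__main__":
    for label, zone in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, may_issue("www.howdenaces.com", "letsencrypt.org", zone))
```

The climb starts at the requested name, so the failure at www is hit before the apex record is ever consulted; the nameservers must answer the CAA query cleanly (even with an empty answer) for the check to reach howdenaces.com.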