Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
Configuring virtual dev server - Apache question Question Question
How do I correct a "connection timed out" error during http-01 challenge propagation with Cert-Manager? Question Question

Question

DNS Error when renewing Lets Encrypt Certbot

Posted October 1, 2020 669 views
ApacheLAMP StackLet's EncryptUbuntu 20.04

Related Post, but I’ve since contacted Let’s Encrypt regrading this error.

Kindly check this thread with LetsEncrypt’s support

I’m now getting the following error after running:
sudo certbot renew

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.howdenaces.com
   Type:   dns
   Detail: DNS problem: SERVFAIL looking up CAA for www.howdenaces.com
   - the domain's nameservers may be malfunctioning

But the thing is, I’ve already added in the CAA record to allow letsencrypt.org, and my records are correct.

They’ve also informed me that there’s something odd with my NS records. I did have two extra NS records before but I’ve since deleted them over 6+ hours ago. I don’t think the DNS has been refreshed since the LetsEncrypt support informed me that there’s still something odd about the NS records.

You can try running: dig +trace www.howdenaces.com

and the following log will appear:

www.howdenaces.com.     60536   IN      NS      ns1.digitalocean.com.
www.howdenaces.com.     60536   IN      NS      ns2.digitalocean.com.
;; Received 96 bytes from 198.41.222.173#53(ns3.digitalocean.com) in 108 ms

www.howdenaces.com.     60536   IN      NS      ns1.digitalocean.com.
www.howdenaces.com.     60536   IN      NS      ns2.digitalocean.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 96 bytes from 173.245.58.51#53(ns1.digitalocean.com) in 148 ms

www.howdenaces.com.     60536   IN      NS      ns1.digitalocean.com.
www.howdenaces.com.     60536   IN      NS      ns2.digitalocean.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 96 bytes from 173.245.58.51#53(ns1.digitalocean.com) in 196 ms

www.howdenaces.com.     60535   IN      NS      ns1.digitalocean.com.
www.howdenaces.com.     60535   IN      NS      ns2.digitalocean.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 96 bytes from 2400:cb00:2049:1::adf5:3b29#53(ns2.digitalocean.com) in 196 ms

howdenaces.com.         3600    IN      A       128.199.142.171
www.howdenaces.com.     43200   IN      CNAME   howdenaces.com.
;; Received 77 bytes from 2400:cb00:2049:1::adf5:3b29#53(ns2.digitalocean.com) in 196 ms

Can this issue be fixed immediately? Thank you.

Add a comment
angelovillasant
By:
angelovillasant

Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
Configuring virtual dev server - Apache question Question Question
How do I correct a "connection timed out" error during http-01 challenge propagation with Cert-Manager? Question Question

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
2 answers
alexdo October 1, 2020

Hello, @angelovillasant

Keep in mind that all DNS changes might take up to 48 hours in order to fully update. This is due to ISP DNS cache and general DNS propagating as well. This usually happens a lot faster but will still take at least few hours to fully update.

You can check the DNS records with our DNS tool: https://www.digitalocean.com/community/tools/dns.

You can also monitor the DNS propagation using this site: https://www.whatsmydns.net/

It will show you a DNS record check from various points around the world. This will help you to see if there is a DNS misconfiguration or if it’s just the DNS slowly updating.

I will recommend you to wait for an hour or two before running the renew command again:

sudo certbot renew

This is in order not to hit the renew attempt limit that LE have per hour.

Hope that this helps!
Regards,
Alex

Reply Report
marks567217 October 1, 2020
Reply Report

Related

Looking for something else?

Ask a new question Search for more help