Something’s changed after running flawlessly since late 2017.
I’m suspicious it may have something to do with DNS replication if the _acme-challenge.zagz.com TXT record isn’t correct from a slave server?
Requesting a certificate for zagz.com from Let's Encrypt ..
.. request failed : Web-based validation failed : Failed to request certificate :
zagz.com challenge did not pass: dns :: DNS problem: query timed out looking up A for zagz.com
DNS-based validation failed : Failed to request certificate :
zagz.com challenge did not pass: DNS problem: SERVFAIL looking up TXT for _acme-challenge.zagz.com
$ dig A zagz.com @ns1.zagz.com
; <<>> DiG 9.10.6 <<>> A zagz.com @ns1.zagz.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46174
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zagz.com. IN A
;; ANSWER SECTION:
zagz.com. 60 IN A 107.174.101.239
;; AUTHORITY SECTION:
zagz.com. 60 IN NS ns1.zagz.com.
zagz.com. 60 IN NS ns4.zagz.com.
zagz.com. 60 IN NS ns3.zagz.com.
zagz.com. 60 IN NS ns2.zagz.com.
;; ADDITIONAL SECTION:
ns1.zagz.com. 60 IN A 107.174.101.239
ns2.zagz.com. 60 IN A 165.22.165.151
ns3.zagz.com. 60 IN A 198.46.129.251
ns4.zagz.com. 60 IN A 107.172.94.45
;; Query time: 334 msec
;; SERVER: 107.174.101.239#53(107.174.101.239)
;; WHEN: Thu Aug 22 16:26:32 AEST 2019
;; MSG SIZE rcvd: 189
$ dig TXT _acme-challenge.zagz.com
; <<>> DiG 9.10.6 <<>> TXT _acme-challenge.zagz.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4787
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.zagz.com. IN TXT
;; ANSWER SECTION:
_acme-challenge.zagz.com. 5 IN TXT "S2nPWyirMrx--JvuhXii1JM9EuvvoD-u7QOcDAjFWLI"
;; Query time: 252 msec
;; SERVER: 192.168.15.1#53(192.168.15.1)
;; WHEN: Thu Aug 22 16:28:46 AEST 2019
;; MSG SIZE rcvd: 109
grep known /var/log/virtualmin/ravioli.zagz.com_access_log
107.174.101.239 - - [21/Aug/2019:03:50:56 -0400] "GET /.well-known/acme-challenge/tblBjtLhoSV9sgAgDcnDkrXSSvew-XltlGpQUZg-b5k HTTP/1.1" 200 301 "-" "Python-urllib/2.7"
107.174.101.239 - - [21/Aug/2019:04:04:12 -0400] "GET /.well-known/acme-challenge/lsQuJ9uAlCiu753KWMZ7z1yUEeoPb5StHpcjRweVSzo HTTP/1.1" 200 301 "-" "Python-urllib/2.7"
107.174.101.239 - - [21/Aug/2019:12:38:06 -0400] "GET /.well-known/acme-challenge/nyOpxT1zSPDWU-2TeJByhHMVe5S8rJhBPE6m2WB0bXI HTTP/1.1" 200 301 "-" "Python-urllib/2.7"
grep known /var/log/virtualmin/zagz.com_access_log
107.174.101.239 - - [21/Aug/2019:09:13:07 -0400] "GET /.well-known/acme-challenge/BgbU5yy4wMjUDkK6cDrUozLJBWSbUN-TjfeV7_DfHys HTTP/1.1" 301 573 "-" "Python-urllib/2.7"
107.174.101.239 - - [21/Aug/2019:10:18:06 -0400] "GET /.well-known/acme-challenge/02rl4WNhsAdC-3L7xcc0r9XYmyP46N6Eo6M6BVSSB5k HTTP/1.1" 301 573 "-" "Python-urllib/2.7"
107.174.101.239 - - [21/Aug/2019:10:29:18 -0400] "GET /.well-known/acme-challenge/mqlVxiz9al_klCp4CKWHyoCRfqVpuZP70hwsxUSashU HTTP/1.1" 301 573 "-" "Python-urllib/2.7"
107.174.101.239 - - [21/Aug/2019:11:23:09 -0400] "GET /.well-known/acme-challenge/TK_vUcZxlAQDdZxP8JCeMPv0_rxEM_x9_RBHldH9s_Q HTTP/1.1" 301 573 "-" "Python-urllib/2.7"
107.174.101.239 - - [21/Aug/2019:12:28:05 -0400] "GET /.well-known/acme-challenge/wLX3z3ALnDzvg004Aaa8ZCy0UtJA6SgkLIdjSYyu0RM HTTP/1.1" 301 573 "-" "Python-urllib/2.7"
107.174.101.239 - - [21/Aug/2019:13:33:09 -0400] "GET /.well-known/acme-challenge/5lDzC03JL20aZlN7ydxwezP7_vVjtoWnAeyHIQeAp_Q HTTP/1.1" 301 573 "-" "Python-urllib/2.7"
107.174.101.239 - - [21/Aug/2019:14:38:12 -0400] "GET /.well-known/acme-challenge/Q0Co3x6tF08A0Y8e7nePNKwBw7iJwROMBgFsLAz5f0k HTTP/1.1" 301 573 "-" "Python-urllib/2.7"
107.174.101.239 - - [21/Aug/2019:15:43:05 -0400] "GET /.well-known/acme-challenge/tbogdWxj3l5D4NmqNoyMIBWpyDDo-4ZbdVDl11Bi_ho HTTP/1.1" 301 573 "-" "Python-urllib/2.7"
107.174.101.239 - - [21/Aug/2019:16:48:08 -0400] "GET /.well-known/acme-challenge/_NpRqw23FGg0tJuPmtZu_se0wKA6a9YSkAPZe5SeS-g HTTP/1.1" 301 573 "-" "Python-urllib/2.7"
107.174.101.239 - - [21/Aug/2019:17:53:12 -0400] "GET /.well-known/acme-challenge/GWp8ShtTKQOJrf-UoxhIW_pFeFvLApYymELg-lEFK2Y HTTP/1.1" 301 573 "-" "Python-urllib/2.7"
107.174.101.239 - - [21/Aug/2019:18:58:07 -0400] "GET /.well-known/acme-challenge/9jvK1GtJ9Bi7obYJn2FMquOlg6cQ-T4rwlSQJKeMCDY HTTP/1.1" 301 573 "-" "Python-urllib/2.7"
107.174.101.239 - - [21/Aug/2019:20:03:10 -0400] "GET /.well-known/acme-challenge/U5SdlYLcY7a3xbiMXLkMJU8D97bVMgt6mZGbc9YXKaI HTTP/1.1" 301 573 "-" "Python-urllib/2.7"
107.174.101.239 - - [21/Aug/2019:21:08:05 -0400] "GET /.well-known/acme-challenge/_DdlEEvXaE77hdrkjxRwYlnnCaVHCzP4S_tt-FD1ktk HTTP/1.1" 301 573 "-" "Python-urllib/2.7"
107.174.101.239 - - [21/Aug/2019:22:13:04 -0400] "GET /.well-known/acme-challenge/4Fe7jWSPFXBbIHOLAEPdOP4TR_ToGPqp_NK3e9weWOs HTTP/1.1" 301 573 "-" "Python-urllib/2.7"
107.174.101.239 - - [21/Aug/2019:23:18:08 -0400] "GET /.well-known/acme-challenge/RB7G6vfkF_2lvK4AK6E0BI0BDlOBSbTnxRbmhFvlJkw HTTP/1.1" 301 573 "-" "Python-urllib/2.7"
107.174.101.239 - - [22/Aug/2019:00:23:11 -0400] "GET /.well-known/acme-challenge/S6nS7Bu8N1EJQzrWkSOfF5uD-K055GH2bxG2vQdz-kk HTTP/1.1" 301 573 "-" "Python-urllib/2.7"
107.174.101.239 - - [22/Aug/2019:01:28:14 -0400] "GET /.well-known/acme-challenge/peqEIIPj6BOZ5ngShkDWXqcPTHJLtIpmX-u0DEFCEP4 HTTP/1.1" 301 573 "-" "Python-urllib/2.7"
107.174.101.239 - - [22/Aug/2019:02:33:13 -0400] "GET /.well-known/acme-challenge/um4NOCP5_iLA8WWI2LRFIKs4AsqIIh6Nu2FfapcbCAE HTTP/1.1" 301 573 "-" "Python-urllib/2.7"
107.174.101.239 - - [22/Aug/2019:03:38:08 -0400] "GET /.well-known/acme-challenge/xCNeRMGuyNHYiQh1JAq9jwgV09SiYvmP3NMM5udyF4Q HTTP/1.1" 301 573 "-" "Python-urllib/2.7"
59.167.220.74 - - [22/Aug/2019:04:06:47 -0400] "GET /.well-known/acme-challenge/ HTTP/1.1" 301 524 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
107.174.101.239 - - [22/Aug/2019:04:43:10 -0400] "GET /.well-known/acme-challenge/WnP13ElasR15raDdqSNYuqdBbvoMAh0Orn9nKeQD3_c HTTP/1.1" 301 573 "-" "Python-urllib/2.7"
107.174.101.239 - - [22/Aug/2019:05:48:14 -0400] "GET /.well-known/acme-challenge/-Ht74gCsLTw2PWgM_rUaq4WeZfaiE-tJPW1Ik9qxYfY HTTP/1.1" 301 573 "-" "Python-urllib/2.7"
$ dig TXT _acme-challenge.zagz.com @ns1.zagz.com
(and all the way to @ns4) works.
DNS checks at https://mxtoolbox.com all pass.
zagz.com is hosted on 107.174.101.239, which also has a separate virtual server called ravioli.zagz.com so it can apply for its own Let’s Encrypt SSL cert for non-zagz.com domains to have SSL mail.
Both Renewal and Request certificate are also now broken for the ravioli.zagz.com virtual server. Other domains on this server occasionally fail to renew for a few hours but normally come good automatically.
It seems like http://zagz.com/.well-known/acme-challenge/ redirects to HTTPS in my WordPress .htaccess and somewhere else.
From ravioli.zagz.com Virtualmin > Server Configuration > SSL Certificate
Last successful renewal 06/23/2019 2:34 AM
Last failed renewal 08/22/2019 2:38 AM
Renewal failed due to Web-based validation failed : Failed to request certificate :
ravioli.zagz.com challenge did not pass: dns :: DNS problem: SERVFAIL looking up A for ravioli.zagz.com
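
Added example, not part of the original post: the per-nameserver dig check described above (@ns1 through @ns4), extended to compare SOA serials as well, since a slave that has not picked up the latest zone transfer shows up as a serial or TXT mismatch. The pipe-delimited record format, the function names and the file name `check_ns.sh` are assumptions of this example; the zone and nameserver hostnames are the ones in the post.

```bash
#!/bin/sh
# Added example: ask every authoritative nameserver directly (no recursion)
# for the zone's SOA serial and the ACME TXT record, then compare the answers.
ZONE="zagz.com"                                   # zone named in the post
NAMESERVERS="ns1.zagz.com ns2.zagz.com ns3.zagz.com ns4.zagz.com"

# query_ns NS NAME TYPE -> that server's answer on one line, or NO-ANSWER when
# dig fails (timeout) or returns nothing (SERVFAIL, record missing).
query_ns() {
    q_out=$(dig +norecurse +short +time=3 +tries=1 "$2" "$3" "@$1" 2>/dev/null) \
        || { echo NO-ANSWER; return 0; }
    q_out=$(printf '%s\n' "$q_out" | sort | paste -sd' ' -)
    printf '%s\n' "${q_out:-NO-ANSWER}"
}

# collect ZONE -> one record per nameserver: "ns|soa-serial|txt-values"
collect() {
    for c_ns in $NAMESERVERS; do
        c_serial=$(query_ns "$c_ns" "$1" SOA | awk '{print $3}')
        c_txt=$(query_ns "$c_ns" "_acme-challenge.$1" TXT)
        printf '%s|%s|%s\n' "$c_ns" "${c_serial:-NO-ANSWER}" "$c_txt"
    done
}

# check_consistency: reads collect-format records on stdin, prints one finding
# per problem, and returns 1 if any server gave no usable answer or disagrees
# with the first server that did answer.
check_consistency() {
    awk -F'|' '
        $2 == "NO-ANSWER" || $3 == "NO-ANSWER" {
            printf "FAIL %s: no usable answer\n", $1; bad = 1; next
        }
        !seen { serial = $2; txt = $3; seen = 1; next }
        $2 != serial { printf "FAIL %s: SOA serial %s, expected %s\n", $1, $2, serial; bad = 1 }
        $3 != txt    { printf "FAIL %s: TXT differs from first server\n", $1; bad = 1 }
        END { if (!bad) print "OK: all nameservers agree"; exit bad + 0 }
    '
}

# Live run (needs dig and network access): sh check_ns.sh --live
if [ "${1:-}" = "--live" ]; then
    collect "$ZONE" | check_consistency
fi
```

Run it while a validation attempt is in progress, because the challenge TXT record only exists for the duration of the request.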