Looking for help with LE Renewal / DNS issues

SYSTEM INFORMATION
OS type and version Rocky 7.2
Virtualmin version 7.8 Pro

I’m running into issues with renewing my Wildcard LE certs - the renewal process is failing with a notice that no nameservers could be found for the domains to be renewed. Here’s my setup:

  • Domains are registered at Namecheap.com
  • One domain (aiskondns.net) has Namecheap as its Nameservers, and I use Dynamic DNS to update the records for those nameservers.
  • All of my other domains, such as aiskon.net and gjschaller.com, use ns1 & ns2.aiskondns.net for their nameservers.
  • The Virtualmin server is a Rocky Linux VM running on a TrueNAS Host.
  • I am running a FreshTomato router with the VM in the DMZ of the router, so port forwarding should not be an issue.

What I can’t figure out is why the LE process says the nameservers can’t be found. The servers can be resolved without issue, the ports are open on my Virtualmin firewall, and regular browsers seem to resolve the sites without issue from the outside world.

The only relevant change I made is I changed Rocky Linux to the Security SIG, as detailed here:

But that doesn’t mention changes to DNS. (If this is, in fact, the cause, I’d prefer to find a way to resolve it, so I can keep my VM on the Security path.)

Any clue as to why LE is having DNS issues with my setup?

Thank you for any guidance or help!

When I try to renew *.gjschaller.com, I get the following:

Checking external connectivity for gjschaller.com ..
.. errors were found, which will prevent Let's Encrypt from issuing a certificate :
DNS resolution failed : Failed to lookup gjschaller.com and www.gjschaller.com
Nameserver lookup failed : Could not find any nameservers for gjschaller.com
Failed to ping IPv6 address : Ping of fd4b:c2c4:3b9a:49fb:2a0:98ff:fe65:1493 did not response in 5 seconds

I renewed the various aiskon.net domains manually as individual certs, so the sites would be online & current.

Namecheap settings for Nameservers:

Looks like you have IPv6 AAAA records, but IPv6 is not working.

I don’t know that that’s the problem (the error doesn’t make it sound like it’s the only problem), but it’s certainly a problem. Let’s Encrypt will likely prefer the IPv6 address, if a record exists.

Digging into this further, it looks like this is a DNS propagation issue at Namecheap - I can’t resolve the domains at all using nslookup, and trying from multiple DNS servers. I’m opening a case with them.

Here’s their response:

There are no SOA records for the domains psi-13.com, newtonewell.com, judgeandsarah.com, harlockhouse.org, and gjschaller.com.

Please contact your hosting provider (the one that provided you with IP 76.117.62.249) to check the issue on their end.

The domains aiskon.net, aiskondns.net, and geoffanddiane.com are propagated correctly.

My DNS records show:

Domain             nslookup result                                          SOA
aiskon.net         76.117.62.249                                            webhost.aiskon.net. root.webhost.aiskon.net. 2023101331 3600 600 1209600 3600
aiskondns.net      76.117.62.249                                            ns1.aiskon.net. root.ns1.aiskon.net. 2023101308 3600 600 1209600 3600
geoffanddiane.com  76.117.62.249                                            webhost.aiskon.net. root.webhost.aiskon.net. 2023101102 3600 600 1209600 3600
gjschaller.com     *** [1.1.1.1] can’t find gjschaller.com: Server failed   webhost.aiskon.net. root.webhost.aiskon.net. 2023102686 3600 600 1209600 3600
harlockhouse.org   *** [1.1.1.1] can’t find gjschaller.com: Server failed   webhost.aiskon.net. root.webhost.aiskon.net. 2023102666 3600 600 1209600 3600
judgeandsarah.com  *** [1.1.1.1] can’t find gjschaller.com: Server failed   ns1.aiskon.net. root.ns1.aiskon.net. 2023101639 3600 600 1209600 3600
newtonewell.com    *** [1.1.1.1] can’t find gjschaller.com: Server failed   ns1.aiskon.net. root.ns1.aiskon.net. 2023101639 3600 600 1209600 3600
psi-13.com         *** [1.1.1.1] can’t find gjschaller.com: Server failed   webhost.aiskon.net. root.webhost.aiskon.net. 2023101639 3600 600 1209600 3600

So, like most “good” issues, there was more than one thing going on here, making it confusing.

The first is that my Nameservers weren’t updated correctly - I wound up removing then re-adding the DNS feature to each host, resetting them to what they should be.

The second is that my router wasn’t configured for IPv6 correctly. I had to research and change some settings for it to go through.

Now that both are done, I’m able to renew LE Wildcard certs. Thank you for the guidance!
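The two root causes in this thread (authoritative servers returning SERVFAIL / no SOA for some zones, and an AAAA record the outside world cannot reach) are both visible from a public resolver before Let's Encrypt is ever contacted. The script below is an added example, not Virtualmin's own "Checking external connectivity" code and not anything posted in the thread. It shells out to `dig` (bind-utils on Rocky), parses the status and ANSWER section, and reports SERVFAIL, missing NS/SOA, and AAAA records that are not globally routable. Note that the IPv6 address in the error above, fd4b:c2c4:3b9a:49fb:2a0:98ff:fe65:1493, is in the fc00::/7 unique-local range, which is never routed on the public internet, so any external validator will fail to reach it regardless of router configuration. The `SAMPLE_*` strings are constructed dig output and example.net is a placeholder domain.

```python
"""Pre-flight DNS checks to run before a Let's Encrypt renewal.

Added example (not Virtualmin code). Requires `dig` for the network path;
parse_dig() and assess() work offline on captured output.
"""
import ipaddress
import re
import subprocess

STATUS_RE = re.compile(r"status:\s*([A-Z]+)")


def parse_dig(output):
    """Parse `dig +noall +comments +answer` output into (rcode, records).

    records is a list of (owner, rrtype, rdata) from the ANSWER section;
    rcode is the status from the header comment (NOERROR, SERVFAIL, ...).
    """
    rcode, records = None, []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(";"):            # comment / header line
            m = STATUS_RE.search(line)
            if m:
                rcode = m.group(1)
            continue
        fields = line.split(None, 4)        # owner ttl class type rdata
        if len(fields) == 5 and fields[2] == "IN":
            owner, _ttl, _cls, rrtype, rdata = fields
            records.append((owner.rstrip("."), rrtype, rdata))
    return rcode, records


def dig(domain, rrtype, resolver):
    """Query one resolver for domain/rrtype (network call) and parse it."""
    cmd = ["dig", "+noall", "+comments", "+answer", f"@{resolver}", domain, rrtype]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return parse_dig(proc.stdout)


def assess(domain, ns, soa, aaaa):
    """Turn parsed NS, SOA and AAAA lookups into findings; [] means OK."""
    findings = []
    lookups = {"NS": ns, "SOA": soa, "AAAA": aaaa}
    failed = [t for t, (rcode, _) in lookups.items() if rcode == "SERVFAIL"]
    if failed:
        findings.append(
            f"resolver returned SERVFAIL for {domain} ({', '.join(failed)}): "
            "the authoritative servers are not answering for this zone")
    if not [r for _, t, r in ns[1] if t == "NS"]:
        findings.append(f"no NS records for {domain}")
    if not [r for _, t, r in soa[1] if t == "SOA"]:
        findings.append(f"no SOA record for {domain}")
    for _, t, rdata in aaaa[1]:
        if t != "AAAA":
            continue
        try:
            addr = ipaddress.IPv6Address(rdata)
        except ValueError:
            findings.append(f"unparseable AAAA rdata {rdata!r} for {domain}")
            continue
        if not addr.is_global:   # ULA (fc00::/7), link-local, loopback, ...
            findings.append(
                f"AAAA {rdata} for {domain} is not globally routable; "
                "Let's Encrypt's validators cannot reach it")
    return findings


def preflight(domain, resolver="1.1.1.1"):
    """Network entry point: run the three lookups and return findings."""
    return assess(domain, dig(domain, "NS", resolver),
                  dig(domain, "SOA", resolver), dig(domain, "AAAA", resolver))


# Constructed sample dig output for offline use (not captured from any server).
SAMPLE_NS_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; ANSWER SECTION:
example.net.\t\t3600\tIN\tNS\tns1.example.net.
example.net.\t\t3600\tIN\tNS\tns2.example.net.
"""
SAMPLE_SOA_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; ANSWER SECTION:
example.net.\t\t3600\tIN\tSOA\tns1.example.net. root.example.net. 2023101331 3600 600 1209600 3600
"""
SAMPLE_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_AAAA_ULA = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4245
;; ANSWER SECTION:
example.net.\t\t3600\tIN\tAAAA\tfd4b:c2c4:3b9a:49fb:2a0:98ff:fe65:1493
"""

if __name__ == "__main__":
    import sys
    for d in sys.argv[1:]:
        problems = preflight(d)
        print(d, "OK" if not problems else "")
        for p in problems:
            print("  -", p)
```

Run it as `python3 preflight.py gjschaller.com aiskon.net` against a public resolver such as 1.1.1.1 rather than the server's own resolver: a zone that the local BIND serves fine can still SERVFAIL from outside, which is exactly the case Namecheap reported above. A second run against a different resolver (8.8.8.8) separates a propagation problem from a broken authoritative server.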
