Failure to renew cert - secondary validation DNS issue

I am trying to renew a cert that has been renewing just fine all along.
I’m using version: Certify/ (Windows; Microsoft Windows NT 6.3.9600.0)
I’m using Challenge type: DNS-01
I’m using Method: Update DNS Manually

The error I get is:
Response from Certificate Authority: During secondary validation: DNS problem: server failure at resolver looking up TXT for [BadRequest :: urn:ietf:params:acme:error:dns]

If I lookup at any lookup tool, I get the correct info back from the txt record.

What I don’t know is if this secondary lookup is trying to reach the DNS server hosting the DNS Records for, or if it is trying to reach the web server directly.

I could do a little more digging if I knew where the failure is, at the DNS server for the host in question?, or at the web server, which is the actual host the cert is for?



Hi, Let’s Encrypt are in charge of their own domain validation process so we don’t have any special insight into that, but “server failure” implies that the response from one of your nameservers was SERVFAIL (e.g. your DNS server errored while trying to reply).

When using DNS validation Let’s Encrypt will first check the response from one of your DNS nameservers then check one or more other nameservers (the “secondary validation” part) for your domain depending on how many you have and what IPv4/IPv6 addresses they have etc, to make sure they all agree.

When you make your DNS change you need to allow enough time for your change to be copied to all of your nameservers before proceeding with the certificate request, usually though that’s only a few seconds or at most a minute, some hosted DNS servers have been known to take up to 5 minutes to copy changes properly.

When you select manual DNS you will be warned that it’s not considered a suitable method for production certificate renewals simply due to the fact it’s manual and therefore prone to variation and inaccuracies, use an automated DNS provider instead, if you can (there are many automated options).
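The process described above (query one nameserver, then the others, and require that none fails and that they all agree) can be reproduced locally before submitting the order. The following is an added example written for this thread, not code from Certify The Web or from Let's Encrypt. It uses only the Python standard library: it builds a raw DNS TXT query, sends it to each nameserver address you supply, maps the response code (2 is SERVFAIL, the "server failure" in the error message), and reports any nameserver that errors, lacks the expected token, or disagrees with the others. The domain, token and nameserver addresses in the usage block are placeholders you replace with your own values.

```python
import random
import socket
import struct
import sys

QTYPE_TXT = 16
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_txt_query(name: str, txid: int) -> bytes:
    """Build a minimal DNS query (RD set) asking for the TXT record of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE_TXT, 1)  # QCLASS=IN


def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a domain name, handling compression pointers."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # two-byte pointer terminates the name
            return offset + 2
        offset += 1 + length


def parse_txt_response(msg: bytes):
    """Return (rcode, sorted list of TXT strings) from a raw DNS response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(msg, offset) + 4          # skip QTYPE and QCLASS
    txts = []
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == QTYPE_TXT:
            # TXT RDATA is a sequence of <length byte><bytes> character-strings
            pos, parts = 0, []
            while pos < len(rdata):
                slen = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + slen].decode("utf-8", "replace"))
                pos += 1 + slen
            txts.append("".join(parts))
    return rcode, sorted(txts)


def query_txt(name: str, nameserver_ip: str, timeout: float = 3.0):
    """Send one UDP TXT query directly to an authoritative nameserver address."""
    txid = random.randrange(0, 0x10000)
    family = socket.AF_INET6 if ":" in nameserver_ip else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_txt_query(name, txid), (nameserver_ip, 53))
        data, _ = sock.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != txid:
        raise ValueError("transaction id mismatch in DNS reply")
    return parse_txt_response(data)


def check_consensus(results: dict, expected_token: str) -> list:
    """results maps nameserver -> (rcode, [txt...]); returns a list of problems.

    An empty list means every nameserver answered NOERROR, every answer
    contains the expected token, and all nameservers returned the same set."""
    problems = []
    for ns, (rcode, txts) in results.items():
        if rcode != 0:
            problems.append(f"{ns}: {RCODE_NAMES.get(rcode, rcode)}")
        elif expected_token not in txts:
            problems.append(f"{ns}: expected token not present, got {txts}")
    answers = {tuple(txts) for rcode, txts in results.values() if rcode == 0}
    if len(answers) > 1:
        problems.append("nameservers disagree: " + "; ".join(
            f"{ns}={txts}" for ns, (rcode, txts) in results.items() if rcode == 0))
    return problems


if __name__ == "__main__":
    # Placeholders: python check_txt.py _acme-challenge.example.com TOKEN 192.0.2.1 192.0.2.2
    name, token, servers = sys.argv[1], sys.argv[2], sys.argv[3:]
    results = {}
    for ip in servers:
        try:
            results[ip] = query_txt(name, ip)
        except (OSError, ValueError) as exc:
            results[ip] = (2, [])      # treat timeouts/malformed replies like SERVFAIL
            print(f"{ip}: no usable reply ({exc})")
    for line in check_consensus(results, token) or ["all nameservers agree and serve the token"]:
        print(line)
```

Run it against the IP addresses of every NS record for the zone (not your local resolver) after adding the `_acme-challenge` TXT record, and only submit the order once the list of problems is empty; a SERVFAIL from any one server reproduces the error in the original post.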

There is only one DNS, so no need to wait for propagation.

I ended up moving the domain to cloudflare. I stayed with manual to limit the number of variable changes and it worked immediately.
There must be an issue with my older version of c-panel. (Did not work under Bind or PowerDNS).

Thanks. For info you had 2 nameservers set (which is normal), and I can see you have set your domain to use cloudflare now.

Please do switch to using the automated cloudflare provider, once you have the API credentials setup and store in the app it will all work automatically.