No TLS certificates could be provisioned at this time

Letsencrypt certificate expired today, now I’m facing a problem where I cannot update the certificate manually because of the expired cert.

When I run sudo ./ -v I get this: DNS isn’t configured properly for this domain: DNS resolution failed (A: All nameservers failed to answer the query IN A: Server UDP port 53 answered SERVFAIL).

Nothing has changed on this box other than the certificate expiration. Because it cannot verify the server (because of the expired certificate), I cannot get a new certificate.

Does anyone know how to get around this issue?

Do you have glue records, and can ping from the server itself?

Yes, I can ping from the box. Literally, this server has run solidly for 2 years without issue until the cert expired this morning.

I’m on Digitalocean, and my DNS runs on the MIAB box. Godaddy DNS points to ns1/ns2 for this box.

Nothing has changed, only the expired cert.

Can you manually provision one?

sudo letsencrypt and follow the on screen prompts.

Do I need to be in a specific directory? sudo letsencrypt brings back “command not found”

Running Lets Encrypt’s tool is a great way to make modifications to your box that void your warranty. :slight_smile:

Would be good to get to the root problem here. The error message is one about DNS, not about SSL certificates. So the first thing to look at is why the box can’t resolve its own hostname. Have firewall settings changed? Does running dig on the box work? Do the Status Checks on the /admin page come back all green? Is bind running? Do you have DNSSEC turned on (and if so is it properly configured at your registrar)?

Firewall settings have not changed, nothing has changed on this box, only the expired cert. Once the cert expired the following messages now appear.

Nameserver glue records are incorrect. The and nameservers must be configured at your domain name registrar as having the IP address They currently report addresses of [Not Set]/[Not Set]. It may take several hours for public DNS to update after a change.

I have my DNS pointed to the IP correctly from GoDaddy and this has not changed (perhaps GoDaddy is having an issue?) All other DNS is managed on the MIAB box.

SSL/TLS message: (expired this morning shortly after midnight) Certificate has a problem: The certificate has expired or is not yet valid. It is valid from 2017-12-20 08:02:01 to 2018-03-20 08:02:01.

Running dig

; <<>> DiG 9.9.5-3ubuntu0.17-Ubuntu <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10221
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;		IN	A

;; Query time: 2 msec
;; WHEN: Tue Mar 20 14:46:19 CDT 2018
;; MSG SIZE  rcvd: 48

DNSSEC is turned on at GoDaddy and properly configured.

The most likely thing then is that DNSSEC is not working. The easy solution would be to turn off DNSSEC at GoDaddy (and wait for DNS caches to clear).

Can you run


and post its output?

1 Like


updated DNS:,,,,,,,,

That fixed the DNS issue running tools/dns_update

I then ran: $ sudo ./management/ and it updated the certificate just fine.

All is back to normal. Thank you for your help Josh!

Nameserver glue records are correct at registrar. [ns1/ ↦]

Domain resolves to box’s IP address. [ ↦]

Reverse DNS is set correctly at ISP. [ ↦]

The DANE TLSA record for incoming mail is correct (

Hostmaster contact address exists as a mail alias. [ ↦]

Domain’s email is directed to this domain. [ ↦ 10]

Postmaster contact address exists as a mail alias. [ ↦]

Domain is not blacklisted by

TLS (SSL) certificate is signed & valid. The certificate expires in 89 days on 06/18/18.


Of course, there’s still the question why that was necessary. That script is supposed to run each night to make sure DNSSEC records are updated.

True. But I’m a happy camper still.

Oof, sorry I keep forgetting that my box is modified. Glad it’s working though!