`A` record lookup timeout on cert renewal

Help
1

Hello! I’m having trouble with a domain that times out on A record querying from LetsEncrypt side… and unfortunately we need to find enough information about what’s wrong to be able to help the people managing the domain (they overhauled their setup around November 30th last year).

I checked the address using:

They all find the A record.

Letsdebug however confirms the A record timeout problem I’m seeing from the real server: https://letsdebug.net/car.ms.gov.tl/95038

I also tried a dig car.ms.gov.tl from assorted providers using different DNS servers.
The only “off” thing I can see is that the domain is served by 2 Authoritativ servers that are ns1.tic.gov.tl. and ns2.tic.gov.tl. and the second of them is down/unavailable.

Full data follows!
Thank you,
Roberto

My domain is:
car.ms.gov.tl

I ran this command:
dehydrated --cron --domain car.ms.gov.tl

It produced this output:

Processing car.ms.gov.tl
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Dec 30 14:00:42 2019 GMT (Less than 30 days). Renewing!
 + Signing domains...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for car.ms.gov.tl
 + 1 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for car.ms.gov.tl authorization...
 + Cleaning challenge tokens...
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:dns",
    "detail": "DNS problem: query timed out looking up A for car.ms.gov.tl",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/2424587524/ZHwewQ",
  "token": "yXUMHI5vpCkNAuu7dU3obTcEtUn0IbidbQtq6BKPpUY"
})

My web server is (include version):
nginx version: nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 16.04.4 LTS

My hosting provider, if applicable, is:
Digital Ocean (Singapore) / DNS are managed by East Timor Government

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
Dehydrated version: 0.6.5
GIT-Revision: 05eda91a2fbaed1e13c733230238fc68475c535e

1 Like
2

There is more to see:
https://dnsspy.io/scan/ms.gov.tl

2 Likes
3

Wow, they fixed the ns2 server now :slight_smile:
Still, the host is defined and I can get its A record from more or less anywhere in the world, even if the DNS setup isn’t stellar. I still can’t see why Let’s Encrypt server times out doing the same.
Unless they didn’t update their SOA serial properly after a change… let me get in touch again with them.

2 Likes
4

It wouldn’t cost much to spin up a third (cloud) DNS server outside that network.
Best of luck :slight_smile:

2 Likes
5

I’m not really sure what they did, but now it did work and I got a renewed cert.

Their old ns1.tic.gov.tl and ns2.tic.gov.tl aren’t answering a dig @ anymore so it might be they moved their domain(s) to different DNSes that I still can’t see anywhere (all queries and websites show the old ones).
We’ll see in a few hours I guess (right now the main provider in Timor is NOT resolving the name at all…)

2 Likes
6

They ended up moving the servers to a different subnet and now it works. They still have the old SOA serial too. I’d like to know what was the issue but I probably can’t get more details than this :slight_smile:

2 Likes
7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.