ACME DNS Timeout - Manual tries get successful result

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
planetkimsmith.com

I ran this command:
certbot certonly --manual --preferred-challenges dns --cert-name planetkimsmith.com --key-type ecdsa -d planetkimsmith.com,*.planetkimsmith.com

It produced this output:
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: planetkimsmith.com
    Type: dns
    Detail: DNS problem: query timed out looking up TXT for
    _acme-challenge.planetkimsmith.com

    Domain: planetkimsmith.com
    Type: dns
    Detail: DNS problem: query timed out looking up TXT for
    _acme-challenge.planetkimsmith.com

My web server is (include version):
n/a

The operating system my web server runs on is (include version):
CentOS 8

My hosting provider, if applicable, is:
n/a

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.12.0

From the server I type:
dig _acme-challenge.planetkimsmith.com TXT
; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8_3.1 <<>> @8.8.8.8 _acme-challenge.planetkimsmith.com TXT
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42128
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.planetkimsmith.com. IN TXT

;; ANSWER SECTION:
_acme-challenge.planetkimsmith.com. 21599 IN TXT "b0ReAlrQ5PL5hds7Qf4kvMBAX59_cMlzb-tu3N6oV9g"
_acme-challenge.planetkimsmith.com. 21599 IN TXT "sChgJMf_rGaouVAPqk4-f8OsYXmVfrQcQk2MDYCiU5c"

;; Query time: 154 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Jun 27 10:01:04 CDT 2021
;; MSG SIZE rcvd: 175

I can also type:
dig -6 _acme-challenge.planetkimsmith.com TXT

; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8_3.1 <<>> -6 _acme-challenge.planetkimsmith.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28426
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.planetkimsmith.com. IN TXT

;; ANSWER SECTION:
_acme-challenge.planetkimsmith.com. 21599 IN TXT "b0ReAlrQ5PL5hds7Qf4kvMBAX59_cMlzb-tu3N6oV9g"
_acme-challenge.planetkimsmith.com. 21599 IN TXT "sChgJMf_rGaouVAPqk4-f8OsYXmVfrQcQk2MDYCiU5c"

;; Query time: 113 msec
;; SERVER: ::ffff:8.8.8.8#53(::ffff:8.8.8.8)
;; WHEN: Sun Jun 27 10:03:01 CDT 2021
;; MSG SIZE rcvd: 175

1 Like

Welcome to the Let's Encrypt Community, Kenny :slightly_smiling_face:

The results from unboundtest.com might give a better picture of what's happening:

https://unboundtest.com/m/TXT/planetkimsmith.com/YXVHBXWC

2 Likes

Ok, that is a really awesome tool. I've never seen any TCP connections on port 53 on my DNS servers. I plugged the hole thinking it was unused. I enjoy being wrong. Thank you for the help and the tool!

2 Likes
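The thread's root cause was TCP port 53 being filtered on the authoritative nameservers: a resolver that gets a truncated (TC=1) UDP reply retries over TCP, and if that connection never completes the lookup times out exactly as Certbot reported. The following is an added diagnostic, not code from the thread, Certbot or Let's Encrypt; it sends the same TXT query over UDP and over TCP directly to a nameserver IP you supply, so a mismatch between the two transports shows up before an ACME order is attempted. The function names are mine, and the script assumes the server IP is an IPv4 address of one of the zone's authoritative servers.

```python
import socket
import struct
import sys

def build_query(name: str, qtype: int = 16, qid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query: header with RD set, one question, class IN (qtype 16 = TXT)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def parse_header(msg: bytes) -> dict:
    """Pull id, TC (truncated) flag, RCODE and answer count out of a DNS message header."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": qid, "tc": bool(flags & 0x0200), "rcode": flags & 0x000F, "answers": an}

def query_udp(server: str, name: str, timeout: float = 3.0) -> dict:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_header(data)

def query_tcp(server: str, name: str, timeout: float = 3.0) -> dict:
    q = build_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(q)) + q)      # RFC 1035 TCP framing: 2-byte length prefix
        length = struct.unpack(">H", s.recv(2))[0]
        data = b""
        while len(data) < length:                      # the reply may arrive in several segments
            chunk = s.recv(length - len(data))
            if not chunk:
                raise ConnectionError("short DNS/TCP read")
            data += chunk
    return parse_header(data)

def check_transports(server: str, name: str) -> dict:
    """Query the same name over both transports; a TCP-only error reproduces the thread's failure."""
    results = {}
    for label, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            results[label] = fn(server, name)
        except OSError as exc:                         # covers timeouts and refused connections
            results[label] = {"error": type(exc).__name__}
    return results

if __name__ == "__main__":
    # usage: python dns_tcp_check.py <authoritative-ns-ipv4> _acme-challenge.<your-domain>
    print(check_transports(sys.argv[1], sys.argv[2]))
```

A healthy server returns the same answer count on both transports; `{"tcp": {"error": "TimeoutError"}}` next to a good UDP result is the filtered-port symptom from this thread.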

Glad it worked out! :slightly_smiling_face:

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.