Cannot Obtain Certificate - No Valid AAAA Record Found

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
codex.turriff.net

I ran this command:
N/A - I am maintaining my certificate registrations using Traefik v3.1

It produced this output:
2024-07-23T05:03:26Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [codex.turriff.net]: error: one or more domains had a problem:\n[codex.turriff.net] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: query timed out looking up A for codex.turriff.net; no valid AAAA records found for codex.turriff.net\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["codex.turriff.net"] providerName=le.acme routerName=codex-rtr@swarm rule=Host(codex.turriff.net)

My web server is (include version):
Traefik v3.1

The operating system my web server runs on is (include version):
Docker container running on top of Arch Linux, last updated 2024-07-21

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
3.1

This has worked for a number of other domains under turriff.net, last around the 1st of July (would have to check exact date). According to Let's Debug, there is (should be) no problem obtaining this certificate.

The DNS delegations for turriff.net aren't right; the .net nameservers think that the nameservers are at one IP, but asking those nameservers gives different IPs.

https://dnsviz.net/d/codex.turriff.net/servers/

You need a working domain name before you can get certificates for it.


I am surprised things ever worked, given what I found after this pointer. Yeah, it was the delegation. Thanks for the help.


Glad you figured it out. A lot of clients (web browsers, OS DNS resolvers, etc.) go way out of their way to try to work around broken domain configurations, which can make some problems tough to debug.

DNSViz is still saying that there's something wrong with how your domain is signing the response saying that the name doesn't have an AAAA entry, though my knowledge of DNSSEC isn't quite comprehensive enough to help interpret what it's saying.

https://dnsviz.net/d/codex.turriff.net/dnssec/?rr=all&a=all&ds=all&doe=on&ta=.&tk=

  • NSEC3 proving non-existence of codex.turriff.net/AAAA: The salt value for an NSEC3 record should be empty. See RFC 9276, Sec. 3.1.
  • NSEC3 proving non-existence of codex.turriff.net/AAAA: An iterations count of 0 must be used in NSEC3 records to alleviate computational burdens. See RFC 9276, Sec. 3.1.

Unboundtest doesn't seem to have any problem, though.

https://unboundtest.com/m/AAAA/codex.turriff.net/43RPSC5X

*shrug*

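As an added example (not from this thread or from Traefik), a small stdlib-only Python check that models the two findings above: a delegation whose parent-side glue disagrees with what the zone's own servers return, and NSEC3PARAM values checked against RFC 9276, Section 3.1. The zone name and addresses are constructed placeholders; in practice the two inputs would come from querying the TLD servers and the zone's authoritative servers separately.

```python
"""Added example: offline model of the two DNS findings in this thread.

Inputs are constructed placeholders (RFC 5737 documentation addresses and an
example.net zone); nothing here queries the network.
"""


def nsec3param_problems(rdata: str) -> list[str]:
    """rdata is NSEC3PARAM presentation format: 'alg flags iterations salt'.
    RFC 9276, Section 3.1: iterations MUST be 0, salt SHOULD be empty."""
    alg, flags, iterations, salt = rdata.split()
    problems = []
    if int(iterations) != 0:
        problems.append(f"iterations={iterations}: must be 0 (RFC 9276 sec 3.1)")
    if salt != "-":  # '-' is the presentation form of an empty salt
        problems.append(f"salt={salt}: should be empty (RFC 9276 sec 3.1)")
    return problems


def delegation_problems(parent_glue: dict[str, set[str]],
                        child_ns: dict[str, set[str]]) -> list[str]:
    """Compare the NS names and glue IPs the parent (TLD) hands out with the
    NS RRset and addresses the zone's own servers return. Any difference is
    the kind of inconsistency DNSViz flags and a strict validator may reject."""
    problems = []
    for ns in sorted(set(parent_glue) - set(child_ns)):
        problems.append(f"{ns}: delegated by parent but not in child NS set")
    for ns in sorted(set(child_ns) - set(parent_glue)):
        problems.append(f"{ns}: in child NS set but parent does not delegate to it")
    for ns in sorted(set(parent_glue) & set(child_ns)):
        p, c = parent_glue[ns], child_ns[ns]
        if p != c:
            problems.append(f"{ns}: parent glue {sorted(p)} != child address {sorted(c)}")
    return problems


# Constructed sample: parent and child agree on the NS names but not on the
# address of ns1, the shape of the problem reported for turriff.net above.
PARENT_GLUE = {"ns1.example.net.": {"192.0.2.1"}, "ns2.example.net.": {"192.0.2.2"}}
CHILD_NS = {"ns1.example.net.": {"198.51.100.1"}, "ns2.example.net.": {"192.0.2.2"}}

if __name__ == "__main__":
    findings = delegation_problems(PARENT_GLUE, CHILD_NS)
    findings += nsec3param_problems("1 0 10 AABBCCDD")  # constructed, non-compliant params
    for line in findings:
        print("WARN", line)
```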
