Can't get nonce; cert expires in 2 days


#1

:47 AEDT 2019] url='https://acme-v01.api.letsencrypt.org/directory'
[Mon Mar 4 11:19:47 AEDT 2019] timeout=
[Mon Mar 4 11:19:47 AEDT 2019] _WGET='wget -q --content-on-error '
[Mon Mar 4 11:20:03 AEDT 2019] Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: 4
[Mon Mar 4 11:20:03 AEDT 2019] ret='4'
[Mon Mar 4 11:20:03 AEDT 2019] Can not init api.
[Mon Mar 4 11:20:03 AEDT 2019] Try new-authz for the 0 time.
[Mon Mar 4 11:20:03 AEDT 2019] url
[Mon Mar 4 11:20:03 AEDT 2019] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "email.wtr.com.au"}}'
[Mon Mar 4 11:20:03 AEDT 2019] RSA key
[Mon Mar 4 11:20:03 AEDT 2019] GET
[Mon Mar 4 11:20:03 AEDT 2019] url='https://acme-v01.api.letsencrypt.org/directory'
[Mon Mar 4 11:20:03 AEDT 2019] timeout=
[Mon Mar 4 11:20:03 AEDT 2019] _WGET='wget -q --content-on-error '
[Mon Mar 4 11:20:20 AEDT 2019] ret='0'
[Mon Mar 4 11:20:20 AEDT 2019] Could not get nonce, let's try again.
[Mon Mar 4 11:20:23 AEDT 2019] GET
[Mon Mar 4 11:20:23 AEDT 2019] url='https://acme-v01.api.letsencrypt.org/directory'
[Mon Mar 4 11:20:23 AEDT 2019] timeout=
[Mon Mar 4 11:20:23 AEDT 2019] _WGET='wget -q --content-on-error '
[Mon Mar 4 11:20:39 AEDT 2019] ret='0'
[Mon Mar 4 11:20:39 AEDT 2019] Could not get nonce, let's try again.
[Mon Mar 4 11:20:42 AEDT 2019] GET
[Mon Mar 4 11:20:42 AEDT 2019] url='https://acme-v01.api.letsencrypt.org/directory'
[Mon Mar 4 11:20:42 AEDT 2019] timeout=
[Mon Mar 4 11:20:42 AEDT 2019] _WGET='wget -q --content-on-error '
[Mon Mar 4 11:20:58 AEDT 2019] ret='0'
[Mon Mar 4 11:20:58 AEDT 2019] Could not get nonce, let's try again.
[Mon Mar 4 11:21:01 AEDT 2019] GET
[Mon Mar 4 11:21:01 AEDT 2019] url='https://acme-v01.api.letsencrypt.org/directory'
[Mon Mar 4 11:21:01 AEDT 2019] timeout=
[Mon Mar 4 11:21:01 AEDT 2019] _WGET='wget -q --content-on-error '


#2

Cannot ping acme-v01.api.letsencrypt.org, nor wget it.

wget = failed: Name or service not known

ping = unknown host


#3

Is the system’s DNS resolver working at all? Can it resolve, say, google.com or ntp.org?


#4

Yes, if I do host google.com I get:
host google.com
google.com has address 216.58.200.110
google.com has IPv6 address 2404:6800:4006:808::200e
google.com mail is handled by 10 aspmx.l.google.com.
google.com mail is handled by 50 alt4.aspmx.l.google.com.
google.com mail is handled by 40 alt3.aspmx.l.google.com.
google.com mail is handled by 30 alt2.aspmx.l.google.com.
google.com mail is handled by 20 alt1.aspmx.l.google.com.


#5

host letsencrypt.org
letsencrypt.org has address 23.49.226.12
letsencrypt.org has IPv6 address 2600:1415:11:485::ce0
letsencrypt.org has IPv6 address 2600:1415:11:496::ce0
letsencrypt.org mail is handled by 10 aspmx3.googlemail.com.
letsencrypt.org mail is handled by 10 aspmx2.googlemail.com.
letsencrypt.org mail is handled by 5 alt2.aspmx.l.google.com.
letsencrypt.org mail is handled by 5 alt1.aspmx.l.google.com.
letsencrypt.org mail is handled by 1 aspmx.l.google.com.


#6

What’s the resolver? Any idea what might be wrong with it?

Does acme-v01.api.letsencrypt.org work now?

Exactly what does “dig acme-v01.api.letsencrypt.org” show?

Do these work?

dig cdn.onenote.net

dig mattnordhoff.net

dig www.npr.org


#7

dig acme-v01.api.letsencrypt.org

; <<>> DiG 9.9.5-9+deb8u15-Debian <<>> acme-v01.api.letsencrypt.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50064
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;acme-v01.api.letsencrypt.org. IN A

;; Query time: 5007 msec
;; SERVER: private.ip.address#53(private.ip.address) internal address eg 192.168.x.x
;; WHEN: Mon Mar 04 12:44:10 AEDT 2019
;; MSG SIZE rcvd: 57

dig cdn.onenote.net

; <<>> DiG 9.9.5-9+deb8u15-Debian <<>> cdn.onenote.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56246
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;cdn.onenote.net. IN A

;; Query time: 5128 msec
;; SERVER: private.ip.address#53(private.ip.address) internal address eg 192.168.x.x
;; WHEN: Mon Mar 04 12:45:03 AEDT 2019
;; MSG SIZE rcvd: 44

dig mattnordhoff.net

; <<>> DiG 9.9.5-9+deb8u15-Debian <<>> mattnordhoff.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11645
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;mattnordhoff.net. IN A

;; Query time: 5481 msec
;; SERVER: private.ip.address#53(private.ip.address) internal address eg 192.168.x.x
;; WHEN: Mon Mar 04 12:45:38 AEDT 2019
;; MSG SIZE rcvd: 45

dig www.npr.org

; <<>> DiG 9.9.5-9+deb8u15-Debian <<>> www.npr.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7191
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;www.npr.org. IN A

;; Query time: 4903 msec
;; SERVER: private.ip.address#53(private.ip.address) internal address eg 192.168.x.x
;; WHEN: Mon Mar 04 12:46:01 AEDT 2019
;; MSG SIZE rcvd: 40


#8

It seems like your resolver may be unable to resolve .net domains…

(.com and .net use the same DNS infrastructure, so it might be interesting that google.com worked.)

letsencrypt.org, onenote.net and npr.org use different DNS services, but acme-v01.api.letsencrypt.org, cdn.onenote.net and www.npr.org are all CNAMEs to Akamai’s CDN.

mattnordhoff.net is on a different DNS service and doesn’t use Akamai.

cdn.onenote.net.                     2367   CNAME  cdn.onenote.net.edgekey.net.
cdn.onenote.net.edgekey.net.         444    CNAME  e1553.dspg.akamaiedge.net.
e1553.dspg.akamaiedge.net.           1      A      184.50.166.121
e1553.dspg.akamaiedge.net.           20     AAAA   2600:141b:5000:58f::611
e1553.dspg.akamaiedge.net.           20     AAAA   2600:141b:5000:59e::611

acme-v01.api.letsencrypt.org.        317    CNAME  api.letsencrypt.org-ng.edgekey.net.
api.letsencrypt.org-ng.edgekey.net.  14718  CNAME  e14990.dscx.akamaiedge.net.
e14990.dscx.akamaiedge.net.          20     A      104.110.150.170
e14990.dscx.akamaiedge.net.          20     AAAA   2600:141b:13:289::3a8e
e14990.dscx.akamaiedge.net.          20     AAAA   2600:141b:13:29a::3a8e

www.npr.org.                         167    CNAME  www.npr.org.edgekey.net.
www.npr.org.edgekey.net.             9149   CNAME  e4437.dscf.akamaiedge.net.
e4437.dscf.akamaiedge.net.           20     A      23.204.157.90
e4437.dscf.akamaiedge.net.           20     AAAA   2600:141b:5000:596::1155
e4437.dscf.akamaiedge.net.           20     AAAA   2600:141b:5000:59c::1155

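The diagnosis in the post above rests on two comparisons: do the failing names share a terminal zone after following their CNAME chains (here, Akamai's akamaiedge.net), and does a name still fail when asked through a different resolver. The script below is an added example, not code from this thread or from acme.sh: it parses dig transcripts of the shape shown in post #7 and the record table shown in post #8 (both embedded here as constructed sample data), follows each probe's CNAME chain to its terminal zone, groups outcomes by that zone, and lists names that SERVFAIL locally but answer elsewhere. The second-resolver results (OTHER) are hypothetical, constructed to show the local-only failure check; with the thread's own data, mattnordhoff.net fails too, so the verdict is "multi-zone" rather than an Akamai-specific fault, which matches where the thread ended up.

```python
"""Triage SERVFAIL answers by CNAME target, offline, from dig transcripts.
Added example, not code from the thread or from acme.sh: the transcripts and the
record table are constructed from what the thread shows; the second-resolver
results (OTHER) are hypothetical."""
import re
from collections import defaultdict, namedtuple

DigResult = namedtuple("DigResult", "qname status query_ms records")
_STATUS = re.compile(r"status: ([A-Z]+),")
_QTIME = re.compile(r"Query time: (\d+) msec")
_QUESTION = re.compile(r"^;(\S+)\s+IN\s+[A-Z]+$")

def parse_rr(line):
    """'owner TTL [IN] TYPE RDATA' as dig prints it, or as in the table above."""
    parts = line.split()
    if len(parts) > 2 and parts[2] == "IN":
        del parts[2]
    if len(parts) < 4 or not parts[1].isdigit():
        return None
    rdata = " ".join(parts[3:]).rstrip(".").lower()
    return parts[0].rstrip(".").lower(), int(parts[1]), parts[2], rdata

def parse_dig(text):
    """Pull status, question name, timing and answer RRs out of one dig run."""
    qname = status = None
    query_ms, records = 0, []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if not line.startswith(";"):
            if (rr := parse_rr(line)):
                records.append(rr)
        elif (m := _STATUS.search(line)):
            status = m.group(1)
        elif (m := _QTIME.search(line)):
            query_ms = int(m.group(1))
        elif (m := _QUESTION.match(line)):
            qname = m.group(1).rstrip(".").lower()
    if qname is None or status is None:
        raise ValueError("not a dig transcript")
    return DigResult(qname, status, query_ms, records)

def terminal_zone(name, cnames, labels=2):
    """Follow the CNAME chain (loop-safe); return the last `labels` labels of its end."""
    seen = set()
    while name in cnames and name not in seen:
        seen.add(name)
        name = cnames[name]
    return ".".join(name.split(".")[-labels:])

def triage(results, cnames):
    """Bucket probes by terminal zone. One failing zone implicates that zone (or the
    path to its nameservers); failures across unrelated zones implicate the resolver."""
    by_zone = defaultdict(lambda: {"ok": [], "fail": []})
    for r in results:
        bucket = "ok" if r.status == "NOERROR" else "fail"
        by_zone[terminal_zone(r.qname, cnames)][bucket].append(r.qname)
    failing = [z for z, b in by_zone.items() if b["fail"]]
    return {0: "none", 1: "single-zone"}.get(len(failing), "multi-zone"), dict(by_zone)

def compare_resolvers(local, other):
    """Names that fail on the local resolver but resolve through another one."""
    ok_elsewhere = {r.qname for r in other if r.status == "NOERROR"}
    return sorted(r.qname for r in local if r.status != "NOERROR" and r.qname in ok_elsewhere)

# Constructed sample input: a trimmed SERVFAIL transcript like the one in post #7.
SERVFAIL_ACME = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50064
;; QUESTION SECTION:
;acme-v01.api.letsencrypt.org. IN A
;; Query time: 5007 msec
"""
# Constructed: a NOERROR transcript for letsencrypt.org using the address from post #5.
NOERROR_LE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; QUESTION SECTION:
;letsencrypt.org. IN A
;; ANSWER SECTION:
letsencrypt.org. 300 IN A 23.49.226.12
;; Query time: 31 msec
"""
# The CNAME chains from post #8 (A/AAAA rows other than one omitted for brevity).
CHAIN_TABLE = """\
cdn.onenote.net.                     2367   CNAME  cdn.onenote.net.edgekey.net.
cdn.onenote.net.edgekey.net.         444    CNAME  e1553.dspg.akamaiedge.net.
acme-v01.api.letsencrypt.org.        317    CNAME  api.letsencrypt.org-ng.edgekey.net.
api.letsencrypt.org-ng.edgekey.net.  14718  CNAME  e14990.dscx.akamaiedge.net.
e14990.dscx.akamaiedge.net.          20     A      104.110.150.170
www.npr.org.                         167    CNAME  www.npr.org.edgekey.net.
www.npr.org.edgekey.net.             9149   CNAME  e4437.dscf.akamaiedge.net.
"""
CHAIN = [rr for rr in map(parse_rr, CHAIN_TABLE.splitlines()) if rr]
CNAMES = {o: r for o, _, t, r in CHAIN if t == "CNAME"}
LOCAL_RESULTS = [parse_dig(SERVFAIL_ACME), parse_dig(NOERROR_LE)] + [
    DigResult(n, s, ms, []) for n, s, ms in [
        ("cdn.onenote.net", "SERVFAIL", 5128), ("mattnordhoff.net", "SERVFAIL", 5481),
        ("www.npr.org", "SERVFAIL", 4903), ("google.com", "NOERROR", 20)]]
# Hypothetical: the same probes sent to a different resolver all answer.
OTHER = [r._replace(status="NOERROR", query_ms=30) for r in LOCAL_RESULTS]

if __name__ == "__main__":
    print(triage(LOCAL_RESULTS, CNAMES))
    print("fail only on local resolver:", compare_resolvers(LOCAL_RESULTS, OTHER))
```

To use this on a live box, paste real `dig name` output into `parse_dig` for each probe, once against the configured resolver and once with `@` pointing at an independent one; a non-empty `compare_resolvers` list with a "multi-zone" verdict is the signature of a broken or intermittently failing local resolver rather than a problem at the CDN or the CA.

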
#9

Correct, thank you mnordhoff. It was some convoluted DNS setup where failure was intermittent. Thank you so much.

