Certbot renew failed: DNS problem

My domain is: tferreira.tk (and subdomain civil.tferreira.tk)

I ran this command: certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/civil.tferreira.tk.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for civil.tferreira.tk
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (civil.tferreira.tk) from /etc/letsencrypt/renewal/civil.tferreira.tk.conf produced an unexpected error: Failed authorization procedure. civil.tferreira.tk (http-01): urn:ietf:params:acme:error:dns :: DNS problem: query timed out looking up CAA for tk. Skipping.


Processing /etc/letsencrypt/renewal/tferreira.tk.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for tferreira.tk
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (tferreira.tk) from /etc/letsencrypt/renewal/tferreira.tk.conf produced an unexpected error: Failed authorization procedure. tferreira.tk (http-01): urn:ietf:params:acme:error:dns :: DNS problem: query timed out looking up CAA for tk. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/civil.tferreira.tk/fullchain.pem (failure)
/etc/letsencrypt/live/tferreira.tk/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/civil.tferreira.tk/fullchain.pem (failure)
/etc/letsencrypt/live/tferreira.tk/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: civil.tferreira.tk
    Type: None
    Detail: DNS problem: query timed out looking up CAA for tk

  • The following errors were reported by the server:

    Domain: tferreira.tk
    Type: None
    Detail: DNS problem: query timed out looking up CAA for tk

My web server is (include version): nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Additional information: Performing a dig to get the CAA records works fine:

; <<>> DiG 9.10.6 <<>> tferreira.tk caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49392
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;tferreira.tk. IN CAA

;; AUTHORITY SECTION:
tferreira.tk. 1008 IN SOA roan.ns.cloudflare.com. dns.cloudflare.com. 2032610764 10000 2400 604800 3600

;; Query time: 11 msec
;; SERVER: 10.39.10.1#53(10.39.10.1)
;; WHEN: Fri Nov 22 17:00:54 WET 2019
;; MSG SIZE rcvd: 103


Hi @tiagommferreira

That's simple: the tk zone is terrible. Checking your domain - https://check-your-website.server-daten.de/?q=tferreira.tk - shows a lot of red-marked name servers.

The tk zone isn't signed, no DNSSEC support. Most top level domain zones are signed (newer TLD zones - DNSSEC is required).

Name servers with timeouts, no TCP support.

X Fatal error: Nameserver doesn't support TCP connection: a.ns.tk / 2001:678:50::1: Timeout
X Fatal error: Nameserver doesn't support TCP connection: b.ns.tk / 194.0.39.1: Fatal error (0)
X Fatal error: Nameserver doesn't support TCP connection: b.ns.tk / 2001:678:54::1: Timeout
X Fatal error: Nameserver doesn't support TCP connection: c.ns.tk / 194.0.40.1: Fatal error (0)
X Fatal error: Nameserver doesn't support TCP connection: c.ns.tk / 2001:678:58::1: Timeout
X Fatal error: Nameserver doesn't support TCP connection: d.ns.tk / 194.0.41.1: Fatal error (0)
X Fatal error: Nameserver doesn't support TCP connection: d.ns.tk / 2001:678:5c::1: Timeout
A Info: Nameserver mit different domain names found. May be a problem with DNS-Updates
X Nameserver Timeout checking Echo Capitalization: a.ns.tk / 2001:678:50::1
X Nameserver Timeout checking Echo Capitalization: b.ns.tk / 2001:678:54::1
X Nameserver Timeout checking Echo Capitalization: c.ns.tk / 2001:678:58::1
X Nameserver Timeout checking Echo Capitalization: d.ns.tk / 194.0.41.1
X Nameserver Timeout checking Echo Capitalization: d.ns.tk / 2001:678:5c::1
X Nameserver Timeout checking EDNS512: a.ns.tk / 2001:678:50::1
X Nameserver Timeout checking EDNS512: b.ns.tk / 2001:678:54::1
X Nameserver Timeout checking EDNS512: c.ns.tk / 2001:678:58::1
X Nameserver Timeout checking EDNS512: d.ns.tk / 2001:678:5c::1

Rechecked with unboundtest - the same - https://unboundtest.com/m/CAA/tk/ZGPZTRVA

Query results for CAA tk
----- Unbound logs -----
Nov 22 17:19:56 unbound[7881:0] notice: init module 0: validator
Nov 22 17:19:56 unbound[7881:0] notice: init module 1: iterator
Nov 22 17:19:56 unbound[7881:0] info: start of service (unbound 1.9.3).
Nov 22 17:19:57 unbound[7881:0] info: 127.0.0.1 tk. CAA IN
Nov 22 17:19:57 unbound[7881:0] info: resolving tk. CAA IN
Nov 22 17:19:57 unbound[7881:0] info: priming . IN NS
Nov 22 17:19:57 unbound[7881:0] info: response for . NS IN
Nov 22 17:19:57 unbound[7881:0] info: reply from <.> 2001:dc3::35#53
Nov 22 17:19:57 unbound[7881:0] info: query response was ANSWER
Nov 22 17:19:57 unbound[7881:0] info: priming successful for . NS IN
Nov 22 17:19:57 unbound[7881:0] info: response for tk. CAA IN
Nov 22 17:19:57 unbound[7881:0] info: reply from <.> 2001:500:1::53#53
Nov 22 17:19:57 unbound[7881:0] info: query response was REFERRAL
Nov 22 17:19:57 unbound[7881:0] info: resolving d.ns.tk. A IN
Nov 22 17:19:57 unbound[7881:0] info: resolving b.ns.tk. A IN
Nov 22 17:19:57 unbound[7881:0] info: resolving c.ns.tk. A IN
Nov 22 17:19:57 unbound[7881:0] info: resolving d.ns.tk. AAAA IN
Nov 22 17:19:57 unbound[7881:0] info: resolving a.ns.tk. A IN
Nov 22 17:19:59 unbound[7881:0] info: Capsforid: timeouts, starting fallback
Nov 22 17:19:59 unbound[7881:0] info: Capsforid: timeouts, starting fallback
Nov 22 17:19:59 unbound[7881:0] info: Capsforid: timeouts, starting fallback
Nov 22 17:19:59 unbound[7881:0] info: Capsforid: timeouts, starting fallback
Nov 22 17:19:59 unbound[7881:0] info: Capsforid: timeouts, starting fallback
Nov 22 17:20:01 unbound[7881:0] info: Capsforid: timeouts, starting fallback

Error running query: read udp 127.0.0.1:43951->127.0.0.1:1053: i/o timeout

Checking tk - CAA doesn't work, that blocks your domain.

Try to create a CAA entry with your domain name tferreira.tk. Then the CAA of tk isn't checked.

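Why a CAA record on tferreira.tk itself makes the tk lookup irrelevant: a CA walks from the requested name up towards the root and stops at the first name that has CAA records (RFC 8659, section 3), so the poster's NODATA answer for tferreira.tk sends the CA on to tk, where the query times out. The following is an added example, not code from this thread or from Certbot/Boulder; it models that walk with a constructed in-memory resolver (`FakeResolver`, a hypothetical helper) instead of live DNS, with the tk timeout built in.

```python
"""CAA lookup as a CA performs it: climb from the FQDN towards the root and
use the first CAA record set found. Constructed offline simulation."""
from dataclasses import dataclass, field


class DnsTimeout(Exception):
    """Raised when the (simulated) authoritative servers never answer."""


@dataclass
class FakeResolver:
    # name -> list of (tag, value) CAA records. An empty list is NODATA,
    # which is what the poster's dig for tferreira.tk returned.
    caa: dict
    # names whose servers time out; constructed to mirror the tk TLD
    timeouts: set = field(default_factory=set)
    queried: list = field(default_factory=list)  # records the walk

    def query_caa(self, name):
        self.queried.append(name)
        if name in self.timeouts:
            raise DnsTimeout(f"query timed out looking up CAA for {name}")
        return self.caa.get(name, [])


def caa_relevant_set(resolver, fqdn):
    """Return (name, records) for the closest name at or above fqdn that
    has CAA records, or (None, []) if the root is reached with none.
    A timeout anywhere on the walk propagates: the CA cannot decide."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        records = resolver.query_caa(name)
        if records:
            return name, records
    return None, []


def may_issue(resolver, fqdn, ca_id="letsencrypt.org"):
    """True if the relevant CAA set permits ca_id for a non-wildcard name.
    Only the 'issue' tag is evaluated here; issuewild/iodef are ignored."""
    try:
        _, records = caa_relevant_set(resolver, fqdn)
    except DnsTimeout:
        return False  # the 'DNS problem' rejection seen in the certbot log
    issuers = [v.split(";")[0].strip() for tag, v in records if tag == "issue"]
    return ca_id in issuers if issuers else True
```

Run with an empty `caa` dict and `timeouts={"tk"}` the walk reaches tk and fails exactly as in the poster's log; add `{"tferreira.tk": [("issue", "letsencrypt.org")]}` and the walk stops one level below tk.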
