Challenge fails - dns problem servfail looking up a for A record

Hello everybody and thank you for this great service!

Until a few days ago the renewal went fine, but now I am getting the "dns" error.

Domain: tinread.upit.ro
OS: Ubuntu 20.04
Certbot: 0.40.0

Error message while renewing:

Domain: tinread.upit.ro
Type: dns
Detail: During secondary validation: DNS problem: query timed out looking up A for tinread.upit.ro; DNS problem: query timed out looking up AAAA for tinread.upit.ro

The challenge file is loaded ok on the server; I can view the key inside the file in the browser. For some reason the Let's Encrypt server cannot access the DNS entries.

Checking with letsdebug I get an error.

NoRecords

No valid A or AAAA records could be ultimately resolved for tinread.upit.ro. This means that Let's Encrypt would not be able to connect to your domain to perform HTTP validation, since it would not know where to connect to.

No A or AAAA records found.

But the DNS works fine; all entries resolve correctly. I checked with "dig", and if I check the DNS with any other external (looking glass) service everything is ok. For instance Google DNS reports the following:

Type  Domain Name       TTL   Address
A     tinread.upit.ro   3600  194.102.70.154

Owner: Universitatea din Pitesti !
(IP WHOIS Lookup - Lookup an IP Address - DNS Checker) [AS2614]

IP is not blocked by any blacklists.

The full log info for this error is posted below.

{
  "identifier": {
    "type": "dns",
    "value": "tinread.upit.ro"
  },
  "status": "invalid",
  "expires": "2022-07-03T00:35:02Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "During secondary validation: DNS problem: query timed out looking up A for tinread.upit.ro; DNS problem: query timed out looking up AAAA for tinread.upit.ro",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/123691525186/JQ_dcA",
      "token": "3g9Z2wqTjC4NuXVeBqeaLbVVMZYAdAKEs9darXUUlP4",
      "validationRecord": [
        {
          "url": "http://tinread.upit.ro/.well-known/acme-challenge/3g9Z2wqTjC4NuXVeBqeaLbVVMZYAdAKEs9darXUUlP4",
          "hostname": "tinread.upit.ro",
          "port": "80",
          "addressesResolved": [
            "194.102.70.154"
          ],
          "addressUsed": "194.102.70.154"
        }
      ],
      "validated": "2022-06-26T00:35:05Z"
    }
  ]
}
2022-06-26 03:35:36,018:DEBUG:acme.client:Storing nonce: 0101DaZ6eZucQkzteNxK-GMfvEMuigknzlbY6Idenxn9lF8
2022-06-26 03:35:36,020:WARNING:certbot.auth_handler:Challenge failed for domain tinread.upit.ro
2022-06-26 03:35:36,020:INFO:certbot.auth_handler:http-01 challenge for tinread.upit.ro
2022-06-26 03:35:36,020:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: tinread.upit.ro
Type: dns
Detail: During secondary validation: DNS problem: query timed out looking up A for tinread.upit.ro; DNS problem: query timed out looking up AAAA for tinread.upit.ro

Any idea how can I fix this?

Thank you!


Hi @sundancescore, and welcome to the LE community forum :slight_smile:

It seems that at some point a DNS server IP was changed, but not all entries were updated:

ns1.upit.ro     internet address = 194.102.70.247
ns1.upit.ro     internet address = 194.102.70.100

This DNS server has multiple IP addresses (for load balancing). In fact it is a governmental server used by all state universities. The DNS service works fine on both IPs. Both "dig" commands below work fine, and the answer for "tinread.upit.ro" is the same (194.102.70.154).

dig @194.102.70.100 tinread.upit.ro
dig @194.102.70.247 tinread.upit.ro

The A record "tinread.upit.ro" is correctly propagated (the problem occurred first time about 6 days ago), so plenty of time to be updated everywhere.

So, I think the issue lies somewhere else...

Not from my corner of the Internet.


Registrar records aren't controlled by zone replication.


Can you please post the output of dig @194.102.70.100 and @194.102.80.247 from your location? This might have some useful info to debug...

Quote: "Registrar records aren't controlled by zone replication."

Yes, this is correct. I just wanted to point out that the name "tinread.upit.ro" resolves ok all over the net.

You are missing my entire point.
Let me put it this way:
[this is what global DNS shows]

nslookup -q=ns upit.ro sec-dns-a.rotld.ro
upit.ro nameserver = ns2.upit.ro
upit.ro nameserver = ns1.upit.ro
ns1.upit.ro     internet address = 194.102.70.247
ns2.upit.ro     internet address = 194.102.70.249

[this is what your servers show]

nslookup -q=ns upit.ro ns1.upit.ro
upit.ro nameserver = ns1.upit.ro
ns1.upit.ro     internet address = 194.102.70.100
ns1.upit.ro     internet address = 194.102.70.247
nslookup -q=ns upit.ro ns2.upit.ro
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

That is questionable.
Only one of the two authoritative nameservers responds.
And it only responds via TCP from some areas.

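The comparison rg305 made by hand above (ask the parent-side server what the delegation is, then ask each delegated server for the zone's own NS set and glue, and note which ones stay silent) is the standard way to find this class of problem. The script below is an added example, not code from the thread or from Let's Encrypt; it encodes the values quoted above as constructed offline sample data, and its live mode assumes `dig` is on PATH and that the zone and parent server (defaults mirror the thread: upit.ro and sec-dns-a.rotld.ro) are supplied by the caller.

```python
"""Delegation consistency check, in the spirit of the nslookup comparison in the thread.

Added example, not the thread's or Let's Encrypt's code. The SAMPLE_* values below
are constructed from the outputs quoted in the thread; live mode shells out to dig.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass, field


@dataclass
class NsView:
    """What one vantage point (the parent/TLD server or one of the zone's own servers) says."""
    source: str
    ns_names: set[str]                                       # NS RRset, lower-case, no trailing dot
    glue: dict[str, set[str]] = field(default_factory=dict)  # nameserver name -> A addresses


def check_delegation(parent: NsView, child: NsView, unreachable: set[str]) -> list[tuple[str, str]]:
    """Compare the parent's delegation with the zone's own view; return (kind, nameserver) findings.

    A resolver walks the parent's NS/glue, so a delegated server that is missing from the
    zone, advertised with different addresses, or silent can produce a timeout or SERVFAIL
    from some vantage points while others (which happened to pick a working server) succeed.
    """
    findings: list[tuple[str, str]] = []
    for name in sorted(parent.ns_names - child.ns_names):
        findings.append(("ns_missing_in_zone", name))
    for name in sorted(child.ns_names - parent.ns_names):
        findings.append(("ns_missing_at_parent", name))
    for name in sorted(parent.ns_names & child.ns_names):
        if parent.glue.get(name, set()) != child.glue.get(name, set()):
            findings.append(("glue_mismatch", name))
    for name in sorted(unreachable):
        findings.append(("unreachable", name))
    return findings


# Constructed from the thread: parent says ns1=.247 and ns2=.249; ns1 itself advertises
# .100 and .247 and lists no ns2 at all; ns2 times out.
SAMPLE_PARENT = NsView("sec-dns-a.rotld.ro", {"ns1.upit.ro", "ns2.upit.ro"},
                       {"ns1.upit.ro": {"194.102.70.247"}, "ns2.upit.ro": {"194.102.70.249"}})
SAMPLE_CHILD = NsView("ns1.upit.ro", {"ns1.upit.ro"},
                      {"ns1.upit.ro": {"194.102.70.100", "194.102.70.247"}})
SAMPLE_UNREACHABLE = {"ns2.upit.ro"}


def sample_findings() -> list[tuple[str, str]]:
    """Findings for the constructed sample; runs fully offline."""
    return check_delegation(SAMPLE_PARENT, SAMPLE_CHILD, SAMPLE_UNREACHABLE)


def dig_short(qname: str, qtype: str, server: str, tcp: bool = False, timeout: int = 2) -> list[str] | None:
    """Run `dig +short`; None if the server did not answer, else answer lines (lower-case, no trailing dot)."""
    cmd = ["dig", "+short", f"+time={timeout}", "+tries=1"] + (["+tcp"] if tcp else []) + [qtype, qname, f"@{server}"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout + 3, check=False)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    if out.returncode != 0:  # dig exits non-zero (9) when no server could be reached
        return None
    return [ln.strip().rstrip(".").lower() for ln in out.stdout.splitlines()
            if ln.strip() and not ln.startswith(";")]


def view_from_server(zone: str, server: str) -> NsView | None:
    """Ask one server (by name or address) for the zone's NS set and the A records of each NS."""
    names = dig_short(zone, "NS", server)
    if names is None:
        return None
    return NsView(server, set(names), {n: set(dig_short(n, "A", server) or []) for n in names})


def live_check(zone: str, parent_server: str) -> list[tuple[str, str]]:
    """Fetch the parent view, then probe every delegated address over UDP and fall back to TCP."""
    parent = view_from_server(zone, parent_server)
    if parent is None:
        raise SystemExit(f"parent server {parent_server} did not answer")
    child, unreachable, extra = None, set(), []
    for name in sorted(parent.ns_names):
        for addr in sorted(parent.glue.get(name) or {name}):
            view = view_from_server(zone, addr)
            if view is None:
                if dig_short(zone, "NS", addr, tcp=True) is not None:
                    extra.append(("tcp_only", name))   # answers TCP but not UDP from here
                else:
                    unreachable.add(name)
            elif child is None:
                child = view                            # first server that answered gives the zone's view
    if child is None:
        raise SystemExit("no delegated server answered")
    return check_delegation(parent, child, unreachable) + extra


if __name__ == "__main__":
    import sys
    zone = sys.argv[1] if len(sys.argv) > 1 else "upit.ro"
    parent_server = sys.argv[2] if len(sys.argv) > 2 else "sec-dns-a.rotld.ro"
    for kind, ns in live_check(zone, parent_server):
        print(kind, ns)
```

Run it from more than one network: the error text in the first post says "During secondary validation", which means Let's Encrypt's additional vantage points, not just its primary one, must resolve the name, so a server that only answers from some places (or only over TCP) will pass from your location and still fail the challenge.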

Quote (rg305, post 8):

nslookup -q=ns upit.ro ns2.upit.ro
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

Ah, ok... So, because ns2.upit.ro does not respond, the challenge fails? The challenge checks both the primary and secondary nameserver, and only if both reply correctly does the challenge pass? Am I getting this right?
