[Closed] Problem with alias domain - DNS problem: NXDOMAIN looking up A for

BackIsBachus · February 17, 2016, 9:48pm

Hello,

I am trying to set up a certificate for 2 vhosts on the same VM.
Since I'm not sure how to explain in clearly I'm gonna explain it thoroughly.

I have 2 domains (larez.fr and rez-gif.supelec.fr) stricly equivalent, my VM name is poe (accessible with both domains). I want to set up 2 website named agendav and davical (with larez.fr and rez-gif.supelec.fr). When I try to create the certificate with letsencrypt-auto certonly I get the following error for the domains in larez.fr:

Failed authorization procedure. agendav.larez.fr (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for agendav.larez.fr, davical.larez.fr (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for davical.larez.fr

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: agendav.larez.fr
   Type:   connection
   Detail: DNS problem: NXDOMAIN looking up A for agendav.larez.fr

   Domain: davical.larez.fr
   Type:   connection
   Detail: DNS problem: NXDOMAIN looking up A for davical.larez.fr

When I do a dig agendav.larez.fr A from a server outside of this network I get the following:

; <<>> DiG 9.9.5-9ubuntu0.5-Ubuntu <<>> agendav.larez.fr A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40826
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;agendav.larez.fr.        IN    A

;; ANSWER SECTION:
agendav.larez.fr.    84725    IN    CNAME    poe.rez-gif.supelec.fr.
poe.rez-gif.supelec.fr.    84719    IN    A    160.228.152.124

;; AUTHORITY SECTION:
rez-gif.supelec.fr.    84696    IN    NS    ns2.rez-gif.supelec.fr.
rez-gif.supelec.fr.    84696    IN    NS    ns.rez-gif.supelec.fr.

;; ADDITIONAL SECTION:
ns.rez-gif.supelec.fr.    84696    IN    A    160.228.152.1
ns2.rez-gif.supelec.fr.    84696    IN    A    160.228.152.66

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 17 22:41:16 CET 2016
;; MSG SIZE  rcvd: 162

For davical.larez.fr I have a similar answer.
I am not a expert in sysadmin at all so I'm not sure if that's enough, too much or whatever ^^

Thanks if you can help me!

Osiris · February 18, 2016, 5:32pm

Probably because LE doesn’t follow CNAME’s…

BackIsBachus · February 18, 2016, 5:52pm

Oh… I see how that would be a problem. I haven’t followed LE development very closely, but is it a voluntary choice or just that it’s not yet possible?

Osiris · February 18, 2016, 5:54pm

Don’t have a clue to be honest… You could search GitHub for issues et cetera.

schoen · February 19, 2016, 1:42am

I just talked to one of the CA developers, @jsha, who said that Let’s Encrypt does follow (and accept) CNAMEs, so a problem with CNAMES is symptomatic of some other problem – not a policy issue.

BackIsBachus · February 19, 2016, 2:16am

Thank you very much, do you know what I can do figure out the source of the problem or at least determine if the error is there because of how the DNS server is set up?

jsha · February 19, 2016, 4:24am

This looks to me like a boulder bug. We’ll look into it: https://github.com/letsencrypt/boulder/issues/1516.

BackIsBachus · February 19, 2016, 10:18am

Thanks, I will follow the issue to add details about my situation if you need any.

jsha · February 19, 2016, 11:44pm

I’ve tried to reproduce this locally using the same set up as prod (unbound resolver). But I can’t reproduce. Similarly, production seems to resolve your domain name fine now. Has anything changed about your setup since you last tried to issue? Could you try again now and see if it still reproduces?

Thanks,
Jacob

BackIsBachus · February 20, 2016, 12:15am

I will try this as soon as I can (I just hit the maximum number of certificate issued for the last 7 days).

jsha · February 20, 2016, 6:52am

Okay. You can also try against staging with the --staging flag.

BackIsBachus · February 20, 2016, 9:45am

I tried on a different server with a really similar setup and there was no error. I don’t think anything has changed recently but I will try again in a few days on my test and production server just to be sure.

jsha · April 5, 2016, 5:28am

3 posts were split to a new topic: Problem completing challenge

BackIsBachus · April 5, 2016, 8:52am

Well I tired to deploy a few other certificates and none seemed to encounter this problem so I guess it may have been a problem with my DNS.

Topic		Replies	Views
DNS PROBLEM: NXDOMAIN looking up A for <mydomain.com> Server	9	47641	January 28, 2016
Let's Encrypt Verify error! DNS problem: NXDOMAIN looking up A for www.com21.com Help	2	643	July 12, 2019
Cert-Generation Problem --> DNS problem: NXDOMAIN looking up A Help	5	1544	August 16, 2018
Trying to generate certificate with error Help	9	743	June 13, 2020
Issues with DNS Help	2	1110	March 3, 2016

[Closed] Problem with alias domain - DNS problem: NXDOMAIN looking up A for

Related topics