Hi,
I have changed the IP address of my domain name and I have set the new IP on the domain registrar's website. So, I hope it will propagate within hours. But I am looking for a faster way.
At the moment, when I run the command ~/.acme.sh/acme.sh --issue -d my_domain.com --standalone, it shows the following error:
[Tue Jul 30 09:59:19 UTC 2024] Pending. The CA is processing your order, please wait. (1/30)
[Tue Jul 30 09:59:23 UTC 2024] Pending. The CA is processing your order, please wait. (2/30)
[Tue Jul 30 09:59:27 UTC 2024] Pending. The CA is processing your order, please wait. (3/30)
[Tue Jul 30 09:59:30 UTC 2024] my_domain.com: Invalid status. Verification error details: 164.XX.XXX.XXX: Fetching http://my_domain.com/.well-known/acme-challenge/gerfvregvrevrf: Timeout during connect (likely firewall problem)
[Tue Jul 30 09:59:30 UTC 2024] Please add '--debug' or '--log' to see more information.
[Tue Jul 30 09:59:30 UTC 2024] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
That 164.XX.XXX.XXX is the old IP address. When I do an online DNS lookup, the domain name is shown with the new IP. However, it seems that the Let's Encrypt server hasn't received the updated IP.
I can reproduce a problem with your IP using https://unboundtest.com
It queries DNS similarly to Let's Encrypt.
If I repeatedly request your A record I get two different IPs. One starts with 128.199 and the other with 178.128.
Yet, if I query your authoritative DNS servers individually they all return the same IP.
Since unboundtest sees the same kind of problem Let's Encrypt does, I think something unusual is wrong with your DNS servers. I just don't know what that could be.
I don't know why Google's test tool, the unboundtest.com test site, and Let's Encrypt would all get inconsistent results querying your DNS. Are you sure all your DNS servers are in sync world-wide?
I am not sure about that. I have bought the domain from a website. I expect that their DNS servers eventually get synchronized worldwide. The fact is after some hours everything will be fine. I just want to look into a quicker solution.
Let's Encrypt looks directly at your authoritative DNS servers, so it is not affected by TTL propagation. But, it checks from several places around the world. If your DNS servers take a long time to sync between themselves, that seems like a problem to resolve with your DNS provider.
Good DNS systems don't take very long to sync their servers. Often less than 1 minute and not more than a few minutes.
It is not only Let's Encrypt that is affected. Anyone trying to access your site might get the wrong IP until this is resolved. You can see that with the Google test result too.
They didn't disagree earlier. I checked. And, they don't disagree for me now. Seems odd.
dig +noall +answer A mijnv2.com @ns.zxcs.nl
mijnv2.com. 86400 IN A 178.128.98.163
dig +noall +answer A mijnv2.com @ns.zxcs.eu
mijnv2.com. 86400 IN A 178.128.98.163
dig +noall +answer A mijnv2.com @ns.zxcs.be
mijnv2.com. 86400 IN A 178.128.98.163
But this is odd too. Any ideas @rg305 other than their servers are not in sync?
My nslookup used their IPv6 addresses (update: I think nslookup uses TCP for -q queries. See my next post).
TCP queries get one IP address. UDP queries get a different one. Using -4 and -6 gets the same wrong result.
dig -4 +tcp +noall +answer A mijnv2.com @ns.zxcs.be
mijnv2.com. 86400 IN A 209.38.17.134
dig -4 +tcp +noall +answer A mijnv2.com @ns.zxcs.nl
mijnv2.com. 86400 IN A 209.38.17.134
dig -4 +tcp +noall +answer A mijnv2.com @ns.zxcs.eu
mijnv2.com. 86400 IN A 209.38.17.134
dig -4 +notcp +noall +answer A mijnv2.com @ns.zxcs.eu
mijnv2.com. 86400 IN A 178.128.98.163
dig -4 +notcp +noall +answer A mijnv2.com @ns.zxcs.be
mijnv2.com. 86400 IN A 178.128.98.163
dig -4 +notcp +noall +answer A mijnv2.com @ns.zxcs.nl
mijnv2.com. 86400 IN A 178.128.98.163