Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: gleditais.com.br
I ran this command:
certbot certonly --dns-route53 --email myemail@gmail.com -d *.gleditais.com.br -d gleditais.com.br --rsa-key-size 4096 --agree-tos --expand --noninteractive --debug-challenges
It produced this output:
2020-08-14 01:38:09,888:DEBUG:certbot.main:certbot version: 0.31.0
2020-08-14 01:38:09,888:DEBUG:certbot.main:Arguments: ['--dns-route53', '--email', 'myemail@gmail.com', '-d', '*.gleditais.com.br', '-d', 'gleditais.com.br', '--rsa-key-size', '4096', '--agree-tos', '--expand', '--noninteractive', '--debug-challenges']
2020-08-14 01:38:09,889:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#certbot-route53:auth,PluginEntryPoint#dns-route53,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-08-14 01:38:09,896:DEBUG:certbot.log:Root logging level set at 20
2020-08-14 01:38:09,896:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-08-14 01:38:09,897:DEBUG:certbot.plugins.selection:Requested authenticator dns-route53 and installer None
2020-08-14 01:38:09,898:DEBUG:botocore.hooks:Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2020-08-14 01:38:09,902:DEBUG:botocore.hooks:Changing event name from before-call.apigateway to before-call.api-gateway
2020-08-14 01:38:09,902:DEBUG:botocore.hooks:Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2020-08-14 01:38:09,904:DEBUG:botocore.hooks:Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2020-08-14 01:38:09,904:DEBUG:botocore.hooks:Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2020-08-14 01:38:09,905:DEBUG:botocore.hooks:Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2020-08-14 01:38:09,905:DEBUG:botocore.hooks:Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2020-08-14 01:38:09,908:DEBUG:botocore.hooks:Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2020-08-14 01:38:09,908:DEBUG:botocore.hooks:Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2020-08-14 01:38:09,908:DEBUG:botocore.hooks:Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2020-08-14 01:38:09,908:DEBUG:botocore.hooks:Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2020-08-14 01:38:09,913:DEBUG:botocore.credentials:Looking for credentials via: env
2020-08-14 01:38:09,914:INFO:botocore.credentials:Found credentials in environment variables.
2020-08-14 01:38:09,914:DEBUG:botocore.loaders:Loading JSON file: /usr/lib/python3/dist-packages/botocore/data/endpoints.json
2020-08-14 01:38:09,917:DEBUG:botocore.hooks:Event choose-service-name: calling handler <function handle_service_name_alias at 0x7fc2213cb730>
2020-08-14 01:38:09,926:DEBUG:botocore.loaders:Loading JSON file: /usr/lib/python3/dist-packages/botocore/data/route53/2013-04-01/service-2.json
2020-08-14 01:38:09,931:DEBUG:botocore.hooks:Event creating-client-class.route-53: calling handler <function add_generate_presigned_url at 0x7fc221414268>
2020-08-14 01:38:09,931:DEBUG:botocore.regions:Using partition endpoint for route53, sa-east-1: aws-global
2020-08-14 01:38:09,931:DEBUG:botocore.args:The s3 config key is not a dictionary type, ignoring its value of: None
2020-08-14 01:38:09,934:DEBUG:botocore.endpoint:Setting route53 timeout as (60, 60)
2020-08-14 01:38:09,934:DEBUG:botocore.loaders:Loading JSON file: /usr/lib/python3/dist-packages/botocore/data/_retry.json
2020-08-14 01:38:09,935:DEBUG:botocore.client:Registering retry handlers for service: route53
2020-08-14 01:38:09,936:DEBUG:certbot.plugins.selection:Single candidate plugin: * dns-route53
Description: Obtain certificates using a DNS TXT record (if you are using AWS Route53 for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns-route53 = certbot_dns_route53.dns_route53:Authenticator
Initialized: <certbot_dns_route53.dns_route53.Authenticator object at 0x7fc22296ada0>
Prep: True
2020-08-14 01:38:09,936:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_dns_route53.dns_route53.Authenticator object at 0x7fc22296ada0> and installer None
2020-08-14 01:38:09,936:INFO:certbot.plugins.selection:Plugins selected: Authenticator dns-route53, Installer None
2020-08-14 01:38:10,101:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2020-08-14 01:38:10,103:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2020-08-14 01:38:30,124:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 159, in _new_conn
    (self._dns_host, self.port), self.timeout, **extra_kw)
  File "/usr/lib/python3/dist-packages/urllib3/util/connection.py", line 57, in create_connection
    for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
  File "/usr/lib/python3.7/socket.py", line 748, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Temporary failure in name resolution
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 600, in urlopen
    chunked=chunked)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 343, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 841, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 301, in connect
    conn = self._new_conn()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 168, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x7fc221180d30>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 638, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 398, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fc221180d30>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
My web server is (include version): Nginx 17.x
The operating system my web server runs on is (include version): Ubuntu on EC2
My hosting provider, if applicable, is: AWS
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): EC2 panel
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0
My actual situation:
- Server is running only on HTTP; right now I have a self-signed certificate to run Nginx.
- I tested with every debug tool (letsdebug; check DNS & check-your-website.server-daten.de) and they show OK, except for the HTTPS.
- From the log, I cannot be sure if the problem is authentication on Route53 to make the DNS challenge. But I can confirm that I already did the challenge once using the same credentials and Route53 permissions, and this is my second try at getting a new key using the same credentials and permissions as the first time.
Can anybody give me a direction on this? I don’t know where else to look to fix this.
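
Added example, not part of the original post: a small triage of a certbot debug log that reports which step failed, using the rule that the first exception in a chained traceback is the root cause (here `socket.gaierror`, raised while resolving the ACME directory host). The function names `triage` and `can_resolve` are hypothetical, and the sample is constructed from lines abridged from the log above.

```python
import re
import socket

# Constructed sample: lines abridged from the certbot debug log in the post above.
SAMPLE_LOG = """\
2020-08-14 01:38:09,914:INFO:botocore.credentials:Found credentials in environment variables.
2020-08-14 01:38:10,101:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2020-08-14 01:38:30,124:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
socket.gaierror: [Errno -3] Temporary failure in name resolution
During handling of the above exception, another exception occurred:
urllib3.exceptions.NewConnectionError: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory
"""

# Exception summary lines start with a dotted name ending in Error/error/Exception.
EXC_RE = re.compile(r"^([A-Za-z_][\w.]*(?:[Ee]rror|Exception)): (.*)$", re.M)
# Accept straight or typographic quotes, since forum software often rewrites them.
HOST_RE = re.compile(r"host=['\u2018]([^'\u2019]+)")
REQ_RE = re.compile(r"acme\.client:Sending \w+ request to (\S+?)\.?$", re.M)


def triage(log_text):
    """Classify where a certbot run died, from its debug log."""
    excs = EXC_RE.findall(log_text)
    root = excs[0][0] if excs else None   # first in a chained traceback = root cause
    host = HOST_RE.search(log_text)
    reqs = REQ_RE.findall(log_text)
    if root and root.endswith("gaierror"):
        stage = "client-dns-resolution"   # the resolver on the certbot host failed
    elif root and root.startswith("botocore.exceptions."):
        stage = "aws-api"                 # credentials, IAM policy or the Route53 call
    else:
        stage = "unknown"
    return {"stage": stage, "root": root,
            "host": host.group(1) if host else None,
            "last_acme_request": reqs[-1] if reqs else None}


def can_resolve(host, port=443, resolver=socket.getaddrinfo):
    """Live check for the same failure; resolver is injectable for testing."""
    try:
        resolver(host, port, 0, socket.SOCK_STREAM)
        return True, None
    except socket.gaierror as e:
        return False, e.errno
```

Running `can_resolve("acme-v02.api.letsencrypt.org")` on the EC2 instance repeats the lookup that failed in the log, independent of certbot and of the AWS credentials.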