DNS/DNSSEC error signal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

DNSViz.net shows all delegations are correct. No AAAA record is published yet.

My domain is: kamchatka.spb.ru

I ran this command: acmetool --xlog.stderr --xlog.severity=TRACE reconcile

It produced this output:
20230627030016 [INFO] acmetool.solver: unsuccessful challenge: authorization "https://acme-v02.api.letsencrypt.org/acme/authz-v3/240320666877" challenge "https://acme-v02.api.letsencrypt.org/acme/chall-v3/240320666877/wfOfww" failed into final non-valid status invalid [due to inner error: (problem (type "urn:ietf:params:acme:error:dns") (instance "") (id ) (title ""): (detail "DNS problem: looking up A for kamchatka.spb.ru: DNSSEC: Bogus; DNS problem: looking up AAAA for kamchatka.spb.ru: DNSSEC: Bogus"))]

My web server is (include version): apache 2.4

The operating system my web server runs on is (include version): freebsd 13.1

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hello @smyasoedov, welcome to the Let's Encrypt community. :slightly_smiling_face:

https://zonemaster.net/en/result/e90fe1f4b2c17516 has found one warning

Using the online tool https://unboundtest.com/ doesn't seem to be finding any issues https://unboundtest.com/m/A/kamchatka.spb.ru/Z534WQ5F

And using the online tool https://letsdebug.net/ yields these results https://letsdebug.net/kamchatka.spb.ru/1530967 of OK.

1 Like

Right now kamchatka.spb.ru | DNSViz has one error

1 Like

Thank you @Bruce5051 !
As you can see, nothing prevents the correct DNS resolution (no response from the gTLD nameserver is outside of my scope).

So what's wrong with LE certificate issuance?

2 Likes

I see this with nslookup; it seems like your DNS Name Servers are a bit slow in responding.

$ nslookup kamchatka.spb.ru ns1.net-art.cz.
Server:         ns1.net-art.cz.
Address:        80.211.210.60#53

Name:   kamchatka.spb.ru
Address: 195.211.53.80
;; communications error to 80.211.210.60#53: timed out

This run with nslookup -q=any kamchatka.spb.ru ns1.net-art.cz. was a bit longer than I typically see.

$ nslookup -q=any kamchatka.spb.ru ns1.net-art.cz.
Server:         ns1.net-art.cz.
Address:        80.211.210.60#53

kamchatka.spb.ru
        origin = ns1.net-art.cz
        mail addr = hostmaster.kaa.ru
        serial = 2015052593
        refresh = 7200
        retry = 3600
        expire = 604800
        minimum = 86400
kamchatka.spb.ru        rdata_46 = SOA 13 3 86400 20230826012142 20230627012142 11148 kamchatka.spb.ru. X4/d+bzLyaAzHBsfBwZvDBwI8VBfWTZZCaaWl+LPLIGQKU6jskH9dCzQ xA93rO8YLkpcm/csm/tM2yyEG2Osog==
kamchatka.spb.ru        nameserver = ns1.net-art.cz.
kamchatka.spb.ru        nameserver = ns3.net-art.cz.
kamchatka.spb.ru        rdata_46 = NS 13 3 86400 20230826012142 20230627012142 11148 kamchatka.spb.ru. 28HbBRVpSM8wr8zX/JGMHhZz+sbCPN1h3PurugkwmkRC89z/wvDkxaJp FhFl+kYTTORXvQ06haeBf1ZrT02oOg==
Name:   kamchatka.spb.ru
Address: 195.211.53.80
kamchatka.spb.ru        rdata_46 = A 13 3 86400 20230826012142 20230627012142 11148 kamchatka.spb.ru. 1okB+7hedt9oKSlAbKZx9UcZXqZV7DwwGq2V6X8L4Tn6MWsO8Soe5o6i Ux4U/UCR6r3XC3unPU1vfsV6Astj2w==
kamchatka.spb.ru        mail exchanger = 5 reindeer.net-art.cz.
kamchatka.spb.ru        rdata_46 = MX 13 3 86400 20230826012142 20230627012142 11148 kamchatka.spb.ru. hY6leHzhDFlA83PRyGrwnMS1ZrxtYwb383hzFQBJtRGu3hIFbdHeOYxf ta6o5B275Dm0J97bEXagh0nFnox6Tw==
kamchatka.spb.ru        text = "v=spf1 mx a:smtp-out.net-art.cz -all"
kamchatka.spb.ru        rdata_46 = TXT 13 3 86400 20230826012142 20230627012142 11148 kamchatka.spb.ru. KWxUWzy1r2m8kDpVWEewgLZud2uqHpS0PCLkAtxAwtPdCR7Yqmp2IjPP YFSUpY1QLZJ2x2Ix+fI4+XdeNSkWgw==
kamchatka.spb.ru        rdata_48 = 257 3 13 +H1A93qEUjTo8zXqYHfSFg2vBd0pkksqJg2o9i7qBa5kqfiBzReEZkcr b89KLQoxGMqeEK498CN9c5RerXH6Sw==
kamchatka.spb.ru        rdata_48 = 256 3 13 QR1QOOw6rWYf9wIQ8a4JP2GP/de/OiHYqoZpB5dhJY9GU3GR7aZZoBbm 5FCaDooEPErb38bfJ3w8XPBGhBr43w==
kamchatka.spb.ru        rdata_46 = DNSKEY 13 3 86400 20230826012142 20230627012142 11148 kamchatka.spb.ru. Na8hbJi3NRtNNQT7x8un5jVqZI3jCkEs3XYJBUC6rwGV/tVk8spy11jA QdEBjeqiGk8YCmGjESl4ncT8SYYtRg==
kamchatka.spb.ru        rdata_46 = DNSKEY 13 3 86400 20230826012142 20230627012142 45147 kamchatka.spb.ru. uXnNxVAteT3I/E/TRvLewIsZZLcnWUFggIpU9rnr34n/TukLLwh1j/nl kg4fFuNQtbtyN0P7VkESRjcUy4M+5A==
kamchatka.spb.ru        rdata_51 = 1 0 10 C0DE
kamchatka.spb.ru        rdata_46 = NSEC3PARAM 13 3 0 20230826012142 20230627012142 11148 kamchatka.spb.ru. g2xAHjx8k38a/T4lY+0RA5xQ1CHl7L9voFdBRAejpIe1SQw5tJKNi/ax P2HHQ6jPryn0beUfUUy64GJhmMRYGw==
kamchatka.spb.ru        rdata_99 = "v=spf1 mx a:smtp-out.net-art.cz -all"
kamchatka.spb.ru        rdata_46 = SPF 13 3 86400 20230826012142 20230627012142 11148 kamchatka.spb.ru. FetmUqfhQbzIdr3TxZLKDTZKn2WdaJzdidqrwgPUiwhrhq7PopnKNQTa R7YohRzehLuVSeEh63Y4g96lrcdMqQ==

1 Like

This is quite strange, while other domains are resolving well. Where did you get this timeout, in which region? I'll start a RIPE Atlas test from this location.

Thank you for this. I think ANY requests shouldn't be used for LE. But a slow response is okay, as a response to ANY should have more time to switch to TCP and proceed with the 3-way handshake.

1 Like
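An added example (not from this thread, and not Let's Encrypt's or acmetool's code) showing what the "DNSSEC: Bogus" signal looks like on the wire: a validating resolver answers SERVFAIL with the AD bit clear and, if it supports Extended DNS Errors (RFC 8914), an EDE option in the OPT record, while the same query with CD set asks the resolver to return the unvalidated data (the `dig +cd` test for telling a real validation failure from unreachable nameservers). The response bytes below are constructed rather than captured, and mapping LE's "DNSSEC: Bogus" text to EDE info-code 6 is an assumption.

```python
import struct

EDE_OPTION_CODE = 15   # RFC 8914 Extended DNS Error, carried in the OPT RR
EDE_DNSSEC_BOGUS = 6   # assumed to be what LE reports as "DNSSEC: Bogus"

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, qtype=1, cd=False, txid=0x1234):
    """Query with RD set and an EDNS0 OPT RR carrying the DO bit; cd=True
    sets CD (checking disabled) so the resolver skips DNSSEC validation."""
    flags = 0x0100 | (0x0010 if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT: root name, type 41, UDP size 1232, ext-rcode 0, version 0, DO flag, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def skip_name(buf, off):
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # compression pointer, two bytes
            return off + 2
        off += 1 + n

def parse_response(buf):
    """Return rcode, AD/CD flags and the EDE info-code (if any) of a reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    info = {"rcode": flags & 0xF, "ad": bool(flags & 0x20), "cd": bool(flags & 0x10), "ede": None}
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        rdata, off = buf[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 41:           # walk the OPT options looking for EDE
            p = 0
            while p + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[p:p + 4])
                if code == EDE_OPTION_CODE and olen >= 2:
                    info["ede"] = struct.unpack("!H", rdata[p + 4:p + 6])[0]
                p += 4 + olen
    return info

def classify(info):
    if info["rcode"] == 0:
        return "secure" if info["ad"] else "insecure or unvalidated"
    if info["rcode"] == 2:
        return "DNSSEC: Bogus" if info["ede"] == EDE_DNSSEC_BOGUS else "SERVFAIL"
    return "rcode %d" % info["rcode"]

def constructed_response(name, rcode=0, ad=False, ede=None, txid=0x1234):
    """Constructed sample reply (not a capture): QR|RD|RA, optional AD, optional EDE."""
    flags = 0x8180 | (0x0020 if ad else 0) | rcode
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    opts = b"" if ede is None else struct.pack("!HHH", EDE_OPTION_CODE, 2, ede)
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, len(opts)) + opts
    return header + question + opt
```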

Got an error this time with Let's Debug https://letsdebug.net/kamchatka.spb.ru/1530979?debug=y
(partial image)

1 Like

Yes, I see this. Timeouts for A and AAAA records. Can't understand what is wrong here.

Maybe there is something up with the higher domain spb.ru.

Maybe Geo-Location blocking?
Edit: possibly even intermittently Geo-Location blocking?

1 Like

Seems to be working now.

2 Likes

Same issue now:
20230627044951 [INFO] acmetool.solver: unsuccessful challenge: authorization "https://acme-v02.api.letsencrypt.org/acme/authz-v3/240370637247" challenge "https://acme-v02.api.letsencrypt.org/acme/chall-v3/240370637247/gStGSQ" failed into final non-valid status invalid [due to inner error: (problem (type "urn:ietf:params:acme:error:dns") (instance "") (id ) (title ""): (detail "DNS problem: looking up A for kamchatka.spb.ru: DNSSEC: Bogus; DNS problem: looking up AAAA for kamchatka.spb.ru: DNSSEC: Bogus"))]

I can't recognize it. My NSes are not blocking, and domain registries don't seem to block anything.

DNS Propagation Checker - Global DNS Testing Tool is showing that not all locations are getting responses from the authoritative DNS name servers.

2 Likes

That's interesting. Now I see every server marked with a green check, except Auckland NZ. Given that the NSes aren't multihomed and are located in Italy and the Czech Republic, and other people with spb.ru domains are complaining about DNS... one might need to check whether LE's addresses are being blocked.

What IP addresses does Let’s Encrypt use to validate my web server?
Let’s Encrypt does not publish a list of IP addresses we use to validate, and these IP addresses may change at any time.

Let's Encrypt uses Multi-Perspective Validation Improves Domain Validation Security - Let's Encrypt

1 Like

Thank you, I've read this article. Obviously there is no problem on my side; the nameservers and web server are reachable. Lots of online tools are additional proof of that.

1 Like

And likely not on the LE side, but most likely something between them.

2 Likes

I've done what I can, so kindly wait to see if there are more knowledgeable Let's Encrypt community volunteers willing to assist. :slight_smile:

2 Likes