DNS Error during second validation check

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: partenariatsav.univrmenuiserie.fr

I ran this command: certbot renew --dry-run

It produced this output:

Certificate not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Simulating renewal of an existing certificate for partenariatsav.univrmenuiserie.fr
Performing the following challenges:
http-01 challenge for partenariatsav.univrmenuiserie.fr
Waiting for verification...
Challenge failed for domain partenariatsav.univrmenuiserie.fr
http-01 challenge for partenariatsav.univrmenuiserie.fr

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: partenariatsav.univrmenuiserie.fr
Type: dns
Detail: During secondary validation: DNS problem: query timed out looking up A for partenariatsav.univrmenuiserie.fr; DNS problem: query timed out looking up AAAA for partenariatsav.univrmenuiserie.fr

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Failed to renew certificate partenariatsav.univrmenuiserie.fr with error: Some challenges have failed.

My web server is (include version): Apache 2.4.38

The operating system my web server runs on is (include version): Debian 10

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.26.0

Hello guys,

As the title mentions, since this morning I have been experiencing a DNS second validation issue on many of my certificates that are generated by the Let's Encrypt certbot.

For some context: I am using Apache under Debian, and some of our certs are generated by certbot. We have been using it for 6 months or so and everything was going fine. This morning, I tried running the renew test feature of certbot:

certbot renew --dry-run

And I suddenly have errors on almost all my certs saying DNS second validation error. For information, our DNS is hosted at Gandi.net.
When I curl partenariatsav.univrmenuiserie.fr:80 I get a permanent redirect to 443, which is normal. I also tried just digging the record itself and everything went fine.
This cert is using the http-01 challenge, and the .well-known folder exists.

I tried walking through the certbot logs to get more information on what is going on, but nothing really helped me. Does anyone have ideas on why my test renew fails?

1 Like

This error has nothing to do with your system. You should wait and see if it gets resolved on its own or you should talk to Gandi, as they host your authoritative nameservers (are you using LiveDNS?)

1 Like

Okay, thank you Sir, I've literally spent my morning reviewing everything on our infrastructure to be sure all this was not from my side. I will ask my boss to be sure nothing here uses LiveDNS, but I'm pretty sure we don't. If this stays like this tomorrow or so, I will probably contact Gandi.

1 Like

LiveDNS is fine. It might be misbehaving right now but it's fine.

1 Like

I have the same problem:

- The following errors were reported by the server:

   Domain: ruckfules.de
   Type:   dns
   Detail: During secondary validation: DNS problem: query timed out
   looking up A for ruckfules.de; DNS problem: query timed out looking
   up AAAA for ruckfules.de

DNS is correctly pointing to the server.

Same problem on my side.

The problem is present on at least 3 servers which are not linked at all.

Here are the tests I performed:

  • check if the ports are open
  • disable the firewall
  • dig of the domain for entry A & AAAA, reverse
  • ping v4 & v6

Here is my error under dehydrated:

root@srv-XXX:~ # /usr/local/etc/letsencrypt/dehydrated/dehydrated --cron --out /usr/local/etc/tls --challenge http-01 --config /usr/local/etc/letsencrypt/dehydrated/le.config
# INFO: Using main config file /usr/local/etc/letsencrypt/dehydrated/le.config
Processing srv-XXX.domain
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for srv-XXX.domain
 + 1 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for srv-XXX.domain authorization...
 + Cleaning challenge tokens...
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]      "http-01"
["status"]      "invalid"
["error","type"]        "urn:ietf:params:acme:error:dns"
["error","detail"]      "During secondary validation: DNS problem: query timed out looking up A for srv-XXX.domain; DNS problem: query timed out looking up AAAA for srv-XXX.domain"
["error","status"]      400
["error"]       {"type":"urn:ietf:params:acme:error:dns","detail":"During secondary validation: DNS problem: query timed out looking up A for srv-XXX.domain; DNS problem: query timed out looking up AAAA 
for srv-XXX.domain","status":400}
["url"] "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/xxxxx/xxxxx
["token"]       "xxxxxxxx"
["validationRecord",0,"url"]    "http://srv-XXX.domain/.well-known/acme-challenge/xxxxxxxx"
["validationRecord",0,"hostname"]       "srv-XXX.domain"
["validationRecord",0,"port"]   "80"
["validationRecord",0,"addressesResolved",0]    "X.X.X.X"
["validationRecord",0,"addressesResolved",1]    "XXXX:XXXX:XXXX:XXXX::XXXX"
["validationRecord",0,"addressesResolved"]      ["X.X.X.X","XXXX:XXXX:XXXX:XXXX::XXXX"]
["validationRecord",0,"addressUsed"]    "XXXX:XXXX:XXXX:XXXX::XXXX"
["validationRecord",0]  {"url":"http://srv-XXX.domain/.well-known/acme-challenge/xxxxxxxx","hostname":"srv-XXX.domain","port":"80","addressesResolved":["X.X.X.X","XXXX:XXXX:XXXX:XXXX::XXXX"],"addressUsed":"XXXX:XXXX:XXXX:XXXX::XXXX"}
["validationRecord",1,"url"]    "https://srv-XXX.domain/.well-known/acme-challenge/xxxxxxxx"
["validationRecord",1,"hostname"]       "srv-XXX.domain"
["validationRecord",1,"port"]   "443"
["validationRecord",1,"addressesResolved",0]    "X.X.X.X"
["validationRecord",1,"addressesResolved",1]    "XXXX:XXXX:XXXX:XXXX::XXXX"
["validationRecord",1,"addressesResolved"]      ["X.X.X.X","XXXX:XXXX:XXXX:XXXX::XXXX"]
["validationRecord",1,"addressUsed"]    "XXXX:XXXX:XXXX:XXXX::XXXX"
["validationRecord",1]  {"url":"https://srv-XXX.domain/.well-known/acme-challenge/xxxxxxxx","hostname":"srv-XXX.domain","port":"443","addressesResolved":["X.X.X.X","XXXX:XXXX:XXXX:XXXX::XXXX"],"addressUsed":"XXXX:XXXX:XXXX:XXXX::XXXX"}
["validationRecord"]    [{"url":"http://srv-XXX.domain/.well-known/acme-challenge/xxxxxxxx","hostname":"srv-XXX.domain","port":"80","addressesResolved":["X.X.X.X","XXXX:XXXX:XXXX:XXXX::XXXX"],"addressUsed":"XXXX:XXXX:XXXX:XXXX::XXXX"},{"url":"https://srv-XXX.domain/.well-known/acme-challenge/xxxxxxxx","hostname":"srv-XXX.izy
solutions.cloud","port":"443","addressesResolved":["X.X.X.X","XXXX:XXXX:XXXX:XXXX::XXXX"],"addressUsed":"XXXX:XXXX:XXXX:XXXX::XXXX"}]
["validated"]   "2022-04-13T12:44:01Z")
1 Like

+1 I too am having this issue today

During secondary validation: DNS problem: query timed out
   looking up A for wearesmile.com; DNS problem: query timed out
   looking up AAAA for wearesmile.com

As I mentioned, all my domains are hosted at Gandi, so I opened a ticket with Gandi's support. I will see what they answer. I also looked for similar problems on this forum earlier this morning, and some people had the same issue in 2020 and it resolved itself somehow afterwards, so all I can say at the moment is that I think all this is not really from our side.

1 Like

Personally, I have the problem on domains hosted at OVH, Gandi, LWS.

2 Likes

I have issues with domains on AWS

Hi everyone,

We're actively using Let's Encrypt staging in our pre-production environment, and we've also noticed that DNS lookup timeout errors are frequently returned since April 13, 3:30-3:45 UTC, for example:

one or more domains had a problem:
[*.<domain>] acme: error: 400 :: urn:ietf:params:acme:error:dns :: During secondary validation: DNS problem: query timed out looking up CAA for <domain>
[<domain>] acme: error: 400 :: urn:ietf:params:acme:error:dns :: During secondary validation: DNS problem: query timed out looking up TXT for _acme-challenge.<domain>

Our DNS provider is Akamai; certificate generation was working fine until these issues appeared. As far as I can see, multiple people are reporting this problem with different DNS providers, so I think the problem is more likely to be with Let's Encrypt staging.

2 Likes

When I try to renew my certificate, I see that Let's Encrypt can access my website and finally returns 200:

log httpd (apache2):

==> /var/log/apache2/other_vhosts_access.log <==
vps-8dee49aa.vps.ovh.net:80 2600:1f16:13c:c401:88f3:6732:b6d1:8a23 - - [13/Apr/2022:16:24:15 +0200] "GET /.well-known/acme-challenge/XXXXXX HTTP/1.1" 301 726 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
vps-8dee49aa.vps.ovh.net:80 2600:3000:2710:300::22 - - [13/Apr/2022:16:24:15 +0200] "GET /.well-known/acme-challenge/XXXXXX HTTP/1.1" 301 726 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

==> /var/log/apache2/domain-https-access.log <==
2600:3000:2710:300::22 - - [13/Apr/2022:16:24:16 +0200] "GET /.well-known/acme-challenge/XXXXXX HTTP/1.1" 200 2338 "http://domain/.well-known/acme-challenge/XXXXXX" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

==> /var/log/apache2/other_vhosts_access.log <==
vps-8dee49aa.vps.ovh.net:80 2a05:d014:531:8602:f957:2314:3ed2:6d93 - - [13/Apr/2022:16:24:35 +0200] "GET /.well-known/acme-challenge/XXXXXX HTTP/1.1" 301 726 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
vps-8dee49aa.vps.ovh.net:80 35.85.44.193 - - [13/Apr/2022:16:24:45 +0200] "GET /.well-known/acme-challenge/XXXXXX HTTP/1.1" 301 726 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

==> /var/log/apache2/domain-https-access.log <==
18.222.210.144 - - [13/Apr/2022:16:24:45 +0200] "GET /.well-known/acme-challenge/XXXXXX HTTP/1.1" 200 2338 "http://domain/.well-known/acme-challenge/XXXXXX" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
1 Like
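The two kinds of evidence quoted in this thread, the flattened challenge object from dehydrated and the Apache access log showing the validation servers reaching the challenge path, can be read together. The following is an added example, not code from any poster, certbot or dehydrated: it classifies the ACME error (the "During secondary validation" prefix marks the remote vantage points, not the primary one, as the side that failed) and tallies which validator addresses fetched the challenge and what status they got. Host names, token and addresses in the sample data are constructed placeholders.

```python
import json
import re

ACME_DNS_ERROR = "urn:ietf:params:acme:error:dns"
SECONDARY = "During secondary validation:"

# Constructed sample challenge object: same shape as the dehydrated result quoted
# in the thread, with placeholder host, token and documentation-range addresses.
SAMPLE_CHALLENGE = json.dumps({"type": "http-01", "status": "invalid",
    "error": {"type": ACME_DNS_ERROR, "status": 400,
              "detail": "During secondary validation: DNS problem: query timed out "
                        "looking up A for srv.example; DNS problem: query timed out "
                        "looking up AAAA for srv.example"},
    "validationRecord": [{"hostname": "srv.example", "port": "80", "addressUsed": "2001:db8::10",
                          "addressesResolved": ["192.0.2.10", "2001:db8::10"]}]})

# Constructed Apache access-log lines in the two layouts shown in the thread (with and without vhost:port prefix).
UA = '"Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)"'
SAMPLE_LOG = [
    'srv.example:80 2001:db8:1::22 - - [13/Apr/2022:16:24:15 +0200] '
    '"GET /.well-known/acme-challenge/TOKEN HTTP/1.1" 301 726 "-" ' + UA,
    '2001:db8:1::22 - - [13/Apr/2022:16:24:16 +0200] '
    '"GET /.well-known/acme-challenge/TOKEN HTTP/1.1" 200 2338 "-" ' + UA,
    '198.51.100.7 - - [13/Apr/2022:16:24:45 +0200] '
    '"GET /.well-known/acme-challenge/TOKEN HTTP/1.1" 200 2338 "-" ' + UA,
    '203.0.113.9 - - [13/Apr/2022:16:24:50 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.74.0"',
]
LOG_RE = re.compile(r'^(?:\S+:\d+ )?(\S+) - - \[[^\]]+\] "GET (\S+) HTTP/1\.[01]" (\d{3}) ')

def triage_challenge(challenge_json):
    """Classify an ACME challenge object; returns (category, DNS record types named)."""
    ch = json.loads(challenge_json)
    if ch.get("status") != "invalid":
        return "ok", []
    err = ch.get("error", {})
    detail = err.get("detail", "")
    rr_types = re.findall(r"looking up (\w+) for", detail)
    if err.get("type") != ACME_DNS_ERROR:
        return "other", rr_types
    # "During secondary validation" means the primary vantage point resolved the name
    # (validationRecord lists addresses) but the remote perspectives did not, so the
    # authoritative nameservers, not the web server, are the place to look.
    return ("secondary-dns" if detail.startswith(SECONDARY) else "primary-dns"), rr_types

def validator_hits(log_lines):
    """Map each Let's Encrypt validator IP to the HTTP statuses it got on the challenge path."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and "Let's Encrypt validation server" in line and m.group(2).startswith("/.well-known/acme-challenge/"):
            hits.setdefault(m.group(1), []).append(int(m.group(3)))
    return hits
```

A "secondary-dns" result alongside several validator IPs receiving 200 is the pattern in this thread: the web server answered every perspective that could find it, and the failure sits in DNS resolution from the remote perspectives.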

OK, what's the best way to get a cert while this is happening. I have quite a few vanity domains that redirect and a few have expired.

1 Like

Same issue here with OVH as DNS provider; it returns:

During secondary validation: DNS problem: query timed out looking up A : no valid AAAA records found

No problem resolving the domains by querying the authoritative DNS.

2 Likes

You could switch temporarily to a different CA. But, the reason I am responding is that normally renewals start with 30 days remaining before cert expiration. That way glitches like this don't impact live sites. You should review your renewal process so it starts in advance and alerts you to failed renewals.

2 Likes

And now I get:
"Error creating new order :: too many failed authorizations recently"

Now you will have to wait an hour before trying again. If you think you are being affected by a different problem then please start a new help topic.

There are repeated posts of failed DNS secondary auths and we are waiting on LE staff to report.

2 Likes

See here for news about the DNS secondary auth failures on staging system

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.