Let's Encrypt is refusing to create a certificate for the domain my.hyundaicard.com.
The error returned is a DNS problem:
{
"detail": "DNS problem: query timed out looking up A for my.hyundaicard.com; DNS problem: query timed out looking up AAAA for my.hyundaicard.com",
"status": 400,
"type": "urn:ietf:params:acme:error:dns"
}
I am struggling to debug this because any combination of dig, nslookup, etc. shows that the A record exists, and the CNAME is properly set up to point to custom.bnc.lt. The same process has properly set up Let's Encrypt certificates for other domains, so I believe it is a problem with the domain setup, and not our Let's Encrypt infrastructure.
The only smoking gun that we have been able to find is that when using DNS Propagation Checker sometimes the domain does not resolve for all geos. However, it is not consistent, in that some other people have been able to get it to show all greens.
Does anybody have any ideas on how to further debug? Please let me know if you need any other information to help with this issue.
The DNS delegation is wrong, the .com servers think that the NS records are a different set of names than the 61.40.236.100/210.182.190.100 servers do.
Thank you for sharing the insight here!
To confirm, could you please share which exact part needs to be fixed? Or perhaps needs to be configured?
To give you further information, the domain should redirect into custom.bnc.lt for the Branch system to redirect the custom domain (my.hyundaicard.com) to the Branch domain (.app.link).
we.kurly.com - this is a domain that is working as expected, but it is showing the same graph as the Hyundai Card one. Could you please share with me which part is causing an issue?
The "Servers" tab in DNSViz may be more helpful than the "DNSSEC" tab for delegation problems; the areas highlighted in yellow are inconsistent and will cause problems for anyone trying to get to your domain.
I'll try to walk through it with dig.
If you ask the .com nameservers for what the nameservers are for hyundaicard.com, it says they are hns1.hyundaicard.com. (61.40.236.100) and hns2.hyundaicard.com. (210.182.190.100)
But then actually querying either of them gives a different set of names, with additional nameservers ending in .co.kr.
$ dig +norecurse NS hyundaicard.com @61.40.236.100
; <<>> DiG 9.18.28 <<>> +norecurse NS hyundaicard.com @61.40.236.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48113
;; flags: qr aa; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 4e8f44dc5fabfb7202461e1466b9eab550f202009517e0f5 (good)
;; QUESTION SECTION:
;hyundaicard.com. IN NS
;; ANSWER SECTION:
hyundaicard.com. 3600 IN NS hns2.hyundaicard.co.kr.
hyundaicard.com. 3600 IN NS hns1.hyundaicard.co.kr.
hyundaicard.com. 3600 IN NS hns2.hyundaicard.com.
hyundaicard.com. 3600 IN NS hns1.hyundaicard.com.
;; ADDITIONAL SECTION:
hns1.hyundaicard.com. 3600 IN A 61.40.236.100
hns2.hyundaicard.co.kr. 3600 IN A 210.182.190.100
hns1.hyundaicard.co.kr. 3600 IN A 210.182.190.100
hns2.hyundaicard.com. 3600 IN A 210.182.190.100
;; Query time: 189 msec
;; SERVER: 61.40.236.100#53(61.40.236.100) (UDP)
;; WHEN: Mon Aug 12 10:57:57 UTC 2024
;; MSG SIZE rcvd: 229
I don't know if this is the root cause of the problem you're seeing, I just know that inconsistent delegations often lead to weird random issues with systems trying to resolve your domain.
Thanks for sharing your thoughts. Could you please advise us if you have any other tips on debugging this DNS delegation error? It would be helpful if you could share any other tips.
The core of it is that the nameservers listed with your registrar for your domain need to be the same as the nameservers listed by those authoritative DNS servers themselves.
If hns1.hyundaicard.com & hns2.hyundaicard.com are supposed to be the only DNS servers, then they should only return those two names when queried for the NS records for hyundaicard.com.
If hns1.hyundaicard.co.kr and hns2.hyundaicard.co.kr are supposed to also be DNS servers for the domain, then they should be listed at the registrar as well. (Though it seems weird that they both have the same IP address; that should probably be checked as well.)
The short of it is that you need to get your domain name working properly first, and only then can you get a certificate. Or at least, it makes it much harder to figure out what else might be wrong that would prevent you from getting a certificate.
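The dig walkthrough above and the summary in this last reply both come down to one check: the NS set the parent (.com) hands out must equal the NS set the zone's own servers return, and the glue addresses should be worth a second look. The script below is an added example, not code from anyone in the thread; it parses dig output with awk, reports the two kinds of mismatch, and flags addresses shared by several NS names. The sample data is copied from the dig output posted above, except the parent referral, which is reconstructed from the statement that the .com servers return only hns1/hns2.hyundaicard.com (its 172800 TTL is an assumption). The `live_check` function runs the same logic against real servers and needs dig and network access; `a.gtld-servers.net` is used there only as an illustrative parent server.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): compare the NS set a parent zone hands
# out with the NS set the child zone's own servers return, and flag glue
# addresses shared by several NS names.

# Constructed: what the .com servers are said to return for hyundaicard.com
# (the two names named in the thread; the 172800 TTL is an assumption).
SAMPLE_PARENT_REFERRAL='hyundaicard.com. 172800 IN NS hns1.hyundaicard.com.
hyundaicard.com. 172800 IN NS hns2.hyundaicard.com.'

# Copied from the dig @61.40.236.100 output posted above (ANSWER + ADDITIONAL).
SAMPLE_CHILD_DIG='hyundaicard.com. 3600 IN NS hns2.hyundaicard.co.kr.
hyundaicard.com. 3600 IN NS hns1.hyundaicard.co.kr.
hyundaicard.com. 3600 IN NS hns2.hyundaicard.com.
hyundaicard.com. 3600 IN NS hns1.hyundaicard.com.
hns1.hyundaicard.com. 3600 IN A 61.40.236.100
hns2.hyundaicard.co.kr. 3600 IN A 210.182.190.100
hns1.hyundaicard.co.kr. 3600 IN A 210.182.190.100
hns2.hyundaicard.com. 3600 IN A 210.182.190.100'

# stdin: dig output. Prints the NS target names from any section (ANSWER for
# an authoritative reply, AUTHORITY for a parent referral), lowercased,
# trailing dot removed, sorted and de-duplicated, one per line.
ns_names() {
  awk '$3 == "IN" && $4 == "NS" { sub(/\.$/, "", $5); print tolower($5) }' \
    | LC_ALL=C sort -u
}

# Prints the lines of $1 that do not occur in $2 (both newline-separated).
set_minus() {
  printf '%s\n' "$1" | awk -v rm="$2" '
    BEGIN { n = split(rm, a, "\n"); for (i = 1; i <= n; i++) if (a[i] != "") seen[a[i]] = 1 }
    $0 != "" && !seen[$0]'
}

# Compares the parent NS set ($1) with a child server's NS set ($2).
# Returns 0 when identical, 1 (after listing every mismatch) otherwise.
check_delegation() {
  local parent="$1" child="$2" rc=0 n
  for n in $(set_minus "$child" "$parent"); do
    echo "zone lists $n but the parent delegation does not"; rc=1
  done
  for n in $(set_minus "$parent" "$child"); do
    echo "parent delegation lists $n but the zone does not"; rc=1
  done
  return "$rc"
}

# stdin: dig output. Prints "IP: name name ..." for every address that carries
# more than one NS name.
duplicate_glue() {
  awk '$3 == "IN" && $4 == "A" { sub(/\.$/, "", $1); names[$5] = names[$5] " " tolower($1); cnt[$5]++ }
       END { for (ip in cnt) if (cnt[ip] > 1) print ip ":" names[ip] }' | LC_ALL=C sort
}

# Live version (needs dig and network; not used by the offline demo below).
# $1 = zone, $2 = a server for the parent zone, e.g. a.gtld-servers.net for .com.
live_check() {
  local zone="$1" parent_server="$2" parent child ns ip
  parent=$(dig +norecurse NS "$zone" @"$parent_server" | ns_names)
  for ns in $parent; do
    ip=$(dig +short A "$ns" | head -n 1)
    [ -n "$ip" ] || { echo "no A record for $ns"; continue; }
    echo "== $ns ($ip)"
    child=$(dig +norecurse NS "$zone" @"$ip" | ns_names)
    check_delegation "$parent" "$child" || true
    dig +norecurse NS "$zone" @"$ip" | duplicate_glue
  done
}

# Offline demo on the sample data: reports the two .co.kr names as absent from
# the parent delegation and 210.182.190.100 as glue shared by three names.
demo_parent=$(printf '%s\n' "$SAMPLE_PARENT_REFERRAL" | ns_names)
demo_child=$(printf '%s\n' "$SAMPLE_CHILD_DIG" | ns_names)
if check_delegation "$demo_parent" "$demo_child"; then
  echo "delegation consistent"
else
  echo "delegation INCONSISTENT"
fi
printf '%s\n' "$SAMPLE_CHILD_DIG" | duplicate_glue
```

Run it as-is for the offline demo, or call `live_check hyundaicard.com a.gtld-servers.net` from a shell that has dig. Because `ns_names` does not care which section a record came from, the same parser works for the authoritative answer from hns1/hns2 and for the referral the .com servers return (where the NS records sit in the AUTHORITY section).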