DNS Problem: NXDOMAIN looking for a domain

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

Situation: I am hosting my own secure nodes for crypto currency, if this is not allowed then let me know and I will remove it from my process. If it is ok, then please help. This is set up on a xenserver stack. Firewall is a Sonicwall 2400’s in HA, Ubuntu firewall is allowing ports 80 and 443 through. These are External IPv6 ONLY VM’s. they do have a second nic that is on an internal management network that is ipv4. Also I have added an A record for this domain, but there is no IPv4 address on this VM so I tried pointing it at a firewall. That did not work. I do not see how to add an A record for an IPv6 address, everything I have read says you don’t.
Thanks in advance.

My domain is: node215.idahodigitalholdings.com

I ran this command: sudo certbot certonly -n --agree-tos --register-unsafely-without-email --standalone -d $FQDN

It produced this output: Cleaning up challenges
An unexpected error occurred:
Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 377, in _make_request
httplib_response = conn.getresponse(buffering=True)
TypeError: getresponse() got an unexpected keyword argument ‘buffering’

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 379, in _make_request
httplib_response = conn.getresponse()
File “/usr/lib/python3.5/http/client.py”, line 1197, in getresponse
response.begin()
File “/usr/lib/python3.5/http/client.py”, line 297, in begin
version, status, reason = self._read_status()
File “/usr/lib/python3.5/http/client.py”, line 258, in _read_status
line = str(self.fp.readline(_MAXLINE + 1), “iso-8859-1”)
File “/usr/lib/python3.5/socket.py”, line 575, in readinto
return self._sock.recv_into(b)
File “/usr/lib/python3.5/ssl.py”, line 929, in recv_into
return self.read(nbytes, buffer)
File “/usr/lib/python3.5/ssl.py”, line 791, in read
return self._sslobj.read(len, buffer)
File “/usr/lib/python3.5/ssl.py”, line 575, in read
v = self._sslobj.read(len, buffer)
socket.timeout: The read operation timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/requests/adapters.py”, line 376, in send
timeout=timeout
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 610, in urlopen
_stacktrace=sys.exc_info()[2])
File “/usr/lib/python3/dist-packages/urllib3/util/retry.py”, line 247, in incr ement
raise six.reraise(type(error), error, _stacktrace)
File “/usr/lib/python3/dist-packages/six.py”, line 693, in reraise
raise value
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 560, in urlopen
body=body, headers=headers)
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 381, in _make_request
self._raise_timeout(err=e, url=url, timeout_value=read_timeout)
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 309, in _raise_timeout
raise ReadTimeoutError(self, url, “Read timed out. (read timeout=%s)” % time out_value)
requests.packages.urllib3.exceptions.ReadTimeoutError: HTTPSConnectionPool(host= ‘acme-v02.api.letsencrypt.org’, port=443): Read timed out. (read timeout=45)

During handling of the above exception, another exception occurred:

requests.exceptions.ReadTimeout: HTTPSConnectionPool(host=‘acme-v02.api.letsencr ypt.org’, port=443): Read timed out. (read timeout=45)
Please see the logfiles in /var/log/letsencrypt for more details.
wade@node023:~$

My web server is (include version): 2001550, Horizen Secure Node

The operating system my web server runs on is (include version): Ubuntu 16.04, updated today

My hosting provider, if applicable, is: Self, Xenserver Stack

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): root access to vm.

2

Hi,

Sorry for the late response, could you please provide us a few more details?

  1. Does your node allow traffic to outside domains / servers unrestricted? (Since this is saying that they can’t connect to Let’s Encrypt endpoints)
  2. Do you mind to share us a few outputs:
    curl -vvvvv https://acme-v02.api.letsencrypt.org/
    dig acme-v02.api.letsencrypt.org
    traceroute acme-v02.api.letsencrypt.org

Thank you

1 Like
3

Thank you for the reply! Server access is unrestricted as far as I can tell. I am the admin and I control the firewalls. :slightly_smiling_face: I included the current ipv4 test, but these servers are normally ipv6 only. Both routs fail. The ipv6 is going through an he.net tunnel. Also this failed after several were successful.

url -vvvvv https://acme-v02.api.letsencrypt.org/

  • Trying 2600:1409:12:380::3a8e...
  • Connected to acme-v02.api.letsencrypt.org (2600:1409:12:380::3a8e) port 443 (#0)
  • found 148 certificates in /etc/ssl/certs/ca-certificates.crt
  • found 594 certificates in /etc/ssl/certs
  • ALPN, offering http/1.1
  • SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
  • server certificate verification OK
  • server certificate status verification SKIPPED
  • common name: acme-v02.api.letsencrypt.org (matched)
  • server certificate expiration date OK
  • server certificate activation date OK
  • certificate public key: RSA
  • certificate version: #3
  • subject: CN=acme-v02.api.letsencrypt.org
  • start date: Fri, 12 Oct 2018 01:36:41 GMT
  • expire date: Thu, 10 Jan 2019 01:36:41 GMT
  • issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
  • compression: NULL
  • ALPN, server accepted to use http/1.1

GET / HTTP/1.1

Host: acme-v02.api.letsencrypt.org

User-Agent: curl/7.47.0

Accept: /

< HTTP/1.1 200 OK

< Server: nginx

< Content-Type: text/html

< Content-Length: 2174

< Last-Modified: Fri, 02 Feb 2018 23:46:37 GMT

< ETag: "5a74f85d-87e"

< X-Frame-Options: DENY

< Strict-Transport-Security: max-age=604800

< Accept-Ranges: bytes

< Expires: Sun, 02 Dec 2018 05:47:14 GMT

< Cache-Control: max-age=0, no-cache, no-store

< Pragma: no-cache

< Date: Sun, 02 Dec 2018 05:47:14 GMT

< Connection: keep-alive

<

Boulder: The Let's Encrypt CA 

  <div class="col-xs-6 text-left">
    <h1>Boulder<br>
    <small>The Let's Encrypt CA</small></h1>
  </div>
</div>

<div class="row">
  <div class="col-xs-8 col-xs-offset-2 text-center">
    <h3>This is an <a href="https://github.com/letsencrypt/acme-spec/">ACME</a> Certificate Authority running <a href="https://github.com/letsencrypt/boulder">Boulder</a>.</h3>
    <p>This is a <em>programmatic</em> endpoint, an API for a computer to talk to. You should probably be using a specialized client to utilize the service, and not your web browser. See <a href="https://letsencrypt.org/"><tt>https://letsencrypt.org/</tt></a> for help.</p>
    <p>If you're trying to use this service, note that the starting point, <em>the directory</em>, is available at this URL: <a href="https://acme-v02.api.letsencrypt.org/directory"><tt>https://acme-v02.api.letsencrypt.org/directory</a></tt>.</p>
  </div>
</div>
<div class="row">
  <div class="col-xs-4 col-xs-offset-2 text-center">
    <p><a href="https://letsencrypt.status.io" title="Twitter">
      <i class="fa fa-area-chart"></i>
      Service Status (letsencrypt.status.io)
    </a></p>
  </div>
  <div class="col-xs-4 text-center">
    <p><a href="https://twitter.com/letsencrypt" title="Twitter">
      <i class="fa fa-twitter"></i>
      Check with us on Twitter
    </a></p>
  </div>
</div> <!-- row -->
* Connection #0 to host acme-v02.api.letsencrypt.org left intact e]0;wade@node215: ~awade@node215:~$ dig acme-v02.api.letsencrypt.org

; <<>> DiG 9.10.3-P4-Ubuntu <<>> acme-v02.api.letsencrypt.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38110
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;acme-v02.api.letsencrypt.org. IN A

;; ANSWER SECTION:
acme-v02.api.letsencrypt.org. 6877 IN CNAME api.letsencrypt.org-ng.edgekey.net.
api.letsencrypt.org-ng.edgekey.net. 20679 IN CNAME e14990.dscx.akamaiedge.net.
e14990.dscx.akamaiedge.net. 19 IN A 23.204.46.90

;; Query time: 60 msec
;; SERVER: 2001:4860:4860::8888#53(2001:4860:4860::8888)
;; WHEN: Sat Dec 01 22:47:26 MST 2018
;; MSG SIZE rcvd: 158

e
e]0;node215: ~anode215:~$ sudo apt-get tracerouteitraceroutentraceroutestraceroutee[Ctracerouteatracerouteltracerouteltraceroute traceroute

Reading package lists... 0%

Reading package lists... 100%

Reading package lists... Done

Building dependency tree... 0%

Building dependency tree... 0%

Building dependency tree... 50%

Building dependency tree... 50%

Building dependency tree

Reading state information... 0%

Reading state information... 0%

Reading state information... Done

The following NEW packages will be installed:
traceroute
0 upgraded, 1 newly installed, 0 to remove and 11 not upgraded.
Need to get 45.5 kB of archives.
After this operation, 177 kB of additional disk space will be used.

0% [Working]

Get:1 Index of /ubuntu xenial/universe amd64 traceroute amd64 1:2.0.21-1 [45.5 kB]

2% [1 traceroute 1,127 B/45.5 kB 2%]

100% [Working]

Fetched 45.5 kB in 0s (80.4 kB/s)
Selecting previously unselected package traceroute.
(Reading database ...
(Reading database ... 5%
(Reading database ... 10%
(Reading database ... 15%
(Reading database ... 20%
(Reading database ... 25%
(Reading database ... 30%
(Reading database ... 35%
(Reading database ... 40%
(Reading database ... 45%
(Reading database ... 50%
(Reading database ... 55%
(Reading database ... 60%
(Reading database ... 65%
(Reading database ... 70%
(Reading database ... 75%
(Reading database ... 80%
(Reading database ... 85%
(Reading database ... 90%
(Reading database ... 95%
(Reading database ... 100%
(Reading database ... 68439 files and directories currently installed.)
Preparing to unpack .../traceroute_1%3a2.0.21-1_amd64.deb ...
Unpacking traceroute (1:2.0.21-1) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up traceroute (1:2.0.21-1) ...
update-alternatives: using /usr/bin/traceroute.db to provide /usr/bin/traceroute (traceroute) in auto mode
update-alternatives: using /usr/bin/lft.db to provide /usr/bin/lft (lft) in auto mode
update-alternatives: using /usr/bin/traceproto.db to provide /usr/bin/traceproto (traceproto) in auto mode
update-alternatives: using /usr/sbin/tcptraceroute.db to provide /usr/sbin/tcptraceroute (tcptraceroute) in auto mode

4

curl -vvvvv https://acme-v02.api.letsencrypt.org/

  • Trying 2600:1409:12:380::3a8e...
  • Connected to acme-v02.api.letsencrypt.org (2600:1409:12:380::3a8e) port 443 (#0)
  • found 148 certificates in /etc/ssl/certs/ca-certificates.crt
  • found 594 certificates in /etc/ssl/certs
  • ALPN, offering http/1.1
  • SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
  • server certificate verification OK
  • server certificate status verification SKIPPED
  • common name: acme-v02.api.letsencrypt.org (matched)
  • server certificate expiration date OK
  • server certificate activation date OK
  • certificate public key: RSA
  • certificate version: #3
  • subject: CN=acme-v02.api.letsencrypt.org
  • start date: Fri, 12 Oct 2018 01:36:41 GMT
  • expire date: Thu, 10 Jan 2019 01:36:41 GMT
  • issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
  • compression: NULL
  • ALPN, server accepted to use http/1.1

GET / HTTP/1.1

Host: acme-v02.api.letsencrypt.org

User-Agent: curl/7.47.0

Accept: /

< HTTP/1.1 200 OK

< Server: nginx

< Content-Type: text/html

< Content-Length: 2174

< Last-Modified: Fri, 02 Feb 2018 23:46:37 GMT

< ETag: "5a74f85d-87e"

< X-Frame-Options: DENY

< Strict-Transport-Security: max-age=604800

< Accept-Ranges: bytes

< Expires: Sun, 02 Dec 2018 05:47:14 GMT

< Cache-Control: max-age=0, no-cache, no-store

< Pragma: no-cache

< Date: Sun, 02 Dec 2018 05:47:14 GMT

< Connection: keep-alive

<

Boulder: The Let's Encrypt CA 

  <div class="col-xs-6 text-left">
    <h1>Boulder<br>
    <small>The Let's Encrypt CA</small></h1>
  </div>
</div>

<div class="row">
  <div class="col-xs-8 col-xs-offset-2 text-center">
    <h3>This is an <a href="https://github.com/letsencrypt/acme-spec/">ACME</a> Certificate Authority running <a href="https://github.com/letsencrypt/boulder">Boulder</a>.</h3>
    <p>This is a <em>programmatic</em> endpoint, an API for a computer to talk to. You should probably be using a specialized client to utilize the service, and not your web browser. See <a href="https://letsencrypt.org/"><tt>https://letsencrypt.org/</tt></a> for help.</p>
    <p>If you're trying to use this service, note that the starting point, <em>the directory</em>, is available at this URL: <a href="https://acme-v02.api.letsencrypt.org/directory"><tt>https://acme-v02.api.letsencrypt.org/directory</a></tt>.</p>
  </div>
</div>
<div class="row">
  <div class="col-xs-4 col-xs-offset-2 text-center">
    <p><a href="https://letsencrypt.status.io" title="Twitter">
      <i class="fa fa-area-chart"></i>
      Service Status (letsencrypt.status.io)
    </a></p>
  </div>
  <div class="col-xs-4 text-center">
    <p><a href="https://twitter.com/letsencrypt" title="Twitter">
      <i class="fa fa-twitter"></i>
      Check with us on Twitter
    </a></p>
  </div>
</div> <!-- row -->
* Connection #0 to host acme-v02.api.letsencrypt.org left intact
5

Website has locked me out do to the captures having url’s in them. Please delete this thread. Issue was not to do with Certbot or LetsEncrypt. It was an mtu mismatch.
Thanks

6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.