"DNS problem: NXDOMAIN looking up A for <domain>" issue

My domain is: crmsim.pl, www.crmsim.pl, crmsim.com, www.crmsim.com

I ran this command:Using Sophos UTM, so command is automated (part of log provided further down)

It produced this output: See log below

My web server is (include version):IIS, but hidden behind Sophos UTM 9 (i.e. Sophos is responsible for handling the LE certificate process)

The log is as follows:

I Renew certificate: handling CSR REF_CaCsrCrmsim for domain set [crimsim.pl,crmsim.com,www.crmsim.pl,www.crmsim.com]
I Renew certificate: running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -x -f /var/storage/chroot-reverseproxy/usr/dehydrated/conf/config -c --accept-terms --domain crimsim.pl --domain crmsim.com --domain www.crmsim.pl --domain www.crmsim.com
I Renew certificate: command completed with exit code 256
E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: {
E Renew certificate: COMMAND_FAILED: "type": "http-01",
E Renew certificate: COMMAND_FAILED: "status": "invalid",
E Renew certificate: COMMAND_FAILED: "error": {
E Renew certificate: COMMAND_FAILED: "type": "urn:acme:error:dns",
E Renew certificate: COMMAND_FAILED: "detail": "DNS problem: NXDOMAIN looking up A for crimsim.pl",
E Renew certificate: COMMAND_FAILED: "status": 400
E Renew certificate: COMMAND_FAILED: },
E Renew certificate: COMMAND_FAILED: "uri": "https://acme-v01.api.letsencrypt.org/acme/chall-v3/276248160/ig4fSw",
E Renew certificate: COMMAND_FAILED: "token": "7eTjCF0PQYy6MAVeYEfAwYf3dNZMvVIw6q4lkX0kcqo"
E Renew certificate: COMMAND_FAILED: })\

As far as I can tell (my own NSLOOKUP queries) all addresses correctly point to the same IP: 185.68.25.138, but only CRMSIM.PL seems to fail. A noteworthy fact is that this domain has been set up recently, so it MIGHT be a matter of propagation; but all queries to various public DNS providers all show the correct DNS records.

PS. I can correctly generate a certificate for (WWW.)CRMSIM.COM. So the problem is with the .PL domain.

Hi @mbender

that domain doesn’t have an A- or AAAA entry - https://check-your-website.server-daten.de/?q=crimsim.pl

Host T IP-Address is auth. ∑ Queries ∑ Timeout
crimsim.pl Name Error yes 1 0
www.crimsim.pl Name Error yes 1 0

The domain is unknown - Grade U.

Your www.crmsim.com has an ip address, perhaps add the same A entry to your pl domain.

That’s… odd. I can definitely ping the server from different machines, and if I check the domain using something like https://centralops.net/co/ then the A records are there…

I guess it’s a propagation issue caused by the domain being new?

Using that tool there is no A record:

lookup failed crimsim.pl
Could not find an IP address for this domain name.

And the “check-your-website” tool queries the authoritative name servers, so it’s not a caching problem.

Oh, it’s simple, it’s a typo.

Your list

Your error message:

So your command has used the wrong domain.

Wow… Ooops… :confounded:

EDIT: Wow… I definitely didn’t mistype it! It seems to be an issue with Sophos. Anyway, thanks. I’m investigating on my end.

1 Like