DNS problem: NXDOMAIN looking up A for domain name

Hi,

I’m trying to generate a cert for my domain (www.nithyasanghachat.org) and I get this error:

The following errors were reported by the server:
Domain: www.nithyasanghachat.org
Type: None
Detail: DNS problem: NXDOMAIN looking up A for
www.nithyasanghachat.org

Env:

  • My Ubuntu 14.04 instance is running on Amazon AWS EC2,
  • I had set up RecordSets in Route 53 as per documentation,
  • I have set my Elastic IP as the A record.
  • I have registered my domain name and got a confirmation as well
  • I’m trying to set up RocketChat in this Ubuntu instance as per their documentation (RocketChat letsencrypt step) and got stuck on step #4
  • I tested my domain in https://unboundtest.com/ and got this response:
    Response:
    ;; opcode: QUERY, status: NOERROR, id: 41305
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

Kindly help me resolve this issue.

Thanks,
Shiv

Hi @ishanashivam

there is no publicly visible IP address (checked with https://check-your-website.server-daten.de/?q=nithyasanghachat.org):

Host                      T     IP-Address   is auth.  ∑ Queries  ∑ Timeout
nithyasanghachat.org      A                  yes       1          0
                          AAAA               yes
www.nithyasanghachat.org        Name Error   yes       1          0

And Unboundtest doesn't find an answer:

ANSWER: 0

Answer 1 is required.

PS: Two days before:

Thanks for the swift response. When I checked my instance config in AWS, I see that it does have a public IPv4 address.

IPv4 Public IP
18.218.212.200

I also see that this is the IPv4 address that I had configured in my A record:
A 18.218.212.200

Is there anything else I need to do to make it public and available?

Using nslookup I don’t see your IP:

D:\temp>nslookup nithyasanghachat.org.  ns-1265.awsdns-30.org.
Server:  UnKnown
Address:  205.251.196.241

Name:    nithyasanghachat.org

The nameserver used is from https://check-your-website.server-daten.de/?q=nithyasanghachat.org - so it’s your name server.

I don’t know if these amazon nameservers are slow.

Oh - checking SOA they are slow:

D:\temp>nslookup -type=SOA nithyasanghachat.org.  ns-1265.awsdns-30.org.
Server:  UnKnown
Address:  205.251.196.241

nithyasanghachat.org
        primary name server = ns-1937.awsdns-50.co.uk
        responsible mail addr = awsdns-hostmaster.amazon.com
        serial  = 1
        refresh = 7200 (2 hours)
        retry   = 900 (15 mins)
        expire  = 1209600 (14 days)
        default TTL = 86400 (1 day)
nithyasanghachat.org    nameserver = ns-1265.awsdns-30.org
nithyasanghachat.org    nameserver = ns-1937.awsdns-50.co.uk
nithyasanghachat.org    nameserver = ns-383.awsdns-47.com
nithyasanghachat.org    nameserver = ns-842.awsdns-41.net

Ok, I installed certbot and attempted to perform the DNS challenge instead of the HTTP challenge. I had also set up an AWS user who has access to change record sets in Route 53. Then I set up those credentials in the Ubuntu VM to be used by certbot.

But now, I get this error:

DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.nithyasanghachat.org

Is there anything else that I need to do in AWS Route-53 config for the DNS challenge to succeed?

What’s the Certbot command you used, and what’s the full output of the command?

That’s an odd outcome (if it was configured correctly).

This was the command:

sudo certbot certonly -d nithyasanghachat.org -d *.nithyasanghachat.org --dns-route53 -m ishanashivam57@mail.com --agree-tos --non-interactive --server https://acme-v02.api.letsencrypt.org/directory

This was the output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found credentials in shared credentials file: ~/.aws/credentials
Plugins selected: Authenticator dns-route53, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for nithyasanghachat.org
dns-01 challenge for nithyasanghachat.org
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. nithyasanghachat.org (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.nithyasanghachat.org, nithyasanghachat.org (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.nithyasanghachat.org

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: nithyasanghachat.org
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.nithyasanghachat.org

    Domain: nithyasanghachat.org
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.nithyasanghachat.org

There are two Route 53 hosted zones for nithyasanghachat.org..

They both have these authoritative NS records:

nithyasanghachat.org.  172800  NS  ns-383.awsdns-47.com.
nithyasanghachat.org.  172800  NS  ns-842.awsdns-41.net.
nithyasanghachat.org.  172800  NS  ns-1265.awsdns-30.org.
nithyasanghachat.org.  172800  NS  ns-1937.awsdns-50.co.uk.

But one is in fact hosted on ns-1766.awsdns-28.co.uk. and 3 other com, net and org nameservers.

Certbot might be finding and modifying the hosted zone that isn’t in active use.

1 Like
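The diagnosis above (two hosted zones with the same name, both carrying the same apex NS records, but only one of them actually delegated by the parent) can be checked mechanically before running certbot. The following script is an added example, not code from this thread, from Certbot or from AWS. It assumes you gather the inputs yourself: each zone's assigned nameservers and apex NS record set from `aws route53 list-hosted-zones-by-name` / `aws route53 get-hosted-zone`, and the parent's published NS set from `dig +short NS <zone>`. The zone ids and three of the second zone's nameservers in the sample data are placeholders; the four live nameservers and ns-1766.awsdns-28.co.uk are the ones quoted in this thread.

```python
"""
Added example (not from the thread, Certbot or AWS): cross-check every Route 53
hosted zone for a name against the NS set the parent actually publishes, so a
duplicate, undelegated zone is spotted before a dns-01 challenge is written
into it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HostedZone:
    zone_id: str
    name: str
    delegation_set: frozenset   # nameservers AWS assigned to this zone (GetHostedZone DelegationSet)
    apex_ns: frozenset          # NS records stored at the zone apex (ListResourceRecordSets)


def normalize(names):
    """Lower-case, trim and strip the trailing dot so 'NS-1.Example.' equals 'ns-1.example'."""
    return frozenset(n.strip().lower().rstrip(".") for n in names if n.strip())


def parse_dig_short_ns(text):
    """Parse `dig +short NS` output (one nameserver per line) into a normalized set."""
    return normalize(text.splitlines())


def diagnose(zones, parent_ns):
    """Classify each hosted zone by whether the parent delegation points at it.

    live:             delegation set equals what the parent publishes; validators query these
    orphaned:         zone exists in Route 53 but nothing on the public Internet reaches it
    apex_ns_mismatch: the zone's own NS records name servers other than its delegation set
    """
    parent = normalize(parent_ns)
    report = {"live": [], "orphaned": [], "apex_ns_mismatch": []}
    for zone in zones:
        deleg = normalize(zone.delegation_set)
        if deleg == parent:
            report["live"].append(zone.zone_id)
        else:
            report["orphaned"].append(zone.zone_id)
        if normalize(zone.apex_ns) != deleg:
            report["apex_ns_mismatch"].append(zone.zone_id)
    report["duplicate_zones"] = len(zones) > 1
    return report


def challenge_record_visible(report, zone_written_to):
    """A dns-01 TXT record reaches the validator only if it was written into a live zone."""
    return zone_written_to in report["live"]


# Constructed sample mirroring the thread. The parent delegates to the four
# awsdns servers shown in the SOA lookup earlier in the thread.
PARENT_NS_DIG_OUTPUT = """\
ns-1265.awsdns-30.org.
ns-1937.awsdns-50.co.uk.
ns-383.awsdns-47.com.
ns-842.awsdns-41.net.
"""

LIVE_SET = frozenset({
    "ns-1265.awsdns-30.org", "ns-1937.awsdns-50.co.uk",
    "ns-383.awsdns-47.com", "ns-842.awsdns-41.net",
})
# The second zone really lives on ns-1766.awsdns-28.co.uk plus three servers the
# thread does not name; those three and both zone ids are placeholders.
STALE_SET = frozenset({
    "ns-1766.awsdns-28.co.uk", "ns-PLACEHOLDER-1.awsdns-xx.com",
    "ns-PLACEHOLDER-2.awsdns-xx.net", "ns-PLACEHOLDER-3.awsdns-xx.org",
})

SAMPLE_ZONES = [
    HostedZone("ZONE-ID-PLACEHOLDER-1", "nithyasanghachat.org", LIVE_SET, LIVE_SET),
    # Both zones carry the same apex NS records, as the thread reports.
    HostedZone("ZONE-ID-PLACEHOLDER-2", "nithyasanghachat.org", STALE_SET, LIVE_SET),
]


def run_sample():
    """Run the check over the constructed data and return the report."""
    return diagnose(SAMPLE_ZONES, parse_dig_short_ns(PARENT_NS_DIG_OUTPUT))


if __name__ == "__main__":
    result = run_sample()
    for key, value in result.items():
        print(f"{key}: {value}")
    for zone in SAMPLE_ZONES:
        print(zone.zone_id, "challenge visible:",
              challenge_record_visible(result, zone.zone_id))
```

Any zone in `orphaned` is a candidate for the failure seen in this thread: a TXT record written there is invisible to the Let's Encrypt validator, which follows the parent delegation and therefore reports NXDOMAIN. An entry in `apex_ns_mismatch` is the tell-tale of a zone whose NS records were copied from another zone rather than reflecting its own delegation set. Deleting the orphaned zone (or making sure only one hosted zone exists per name) removes the ambiguity for tools that look zones up by name.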

Wow, I don't know why the Route 53 registrar created one more HostedZone while I was creating one.
In any case, I deleted the HostedZone in whose config I kept adding recordsets.

Now when I ran the same command, my certificate got created. Yay!!!
Thanks for that valuable pointer.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.