DNS problem: NXDOMAIN looking up A for domain name


#1

Hi,

I’m trying to generate a cert for my domain (www.nithyasanghachat.org) and I get this error:

The following errors were reported by the server:
Domain: www.nithyasanghachat.org
Type: None
Detail: DNS problem: NXDOMAIN looking up A for
www.nithyasanghachat.org

Env:

  • My Ubuntu 14.04 instance is running on Amazon AWS EC2,
  • I had set up record sets in Route 53 as per the documentation,
  • I have set my Elastic IP as the A record,
  • I have registered my domain name and got a confirmation as well,
  • I’m trying to set up RocketChat in this Ubuntu instance as per their documentation (RocketChat letsencrypt step) and got stuck on step #4,
  • I tested my domain in https://unboundtest.com/ and got this response:
    Response:
    ;; opcode: QUERY, status: NOERROR, id: 41305
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

Kindly help me resolve this issue.

Thanks,
Shiv


#2

Hi @ishanashivam

there is no public visible ip address ( https://check-your-website.server-daten.de/?q=nithyasanghachat.org ):

Host                      T           IP-Address   is auth.   ∑ Queries   ∑ Timeout
nithyasanghachat.org      A                        yes        1           0
                          AAAA                     yes
www.nithyasanghachat.org  Name Error               yes        1           0

And Unboundtest doesn’t find an answer:

ANSWER: 0

Answer 1 is required.


#3

PS: Two days before:


#4

Thanks for the swift response. When I checked my instance config in AWS, I see that it does have a public ipv4 address.

IPv4 Public IP
18.218.212.200

I also see that this is the ipv4 that I had configured in my A record:
A 18.218.212.200

Is there anything else I need to do to make it public and available?


#5

Using nslookup I don’t see your IP:

D:\temp>nslookup nithyasanghachat.org.  ns-1265.awsdns-30.org.
Server:  UnKnown
Address:  205.251.196.241

Name:    nithyasanghachat.org

The nameserver used is from https://check-your-website.server-daten.de/?q=nithyasanghachat.org - so it’s your name server.

I don’t know if these amazon nameservers are slow.

Oh - checking SOA they are slow:

D:\temp>nslookup -type=SOA nithyasanghachat.org.  ns-1265.awsdns-30.org.
Server:  UnKnown
Address:  205.251.196.241

nithyasanghachat.org
        primary name server = ns-1937.awsdns-50.co.uk
        responsible mail addr = awsdns-hostmaster.amazon.com
        serial  = 1
        refresh = 7200 (2 hours)
        retry   = 900 (15 mins)
        expire  = 1209600 (14 days)
        default TTL = 86400 (1 day)
nithyasanghachat.org    nameserver = ns-1265.awsdns-30.org
nithyasanghachat.org    nameserver = ns-1937.awsdns-50.co.uk
nithyasanghachat.org    nameserver = ns-383.awsdns-47.com
nithyasanghachat.org    nameserver = ns-842.awsdns-41.net

#6

Ok, I installed certbot and attempted to perform the DNS challenge instead of the HTTP challenge. I had also set up an AWS user who has access to change record sets in Route 53. Then I set up those credentials in the Ubuntu VM to be used by certbot.

But now, I get this error:

DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.nithyasanghachat.org

Is there anything else that I need to do in AWS Route-53 config for the DNS challenge to succeed?


#7

What’s the Certbot command you used, and what’s the full output of the command?

That’s an odd outcome (if it was configured correctly).


#8

This was the command:

sudo certbot certonly -d nithyasanghachat.org -d *.nithyasanghachat.org --dns-route53 -m ishanashivam57@mail.com --agree-tos --non-interactive --server https://acme-v02.api.letsencrypt.org/directory

This was the output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found credentials in shared credentials file: ~/.aws/credentials
Plugins selected: Authenticator dns-route53, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for nithyasanghachat.org
dns-01 challenge for nithyasanghachat.org
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. nithyasanghachat.org (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.nithyasanghachat.org, nithyasanghachat.org (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.nithyasanghachat.org

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: nithyasanghachat.org
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.nithyasanghachat.org

    Domain: nithyasanghachat.org
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.nithyasanghachat.org


#9

There are two Route 53 hosted zones for nithyasanghachat.org.

They both have these authoritative NS records:

nithyasanghachat.org.  172800  NS  ns-383.awsdns-47.com.
nithyasanghachat.org.  172800  NS  ns-842.awsdns-41.net.
nithyasanghachat.org.  172800  NS  ns-1265.awsdns-30.org.
nithyasanghachat.org.  172800  NS  ns-1937.awsdns-50.co.uk.

But one is in fact hosted on ns-1766.awsdns-28.co.uk. and 3 other com, net and org nameservers.

Certbot might be finding and modifying the hosted zone that isn’t in active use.
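The check behind this diagnosis, as an added example that is not code from this thread, from Certbot or from AWS: compare the NS set the public delegation actually returns for the apex with the NS set of each Route 53 hosted zone carrying that name. A hosted zone whose nameservers do not match the delegation is one no resolver will ever consult, so any TXT record written there (such as the dns-01 `_acme-challenge` record) is invisible to the validator. The hosted-zone data below is constructed to mirror the situation in the thread; the zone IDs and the three nameservers listed beside ns-1766.awsdns-28.co.uk are placeholders, and the dict shape only loosely follows the `DelegationSet` that boto3's `get_hosted_zone` returns.

```python
"""Find which Route 53 hosted zone the public DNS delegation really points at.

Added example (not from the thread, Certbot or AWS).  All hosted-zone data is
constructed; IDs and the nameservers marked PLACEHOLDER are not real values.
"""

import re

# Constructed: the NS answer a public resolver returns for the apex, in the
# "<owner> <ttl> NS <target>" layout quoted in the thread.
PUBLIC_NS_ANSWER = """\
nithyasanghachat.org.  172800  NS  ns-383.awsdns-47.com.
nithyasanghachat.org.  172800  NS  ns-842.awsdns-41.net.
nithyasanghachat.org.  172800  NS  ns-1265.awsdns-30.org.
nithyasanghachat.org.  172800  NS  ns-1937.awsdns-50.co.uk.
"""

# Constructed: two hosted zones with the same name, as in the thread.  Only
# the first one's nameservers match the public delegation above.
HOSTED_ZONES = [
    {
        "Id": "/hostedzone/ZPLACEHOLDER1",
        "Name": "nithyasanghachat.org.",
        "NameServers": [
            "ns-383.awsdns-47.com",
            "ns-842.awsdns-41.net",
            "ns-1265.awsdns-30.org",
            "ns-1937.awsdns-50.co.uk",
        ],
    },
    {
        "Id": "/hostedzone/ZPLACEHOLDER2",
        "Name": "nithyasanghachat.org.",
        "NameServers": [
            "ns-1766.awsdns-28.co.uk",
            "ns-PLACEHOLDER-A.awsdns-00.com",
            "ns-PLACEHOLDER-B.awsdns-00.net",
            "ns-PLACEHOLDER-C.awsdns-00.org",
        ],
    },
]

# Accepts "owner ttl NS target" and "owner ttl IN NS target" lines.
NS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(?:IN\s+)?NS\s+(\S+)$", re.IGNORECASE)


def normalize(name: str) -> str:
    """DNS names compare case-insensitively and the trailing dot is optional."""
    return name.strip().lower().rstrip(".")


def parse_ns_answer(text: str) -> dict:
    """Parse NS records into {owner: {nameserver, ...}}; non-NS lines are skipped."""
    result = {}
    for line in text.splitlines():
        match = NS_LINE.match(line.strip())
        if not match:
            continue
        owner, _ttl, target = match.groups()
        result.setdefault(normalize(owner), set()).add(normalize(target))
    return result


def classify_zones(zones, public_answer: str, domain: str) -> dict:
    """Split the hosted zones named `domain` into the one the public delegation
    matches ("active") and any that no resolver will ever reach ("stray")."""
    delegated = parse_ns_answer(public_answer).get(normalize(domain), set())
    active, stray = [], []
    for zone in zones:
        if normalize(zone["Name"]) != normalize(domain):
            continue  # a different zone entirely, not a duplicate
        zone_ns = {normalize(n) for n in zone["NameServers"]}
        (active if zone_ns == delegated else stray).append(zone["Id"])
    return {"delegated_ns": sorted(delegated), "active": active, "stray": stray}


if __name__ == "__main__":
    report = classify_zones(HOSTED_ZONES, PUBLIC_NS_ANSWER, "nithyasanghachat.org")
    print("public delegation:", ", ".join(report["delegated_ns"]))
    print("hosted zone(s) matching the delegation:", report["active"])
    if report["stray"]:
        print("hosted zone(s) no resolver consults:", report["stray"])
        print("records added there, e.g. the _acme-challenge TXT, never reach the validator")
```

In practice you would feed `PUBLIC_NS_ANSWER` from `dig NS <domain> +noall +answer` and `HOSTED_ZONES` from the Route 53 API; the matching logic is the same, and a non-empty `stray` list is the signal that the zone certbot edits may not be the zone the world sees.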


#10

Wow, I don’t know why the Route 53 registrar created one more hosted zone while I was creating one.
In any case, I deleted the hosted zone in whose config I kept adding record sets.

Now when I ran the same command, my certificate got created. Yay!!!
Thanks for that valuable pointer.

