DNS problem: NXDOMAIN looking up A for domain


My domain is: gashiandkinks.com

I ran this command: sudo certbot certonly --standalone --email mygashi@domain.com -d jester.gashiandkinks.com

It produced this output: Failed authorization procedure. jester.gashiandkinks.com (tls-sni-01): urn:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for jester.gashiandkinks.com

My web server is (include version): Winstone

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: aws

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The IP address was not publicly accessible at first, but another issue posted on here led me to correct that mistake by making the IP publicly accessible.

Now when I run the sudo certbot certonly --standalone --email mygashi@domain.com -d jester.gashiandkinks.com with --dry-run option I still get the same error:

Failed authorization procedure. jester.gashiandkinks.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for jester.gashiandkinks.com

I expect different results because IP is now publicly accessible. Is this assumption correct?

One of your authoritative nameservers for that domain returns NXDOMAIN when queried for the jester subdomain. I believe Let’s Encrypt picks a random authoritative nameserver, but it’s possible they now ask all nameservers. I’d investigate why ns-1676.awsdns-17.co.uk is returning NXDOMAIN and go from there.

Maybe it is related to a propagation issue on Route 53 service https://status.aws.amazon.com/

Screenshot only shows the North America region but all the regions are having the same problems.

Cheers,
sahsanu

That shouldn’t affect it, unless this is a new DNS record, and Route 53 propagates to other Route 53 resolvers.

Maybe, but now all servers return the right info :wink:

$ dig @ns-1320.awsdns-37.org jester.gashiandkinks.com +short
18.220.10.64
$ dig @ns-1676.awsdns-17.co.uk jester.gashiandkinks.com +short
18.220.10.64
$ dig @ns-72.awsdns-09.com jester.gashiandkinks.com +short
18.220.10.64
$ dig @ns-871.awsdns-44.net jester.gashiandkinks.com +short 
18.220.10.64
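
An added example, not part of the original thread: a shell script that asks each authoritative nameserver directly, as the dig commands above do, and fails if any of them returns NXDOMAIN or a different A record. It assumes `dig` is installed and that the zone name is passed separately from the hostname; the function names are made up for this example.

```bash
#!/bin/sh
# Added example: confirm every authoritative nameserver agrees on a
# hostname's A record before requesting a certificate for it.
# Usage: sh check_ns.sh ZONE HOSTNAME   (script name is hypothetical)

# parse_dig: read `dig +noall +comments +answer` output on stdin and
# print "<rcode> <sorted,comma-separated A records or ->".
parse_dig() (
  out=$(cat)
  rcode=$(printf '%s\n' "$out" |
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n1)
  addrs=$(printf '%s\n' "$out" |
    awk '!/^;/ && $4 == "A" { print $5 }' | sort | paste -sd, -)
  # No header at all means the server never answered.
  printf '%s %s\n' "${rcode:-NOREPLY}" "${addrs:--}"
)

# summarize: read "<nameserver> <rcode> <addrs>" lines, echo them, and
# succeed only if all servers said NOERROR with the same address set.
summarize() {
  awk '
    { print }
    $2 != "NOERROR" || $3 == "-" { bad = 1 }
    NR > 1 && $3 != first        { bad = 1 }
    NR == 1                      { first = $3 }
    END { exit (bad || NR == 0) }'
}

# check_host: query each NS of ZONE for HOSTNAME without recursion,
# so a stale or missing record on one server is not hidden by a cache.
check_host() (
  zone=$1 host=$2
  for ns in $(dig +short NS "$zone" | sort); do
    printf '%s %s\n' "$ns" "$(dig @"$ns" "$host" A \
      +norecurse +noall +comments +answer | parse_dig)"
  done | summarize
)

# Only touch the network when both arguments are given.
if [ "$#" -eq 2 ]; then
  check_host "$1" "$2"
fi
```

A non-zero exit status means at least one nameserver disagreed or did not answer; the printed lines show which one.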

Thank you for helping troubleshoot. Appreciate your feedback. Issue is resolved now. Probably had to do with the DNS propagation.

2 Likes

You are welcome, but @jared.m did the troubleshooting; he detected an issue with one of your name servers… I just checked the Amazon status page :wink:

1 Like

Thank you @jared.m :smile:

1 Like
