DNS problem: NXDOMAIN looking up A for hostname.mydomain.tld

Hello,

I’m playing with certbot to collect some confidence before putting it into production. A month and some days ago I successfully issued a certificate for certeval.mishinev.net. Now, when I’m trying to renew the certificate, certbot reports this error.

[root@certeval ~]# certbot renew --staging --force-renewal --preferred-challenges http
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/certeval.mishinev.net.conf

Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org

Renewing an existing certificate
Performing the following challenges:
http-01 challenge for certeval.mishinev.net
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (certeval.mishinev.net) from /etc/letsencrypt/renewal/certeval.mishinev.net.conf produced an unexpected error: Failed authorization procedure. certeval.mishinev.net (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for certeval.mishinev.net. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/certeval.mishinev.net/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/certeval.mishinev.net/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: certeval.mishinev.net
    Type: connection
    Detail: DNS problem: NXDOMAIN looking up A for
    certeval.mishinev.net

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
    [root@certeval ~]#

There are no changes in the DNS records of the domain since the first certificate was issued. Here is what Google DNS returns for the host:

[root@certeval letsencrypt]# dig +short A certeval.mishinev.net @8.8.8.8
193.68.134.129
[root@certeval letsencrypt]# dig +short A certeval.mishinev.net @8.8.4.4
193.68.134.129
[root@certeval letsencrypt]#

and here is the content of letsencrypt.log:

2018-01-24 10:27:21,520:DEBUG:certbot.main:certbot version: 0.20.0
2018-01-24 10:27:21,520:DEBUG:certbot.main:Arguments: ['--staging', '--force-renewal', '--preferred-challenges', 'http']
2018-01-24 10:27:21,520:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-01-24 10:27:21,537:DEBUG:certbot.log:Root logging level set at 20
2018-01-24 10:27:21,537:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-01-24 10:27:21,556:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x225e710> and installer <certbot.cli._Default object at 0x225e710>
2018-01-24 10:27:21,558:DEBUG:certbot.renewal:Auto-renewal forced with --force-renewal...
2018-01-24 10:27:21,560:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2018-01-24 10:27:21,577:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x213b690>
Prep: True
2018-01-24 10:27:21,577:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x213b690> and installer None
2018-01-24 10:27:21,577:INFO:certbot.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2018-01-24 10:27:21,604:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, contact=(u'mailto:stoyan.mishinev@gmail.com',), agreement=u'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x16f0cd0>)>)), uri=u'https://acme-staging.api.letsencrypt.org/acme/reg/5248369', new_authzr_uri=u'https://acme-staging.api.letsencrypt.org/acme/new-authz', terms_of_service=u'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'), bbb301070a3c30e1588cbe89dcca6203, Meta(creation_host=u'localhost.localdomain', creation_dt=datetime.datetime(2017, 12, 18, 19, 28, 32, tzinfo=)))>
2018-01-24 10:27:21,609:DEBUG:acme.client:Sending GET request to https://acme-staging.api.letsencrypt.org/directory.
2018-01-24 10:27:21,612:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
2018-01-24 10:27:22,583:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 582
2018-01-24 10:27:22,584:DEBUG:acme.client:Received response:
HTTP 200
content-length: 582
expires: Wed, 24 Jan 2018 10:27:22 GMT
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Wed, 24 Jan 2018 10:27:22 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 4UJFwef0vwjHWndLOgrSZG2eb_d9V8vb-VB2gjuhR60

{
  "RLOG8ugXqm4": "Adding random entries to the directory",
  "key-change": "https://acme-staging.api.letsencrypt.org/acme/key-change",
  "meta": {
    "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
  },
  "new-authz": "https://acme-staging.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-staging.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-staging.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-staging.api.letsencrypt.org/acme/revoke-cert"
}
2018-01-24 10:27:22,584:INFO:certbot.main:Renewing an existing certificate
2018-01-24 10:27:22,586:DEBUG:acme.client:Requesting fresh nonce
2018-01-24 10:27:22,586:DEBUG:acme.client:Sending HEAD request to https://acme-staging.api.letsencrypt.org/acme/new-authz.
2018-01-24 10:27:22,913:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
2018-01-24 10:27:22,914:DEBUG:acme.client:Received response:
HTTP 405
content-length: 91
pragma: no-cache
expires: Wed, 24 Jan 2018 10:27:22 GMT
server: nginx
connection: keep-alive
allow: POST
cache-control: max-age=0, no-cache, no-store
date: Wed, 24 Jan 2018 10:27:22 GMT
content-type: application/problem+json
replay-nonce: J7IEfvy_JIUKE4esJPbCyCyDVaziMJO3imvxuPzhMWc

2018-01-24 10:27:22,914:DEBUG:acme.client:Storing nonce: J7IEfvy_JIUKE4esJPbCyCyDVaziMJO3imvxuPzhMWc
2018-01-24 10:27:22,915:DEBUG:acme.client:JWS payload:
{
  "identifier": {
    "type": "dns",
    "value": "certeval.mishinev.net"
  },
  "resource": "new-authz"
}
2018-01-24 10:27:22,919:DEBUG:acme.client:Sending POST request to https://acme-staging.api.letsencrypt.org/acme/new-authz:
2018-01-24 10:27:23,560:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 201 1015
2018-01-24 10:27:23,561:DEBUG:acme.client:Received response:
HTTP 201
content-length: 1015
expires: Wed, 24 Jan 2018 10:27:23 GMT
cache-control: max-age=0, no-cache, no-store
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: https://acme-staging.api.letsencrypt.org/acme/new-cert;rel="next"
location: https://acme-staging.api.letsencrypt.org/acme/authz/gcPPgT29vkhitRheP70EwMusSHKIA8NCvs4QS9FssFM
pragma: no-cache
boulder-requester: 5248369
date: Wed, 24 Jan 2018 10:27:23 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: v7hUTbhWIT0CH3t5a2ALS_F-chokrLx9h_IV4HiLCzM

{
  "identifier": {
    "type": "dns",
    "value": "certeval.mishinev.net"
  },
  "status": "pending",
  "expires": "2018-01-31T10:27:23.247068311Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/gcPPgT29vkhitRheP70EwMusSHKIA8NCvs4QS9FssFM/95393326",
      "token": "HaAtvHxW5LyfX9FbUmY4YBAsRiFoJnhzd7MBPFnjPsY"
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/gcPPgT29vkhitRheP70EwMusSHKIA8NCvs4QS9FssFM/95393327",
      "token": "bKjIwRA8XG42xfXEN_phMLMiz6xK53pSH3xX0JASrB8"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/gcPPgT29vkhitRheP70EwMusSHKIA8NCvs4QS9FssFM/95393328",
      "token": "xXM18lCCBNwkSKAbV2iL3-cCQyxX1gG6Qh8nw5n04nQ"
    }
  ],
  "combinations": [
    [
      1
    ],
    [
      0
    ],
    [
      2
    ]
  ]
}
2018-01-24 10:27:23,561:DEBUG:acme.client:Storing nonce: v7hUTbhWIT0CH3t5a2ALS_F-chokrLx9h_IV4HiLCzM
2018-01-24 10:27:23,562:INFO:certbot.auth_handler:Performing the following challenges:
2018-01-24 10:27:23,562:INFO:certbot.auth_handler:http-01 challenge for certeval.mishinev.net
2018-01-24 10:27:23,563:DEBUG:acme.standalone:Failed to bind to :80 using IPv4
2018-01-24 10:27:23,568:INFO:certbot.auth_handler:Waiting for verification...
2018-01-24 10:27:23,568:DEBUG:acme.client:JWS payload:
{
  "keyAuthorization": "HaAtvHxW5LyfX9FbUmY4YBAsRiFoJnhzd7MBPFnjPsY.H9p95jEPUdc-33doP9IgDy0ZKq4d5jdwCok-qozXTxE",
  "type": "http-01",
  "resource": "challenge"
}
2018-01-24 10:27:23,570:DEBUG:acme.client:Sending POST request to https://acme-staging.api.letsencrypt.org/acme/challenge/gcPPgT29vkhitRheP70EwMusSHKIA8NCvs4QS9FssFM/95393326:
2018-01-24 10:27:24,078:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/challenge/gcPPgT29vkhitRheP70EwMusSHKIA8NCvs4QS9FssFM/95393326 HTTP/1.1" 202 338
2018-01-24 10:27:24,079:DEBUG:acme.client:Received response:
HTTP 202
content-length: 338
cache-control: max-age=0, no-cache, no-store
expires: Wed, 24 Jan 2018 10:27:23 GMT
server: nginx
connection: keep-alive
link: https://acme-staging.api.letsencrypt.org/acme/authz/gcPPgT29vkhitRheP70EwMusSHKIA8NCvs4QS9FssFM;rel="up"
location: https://acme-staging.api.letsencrypt.org/acme/challenge/gcPPgT29vkhitRheP70EwMusSHKIA8NCvs4QS9FssFM/95393326
pragma: no-cache
boulder-requester: 5248369
date: Wed, 24 Jan 2018 10:27:23 GMT
content-type: application/json
replay-nonce: NCgGtvmxlSBxMLMu5wVyNwSuQtLX_Et6Rk-ihW_Jmxs

{
  "type": "http-01",
  "status": "pending",
  "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/gcPPgT29vkhitRheP70EwMusSHKIA8NCvs4QS9FssFM/95393326",
  "token": "HaAtvHxW5LyfX9FbUmY4YBAsRiFoJnhzd7MBPFnjPsY",
  "keyAuthorization": "HaAtvHxW5LyfX9FbUmY4YBAsRiFoJnhzd7MBPFnjPsY.H9p95jEPUdc-33doP9IgDy0ZKq4d5jdwCok-qozXTxE"
}
2018-01-24 10:27:24,079:DEBUG:acme.client:Storing nonce: NCgGtvmxlSBxMLMu5wVyNwSuQtLX_Et6Rk-ihW_Jmxs
2018-01-24 10:27:27,084:DEBUG:acme.client:Sending GET request to https://acme-staging.api.letsencrypt.org/acme/authz/gcPPgT29vkhitRheP70EwMusSHKIA8NCvs4QS9FssFM.
2018-01-24 10:27:27,463:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/gcPPgT29vkhitRheP70EwMusSHKIA8NCvs4QS9FssFM HTTP/1.1" 200 1122
2018-01-24 10:27:27,464:DEBUG:acme.client:Received response:
HTTP 200
content-length: 1122
expires: Wed, 24 Jan 2018 10:27:27 GMT
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: https://acme-staging.api.letsencrypt.org/acme/new-cert;rel="next"
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Wed, 24 Jan 2018 10:27:27 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: iiLzePbhdKwmIYx71fv5Ot-8XAYYsyCh1U52DwZ3gKM

{
  "identifier": {
    "type": "dns",
    "value": "certeval.mishinev.net"
  },
  "status": "pending",
  "expires": "2018-01-31T10:27:23Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/gcPPgT29vkhitRheP70EwMusSHKIA8NCvs4QS9FssFM/95393326",
      "token": "HaAtvHxW5LyfX9FbUmY4YBAsRiFoJnhzd7MBPFnjPsY",
      "keyAuthorization": "HaAtvHxW5LyfX9FbUmY4YBAsRiFoJnhzd7MBPFnjPsY.H9p95jEPUdc-33doP9IgDy0ZKq4d5jdwCok-qozXTxE"
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/gcPPgT29vkhitRheP70EwMusSHKIA8NCvs4QS9FssFM/95393327",
      "token": "bKjIwRA8XG42xfXEN_phMLMiz6xK53pSH3xX0JASrB8"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/gcPPgT29vkhitRheP70EwMusSHKIA8NCvs4QS9FssFM/95393328",
      "token": "xXM18lCCBNwkSKAbV2iL3-cCQyxX1gG6Qh8nw5n04nQ"
    }
  ],
  "combinations": [
    [
      1
    ],
    [
      0
    ],
    [
      2
    ]
  ]
}
2018-01-24 10:27:30,469:DEBUG:acme.client:Sending GET request to https://acme-staging.api.letsencrypt.org/acme/authz/gcPPgT29vkhitRheP70EwMusSHKIA8NCvs4QS9FssFM.
2018-01-24 10:27:30,806:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/gcPPgT29vkhitRheP70EwMusSHKIA8NCvs4QS9FssFM HTTP/1.1" 200 1640
2018-01-24 10:27:30,806:DEBUG:acme.client:Received response:
HTTP 200
content-length: 1640
expires: Wed, 24 Jan 2018 10:27:30 GMT
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: https://acme-staging.api.letsencrypt.org/acme/new-cert;rel="next"
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Wed, 24 Jan 2018 10:27:30 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 4y8pvPgNfJ0arLwE4dZGiOuLMGPo0l4XupdFyT-Ki_U

{
  "identifier": {
    "type": "dns",
    "value": "certeval.mishinev.net"
  },
  "status": "invalid",
  "expires": "2018-01-31T10:27:23Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:connection",
        "detail": "DNS problem: NXDOMAIN looking up A for certeval.mishinev.net",
        "status": 400
      },
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/gcPPgT29vkhitRheP70EwMusSHKIA8NCvs4QS9FssFM/95393326",
      "token": "HaAtvHxW5LyfX9FbUmY4YBAsRiFoJnhzd7MBPFnjPsY",
      "keyAuthorization": "HaAtvHxW5LyfX9FbUmY4YBAsRiFoJnhzd7MBPFnjPsY.H9p95jEPUdc-33doP9IgDy0ZKq4d5jdwCok-qozXTxE",
      "validationRecord": [
        {
          "url": "http://certeval.mishinev.net/.well-known/acme-challenge/HaAtvHxW5LyfX9FbUmY4YBAsRiFoJnhzd7MBPFnjPsY",
          "hostname": "certeval.mishinev.net",
          "port": "80",
          "addressesResolved": [],
          "addressUsed": "",
          "addressesTried": []
        }
      ]
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/gcPPgT29vkhitRheP70EwMusSHKIA8NCvs4QS9FssFM/95393327",
      "token": "bKjIwRA8XG42xfXEN_phMLMiz6xK53pSH3xX0JASrB8"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/gcPPgT29vkhitRheP70EwMusSHKIA8NCvs4QS9FssFM/95393328",
      "token": "xXM18lCCBNwkSKAbV2iL3-cCQyxX1gG6Qh8nw5n04nQ"
    }
  ],
  "combinations": [
    [
      1
    ],
    [
      0
    ],
    [
      2
    ]
  ]
}
2018-01-24 10:27:30,807:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: certeval.mishinev.net
Type: connection
Detail: DNS problem: NXDOMAIN looking up A for certeval.mishinev.net

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2018-01-24 10:27:30,807:INFO:certbot.auth_handler:Cleaning up challenges
2018-01-24 10:27:30,808:DEBUG:certbot.plugins.standalone:Stopping server at :::80...
2018-01-24 10:27:31,089:WARNING:certbot.renewal:Attempting to renew cert (certeval.mishinev.net) from /etc/letsencrypt/renewal/certeval.mishinev.net.conf produced an unexpected error: Failed authorization procedure. certeval.mishinev.net (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for certeval.mishinev.net. Skipping.
2018-01-24 10:27:31,090:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 425, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 743, in renew_cert
    _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 80, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 297, in renew_cert
    new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 318, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 81, in get_authorizations
    self._respond(resp, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 138, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 202, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. certeval.mishinev.net (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for certeval.mishinev.net

2018-01-24 10:27:31,090:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2018-01-24 10:27:31,091:ERROR:certbot.renewal: /etc/letsencrypt/live/certeval.mishinev.net/fullchain.pem (failure)
2018-01-24 10:27:31,091:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.20.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 861, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 797, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 443, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

Looks like the error is now “Connection refused”, no longer NXDOMAIN.

I am curious - what did you change? I could not find an explanation for it either.

edit: Actually it appears to be fluctuating … sometimes I see this:

 - The following errors were reported by the server:

   Domain: certeval.mishinev.net
   Type:   connection
   Detail: Fetching
   http://certeval.mishinev.net/.well-known/acme-challenge/SdV3VxmqCMckrr-uSNOYrLuwQMnpuLfE7a8ayPoMlBI:
   Connection refused

It would suggest that your DNS servers are giving inconsistent results, perhaps, because Boulder does correctly resolve it sometimes:

https://acme-staging.api.letsencrypt.org/acme/authz/cxYVO7RcOG7LIvXzzWl0pmxZRsJcZ0vwj5BFjwhyFhA

At the moment there is no web server running on this machine. I’m stopping nginx in order to use standalone authentication.

Just executed “certbot renew --staging --force-renewal --preferred-challenges http” and the result is the same:

DNS problem: NXDOMAIN looking up A for certeval.mishinev.net.

But it sometimes manages to resolve it.

Are you able to do a packet capture on the nameservers, using e.g. Wireshark, to see what your nameservers are actually sending Boulder?

tshark -R "dns.qry.name contains certeval"

I don’t have tshark there. Will try to do some capture with tcpdump.

It’s a capitalization thing.

Let’s Encrypt makes DNS queries with random capitalization for security purposes.

One of the domain’s two nameservers returns NXDOMAIN for names that do exist when the query is capitalized.

@mishinev, you need to fix the DNS server.

$ dig +norecurse certeval.mishinev.net @193.68.120.2

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +norecurse certeval.mishinev.net @193.68.120.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46682
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;certeval.mishinev.net.         IN      A

;; ANSWER SECTION:
certeval.mishinev.net.  3600    IN      A       193.68.134.129

;; AUTHORITY SECTION:
mishinev.net.           120     IN      NS      ns1.openintegra.com.
mishinev.net.           120     IN      NS      ns2.openintegra.com.

;; ADDITIONAL SECTION:
ns1.openintegra.com.    120     IN      A       193.68.120.2
ns2.openintegra.com.    120     IN      A       46.238.16.30

;; Query time: 139 msec
;; SERVER: 193.68.120.2#53(193.68.120.2)
;; WHEN: Wed Jan 24 10:50:27 UTC 2018
;; MSG SIZE  rcvd: 149

$ dig +norecurse certeval.mishinev.net @46.238.16.30

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +norecurse certeval.mishinev.net @46.238.16.30
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5641
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;certeval.mishinev.net.         IN      A

;; ANSWER SECTION:
certeval.mishinev.net.  3600    IN      A       193.68.134.129

;; AUTHORITY SECTION:
mishinev.net.           120     IN      NS      ns1.openintegra.com.
mishinev.net.           120     IN      NS      ns2.openintegra.com.

;; ADDITIONAL SECTION:
ns1.openintegra.com.    120     IN      A       193.68.120.2
ns2.openintegra.com.    120     IN      A       46.238.16.30

;; Query time: 1982 msec
;; SERVER: 46.238.16.30#53(46.238.16.30)
;; WHEN: Wed Jan 24 10:50:42 UTC 2018
;; MSG SIZE  rcvd: 149

$ dig +norecurse Certeval.Mishinev.Net @193.68.120.2

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +norecurse Certeval.Mishinev.Net @193.68.120.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50426
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;Certeval.Mishinev.Net.         IN      A

;; AUTHORITY SECTION:
Mishinev.Net.           120     IN      SOA     ns1.openintegra.com.Mishinev.Net. ns2.openintegra.com.Mishinev.Net. 2018012401 28800 7200 604800 86400

;; Query time: 136 msec
;; SERVER: 193.68.120.2#53(193.68.120.2)
;; WHEN: Wed Jan 24 11:06:50 UTC 2018
;; MSG SIZE  rcvd: 110

$ dig +norecurse Certeval.Mishinev.Net @46.238.16.30

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +norecurse Certeval.Mishinev.Net @46.238.16.30
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38347
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;Certeval.Mishinev.Net.         IN      A

;; ANSWER SECTION:
Certeval.Mishinev.Net.  3600    IN      A       193.68.134.129

;; AUTHORITY SECTION:
Mishinev.Net.           120     IN      NS      ns2.openintegra.com.
Mishinev.Net.           120     IN      NS      ns1.openintegra.com.

;; ADDITIONAL SECTION:
ns1.openintegra.com.    120     IN      A       193.68.120.2
ns2.openintegra.com.    120     IN      A       46.238.16.30

;; Query time: 361 msec
;; SERVER: 46.238.16.30#53(46.238.16.30)
;; WHEN: Wed Jan 24 11:06:53 UTC 2018
;; MSG SIZE  rcvd: 149
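The mixed-case check above, as an added stdlib-only Python probe (not code from this thread): it sends a lowercase and a 0x20-style mixed-case A query to one nameserver and reports when the two rcodes disagree, which is what `dig +norecurse Certeval.Mishinev.Net` showed for ns1. The transport is injectable; a constructed stand-in for the faulty server is included so the block runs offline, and the 192.0.2.x addresses are placeholders.

```python
"""Probe a nameserver for the failure seen in this thread: it answers the lowercase
name but returns NXDOMAIN when the query uses 0x20-style mixed-case labels, which
Let's Encrypt's resolver sends."""
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def randomize_case(name, rng):
    """Randomly upper- or lower-case every letter (DNS 0x20 style)."""
    return "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in name)


def encode_name(name):
    """Dotted name -> wire format (length-prefixed labels, zero terminator)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def decode_name(msg, off):
    """Wire-format name at `off` -> (dotted name, offset after it); follows pointers."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def build_query(qname, qid):
    """Non-recursive IN/A query (RD=0), the same thing `dig +norecurse` sends."""
    header = struct.pack(">HHHHHH", qid, 0, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack(">HH", 1, 1)


def parse_response(resp, qid, sent_qname):
    """Return rcode, answer count and whether the question came back in our exact case."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    if rid != qid or qd != 1:
        raise ValueError("response does not match the query")
    echoed, _ = decode_name(resp, 12)
    return {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "answers": an,
            # a 0x20-validating resolver discards replies whose question case differs
            "case_echoed": echoed == sent_qname.rstrip(".")}


def udp_send(ns_ip, query, timeout=3.0):
    """Real transport: one UDP datagram to port 53 (use this to probe a live server)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (ns_ip, 53))
        return s.recv(4096)


def make_fake_server(case_sensitive):
    """Constructed stand-in for a nameserver (no network). With case_sensitive=True it
    mimics the faulty server in the thread: NXDOMAIN for any query containing uppercase."""
    def respond(ns_ip, query):
        qid = struct.unpack(">H", query[:2])[0]
        qname, off = decode_name(query, 12)
        question = query[12:off + 4]  # echo the question bytes exactly as received
        if case_sensitive and qname != qname.lower():
            return struct.pack(">HHHHHH", qid, 0x8403, 1, 0, 0, 0) + question  # QR|AA, NXDOMAIN
        # QR|AA, NOERROR, one A record whose name is a pointer back to the question (0xC00C)
        rr = struct.pack(">HHHIH", 0xC00C, 1, 1, 3600, 4) + bytes([193, 68, 134, 129])
        return struct.pack(">HHHHHH", qid, 0x8400, 1, 1, 0, 0) + question + rr
    return respond


def probe_nameserver(name, ns_ip, send=udp_send, rng=None):
    """Ask one server for the lowercase and a mixed-case spelling; flag disagreement."""
    rng = rng if isinstance(rng, random.Random) else random.Random(rng)
    results = {}
    for key, qname in (("lower", name.lower()), ("mixed", randomize_case(name, rng))):
        qid = rng.randrange(0x10000)
        results[key] = parse_response(send(ns_ip, build_query(qname, qid)), qid, qname)
        results[key]["qname"] = qname
    results["consistent"] = (results["lower"]["rcode"] == results["mixed"]["rcode"]
                             and results["mixed"]["case_echoed"])
    return results


if __name__ == "__main__":
    # Offline demo against the constructed faulty server; 192.0.2.1 is a placeholder.
    # For a live check pass send=udp_send and the authoritative server's address.
    r = probe_nameserver("certeval.mishinev.net", "192.0.2.1", send=make_fake_server(True), rng=7)
    for key in ("lower", "mixed"):
        print(f"{key:5} {r[key]['qname']:24} {r[key]['rcode']:8} answers={r[key]['answers']}")
    print("consistent:", r["consistent"])
```

Run the same probe against every NS of the zone; a server that is inconsistent here will fail Boulder's validation intermittently, exactly as seen in this thread.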

Wow. I had remarkably bad luck with unboundtest (which does use rAndOm capitalization) and managed to hit a successful result over quite a number of tries.

Great, thanks for this finding. Unfortunately, the problematic DNS server works on a very old machine and there isn’t much to be done. I’ll check if there is some workaround for this archaic BIND version 9.3.6, and if there isn’t I’ll just remove it from the list of name servers for the domain until the tests are done.

Once again thank you for your help!

The problematic DNS server was removed from zone and renewal passed with no problems.

The case is closed.

