DNS problem: NXDOMAIN looking up A for


#1

The first installation of certificate ran smoothly, but when I’m trying to dry-run certificate renewal it always ends with an error:

Attempting to renew cert (img.webumenia.sk) from /etc/letsencrypt/renewal/img.webumenia.sk.conf produced an unexpected error: Failed authorization procedure. img.webumenia.sk (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: dns :: DNS problem: NXDOMAIN looking up A for img.webumenia.sk. Skipping.
The following certs could not be renewed:
 /etc/letsencrypt/live/img.webumenia.sk/fullchain.pem (failure)

Renewal of another subdomain (vampart.webumenia.sk) causes no such problem.
Thanks for your help!


#2

Hi @chyno

you have a curious configuration ( https://check-your-website.server-daten.de/?q=img.webumenia.sk ):

Your nameserver answers with a Refused, but there is a non-authoritative IP-address.

Host T IP-Address is auth. ∑ Queries ∑ Timeout
img.webumenia.sk A 37.9.170.240 yes 1 0
AAAA yes
www.img.webumenia.sk Refused yes 1 0
www.img.webumenia.sk A 37.9.170.240 no

Two nameservers doesn’t support TCP, that’s terrible:

X Fatal error: Nameserver doesn’t support TCP connection: auth1.ns.swan.sk: Refused
X Fatal error: Nameserver doesn’t support TCP connection: auth4.ns.swan.sk: Refused

Authoritative nameservers must support TCP-connections.

Checking CAA entries doesn’t work:

Domainname flag Name Value ∑ Queries ∑ Timeout
img.webumenia.sk -5 Refused - The name server refuses to perform the specified operation for policy reasons 1 0
webumenia.sk -5 Refused - The name server refuses to perform the specified operation for policy reasons 1 0

That’s critical.

But: You have a new Letsencrypt certificate, created today:

CN=img.webumenia.sk
	24.03.2019
	22.06.2019
expires in 90 days	img.webumenia.sk - 1 entry

and visible via CT-Logs:

CRT-Id	Issuer	not before	not after	Domain names	LE-Duplicate
1311084325
	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
	2019-03-24 05:18:42
	2019-06-22 04:18:42
	img.webumenia.sk
	no duplicate

Result:

  • You have a valid certificate, so use it the next 60 - 85 days
  • Your nameservers are terrible. Perhaps it’s a bad DDOS-protection. And if you try --dry-run, that hit’s the DDOS-protection.

So ignore the dry-run - result.


#3

Thank you, @JuergenAuer ! It really works with forced renewal. I’ll pass your findings to the authorities.


closed #4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.