DNS problem: NXDOMAIN looking up

I ran this command: sudo certbot --apache

It produced this output:

Failed authorization procedure. sistema.celso.edu (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for sistema.celso.edu

When I run

dig sistema.celso.edu

; <<>> DiG 9.9.5-3ubuntu0.6-Ubuntu <<>> sistema.celso.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22251
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;sistema.celso.edu. IN A

;; AUTHORITY SECTION:
edu. 853 IN SOA a.edu-servers.net. nstld.verisign-grs.com. 1501513184 1800 900 604800 86400

;; Query time: 9 msec
;; SERVER: 179.107.35.140#53(179.107.35.140)
;; WHEN: Mon Jul 31 12:00:50 BRT 2017
;; MSG SIZE rcvd: 121

I'm really banging my head trying to resolve this, but to no avail.

Hi @BrunoFelipeAlbuquerq,

DNS problems are very tricky to remotely diagnose without knowing the domain name!

Your test dig is showing the same thing that the error message from the Let's Encrypt validation authority is saying: You asked your recursive resolver to look up the A record for "example.com" and got back no answers (NXDOMAIN).

It's hard to know more without being able to deduce what the domain's authoritative nameserver is & interrogate it.

I would double check that you have created the A/AAAA records for this domain correctly in your authoritative DNS zone since at present they seem to be missing.

Hope that helps!

I edited my question with the relevant info.

Thanks @BrunoFelipeAlbuquerq, that’s helpful!

It seems like the parent “celso.edu” domain doesn’t exist in the .edu nameservers. I get an NXDOMAIN for it.

You won’t be able to issue certificates for “celso.edu” or “sistema.celso.edu” until the DNS records exist.

Looks like this DNS is only for internal use. I really don’t know much about this stuff.

Aha. That would explain the trouble. Let's Encrypt is only able to issue for domains that are part of the public DNS. We can't issue for domains that only exist in your internal split-horizon DNS.

2 Likes
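The diagnosis in the replies above boils down to one question: when the leaf name is NXDOMAIN, is it only the host record that is missing, or is an ancestor (here the parent "celso.edu") absent from the public DNS altogether? The script below is an added example, not part of the thread and not Let's Encrypt or certbot code. It walks a name up towards the TLD and reports the nearest ancestor the public DNS knows about, distinguishing NXDOMAIN (name does not exist) from NODATA (name exists but has no A/AAAA). The lookup table is constructed for the example; only the "edu" entry mirrors the thread, and the "example.edu" zone, its hosts and the addresses are hypothetical. The optional dnspython adapter and its choice of public resolvers (1.1.1.1, 8.8.8.8) are likewise assumptions; the point of querying a public resolver rather than the LAN one is that an internal split-horizon zone would otherwise mask what the validation authority sees.

```python
from typing import Callable, Dict, List, Tuple


class Nxdomain(Exception):
    """The queried name does not exist at all (rcode NXDOMAIN)."""


# A resolver is any callable (name, rdtype) -> list of record strings that
# raises Nxdomain when the name does not exist and returns [] for NODATA.
Resolver = Callable[[str, str], List[str]]

# Constructed stand-in for the public DNS (assumption: made up for this
# example; only "edu" mirrors the thread, "example.edu" is hypothetical).
# Names absent from the table do not exist (NXDOMAIN); present names
# return whatever records they have for the requested type.
PUBLIC_DNS: Dict[str, Dict[str, List[str]]] = {
    "edu": {"NS": ["a.edu-servers.net."]},
    "example.edu": {"NS": ["ns1.example.edu."]},          # hypothetical zone
    "www.example.edu": {"A": ["192.0.2.10"]},             # normal host
    "mail.example.edu": {"MX": ["10 mx.example.edu."]},   # exists, no A/AAAA
}


def table_resolver(table: Dict[str, Dict[str, List[str]]]) -> Resolver:
    """Resolver backed by an in-memory table, for offline use."""
    def resolve(name: str, rdtype: str) -> List[str]:
        key = name.rstrip(".").lower()
        if key not in table:
            raise Nxdomain(key)
        return list(table[key].get(rdtype, []))
    return resolve


def dnspython_resolver(nameservers=("1.1.1.1", "8.8.8.8")) -> Resolver:
    """Real-world adapter (assumption: dnspython 2.x installed). Queries a
    public resolver, not the LAN one, so split-horizon answers do not hide
    what Let's Encrypt will see."""
    import dns.resolver  # lazy import: the offline demo has no dependency
    r = dns.resolver.Resolver(configure=False)
    r.nameservers = list(nameservers)

    def resolve(name: str, rdtype: str) -> List[str]:
        try:
            return [rr.to_text() for rr in r.resolve(name, rdtype)]
        except dns.resolver.NXDOMAIN:
            raise Nxdomain(name)
        except dns.resolver.NoAnswer:
            return []
    return resolve


def ancestors(name: str) -> List[str]:
    """'a.b.c' -> ['a.b.c', 'b.c', 'c'] (leaf first, TLD last)."""
    labels = name.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def diagnose(name: str, resolve: Resolver,
             rdtypes=("A", "AAAA")) -> Tuple[str, str, str]:
    """Classify why a validator could find no address for `name`.
    Returns (code, nearest_existing_name, advice)."""
    chain = ancestors(name)
    try:
        found = {rt: resolve(chain[0], rt) for rt in rdtypes}
    except Nxdomain:
        found = None
    if found is not None:
        if any(found.values()):
            return ("ok", chain[0], "address records present: %r" % found)
        return ("nodata", chain[0], "name exists but has no %s record; "
                "add one in its zone" % "/".join(rdtypes))
    # Leaf is NXDOMAIN: walk upwards to the nearest name the DNS knows.
    for depth, anc in enumerate(chain[1:], start=1):
        try:
            resolve(anc, "NS")
        except Nxdomain:
            continue
        missing = chain[depth - 1]  # highest non-existent name below `anc`
        if missing == chain[0]:
            return ("leaf_missing", anc, "zone %s exists; create %s for %s"
                    % (anc, "/".join(rdtypes), chain[0]))
        return ("parent_missing", anc, "%s is not in the public DNS (nearest "
                "existing name: %s); an internal-only zone cannot be validated"
                % (missing, anc))
    return ("tld_missing", "", "no ancestor of %s exists; check the spelling"
            % chain[0])


if __name__ == "__main__":
    resolve = table_resolver(PUBLIC_DNS)
    for host in ("sistema.celso.edu", "api.example.edu",
                 "mail.example.edu", "www.example.edu"):
        code, nearest, advice = diagnose(host, resolve)
        print("%-20s %-15s %s" % (host, code, advice))
```

Run as-is it uses the constructed table; swap `table_resolver(PUBLIC_DNS)` for `dnspython_resolver()` to repeat the check against real public resolvers. For the thread's name the result is `parent_missing` with nearest existing name `edu`, which is exactly the "celso.edu doesn't exist in the .edu nameservers" finding above, whereas `leaf_missing` or `nodata` would point at a missing host record in an otherwise delegated zone.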
