DNS problem: query timed out looking up A for <mydomain.com>

I have implemented my own ACME client and it is running on Apache Tomcat/8.0.44 in CentOS Linux release 7.3.1611. I'm using the production API for management operations. It's been working for more than a year and I have bought hundreds of certificates until now.
I'm currently getting the error below:
error: {
"type": "urn:acme:error:connection",
"detail": "DNS problem: query timed out looking up A for mydomain.com",
"status": 400
}

A similar kind of issue has been reported by many before and was said to be an issue in the Let's Encrypt DNS server.
But I have been facing the same error for 8 days when the LE server validates my control over the domain through http-01 DCV.
I'm getting the file content while accessing the path mentioned by LE for validating the domain.

Kindly confirm whether there is an existing issue in the LE DNS or whether I am making a mistake regarding this.

Please specify the affected domain name instead of "mydomain.com".

https://acme-v01.api.letsencrypt.org/acme/authz/ZswgM58kVA7mVUQy00XjvxIcmDRk-9QYRsgF4tujKyU

The DNS is invalid for your domain name:

books.onetouchlogisticsltd.com 

Please check for yourself at somewhere like:

http://dnsviz.net/d/books.onetouchlogisticsltd.com/dnssec/

@serverco
We couldn't find any issue from our DNS, as "dig books.onetouchlogisticsltd.com" works fine.

There is only a warning about swapped glue record addresses for the two name servers of onetouchlogisticsltd.com:

com to onetouchlogisticsltd.com: The glue address(es) for ns1.agilecomskenya.com (217.174.149.5) differed from its authoritative address(es) (217.174.149.4).
com to onetouchlogisticsltd.com: The glue address(es) for ns2.agilecomskenya.com (217.174.149.4) differed from its authoritative address(es) (217.174.149.5).

The new Authorization URI from LE for the domain books.onetouchlogisticsltd.com is,
https://acme-v01.api.letsencrypt.org/acme/authz/c6i28mD1h2WRa2Ob_HdrZkXDrVDCdU5sKlTg-25K47s

http://books.onetouchlogisticsltd.com/.well-known/acme-challenge/VvVq6YwGSuC5y3pYTSvYn1IvaF7VocY2b39uWlYwRJE
gives the file content properly.
So there is no issue with DNS resolution for books.onetouchlogisticsltd.com.
Why is this validation from LE failing with the error "DNS problem: query timed out looking up A for our domain"?

It may be working locally for you; have you got a local DNS you are using?

If I check with any of Google, OpenDNS, Level3, Norton, Comodo … I'm failing to get an IP:

user@serverco:~$ dig books.onetouchlogisticsltd.com @8.8.8.8

; <<>> DiG 9.10.5-P2-RedHat-9.10.5-2.P2.fc25 <<>> books.onetouchlogisticsltd.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14974
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;books.onetouchlogisticsltd.com.	IN	A

;; Query time: 99 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Dec 29 12:51:03 GMT 2017
;; MSG SIZE  rcvd: 59

@serverco
I have checked the domain resolution through public DNS as well:

dig books.onetouchlogisticsltd.com @8.8.8.8
; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> books.onetouchlogisticsltd.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6699
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;books.onetouchlogisticsltd.com. IN A

;; ANSWER SECTION:
books.onetouchlogisticsltd.com. 14399 IN CNAME books.cs.zohohost.com.
books.cs.zohohost.com. 299 IN A 8.39.54.79

;; Query time: 525 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Dec 29 18:30:18 IST 2017
;; MSG SIZE rcvd: 107

Also kindly check the same query done through Google DNS: Query: books.onetouchlogisticsltd.com - Google Public DNS

It all comes down to a level of trust and accuracy.

Let’s Encrypt is issuing a certificate for your domain name, based on domain name validation, so it needs to be certain that the domain name is correct, and you can prove ownership by providing tokens at the correct location.

A simple "dig" is possibly fine for your browser - the DNS may have been spoofed somewhere, but you are less concerned about it (in terms of a simple dig).

There are errors on your DNS. I have checked from multiple locations, and most will not verify with certainty the IP address of your server. This is a fairly clear indication that there is an issue.

Also, if you check on places like http://dnscheck.pingdom.com/?domain=books.onetouchlogisticsltd.com then it says "Not enough nameserver information was found to test the zone books.onetouchlogisticsltd.com, but an IP address lookup succeeded in spite of that", i.e. it can get an IP, but it's not 100% certain of it.

Looking at whois, your authoritative nameservers should be ns1.agilecomskenya.com and ns2.agilecomskenya.com, yet, for me, neither of these servers is responding authoritatively for your domain:

dig books.onetouchlogisticsltd.com @ns1.agilecomskenya.com

; <<>> DiG 9.10.5-P2-RedHat-9.10.5-2.P2.fc25 <<>> books.onetouchlogisticsltd.com @ns1.agilecomskenya.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23954
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;books.onetouchlogisticsltd.com.	IN	A

;; Query time: 99 msec
;; SERVER: 217.174.149.5#53(217.174.149.5)
;; WHEN: Fri Dec 29 13:40:35 GMT 2017
;; MSG SIZE  rcvd: 59

user@serverco:~$ dig books.onetouchlogisticsltd.com @ns2.agilecomskenya.com

; <<>> DiG 9.10.5-P2-RedHat-9.10.5-2.P2.fc25 <<>> books.onetouchlogisticsltd.com @ns2.agilecomskenya.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23097
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;books.onetouchlogisticsltd.com.	IN	A

;; Query time: 99 msec
;; SERVER: 217.174.149.4#53(217.174.149.4)
;; WHEN: Fri Dec 29 13:41:41 GMT 2017
;; MSG SIZE  rcvd: 59

Since there is a lack of certainty, Let's Encrypt cannot validate and issue a certificate.

If you correct all the issues with your DNS, then it should work.

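The checks the thread walks through by hand (is the answer SERVFAIL or a timeout, is it authoritative or just cached, does the CNAME chain end in an address, does the parent's glue match the nameservers' own addresses) can be scripted as a pre-flight before an ACME order is submitted. The block below is an added example for this thread and is not code from any poster or from Let's Encrypt. It works on the text that `dig` prints, so it runs offline; the transcripts embedded in it are the SERVFAIL and cached NOERROR answers quoted above plus a constructed healthy authoritative answer and a constructed timeout, and the glue table is the dnsviz warning quoted in the thread. Server labels such as `ns1`/`ns2` are placeholders.

```python
"""Triage dig(1) transcripts the way an ACME pre-flight check would.
Added example for this thread, not code from any poster or from Let's Encrypt.
"""
import re
from dataclasses import dataclass, field

STATUS_RE = re.compile(r"status:\s*(\w+)")
FLAGS_RE = re.compile(r"^;; flags:\s*([^;]*);", re.M)


@dataclass
class DigResult:
    status: str                  # NOERROR, SERVFAIL, NXDOMAIN, ... or TIMEOUT
    flags: frozenset             # header flags, e.g. {"qr", "aa", "rd"}
    answers: list = field(default_factory=list)  # (name, ttl, rtype, rdata)


def parse_dig(text: str) -> DigResult:
    """Extract status, header flags and ANSWER SECTION records from dig output."""
    status_m, flags_m = STATUS_RE.search(text), FLAGS_RE.search(text)
    if not status_m or not flags_m:
        # dig prints no header at all when no server replied
        return DigResult("TIMEOUT", frozenset())
    result = DigResult(status_m.group(1), frozenset(flags_m.group(1).split()))
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer and (not line.strip() or line.startswith(";")):
            in_answer = False
        elif in_answer:
            name, ttl, _cls, rtype, rdata = line.split(None, 4)
            result.answers.append((name, int(ttl), rtype, rdata))
    return result


def verdict(r: DigResult) -> str:
    """Classify how far a validating resolver could trust this answer."""
    if r.status != "NOERROR":
        return r.status                       # TIMEOUT, SERVFAIL, NXDOMAIN ...
    if not r.answers:
        return "NODATA"
    # Without the aa flag the answer came from a cache, not from the zone;
    # a CA that resolves from the root can still fail while a local dig works.
    return "AUTHORITATIVE" if "aa" in r.flags else "NON_AUTHORITATIVE"


def final_addresses(r: DigResult, qname: str) -> list:
    """Follow CNAMEs inside the answer section and return the A/AAAA rdata."""
    name = qname if qname.endswith(".") else qname + "."
    seen = set()
    while name not in seen:
        seen.add(name)
        addrs = [rd for n, _, ty, rd in r.answers if n == name and ty in ("A", "AAAA")]
        if addrs:
            return addrs
        cnames = [rd for n, _, ty, rd in r.answers if n == name and ty == "CNAME"]
        if not cnames:
            return []
        name = cnames[0]
    return []                                 # CNAME loop


def preflight(transcripts: dict) -> tuple:
    """Per-server verdicts; the zone is fit for validation only when every
    authoritative server answers NOERROR with the aa flag set."""
    verdicts = {srv: verdict(parse_dig(t)) for srv, t in transcripts.items()}
    return verdicts, all(v == "AUTHORITATIVE" for v in verdicts.values())


def glue_mismatches(glue: dict, authoritative: dict) -> list:
    """NS names whose parent-zone glue differs from their own A records."""
    return sorted(ns for ns in glue
                  if set(glue[ns]) != set(authoritative.get(ns, ())))


# Transcript quoted in the thread: ns1.agilecomskenya.com returning SERVFAIL.
SERVFAIL_FROM_NS1 = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23954
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
# Transcript quoted in the thread: 8.8.8.8 answering from cache (no aa flag).
RECURSIVE_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6699
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
books.onetouchlogisticsltd.com. 14399 IN CNAME books.cs.zohohost.com.
books.cs.zohohost.com. 299 IN A 8.39.54.79
"""
# Constructed: the answer a healthy authoritative server would give (aa set).
AUTHORITATIVE_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
books.onetouchlogisticsltd.com. 300 IN CNAME books.cs.zohohost.com.
"""
TIMED_OUT = ";; connection timed out; no servers could be reached\n"  # constructed
# Glue vs. authoritative addresses as reported by dnsviz in the thread.
GLUE = {"ns1.agilecomskenya.com": ["217.174.149.5"],
        "ns2.agilecomskenya.com": ["217.174.149.4"]}
AUTH_ADDRS = {"ns1.agilecomskenya.com": ["217.174.149.4"],
              "ns2.agilecomskenya.com": ["217.174.149.5"]}

if __name__ == "__main__":
    print(preflight({"ns1": SERVFAIL_FROM_NS1, "ns2": AUTHORITATIVE_OK}))
    print(glue_mismatches(GLUE, AUTH_ADDRS))
```

In real use you would feed `preflight` one transcript per nameserver listed in whois (`dig <name> @<ns>`), and only submit the order when it returns `True` for the zone and `glue_mismatches` is empty; the recursive answer from 8.8.8.8 deliberately classifies as `NON_AUTHORITATIVE`, because a cached answer is exactly what made the local `dig` look fine while the CA's own resolution failed.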
