DNS problem: query timed out looking up A for sc.hawqs.tamu.edu

I'm lost; all of the DNS checkers come back clean. Letsdebug: Let's Debug (letsdebug.net) is all green and I can't figure out why it keeps telling me it can't look up the DNS.

Checking [IIS] sc_hawqs, (any host)
[VERB] Autofac: creating Order scope with parent PluginBackend
[VERB] Autofac: creating PluginBackend scope with parent order-main
[DBUG] Reading certificate cache
[DBUG] No cache files found for renewal
[VERB] Order Main should run (new/changed source)
[VERB] Obtain order details for Main
[DBUG] Refreshing cached order
[DBUG] Refreshing order...
[DBUG] [HTTP] Send POST to https://acme-v02.api.letsencrypt.org/acme/order/1856906407/291716632027
[VERB] [HTTP] Request content: {"protected":"eyJhbGciOiJFUzI1NiIsInVybCI6Imh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL29yZGVyLzE4NTY5MDY0MDcvMjkxNzE2NjMyMDI3Iiwibm9uY2UiOiJNYThad1JOQUVqUk1NMDlNbUQ5dlN6RG1lVzBvZWc1TGRheHdtYTU4VFZPazhOcGwwaWsiLCJraWQiOiJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzE4NTY5MDY0MDcifQ","payload":"","signature":"VwYbV1l_8O9oHYoaHpjOre43VCD9xLQ1PXhefT481N6mXaXNWQh4_4f7uIJaHuai5HqCQuCabE2rjKKZRWxeZw"}
[VERB] [HTTP] Request completed with status OK
[VERB] [HTTP] Response content: {
"status": "invalid",
"expires": "2024-08-05T21:44:08Z",
"identifiers": [
{
"type": "dns",
"value": "sc.hawqs.tamu.edu"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/383535315207"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/1856906407/291716632027"
}
[WARN] Cached order has status invalid, discarding
[DBUG] Deleted C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Orders\080567223adb968ac3982a25008c71b199d912ba.order.json
[VERB] Creating order for identifiers: ["sc.hawqs.tamu.edu"] (notAfter: null, previous: [none])
[DBUG] [HTTP] Send POST to https://acme-v02.api.letsencrypt.org/acme/new-order
[VERB] [HTTP] Request content: {"protected":"eyJhbGciOiJFUzI1NiIsInVybCI6Imh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciIsIm5vbmNlIjoiTWE4WndSTkExZFRlS2hoX2dtdmg4dzl0TEtwQWZqWi1hTzlGZjJSNnVJRW01WDI2dmQ4Iiwia2lkIjoiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xODU2OTA2NDA3In0","payload":"eyJpZGVudGlmaWVycyI6W3sidHlwZSI6ImRucyIsInZhbHVlIjoic2MuaGF3cXMudGFtdS5lZHUifV19","signature":"E9b-IMMdPnWzUUYHguvOBjCkiB170jzES7yjajwxdjh3643Bd-CwvuyN1xrDmv3MJMwIclgxvawDY5hazleQLA"}
[VERB] [HTTP] Request completed with status Created
[VERB] [HTTP] Response content: {
"status": "pending",
"expires": "2024-08-05T21:44:49Z",
"identifiers": [
{
"type": "dns",
"value": "sc.hawqs.tamu.edu"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/383535504007"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/1856906407/291716757117"
}
[VERB] Order https://acme-v02.api.letsencrypt.org/acme/order/1856906407/291716757117 created
[DBUG] [HTTP] Send POST to https://acme-v02.api.letsencrypt.org/acme/authz-v3/383535504007
[VERB] [HTTP] Request content: {"protected":"eyJhbGciOiJFUzI1NiIsInVybCI6Imh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzM4MzUzNTUwNDAwNyIsIm5vbmNlIjoiTWE4WndSTkFkVHFKQlVBXzNteGFuV0ZIU21OcG41NXFwalI5cDE4Zm1Ec2VCQzlUU2pzIiwia2lkIjoiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xODU2OTA2NDA3In0","payload":"","signature":"Af5cajCeyjuZ2xRs5R3wA_Xv613U1S_aHgq_buWch7OMpIx5qaiNDGgQvSvYpG-7uSPxwSGlc04YAY4vr-pF0Q"}
[VERB] [HTTP] Request completed with status OK
[VERB] [HTTP] Response content: {
"identifier": {
"type": "dns",
"value": "sc.hawqs.tamu.edu"
},
"status": "pending",
"expires": "2024-08-05T21:44:49Z",
"challenges": [
{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/383535504007/Zj3Y8g",
"status": "pending",
"token": "XTyfJUjVlUSkUbH8nXLwdLVgcpx-Yr8LkGOe-JQ2RbI"
},
{
"type": "dns-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/383535504007/pDJe-Q",
"status": "pending",
"token": "XTyfJUjVlUSkUbH8nXLwdLVgcpx-Yr8LkGOe-JQ2RbI"
},
{
"type": "tls-alpn-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/383535504007/qTR0FQ",
"status": "pending",
"token": "XTyfJUjVlUSkUbH8nXLwdLVgcpx-Yr8LkGOe-JQ2RbI"
}
]
}
[VERB] Autofac: creating Target scope with parent PluginBackend
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] W3SVC detected and running
[VERB] No FTPSVC detected
[VERB] Autofac: creating PluginBackend scope with parent PluginBackend
[VERB] Handle authorization 1/1
[VERB] Autofac: creating PluginBackend scope with parent PluginBackend
[INFO] [sc.hawqs.tamu.edu] Authorizing...
[VERB] [sc.hawqs.tamu.edu] Initial authorization status: pending
[VERB] [sc.hawqs.tamu.edu] Challenge types available: ["http-01", "dns-01", "tls-alpn-01"]
[VERB] [sc.hawqs.tamu.edu] Initial challenge status: pending
[INFO] [sc.hawqs.tamu.edu] Authorizing using http-01 validation (SelfHosting)
[VERB] Starting commit stage
[VERB] Commit was succesful
[DBUG] [sc.hawqs.tamu.edu] Submitting challenge answer
[DBUG] [HTTP] Send POST to https://acme-v02.api.letsencrypt.org/acme/chall-v3/383535504007/Zj3Y8g
[VERB] [HTTP] Request content: {"protected":"eyJhbGciOiJFUzI1NiIsInVybCI6Imh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLXYzLzM4MzUzNTUwNDAwNy9aajNZOGciLCJub25jZSI6Ik1hOFp3Uk5BczBucHEzMVNOVXA4QjcxMVM1bkVpdmVvUkNUb25WS1BCbWN5VXNzTnVVNCIsImtpZCI6Imh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTg1NjkwNjQwNyJ9","payload":"e30","signature":"q5KkNGvsRAB_FAngXE6wDuQwOL0PnE4EHkp0kNbtYRM_SsYuYBdB2zQ_2XktBiVjJGuohE_Y_KSpsutZlEDCTw"}
[VERB] [HTTP] Request completed with status OK
[VERB] [HTTP] Response content: {
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/383535504007/Zj3Y8g",
"status": "pending",
"token": "XTyfJUjVlUSkUbH8nXLwdLVgcpx-Yr8LkGOe-JQ2RbI"
}
[DBUG] Refreshing authorization (1/15)
[DBUG] [HTTP] Send POST to https://acme-v02.api.letsencrypt.org/acme/chall-v3/383535504007/Zj3Y8g
[VERB] [HTTP] Request content: {"protected":"eyJhbGciOiJFUzI1NiIsInVybCI6Imh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLXYzLzM4MzUzNTUwNDAwNy9aajNZOGciLCJub25jZSI6Ik1hOFp3Uk5BVUV1RWtGTVJOSDVYNVFoa2xGX3RkMURrR0Y3djhoRVN3TlBOMGJCbExOayIsImtpZCI6Imh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTg1NjkwNjQwNyJ9","payload":"","signature":"gAOvQKIQbQn_kRu3kt7voDKTnrc-PN9QUikP2MTpE__xqrIgdDhWoJ_AA560OgxopYdAU9HMbFZxYZx5dZykNg"}
[VERB] [HTTP] Request completed with status OK
[VERB] [HTTP] Response content: {
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/383535504007/Zj3Y8g",
"status": "pending",
"token": "XTyfJUjVlUSkUbH8nXLwdLVgcpx-Yr8LkGOe-JQ2RbI"

My domain is: sc.hawqs.tamu.edu and tx.select.tamu.edu

My web server is (include version): IIS

The operating system my web server runs on is (include version):


I can login to a root shell on my machine yes

The version of my client is win-acme

1 Like

Welcome @Pants_of_Flames

Your DNS tree is too complicated to fully understand given my modest DNS skills. But, I would start by focusing on the two warnings at dnsviz about the auth server name mismatch and the incorrect glue records (pic below).

I consistently reproduce your timeout using https://unboundtest.com. This queries DNS similar to how Let's Encrypt does it (by looking directly at the auth server tree).

See DNSviz
https://dnsviz.net/d/sc.hawqs.tamu.edu/dnssec/

I'd start by correcting these

4 Likes

The timeout I'm seeing at Unboundtest is coming from 192.195.87.5, the erroneous glue as seen in the DNSViz warning Mike already showed above.

If I do a `dig @192.195.87.5 sc.hawqs.tamu.edu` this indeed times out. The authoritative IP address 66.64.83.4 does work though.

I'm not sure why Unboundtest seems to always time out on this IP address (maybe it checks all authoritative DNS servers?)

Fix the errors above indeed (mainly the incorrect glue record) and I think it'll work.

2 Likes

Thank you for your help. It's very strange: I have 4 different websites on this server and 2 I was able to get Let's Encrypt to work on.
Working:
tx.hawqs.tamu.edu
ok.hawqs.tamu.edu

Not working
sc.hawqs.tamu.edu
tx.select.tamu.edu

Very minor differences between the non-working and working. I have been comparing them to see if I have a smoking gun I can find.

1 Like

One difference I did find is that sc.hawqs is getting this statement in the Unbound logs in a different location (lower into the process).

Jul 30 16:32:58 unbound[1765:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_noreply
Jul 30 16:32:58 unbound[1765:0] info: iterator operate: query sc.hawqs.tamu.edu. A IN
Jul 30 16:32:58 unbound[1765:0] debug: process_response: new external response event
->Jul 30 16:32:58 unbound[1765:0] info: Capsforid: timeouts, starting fallback
Jul 30 16:32:58 unbound[1765:0] debug: iter_handle processing q with state QUERY TARGETS STATE
Jul 30 16:32:58 unbound[1765:0] info: processQueryTargets: sc.hawqs.tamu.edu. A IN
Jul 30 16:32:58 unbound[1765:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 7

I found this article talking about it but I'm too green to understand the fix.

Capsforid timeout leads to "equal-replies-requirement", which is a really bad idea · Issue #213 · NLnetLabs/unbound · GitHub

How about just fixing the incorrect glue to start with?

2 Likes

I bet as the community leader you find a lot of members not heeding the advice they are given. Fear not! I am having someone look at these glue issues.

Unfortunately, in this case not a 1-man IT house. I am attempting to find things that I possibly can make changes to. Can't just stop working on it just because I have someone else working on it. Maybe I'll find something that will work while my glue is being fixed?

Thanks a bunch!

1 Like

With DNS it's often simply "getting lucky" if one of the four servers is malfunctioning. Although the nameservers are getting requests more than once, so it's not as simple as 75 vs 25 %.

2 Likes

Gotcha. It's just super odd that 2 of the 4 websites worked just fine. My brain is just wanting the simple answer I guess :)

Thanks for your help.

1 Like

As Osiris noted, it is a matter of percentages.

You may luckily get a cert once with some faulty name servers but it won't happen reliably. The tx subdomain you say is working failed with a timeout the first time I tried unboundtest.com
https://unboundtest.com/m/A/tx.hawqs.tamu.edu/CKGOVKQU

4 Likes

OK, resolution time. MikeMcQ, you were correct: it was my glue records. Turns out that 1 week ago NS3 moved physical locations, changing its IP address. Stale records were apparently causing my issues. A total bad ass that I work with was able to make changes to the registrar's name server and now lookups work.

MikeMcQ & Osiris,
I wanted to thank you for your help on my DNS issue. A huge shout-out to you both; I would have been so lost in this whole ordeal. If anyone asks, Mike was right the whole time.

5 Likes
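
The stale-glue condition that resolved this thread can be checked mechanically; the following is an added example, not part of any post above. It compares the delegation a parent zone hands out (NS set plus glue) with what the child zone's own servers publish, using dig-style text as input. The zone name, nameserver names and addresses are constructed placeholders (RFC 2606 / RFC 5737), not the thread's real records.

```python
# Added example: all names and addresses are constructed, not taken from the thread.
# PARENT_REFERRAL mimics `dig +norecurse` against a parent-zone server;
# CHILD_ANSWERS mimics answers collected from the zone's own nameservers.
PARENT_REFERRAL = """\
;; AUTHORITY SECTION:
example.edu.      172800 IN NS ns1.example.edu.
example.edu.      172800 IN NS ns2.example.edu.
example.edu.      172800 IN NS ns3.example.edu.
;; ADDITIONAL SECTION:
ns1.example.edu.  172800 IN A 192.0.2.1
ns2.example.edu.  172800 IN A 192.0.2.2
ns3.example.edu.  172800 IN A 192.0.2.3
"""
CHILD_ANSWERS = """\
;; ANSWER SECTION:
example.edu.      3600 IN NS ns1.example.edu.
example.edu.      3600 IN NS ns2.example.edu.
example.edu.      3600 IN NS ns3.example.edu.
ns1.example.edu.  3600 IN A 192.0.2.1
ns2.example.edu.  3600 IN A 192.0.2.2
ns3.example.edu.  3600 IN A 198.51.100.3
"""

def parse_records(text):
    """Return {(owner, rtype): {rdata, ...}} from dig-style record lines."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip comments/section headers and anything that is not "name ttl IN type rdata".
        if line.startswith(";") or len(fields) < 5 or fields[2].upper() != "IN":
            continue
        owner, rdata = fields[0].lower().rstrip("."), fields[4].lower().rstrip(".")
        records.setdefault((owner, fields[3].upper()), set()).add(rdata)
    return records

def check_delegation(zone, parent_text, child_text):
    """Report NS-set mismatches and glue that differs from the child's own A/AAAA data."""
    parent, child = parse_records(parent_text), parse_records(child_text)
    zone = zone.lower().rstrip(".")
    problems = []
    p_ns, c_ns = parent.get((zone, "NS"), set()), child.get((zone, "NS"), set())
    if p_ns != c_ns:
        problems.append(("ns-mismatch", zone, sorted(p_ns), sorted(c_ns)))
    for ns in sorted(p_ns):
        for rtype in ("A", "AAAA"):
            glue, auth = parent.get((ns, rtype), set()), child.get((ns, rtype), set())
            if glue and glue != auth:  # glue exists but the child disagrees (or has none)
                problems.append(("stale-glue", ns, sorted(glue), sorted(auth)))
    return problems
```

A validating resolver that walks the delegation from the parent may try the glue address first, so a single stale entry produces intermittent timeouts like the ones discussed in this thread.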
