DNS problem: query timed out looking up A for www.itanhaem.sp.gov.br

It appears that the letsencrypt servers did not resolve my domain.
All other subdomains produce the same error.
I use Cloudflare as DNS servers.

My domain is:
itanhaem.sp.gov.br

I ran this command:
certbot certonly --standalone -d www.itanhaem.sp.gov.br

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.itanhaem.sp.gov.br
Waiting for verification...
Challenge failed for domain www.itanhaem.sp.gov.br
http-01 challenge for www.itanhaem.sp.gov.br
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.itanhaem.sp.gov.br
    Type: dns
    Detail: DNS problem: query timed out looking up A for
    www.itanhaem.sp.gov.br; DNS problem: SERVFAIL looking up AAAA for
    www.itanhaem.sp.gov.br - the domain's nameservers may be
    malfunctioning

Other tests done:

Hi @phsm, and welcome to the LE community forum :slight_smile:

The problem seems to be within CloudFlare.
But only when being queried from certain IP networks.
A bit unusual for CloudFlare; but, no less, a show stopper for you.
Let's wait for some LE folks to get in and review this problem - @lestaff

4 Likes

For further reference: DNSViz and UnboundTest also don't see anything wrong with the DNS:

https://dnsviz.net/d/www.itanhaem.sp.gov.br/Y9qy6A/dnssec/

https://unboundtest.com/m/A/www.itanhaem.sp.gov.br/LZ56XTTP

https://unboundtest.com/m/AAAA/www.itanhaem.sp.gov.br/PPHLIPU5

4 Likes

shows:

So the Authoritative Nameservers are:
dns1e.sp.gov.br: 200.144.6.154
dns3e.sp.gov.br: 200.144.6.92
dns4e.sp.gov.br: 201.55.47.94
dns2e.sp.gov.br: 201.55.16.39

Domain Information

Name: sp.gov.br
Registry Domain ID: sp.gov.br
Domain Status:
active

Nameservers:
dns1e.sp.gov.br: 200.144.6.154
dns3e.sp.gov.br: 200.144.6.92
dns4e.sp.gov.br: 201.55.47.94
dns2e.sp.gov.br: 201.55.16.39

Dates
Updated: 2020-11-06 03:20:15 UTC
Created: 1995-07-06 12:00:00 UTC

2 Likes

And I get No answer from each of them.

$ nslookup -q=a www.itanhaem.sp.gov.br dns1e.sp.gov.br.
Server:         dns1e.sp.gov.br.
Address:        200.144.6.154#53

Non-authoritative answer:
*** Can't find www.itanhaem.sp.gov.br: No answer
$ nslookup -q=a www.itanhaem.sp.gov.br dns2e.sp.gov.br.
Server:         dns2e.sp.gov.br.
Address:        201.55.16.39#53

Non-authoritative answer:
*** Can't find www.itanhaem.sp.gov.br: No answer
$ nslookup -q=a www.itanhaem.sp.gov.br dns3e.sp.gov.br.
Server:         dns3e.sp.gov.br.
Address:        200.144.6.92#53

Non-authoritative answer:
*** Can't find www.itanhaem.sp.gov.br: No answer
$ nslookup -q=a www.itanhaem.sp.gov.br dns4e.sp.gov.br.
Server:         dns4e.sp.gov.br.
Address:        201.55.47.94#53

Non-authoritative answer:
*** Can't find www.itanhaem.sp.gov.br: No answer

2 Likes

hmm...

I'm not sure the request would be made to those servers for the "www", but it is an interesting reply none-the-less.
Those servers should have returned the list of authoritative nameservers instead.
Like with [without "www"]:
nslookup -q=a itanhaem.sp.gov.br dns4e.sp.gov.br.

3 Likes

And nslookup for just the domain name itanhaem.sp.gov.br

$ nslookup -q=a itanhaem.sp.gov.br dns1e.sp.gov.br.
Server:         dns1e.sp.gov.br.
Address:        200.144.6.154#53

Non-authoritative answer:
*** Can't find itanhaem.sp.gov.br: No answer
$ nslookup -q=a itanhaem.sp.gov.br dns2e.sp.gov.br.
Server:         dns2e.sp.gov.br.
Address:        201.55.16.39#53

Non-authoritative answer:
*** Can't find itanhaem.sp.gov.br: No answer
$ nslookup -q=a itanhaem.sp.gov.br dns3e.sp.gov.br.
Server:         dns3e.sp.gov.br.
Address:        200.144.6.92#53

Non-authoritative answer:
*** Can't find itanhaem.sp.gov.br: No answer
$ nslookup -q=a itanhaem.sp.gov.br dns4e.sp.gov.br.
Server:         dns4e.sp.gov.br.
Address:        201.55.47.94#53

Non-authoritative answer:
*** Can't find itanhaem.sp.gov.br: No answer

2 Likes

That's NOT right.
I get:

nslookup -q=a itanhaem.sp.gov.br dns4e.sp.gov.br.
Server:  UnKnown
Address:  201.55.47.94

Name:    itanhaem.sp.gov.br
Served by:
- charles.ns.cloudflare.com

          itanhaem.sp.gov.br
- ryleigh.ns.cloudflare.com

          itanhaem.sp.gov.br

2 Likes

This is interesting:

$ nslookup -q=any itanhaem.sp.gov.br dns1e.sp.gov.br.
Server:         dns1e.sp.gov.br.
Address:        200.144.6.154#53

Non-authoritative answer:
*** Can't find itanhaem.sp.gov.br: No answer

Authoritative answers can be found from:
itanhaem.sp.gov.br      nameserver = ryleigh.ns.cloudflare.com.
itanhaem.sp.gov.br      nameserver = charles.ns.cloudflare.com.

2 Likes

Different answers to different networks?
Different answers to different versions of nslookup?
Different answers to different _____?

3 Likes
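An added example, not part of any post in this thread: the posters are comparing by eye what the sp.gov.br parent servers return for the same name from different vantage points. The sketch below classifies nslookup transcripts (copied from the posts above, headers trimmed) as an empty reply, a referral to the delegated nameservers, or an answer, and flags when vantage points disagree. The labels and function names are assumptions made for illustration.

```python
import re

# Transcripts copied from the posts above (trimmed); the labels are constructed.
SAMPLES = {
    "q=a via dns1e": (
        "Non-authoritative answer:\n"
        "*** Can't find itanhaem.sp.gov.br: No answer\n"
    ),
    "q=any via dns1e": (
        "Non-authoritative answer:\n"
        "*** Can't find itanhaem.sp.gov.br: No answer\n\n"
        "Authoritative answers can be found from:\n"
        "itanhaem.sp.gov.br      nameserver = ryleigh.ns.cloudflare.com.\n"
        "itanhaem.sp.gov.br      nameserver = charles.ns.cloudflare.com.\n"
    ),
    "q=a via dns4e (other poster)": (
        "Name:    itanhaem.sp.gov.br\n"
        "Served by:\n"
        "- charles.ns.cloudflare.com\n\n"
        "          itanhaem.sp.gov.br\n"
        "- ryleigh.ns.cloudflare.com\n\n"
        "          itanhaem.sp.gov.br\n"
    ),
}

# The two nslookup output styles seen in the thread for a delegation.
NS_EQUALS = re.compile(r"nameserver\s*=\s*(\S+?)\.?\s*$", re.M)
NS_DASHED = re.compile(r"^-\s*(\S+?)\.?\s*$", re.M)

def classify(transcript):
    """Return (kind, delegated_nameservers) for one nslookup transcript."""
    ns = sorted(set(NS_EQUALS.findall(transcript)) | set(NS_DASHED.findall(transcript)))
    if ns:
        return "referral", ns          # parent pointed at the child zone's servers
    if "No answer" in transcript:
        return "empty", []             # reply carried nothing usable
    if re.search(r"^Name:", transcript, re.M):
        return "answer", []
    return "unknown", []

def compare(samples):
    """Classify every vantage point and report whether they disagree."""
    results = {label: classify(text) for label, text in samples.items()}
    kinds = {kind for kind, _ in results.values()}
    return results, len(kinds) > 1

if __name__ == "__main__":
    results, inconsistent = compare(SAMPLES)
    for label, (kind, ns) in results.items():
        print(f"{label:32} {kind:9} {', '.join(ns)}")
    print("vantage points disagree:", inconsistent)
```
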

You said it! Well put @rg305 :slight_smile: :beers:

2 Likes

Thank you so much for your help, but I still have a problem.
Shortly after opening the topic I was able to renew some certificates.

https://letsdebug.net/www.itanhaem.sp.gov.br

Some information about me and the domain :smile:. I manage the website of Itanhaém City Hall (a small town in Brazil on the Atlantic coast Itanhaém - Wikipedia).
In Brazil, government domains follow a pattern. Like www.city.state.gov.br.
Prodesp (https://www.dominio.sp.gov.br) is the DNS registrar responsible for the .sp.gov.br domains. It does not support DNSSEC.

Other topics with the same problem:

1 Like

Not supporting DNSSEC isn't a problem. Having a FAULTY DNSSEC however, is. As in: nothing is better than a failing something.

3 Likes
