Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: www.yardsale.com
I ran this command:
php acmephp.phar run configYSonly.yml
It produced this output:
In AcmeClient.php line 200:
Challenge failed (response: {"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:connection","detail":"dns :: DNS problem: query timed out looking up A for www.yardsale.com","status":400},"url":"https://acme-v02.api.letsencrypt.org/acme/challenge/NATMQlcVINM2st4EgU_88L-L7uYxNZxe-tVTad-JZr0/18529021217","token":"zdjnbEoJzzkIQEDF6c5fwTuGiG6IDNVjYa_cPI_UkE0"}).
My web server is (include version):
Worldgroup 6.0
The operating system my web server runs on is (include version):
Windows 2008
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
Acme PHP - Let’s Encrypt client 1.1.1
It used to work 3 months ago. When I run it, I see it attempting to access my web server via the log.
I think this is probably due to misconfigured glue records for the domain of your nameservers (worldgroupware.com).
$ dig +noall +additional @i.gtld-servers.net worldgroupware.com
dns.worldgroupware.com. 172800 IN A 71.246.247.62
dns2.worldgroupware.com. 172800 IN A 50.76.18.33
But 50.76.18.33 is wrong. It doesn’t even run an authoritative nameserver.
The real record should be:
dns2.worldgroupware.com. 2804 IN A 71.246.247.34
This usually isn’t a fatal error, but I have a feeling that in this case, Let’s Encrypt’s resolver has some kind of intolerance against it (even though I can’t reproduce it by running Unbound myself). So it tries using that glue record and for some reason ends up in a timeout.
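The check in the reply above (compare the glue the TLD server hands out against what the zone itself publishes) can be made mechanical. The following is an added example, not code from anyone in this thread or from Acme PHP. It parses dig presentation-format lines (NAME TTL IN A ADDRESS) and reports every nameserver whose glue addresses differ from its authoritative addresses. The sample inputs are constructed here to mirror the values quoted above; the `dig +noall +answer` command named in the docstring is the assumed way to collect the authoritative side. Only the standard library is used, so it runs anywhere Python does.

```python
"""Compare parent-side glue records for a zone's nameservers with the
A/AAAA records the zone itself serves for those names.

A glue address that is not an authoritative nameserver is exactly the
condition the reply above suspects behind the http-01 "query timed out"
failure: a resolver that trusts the stale glue sends its query to a host
that never answers.
"""
import re
from typing import Dict, List, Tuple

# One resource record per line in dig's presentation format:
#   NAME  TTL  CLASS  TYPE  RDATA
_RR = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>A|AAAA)\s+(?P<rdata>\S+)\s*$"
)


def parse_address_records(text: str) -> Dict[str, List[str]]:
    """Parse dig-style A/AAAA lines into {owner_name: [address, ...]}.

    Owner names are lower-cased and given a trailing dot so that
    'dns2.worldgroupware.com' and 'DNS2.worldgroupware.com.' compare
    equal. Anything that is not an A/AAAA record (blank lines, comments,
    NS or SOA lines) is ignored.
    """
    records: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = _RR.match(line.strip())
        if not m:
            continue
        name = m.group("name").lower().rstrip(".") + "."
        records.setdefault(name, []).append(m.group("rdata"))
    return records


def compare_glue(
    glue_text: str, authoritative_text: str
) -> List[Tuple[str, List[str], List[str]]]:
    """Return (host, glue_addrs, auth_addrs) for every nameserver whose
    glue address set differs from its authoritative address set.

    glue_text is the ADDITIONAL section returned by a parent (TLD) server:
        dig +noall +additional @i.gtld-servers.net worldgroupware.com
    authoritative_text is the ANSWER section from the zone's own server
    for each nameserver name (assumed collection method):
        dig +noall +answer @dns.worldgroupware.com dns2.worldgroupware.com A
    An empty list means glue and zone agree.
    """
    glue = parse_address_records(glue_text)
    auth = parse_address_records(authoritative_text)
    problems: List[Tuple[str, List[str], List[str]]] = []
    for host, glue_addrs in sorted(glue.items()):
        auth_addrs = auth.get(host, [])
        if sorted(glue_addrs) != sorted(auth_addrs):
            problems.append((host, sorted(glue_addrs), sorted(auth_addrs)))
    return problems


# Constructed sample data mirroring the values quoted in the thread.
SAMPLE_GLUE = """\
dns.worldgroupware.com.  172800 IN A 71.246.247.62
dns2.worldgroupware.com. 172800 IN A 50.76.18.33
"""

SAMPLE_AUTH = """\
dns.worldgroupware.com.  2804 IN A 71.246.247.62
dns2.worldgroupware.com. 2804 IN A 71.246.247.34
"""


if __name__ == "__main__":
    for host, glue_addrs, auth_addrs in compare_glue(SAMPLE_GLUE, SAMPLE_AUTH):
        print(f"GLUE MISMATCH {host}: parent says {glue_addrs}, zone says {auth_addrs}")
```

When the two sides agree the function returns an empty list; with the sample data it flags dns2.worldgroupware.com, whose parent-side glue (50.76.18.33) points at a host that is not the zone's nameserver (71.246.247.34). Fixing it means updating the registrar's host/child nameserver objects, not the zone file, since glue lives in the parent.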
Yeah, I saw that 50…33 addr. I’m not sure where it was coming from. What is this dig command? I imagine it’s a Unix thing. Is there a Windows equivalent?
What I wonder is why it worked 3 months ago; nothing’s really changed in my config. Thanks for taking the time to answer this!
Well, that was it. There is a cool site called http://dnsviz.net, and it also confirmed these glue record issues. I’m running my own DNS using SimpleDNS+, and it all seemed good there. So I went to my domain registrar, and under the worldgroupware domain there was this “child name servers” stuff, and that’s where I saw it had a wrong (old) IP address. Once I fixed this, all was well in my world.