DNS problem: query timed out looking up A for www.yardsale.com


My domain is:
www.yardsale.com
I ran this command:
php acmephp.phar run configYSonly.yml
It produced this output:
In AcmeClient.php line 200:

Challenge failed (response: {"type":"http-01","status":"invalid","error":{"
type":"urn:ietf:params:acme:error:connection","detail":"dns :: DNS problem:
query timed out looking up A for www.yardsale.com","status":400},"url":"ht
tps://acme-v02.api.letsencrypt.org/acme/challenge/NATMQlcVINM2st4EgU_8
8L-L7uYxNZxe-tVTad-JZr0/18529021217","token":"zdjnbEoJzzkIQEDF6c5fwTuGiG6I
DNVjYa_cPI_UkE0"}).
My web server is (include version):
Worldgroup 6.0
The operating system my web server runs on is (include version):
windows 2008
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
Acme PHP - Let’s Encrypt client 1.1.1

It used to work 3 months ago. When I run it, I see it attempting to access my web server via the log.

I think this is probably due to misconfigured glue records for the domain of your nameservers (worldgroupware.com).

$ dig +noall +additional @i.gtld-servers.net worldgroupware.com
dns.worldgroupware.com. 172800  IN      A       71.246.247.62
dns2.worldgroupware.com. 172800 IN      A       50.76.18.33

But 50.76.18.33 is wrong. It doesn’t even run an authoritative nameserver.

The real record should be:

dns2.worldgroupware.com. 2804   IN      A       71.246.247.34

This usually isn’t a fatal error, but I have a feeling that in this case, Let’s Encrypt’s resolver has some kind of intolerance against it (even though I can’t reproduce it by running Unbound myself). So it tries using that glue record and for some reason ends up in a timeout.

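The glue-versus-authoritative comparison made in the post above, as an added example that is not part of the original thread. The function name `glue_mismatches` is hypothetical, and the sample input is constructed from the records quoted in the post, with the authoritative line for dns.worldgroupware.com. assumed to match its glue.

```shell
#!/bin/sh
# Compare glue A records handed out by the parent zone with the A records the
# zone's own nameservers publish, and list every host where the two differ.

# Constructed sample input in dig's record format. The glue lines and the dns2
# authoritative line are the ones quoted in the post; the authoritative line
# for dns. is an assumption (taken to equal its glue).
GLUE='dns.worldgroupware.com. 172800  IN      A       71.246.247.62
dns2.worldgroupware.com. 172800 IN      A       50.76.18.33'
AUTH='dns.worldgroupware.com. 2804    IN      A       71.246.247.62
dns2.worldgroupware.com. 2804   IN      A       71.246.247.34'

# normalize RECORDS: keep A records only, emit sorted unique "name ip" lines.
# Comment lines (";...") and other record types in dig output are skipped.
normalize() {
    printf '%s\n' "$1" |
        awk '$3 == "IN" && $4 == "A" { print tolower($1), $5 }' |
        LC_ALL=C sort -u
}

# glue_mismatches GLUE_RECORDS AUTH_RECORDS
# Prints "<host> glue=<ips> auth=<ips>" for each glue host whose address set
# differs from the authoritative one, including hosts with no answer at all.
glue_mismatches() {
    g=$(normalize "$1")
    a=$(normalize "$2")
    for host in $(printf '%s\n' "$g" | awk '{ print $1 }' | LC_ALL=C sort -u); do
        gi=$(printf '%s\n' "$g" | awk -v h="$host" '$1 == h { print $2 }' | tr '\n' ' ')
        ai=$(printf '%s\n' "$a" | awk -v h="$host" '$1 == h { print $2 }' | tr '\n' ' ')
        [ -n "$ai" ] || ai='(no-answer) '
        [ "$gi" = "$ai" ] || printf '%s glue=%s auth=%s\n' "$host" "${gi% }" "${ai% }"
    done
}

glue_mismatches "$GLUE" "$AUTH"
```

On a live zone, the first argument would be the output of the `dig +noall +additional` query against the TLD server shown in the post, and the second the output of `dig +noall +answer` for each nameserver name asked of the zone's own nameserver.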

Yeah, I saw that 50…33 addr. I’m not sure where it was coming from. What is this dig command? I imagine it’s a Unix thing. Is there a Windows equivalent?
What I wonder is why it worked 3 months ago; nothing’s really changed in my config. Thanks for taking the time to answer this!

It's set in the "nameserver registration" or "glue" or similar settings for worldgroupware.com at its domain registrar.


Ah, thanks! I think I found it!

Well, that was it. There is a cool site called http://dnsviz.net and it also confirmed these glue record issues. I’m running my own DNS using SimpleDNS+ and it all seemed good there. So I went to my domain registrar, and under the worldgroupware domain there was this “child name servers” stuff, and that’s where I saw it had a wrong (old) IP address. Once I fixed this, all was well in my world.

