DNS problem: query timed out looking up A for xx.com


#1
Failed authorization procedure. api.xxx.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: query timed out looking up A for api.xxx.com

Yesterday I successfully enabled two domains on the server, but today I am not able to acquire SSL certs for the remaining domains.

Any help is appreciated. Thanks!


#2

Does connecting time out? Does it have IPv6? A firewall? Does it block foreign IP addresses?

[Edit: On second thought, my questions were wrongheaded, but we still need more information]


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#3

I had this problem. In my case the server was not able to connect due to a NAT error.
I had to reconfigure NAT to forward port 443 to my server. The external DNS was pointing to the wrong IP (it somehow changed).
So, be sure your server is reachable by the Let's Encrypt server on port 443.


#4

Thanks for contributing @dasmoscas! I think the original poster probably has a different problem, because it is described as a “DNS problem,” which means Let’s Encrypt couldn’t even find the API address to connect to, let alone be blocked by a firewall on port 443.

@Huang, please post the real domain name so we can help you more. You can also try investigating potential problems with your DNS using http://dnsviz.net/, https://dnssec-debugger.verisignlabs.com/, and/or https://unboundtest.com/.


#5

(Just mentioning @_Huang rather than the nonexistent forum account @Huang.)


#6

Thanks everybody. @jsha @schoen

I tried again the next day using certbot to acquire an SSL cert, but with no luck: the same DNS error as in the original post.

As I posted before, there are some other domains which successfully got an SSL cert using certbot. So there should be no problem with my server.

This link contains the DNS analysis:

https://pastebin.ubuntu.com/p/GjkRqH6jdk/


#7

Hello,

The yydns you are using can't handle resolution records (it isn't working correctly), so LE can't resolve your IP address.

I suggest you contact your DNS provider (apparently Baidu) or switch to another DNS provider.

Thank you

Hi,

The DNS system you use can't handle the queries correctly, hence Let's Encrypt can't resolve your IP (from the nameserver).

I suggest you contact your DNS provider (Baidu) or change name server.

Thank you


#8

Indeed, when we changed our DNS provider, Certbot succeeded. Thanks for all your warm-heartedness.

PS: Can you please tell me how you debugged this DNS problem? Even though I noticed the red warning sign there, I was not sure enough to draw that conclusion.


#9

The only thing I was doing is nslookup (from my command line to 8.8.8.8 as well as your authoritative DNS server), also from mxtoolbox.com and whatsmydns.net.

All of those tests somehow presented me with error messages (even a direct query to your auth DNS server).

That’s when I know there’s a problem.

Thank you


#10

Thanks, but when I used dig it returned the correct IP info. I am not familiar with dig. :joy:


#11

Sometimes it gave the correct IP info.

However, it seems that most queries from outside Asia get no response (or time out).

A tool you can try:
whatsmydns.net

Thank you


#12

Thanks for your patience. Good night. :grin:


#13

The Let’s Encrypt resolvers use random capitalization to make DNS queries less predictable. The domain’s nameservers don’t support it.

The resolver can handle it, but it took so long trying again and making sure, the other software gave up and reported a timeout.

The https://unboundtest.com/ link posted earlier demonstrates it:

https://unboundtest.com/m/CAA/api.380111555.com/BQGBGPCY

Note all of the “info: Capsforid: reply is equal. go to next fallback” messages, and that the timestamps show it took 27 seconds.

The nameservers have other configuration issues, but that’s probably why it failed.
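As an added example that is not part of the original thread, the Python script below does what the diagnostic posts above describe in one offline-testable tool: it builds an A query whose name has randomized letter case (the "random capitalization", or DNS 0x20, from #13), sends it with a short timeout to a list of resolvers and to the zone's own authoritative server (the multi-vantage nslookup/dig checks from #9 and #11), and classifies each reply as answered, timed out, or answered without preserving the query name's case, which is the condition that sends Unbound into the slow capsforid fallback seen in the unboundtest log. The server addresses in the main block and every packet produced by `make_reply()` are assumptions constructed for illustration, not captured from any real nameserver.

```python
"""Added example, not from the thread: probe an A record with a 0x20-randomized query
name and classify the reply as a validating resolver does. Addresses are assumptions."""
import random
import socket
import struct


def randomize_case(name, rng):
    """DNS 0x20: flip each letter's case at random (names compare case-insensitively)."""
    return "".join(c.upper() if c.isalpha() and rng.random() < 0.5 else c.lower() for c in name)


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"


def decode_name(data, offset):
    """Decode a (possibly compressed) name at offset; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    for _ in range(128):                           # bounded so a pointer loop cannot hang us
        length = data[offset]
        if length & 0xC0 == 0xC0:                  # compression pointer
            end = end if jumped else offset + 2
            jumped = True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    raise ValueError("compression pointer loop")


def build_query(qname, rng=None, recursion_desired=True, qtype=1):
    """One-question UDP query with a random ID and a 0x20-randomized name."""
    rng = random.Random() if rng is None else rng
    flags = 0x0100 if recursion_desired else 0     # RD clear when asking an authoritative server
    header = struct.pack("!HHHHHH", rng.randrange(0x10000), flags, 1, 0, 0, 0)
    return header + encode_name(randomize_case(qname, rng)) + struct.pack("!HH", qtype, 1)


def parse_reply(data):
    """Pull header fields, the question and any A records out of a reply."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset, question, a_records = 12, None, []
    for _ in range(qd):
        qname, offset = decode_name(data, offset)
        question = (qname, struct.unpack("!H", data[offset:offset + 2])[0])
        offset += 4
    for _ in range(an):
        _, offset = decode_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            a_records.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return {"id": txid, "flags": flags, "question": question, "a_records": a_records}


def check_reply(query, reply):
    """Classify a reply as a 0x20-aware resolver would; return (status, addresses)."""
    sent_id = struct.unpack("!H", query[:2])[0]
    sent_name, _ = decode_name(query, 12)
    r = parse_reply(reply)
    if r["id"] != sent_id or not (r["flags"] & 0x8000):
        return "id-mismatch", []
    got_name = r["question"][0] if r["question"] else ""
    if got_name.lower() != sent_name.lower():
        return "question-mismatch", []
    if got_name != sent_name:                      # this is what triggers Unbound's capsforid fallback
        return "case-not-preserved", r["a_records"]
    if r["flags"] & 0xF:
        return "rcode-%d" % (r["flags"] & 0xF), []
    if not r["a_records"]:
        return "no-answer", []
    return "ok", r["a_records"]


def probe(server, qname, recursion_desired=True, timeout=3.0):
    """Send one query over UDP and classify the reply, or report a timeout."""
    query = build_query(qname, recursion_desired=recursion_desired)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout", []
    return check_reply(query, reply)


def make_reply(query, addrs, preserve_case=True, rcode=0, wrong_id=False):
    """Constructed sample reply for offline tests; not captured from any real server."""
    sent_id = struct.unpack("!H", query[:2])[0]
    name, end = decode_name(query, 12)
    question = query[12:] if preserve_case else encode_name(name.swapcase()) + query[end:]
    header = struct.pack("!HHHHHH", (sent_id + wrong_id) & 0xFFFF, 0x8000 | rcode, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a) for a in addrs)
    return header + question + rrs


if __name__ == "__main__":
    # Assumed targets: two public recursive resolvers, then (rd=False) the zone's own
    # authoritative server; replace the addresses and the name with yours.
    for server, rd in [("8.8.8.8", True), ("1.1.1.1", True), ("192.0.2.53", False)]:
        print(server, *probe(server, "api.example.com", rd))
```

Run it from several networks (or through resolvers on several continents, as whatsmydns.net does) against the zone's authoritative servers with `recursion_desired=False`; a mix of `timeout` and `case-not-preserved` results from some vantage points but `ok` from others is the pattern this thread ended on, and it is the nameserver, not the client, that needs fixing.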

