DNS problem: query timed out looking up A for

My domain is:
www.astrea.com.au
I ran this command:
SSL renew via EasyEngine (ee site ssl www.astrea.com.au)
It produced this output:
DNS problem: query timed out looking up A for www.astrea.com.au
My web server is (include version):
NGINX
The operating system my web server runs on is (include version):
Ubuntu 18.04.3

My hosting provider, if applicable, is:
Digital Ocean
I can login to a root shell on my machine (yes or no, or I don't know):
Yes

LetsDebug shows no issues.
Unboundtest shows that it resolves the A record correctly.
https://unboundtest.com/m/A/www.astrea.com.au/W3YTFB5H

Welcome!
Please show:
ee site list

ee site list
+-------------------+---------+
| site | status |
+-------------------+---------+
| www.astrea.com.au | enabled |
+-------------------+---------+

Thanks good.
Please show the output of (from that system):
nslookup www.astrea.com.au

nslookup www.astrea.com.au
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
Name: www.astrea.com.au
Address: 127.0.0.1

How many times did you try?

I think it may have just been an intermittent issue. From what I can tell, Let's Encrypt can resolve it just fine right now.

I have tried again just now, same error

This may be a problem - we'll come back to that.

Please show the output of:
ee site info www.astrea.com.au

That's quite strange.

5/5 attempts of my own, Let's Encrypt was able to resolve it: https://acme-v02.api.letsencrypt.org/acme/authz-v3/7515688788

How many subdomains do you have on your certificate? I wonder if it's some kind of rate limiting from Crazy Domains.

ee site info www.astrea.com.au
+--------------------+-----------------------------------------+
| Site | https://www.astrea.com.au |
+--------------------+-----------------------------------------+
| Site Root | /opt/easyengine/sites/www.astrea.com.au |
+--------------------+-----------------------------------------+
| Site Title | Astrea |
+--------------------+-----------------------------------------+
| WordPress Username | |
+--------------------+-----------------------------------------+
| WordPress Password | |
+--------------------+-----------------------------------------+
| DB Host | global-db |
+--------------------+-----------------------------------------+
| DB Name | |
+--------------------+-----------------------------------------+
| DB User | |
+--------------------+-----------------------------------------+
| DB Password | |
+--------------------+-----------------------------------------+
| E-Mail | team@webspace.net.au |
+--------------------+-----------------------------------------+
| SSL | Enabled |
+--------------------+-----------------------------------------+
| SSL Wildcard | No |
+--------------------+-----------------------------------------+
| Cache | Enabled |
+--------------------+-----------------------------------------+

There's just the one subdomain. Certificate is registered to www.astrea.com.au

That all seems fine.
I can only think that it is trying to validate the domain before attempting to get the cert and that is now failing...

Try it again with --debug:
ee site ssl www.astrea.com.au --debug

Maybe we can get a better clue at the problem from the added error output.

root@astrea:/opt/easyengine/logs# ee site ssl www.astrea.com.au --debug
Debug: ----------------------- (0.043s)
Debug: COMMAND: cd /opt/easyengine/services && docker ps -q --no-trunc | grep $(docker-compose ps -q global-nginx-proxy) (0.044s)
Debug: STDOUT: 3c00c75627518b274cfdfb6e52e4a507493a25c99a57f0b7e8cef32d6d2bd45c
(0.929s)
Debug: RETURN CODE: 0 (0.929s)
Debug: ----------------------- (0.93s)
Debug: ----------------------- (0.93s)
Debug: COMMAND: docker ps > /dev/null (0.93s)
Debug: RETURN CODE: 0 (1.046s)
Debug: ----------------------- (1.046s)
Debug: ----------------------- (1.046s)
Debug: COMMAND: command -v docker-compose > /dev/null (1.047s)
Debug: RETURN CODE: 0 (1.049s)
Debug: ----------------------- (1.049s)
Debug (bootstrap): Using default global config: /opt/easyengine/config/config.yml (1.059s)
Debug (bootstrap): No project config found (1.059s)
Debug (bootstrap): argv: /usr/local/bin/ee site ssl www.astrea.com.au --debug (1.06s)
Debug (bootstrap): Running command: site (1.06s)
Debug (bootstrap): Running command: site ssl (1.068s)
Starting SSL verification.
Debug: Loading account keypair (1.094s)
Debug: Starting check with solver http (1.106s)
Debug: Challenge loaded. (1.11s)
Debug: Testing the challenge for domain www.astrea.com.au (2.231s)
Debug: Requesting authorization check for domain www.astrea.com.au (2.261s)
Debug: Challenge failed (response: {"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:dns","detail":"During secondary validation: DNS problem: query timed out looking up A for www.astrea.com.au","status":400},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/7514373578/VhpGbw","token":"98lc0_lGBJc1ypvqctuiJxAkkGcJ4QpH1unZlD7OWiI","validationRecord":[{"url":"http://www.astrea.com.au/.well-known/acme-challenge/98lc0_lGBJc1ypvqctuiJxAkkGcJ4QpH1unZlD7OWiI","hostname":"www.astrea.com.au","port":"80","addressesResolved":["128.199.83.32"],"addressUsed":"128.199.83.32"},{"url":"https://www.astrea.com.au/.well-known/acme-challenge/98lc0_lGBJc1ypvqctuiJxAkkGcJ4QpH1unZlD7OWiI","hostname":"www.astrea.com.au","port":"443","addressesResolved":["128.199.83.32"],"addressUsed":"128.199.83.32"}]}). (2.496s)
Warning: Challenge Authorization failed. Check logs and check if your domain is pointed correctly to this server.
Re-run ee site ssl www.astrea.com.au after fixing the issue.
Warning: Failed to verify SSL: Challenge failed (response: {"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:dns","detail":"During secondary validation: DNS problem: query timed out looking up A for www.astrea.com.au","status":400},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/7514373578/VhpGbw","token":"98lc0_lGBJc1ypvqctuiJxAkkGcJ4QpH1unZlD7OWiI","validationRecord":[{"url":"http://www.astrea.com.au/.well-known/acme-challenge/98lc0_lGBJc1ypvqctuiJxAkkGcJ4QpH1unZlD7OWiI","hostname":"www.astrea.com.au","port":"80","addressesResolved":["128.199.83.32"],"addressUsed":"128.199.83.32"},{"url":"https://www.astrea.com.au/.well-known/acme-challenge/98lc0_lGBJc1ypvqctuiJxAkkGcJ4QpH1unZlD7OWiI","hostname":"www.astrea.com.au","port":"443","addressesResolved":["128.199.83.32"],"addressUsed":"128.199.83.32"}]}).

The DNS message seems erroneous.
The problem is in the HTTP validation.
HTTP gets redirected to HTTPS and then fails (for LE).
My requests get through.
So, you can either allow all IPs access to your HTTPS site (not needed).
Or, don't forward the challenge requests from HTTP to HTTPS and handle them there (in HTTP).

This may not be a built-in checkbox setting for EE.
So, it is more like a hack/workaround than an official solution.
First check their docs for anything related to excluding /.well-known/acme-challenge/ requests.
If nothing found and you are wanting to try the hack/workaround.
Show the output of:
sudo ps -ef | grep -Ei 'nginx|apache'
[not 100% ee sits atop Apache]

sudo ps -ef | grep -Ei 'nginx|apache'
root 1583 1470 0 Jul09 ? 00:00:00 nginx: master process /usr/bin/openresty -g daemon off;
root 2098 1555 0 Jul09 ? 00:00:00 /bin/bash -c source ".profile" 2>/dev/null; docker-gen -watch -notify "nginx -s reload" /app/nginx.tmpl /etc/nginx/conf.d/default.conf
root 2099 1555 0 Jul09 ? 00:00:00 /bin/bash -c source ".profile" 2>/dev/null; nginx
root 2100 2098 0 Jul09 ? 02:08:46 docker-gen -watch -notify nginx -s reload /app/nginx.tmpl /etc/nginx/conf.d/default.conf
root 2101 2099 0 Jul09 ? 00:00:00 nginx: master process nginx
www-data 2160 1583 0 Jul09 ? 00:01:45 nginx: worker process
systemd+ 10819 2101 0 01:01 ? 00:00:02 nginx: worker process
root 14134 10260 0 03:06 pts/0 00:00:00 grep --color=auto -Ei nginx|apache

OK, so it is using nginx.
Let's have a look at:
ls -l /etc/nginx/sites-enabled/
ls -l /etc/nginx/conf.d/
and
cat /etc/nginx/conf.d/default.conf

In case we don't get to talk tomorrow...
[I have an early date with a boat, a rod, and hopefully some fish :)]

Here is a sample code that would need to be inserted into nginx (in the appropriate place):

  # skip challenge requests (anything under /.well-known) and
  # the "~" is required for nginx to treat the pattern as a regex
  location ~ ^/(?!\.well-known) {
    # send all other requests to HTTPS
    return 301 https://$host$request_uri;
  } # location

But you already have some redirection code, so this would have to overwrite or be merged in with your current code.
That waits to be seen.

I leave you in the very good hands of a very capable community.
Cheers from Miami :beers:
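The same idea, written out as a complete pair of nginx server blocks. This is an added example for illustration, not EasyEngine's generated config and not code from anyone in this thread; the domain example.com, the challenge webroot /var/www/acme and the certificate paths are placeholders. Instead of a regex with a negative lookahead it uses a `^~` prefix location, which nginx matches before any regex location, so the catch-all redirect cannot swallow challenge requests. Note from the `ps` output above that EasyEngine regenerates /etc/nginx/conf.d/default.conf with docker-gen from /app/nginx.tmpl, so a hand edit to that file would be overwritten; the template is the place such a change would have to live.

```nginx
# Added example, not EasyEngine's config. Assumptions: site is example.com,
# the ACME client writes challenge files under /var/www/acme, and the
# certificate/key paths are placeholders.

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Serve http-01 challenge files over plain HTTP. The ^~ modifier makes
    # this prefix match final, so the regex/catch-all redirect below is
    # never consulted for these URLs.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;           # files live at /var/www/acme/.well-known/acme-challenge/<token>
        default_type text/plain;
        autoindex off;                # never expose a listing of the challenge directory
        try_files $uri =404;          # no fallback into the application
    }

    # Everything else is sent to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;    # placeholder

    # The validation record in the debug output shows the CA following a
    # redirect to port 443, so if a challenge is ever redirected here the
    # same directory must also be reachable over HTTPS.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
        try_files $uri =404;
    }

    location / {
        root /var/www/example.com/html;  # placeholder site root
        index index.html;
    }
}
```

A quick local check, before asking the CA to validate, is to request a file under /.well-known/acme-challenge/ on port 80 with `curl -I` (which does not follow redirects) and confirm the answer is a 200 or 404 served directly rather than a 301 to HTTPS.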

I'm gonna take a look now. :slightly_smiling_face:

Enjoy the drin... fishin' Rudy! :dolphin: :fish: :tropical_fish: :blowfish:

Thanks for all your help!!

I have resolved this now. After checking the conf.d default file, I discovered that EasyEngine auto-creates the rules in the config to allow it to see the existing certificate's well-known path.

Running "ee site ssl" is attempting to add SSL to a site that does not have SSL, but as this site already had SSL it was not updating the nginx config to add the rule for a new cert. Instead all I needed to do was "ee site ssl-renew", which uses the path/token of the existing cert and was able to get through nginx.

I should have been more clear that I was looking to renew, not add!
