DNS problem: query timed out looking up A

Help
#1

Hi,

I'm facing this issue for 3 days now. I've over 300 accounts on my server never had an issue since 23th i'm having this issue no matter domain is.

Same thing occurs in another server of mine with same specs.

Can someone point me to the right direction.

My domain is: e-fotograf.com

I ran this command:

It produced this output:
Verify error:During secondary validation: DNS problem: query timed out looking up A for e-fotograf.com

My web server is (include version):
Apache/2.4.39

The operating system my web server runs on is (include version):
CentOS 7.9.2009

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
CWP

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1 Like
#2

We can't really help you troubleshoot without the command you ran. Can you please give us the command you ran?

2 Likes
#3

Welcome to the Let's Encrypt Community, Bahadır :slightly_smiling_face:

You're seeing a secondary validation failure, which is almost always a sign of a firewall problem (either yours or regional). Occasionally, but rarely, this is a sign of DNS server issues.

1 Like
#4

@Litbelb i use CWP UI but since you asked and i forgot to add command i've tried command below and got the same error.

sh /root/.acme.sh/acme.sh --home /root/.acme.sh/cwp_certs --issue -d www.e-fotograf.com -d e-fotograf.com -w /usr/local/apache/autossl_tmp

@griffin thanks for welcome :slight_smile: I've disabled all firewalls in one server including ISP's firewall. Nothing changed. I believe thats a DNS server issue too but can't find a way to fix it or define the exact problem.

2 Likes
#5

Additional info;

I'm able to renew previously generated cert... If this is a DNS problem, i have to get same error for renewals too, right ?

1 Like
#6

Not necessarily.
Reissuing recently issued cert might bypass the need for rigorous DNS verification.

Is there one common DNS system used for all the problematic domains?

1 Like
#7

A post was split to a new topic: Query timed out looking up A

#8

I ve contacted ISP they have no idea either. As far as we know there are several ISPs from Turkey having same problem with different users. I am the only one having this problem with my ISP

Not sure but seems like this is not an issue caused by my DNS settings which never changed and was working couple days ago.

1 Like
#9

Well then you could wait for the problem to go away (much as it came - mysteriously).
OR
You could add some DNS servers far outside of your country/problem area.

There are plenty of global DNS service providers and some will even do it for free.
I can personally recommend:


OR
Host your own additional DNS server in any cloud type service (but outside the problem area).

2 Likes
#10

You had me at 1,000% uptime

3 Likes
#11

I was planing that but not sure if that will work since validation looks for A record and it will point same IP address. Is it a lookup problem or is something blocking validation requests.

1 Like
#12

I take no chances!
I use 11 name servers across the planet - my stuff never fails to resolve :wink:

1 Like
#13

This is the problem that will address:

1 Like
#14

There may be two problems; But we need to tackle them one at a time :slightly_smiling_face:

1 Like
#15

Not surprised. It worked. Here is what i've done.

  1. Created zone for domain in a different datacenter with same DNS settings
  2. Added A record points to my problematic server
  3. Changed nameserver's to other server
  4. Installed SSL on my server. Success.

After this i've changed NS records back to my server and able to work with domain also able to renew SSL through auto installer UI

So now the question is why Letsencrypt can perform a DNS lookup for A record on my server. I've checked most known web sited for my record all works fine except MXToolbox.

MXToolbox result are a bit confusing too, may throw an error "Not able to get a response from name servers within timeframe"

1 Like
"During secondary validation" error
#16

I think this has a lot to do with the locations of and systems in between the querying and queried systems.

1 Like
#17

Or an IPS / fail2ban type program running somewhere inline.

1 Like
#18

Potato - Potato

:upside_down_face:

2 Likes
#19

Funny how the mind sees things
I read that clearly as
po-tay-toe - po-tah-toe

1 Like
#20

Finally.

After bunch of tests I made sure that the problem is not on my settings. Make ISP to check blockings again. They've changed some rules which i'm not sure what they have done but everything works fine now.

Thanks for everyone took time to reply and help me.

Regards.

3 Likes