DNS problem: query timed out looking up A

letsuser · June 26, 2023, 8:52am

Hi,

My domain is:
files .abisoft .spb .ru
filesb .abisoft .spb .ru

I ran this command:
certbot renew --max-log-backups 30
certbot renew -vv --dry-run

It produced this output:

...
Challenge failed for domain files .abisoft .spb .ru
Challenge failed for domain filesb.abisoft.spb.ru
http-01 challenge for files .abisoft .spb .ru
http-01 challenge for filesb.abisoft.spb.ru
Reporting to user: The following errors were reported by the server:

Domain: files .abisoft .spb .ru
Type:   dns
Detail: DNS problem: query timed out looking up A for files .abisoft .spb .ru; DNS problem: query timed out looking up AAAA for files .abisoft .spb .ru

Domain: filesb .abisoft .spb .ru
Type:   dns
Detail: DNS problem: query timed out looking up A for filesb .abisoft .spb .ru; DNS problem: query timed out looking up AAAA for filesb .abisoft .spb .ru

My web server is (include version):
Apache 2.4.6

The operating system my web server runs on is (include version):
OEL 7

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.11.0

I checked DNS A record with multiple DNS testing services - they're all able to pull the record, for example:

$ dig +short files .abisoft .spb .ru @8.8.8.8
84 .52 .87 .17

Any help is kindly appriciated!

Nekit · June 26, 2023, 9:54am

At least two of your authoritative nameservers are currently misbehaving (at least from my vantage point)

$ dig +short ns abisoft.spb.ru
ns3.he.net.
ns1.he.net.
ns2.he.net.
ns4.he.net.
ns5.he.net.

$ dig +short files.abisoft.spb.ru @ns2.he.net
;; communications error to 216.218.131.2#53: timed out

$ dig +short files.abisoft.spb.ru @ns3.he.net
;; communications error to 216.218.132.2#53: timed out

I'd suggest temporarily removing misbehaving ns records and possibly contact he's support with this issue.

letsuser · June 26, 2023, 10:09am

Thanks for your quick reply!

That's really weird - I don't see any issues:

84.52.87.17
[root@monitor-1 conf]# dig +short files.abisoft.spb.ru @ns3.he.net
84.52.87.17
[root@monitor-1 conf]# dig +short files.abisoft.spb.ru @ns2.he.net
84.52.87.17
[root@monitor-1 conf]# dig +short files.abisoft.spb.ru @ns3.he.net
84.52.87.17
[root@monitor-1 conf]# dig +short files.abisoft.spb.ru @ns2.he.net
84.52.87.17
[root@monitor-1 conf]# dig +short files.abisoft.spb.ru @ns3.he.net
84.52.87.17

Nekit · June 26, 2023, 10:22am

Hmm, considering that there's no reply after a first hop in my case — my isp's network may have issues and it may be just a coincidence.

Still, try removing those two and run the certbot command again.

letsuser · June 26, 2023, 10:34am

Yeah, I've just discovered the same thru all of my ISPs in Russia (no issues from the US servers). Sent them the complain. Wondering why LE was affected by that..

Thanks for your help! I'll update here as soon as I get replies from my ISPs

letsuser · June 26, 2023, 12:10pm

@Nekit JFYI: one of the ISPs has reported they found a block from RKN and they made a support request to them. Interesting, that the official RKN check page (https://blocklist.rkn.gov.ru) does not show any issues with that IP

Nekit · June 26, 2023, 12:13pm

I figured this might be the case. They are known for blocking things seemingly arbitrarily…

kaponir · June 26, 2023, 1:14pm

Hello! We have the same problem. On the example of the ryzhkov. spb. ru domain:
2023/06/26 14:12:34 Domain verification results for 'ryzhkov. spb. ru': error. During secondary validation: DNS problem: query timed out looking up TXT for _acme-challenge.ryzhkov. spb. ru

Is it possible to get a list of IP addresses to check if they are blocked on the DNS side? There is a version that the problem concerns geo-domains (such as .spb.ru).

petercooperjr · June 26, 2023, 3:35pm

No; Let's Encrypt checks from multiple vantage points, potentially from around the world, and specifically doesn't publish them since they change regularly and because they need to ensure that clients actually own the name they're claiming to own as seen from everywhere on the Internet.

letsuser · June 26, 2023, 3:57pm

@petercooperjr can you check why ns2.he.net and ns3.he.net are not reachable from the LE infrastructure?

rg305 · June 26, 2023, 4:00pm

Only someone that works for LE could do that.

The closest thing to that is using:
https://unboundtest.com/

letsuser · June 26, 2023, 4:13pm

I decided @petercooperjr is one of such persons

unboundtest resolves my domains w/o issues

Osiris · June 26, 2023, 4:18pm

Most users here are just volunteers, not employees of Let's Encrypt. LE employees will have "Let's Encrypt Staff" as their title next to their username.

rg305 · June 26, 2023, 4:32pm

And I decide each week to win the lottery ...
But my decision matters not; Week after week I don't win it.

Nekit · June 26, 2023, 5:39pm

(probably language barrier, they possibly meant “thought”)

petercooperjr · June 26, 2023, 7:41pm

I mean, I've considered applying to work there, but I'm pretty happy in my current job. I appreciate the vote of confidence that I could do so if I wanted to, though.

Another tool, which I haven't seen mentioned in this thread yet, is DNSViz. In the "advanced options" for analyzing a site, you can pick a couple different "perspectives", to try getting to your DNS server from a few different places on the Internet.

In general, though, I don't think there's really much of anything that anyone here can do, as your DNS server has to be fully available in order to get a certificate from a CA. You might be able to try some other CAs too, if you can find one for whom all their tests can connect to your networks, but you may run into the same sorts of problems when you go to renew unless your hosting/network provider has fixed the problems. (And my understanding is that some CAs don't want to deal with issuing for .ru domains at all.)

letsuser · June 27, 2023, 6:58am

This issue opens a question: why does reachability of one (or two) out of many authoritative DNS servers lead to certificate renewal issues? We store zones on multiple DNS servers exactly for the purpose of high availability. Why isn't LE satisfied with the replies from the other servers?

@petercooperjr DNSViz found two issues:

abisoft.spb.ru zone: The server(s) were not responsive to queries over TCP. (216.218.130.2)
ru zone: The server(s) were not responsive to queries over UDP. (2001:678:14:0:193:232:156:17)

which obviously shouldn't affect the renewal

Osiris · June 27, 2023, 8:16am

It most definitely could.

letsuser · June 27, 2023, 9:45am

Hopefully, it's legal to call for someone from LE.

@mcpherrinm any chances you or your colleagues could shed some light on this issue?

kaponir · June 27, 2023, 11:26am

Found this service Let's Debug

It shows that everything is OK with the domain, and yet when you try to issue a certificate, the same error occurs.

What else can be done in this situation?

Topic		Replies	Views
During secondary validation: DNS problem: query timed out looking up A Help	21	10428	June 6, 2020
Problems with certificate renewal Help	7	695	October 12, 2023
Renewal issue - query timed out looking up A record Help	12	793	September 18, 2021
DNS problem: query timed out looking up TXT Help	93	3637	October 19, 2023
Query timed out looking up A Help	7	378	November 24, 2022

DNS problem: query timed out looking up A

Related topics