DNS problem: query timed out looking up A


My domain is:
files .abisoft .spb .ru
filesb .abisoft .spb .ru

I ran this command:
certbot renew --max-log-backups 30
certbot renew -vv --dry-run

It produced this output:

Challenge failed for domain files .abisoft .spb .ru
Challenge failed for domain filesb.abisoft.spb.ru
http-01 challenge for files .abisoft .spb .ru
http-01 challenge for filesb.abisoft.spb.ru
Reporting to user: The following errors were reported by the server:

Domain: files .abisoft .spb .ru
Type:   dns
Detail: DNS problem: query timed out looking up A for files .abisoft .spb .ru; DNS problem: query timed out looking up AAAA for files .abisoft .spb .ru

Domain: filesb .abisoft .spb .ru
Type:   dns
Detail: DNS problem: query timed out looking up A for filesb .abisoft .spb .ru; DNS problem: query timed out looking up AAAA for filesb .abisoft .spb .ru

My web server is (include version):
Apache 2.4.6

The operating system my web server runs on is (include version):

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.11.0

I checked DNS A record with multiple DNS testing services - they're all able to pull the record, for example:

$ dig +short files .abisoft .spb .ru @
84 .52 .87 .17

Any help is kindly appriciated!

At least two of your authoritative nameservers are currently misbehaving (at least from my vantage point)

$ dig +short ns abisoft.spb.ru

$ dig +short files.abisoft.spb.ru @ns2.he.net
;; communications error to timed out

$ dig +short files.abisoft.spb.ru @ns3.he.net
;; communications error to timed out

I'd suggest temporarily removing misbehaving ns records and possibly contact he's support with this issue.

1 Like

Thanks for your quick reply!

That's really weird - I don't see any issues:
[root@monitor-1 conf]# dig +short files.abisoft.spb.ru @ns3.he.net
[root@monitor-1 conf]# dig +short files.abisoft.spb.ru @ns2.he.net
[root@monitor-1 conf]# dig +short files.abisoft.spb.ru @ns3.he.net
[root@monitor-1 conf]# dig +short files.abisoft.spb.ru @ns2.he.net
[root@monitor-1 conf]# dig +short files.abisoft.spb.ru @ns3.he.net
1 Like

Hmm, considering that there's no reply after a first hop in my case — my isp's network may have issues and it may be just a coincidence.

Still, try removing those two and run the certbot command again.

1 Like

Yeah, I've just discovered the same thru all of my ISPs in Russia (no issues from the US servers). Sent them the complain. Wondering why LE was affected by that..

Thanks for your help! I'll update here as soon as I get replies from my ISPs


@Nekit JFYI: one of the ISPs has reported they found a block from RKN and they made a support request to them. Interesting, that the official RKN check page (https://blocklist.rkn.gov.ru) does not show any issues with that IP


I figured this might be the case. They are known for blocking things seemingly arbitrarily…


Hello! We have the same problem. On the example of the ryzhkov. spb. ru domain:
2023/06/26 14:12:34 Domain verification results for 'ryzhkov. spb. ru': error. During secondary validation: DNS problem: query timed out looking up TXT for _acme-challenge.ryzhkov. spb. ru

Is it possible to get a list of IP addresses to check if they are blocked on the DNS side? There is a version that the problem concerns geo-domains (such as .spb.ru).

No; Let's Encrypt checks from multiple vantage points, potentially from around the world, and specifically doesn't publish them since they change regularly and because they need to ensure that clients actually own the name they're claiming to own as seen from everywhere on the Internet.


@petercooperjr can you check why ns2.he.net and ns3.he.net are not reachable from the LE infrastructure?

Only someone that works for LE could do that.

The closest thing to that is using:


I decided @petercooperjr is one of such persons :slight_smile:

unboundtest resolves my domains w/o issues

1 Like

Most users here are just volunteers, not employees of Let's Encrypt. LE employees will have "Let's Encrypt Staff" as their title next to their username.


And I decide each week to win the lottery ...
But my decision matters not; Week after week I don't win it.


(probably language barrier, they possibly meant “thought”)


I mean, I've considered applying to work there, but I'm pretty happy in my current job. I appreciate the vote of confidence that I could do so if I wanted to, though. :slight_smile:

Another tool, which I haven't seen mentioned in this thread yet, is DNSViz. In the "advanced options" for analyzing a site, you can pick a couple different "perspectives", to try getting to your DNS server from a few different places on the Internet.

In general, though, I don't think there's really much of anything that anyone here can do, as your DNS server has to be fully available in order to get a certificate from a CA. You might be able to try some other CAs too, if you can find one for whom all their tests can connect to your networks, but you may run into the same sorts of problems when you go to renew unless your hosting/network provider has fixed the problems. (And my understanding is that some CAs don't want to deal with issuing for .ru domains at all.)


This issue opens a question: why does reachability of one (or two) out of many authoritative DNS servers lead to certificate renewal issues? We store zones on multiple DNS servers exactly for the purpose of high availability. Why isn't LE satisfied with the replies from the other servers?

@petercooperjr DNSViz found two issues:

abisoft.spb.ru zone: The server(s) were not responsive to queries over TCP. (
ru zone: The server(s) were not responsive to queries over UDP. (2001:678:14:0:193:232:156:17)

which obviously shouldn't affect the renewal

It most definitely could.

1 Like

Hopefully, it's legal to call for someone from LE.

@mcpherrinm any chances you or your colleagues could shed some light on this issue?

Found this service Let's Debug

It shows that everything is OK with the domain, and yet when you try to issue a certificate, the same error occurs.

What else can be done in this situation?