DNS problem: query timed out looking up CAA for tk

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: eradanenov.tk

I ran this command: sudo certbot

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate and install certificates?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel): eradanenov.tk
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for eradanenov.tk
Waiting for verification...
Challenge failed for domain eradanenov.tk
http-01 challenge for eradanenov.tk
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: eradanenov.tk
   Type:   dns
   Detail: DNS problem: query timed out looking up CAA for tk

My web server is (include version): nginx/1.16.1

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.39.0

Hi @chainhead

that’s a known problem. The tk zone has badly configured name servers. And you use freenom, these name servers are bad too - https://check-your-website.server-daten.de/?q=eradanenov.tk

X Fatal error: Nameserver doesn’t support TCP connection: a.ns.tk: Fatal error (0)
X Fatal error: Nameserver doesn’t support TCP connection: b.ns.tk: Fatal error (0)
X Fatal error: Nameserver doesn’t support TCP connection: c.ns.tk: Fatal error (0)
X Fatal error: Nameserver doesn’t support TCP connection: d.ns.tk: Fatal error (0)
A Good: Nameserver supports TCP connections: 4 good Nameserver
A Good: Nameserver supports Echo Capitalization: 4 good Nameserver
X Fatal error: Nameserver doesn’t support EDNS with max. 512 Byte Udp payload or sends more then 512 Bytes: ns01.freenom.com
X Fatal error: Nameserver doesn’t support EDNS with max. 512 Byte Udp payload or sends more then 512 Bytes: ns02.freenom.com
X Fatal error: Nameserver doesn’t support EDNS with max. 512 Byte Udp payload or sends more then 512 Bytes: ns03.freenom.com
X Fatal error: Nameserver doesn’t support EDNS with max. 512 Byte Udp payload or sends more then 512 Bytes: ns04.freenom.com

Name servers without TCP-support -> that’s bad.

You don’t have a CAA record.

If it is possible, create one CAA with

11. CAA - Entries

Domainname flag Name Value ∑ Queries ∑ Timeout
www.eradanenov.tk 0 no CAA entry found 1 0
eradanenov.tk 0 no CAA entry found 1 0
tk 0 no CAA entry found 1 0

eradanenov.tk as domain name and letsencrypt.org as value.

Then the tk CAA isn’t checked.

PS: Unboundtest

https://unboundtest.com/m/CAA/tk/HSZ2JZ4O

shows a timeout too:

Query results for CAA tk

Response:
;; opcode: QUERY, status: SERVFAIL, id: 22931
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

Letsencrypt uses an Unbound-instance with the same configuration.

uh oh…! Any other cheap (==free) options you could recommend?

For testing purposes, you can use dynv6.com (no, it is not limited to IPv6). And also https://freedns.afraid.org/ works if you choose some unpopular domain (less than 100 hosts in use) from the full list: https://freedns.afraid.org/domain/registry/ - but in general their DNS setup is shaky, too.

1 Like

If the project is minimal important, I wouldn’t use a free service.

Free services have often limitations, sometimes they are hidden. Sample: You have a “free” domain, but everyone can create subdomains with that domain name -> that hits the Letsencrypt subdomain limit. Or you have a “free” domain, someone want’s to use that domain and pays -> your domain is gone.

And you may have such problems like not working name servers.

Thank you @JuergenAuer, @patrakov for your responses. This is a project for demo purposes only - expected to be up for a few months only. My idea was to use a free option initially and then a paid one once the demo is done.

If you’re using a Freenom domain, you could still use Cloudflare for DNS–they’re free, and they’re generally considered to be pretty good (I’ve been happy with them for the last few years).

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.