DNS problem: query timed out looking up CAA for tk

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: eradanenov.tk

I ran this command: sudo certbot

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate and install certificates?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel): eradanenov.tk
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for eradanenov.tk
Waiting for verification...
Challenge failed for domain eradanenov.tk
http-01 challenge for eradanenov.tk
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: eradanenov.tk
   Type:   dns
   Detail: DNS problem: query timed out looking up CAA for tk

My web server is (include version): nginx/1.16.1

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.39.0

Hi @chainhead

that’s a known problem. The tk zone has badly configured name servers. And you use freenom, these name servers are bad too - https://check-your-website.server-daten.de/?q=eradanenov.tk

X Fatal error: Nameserver doesn’t support TCP connection: a.ns.tk: Fatal error (0)
X Fatal error: Nameserver doesn’t support TCP connection: b.ns.tk: Fatal error (0)
X Fatal error: Nameserver doesn’t support TCP connection: c.ns.tk: Fatal error (0)
X Fatal error: Nameserver doesn’t support TCP connection: d.ns.tk: Fatal error (0)
A Good: Nameserver supports TCP connections: 4 good Nameserver
A Good: Nameserver supports Echo Capitalization: 4 good Nameserver
X Fatal error: Nameserver doesn’t support EDNS with max. 512 Byte Udp payload or sends more then 512 Bytes: ns01.freenom.com
X Fatal error: Nameserver doesn’t support EDNS with max. 512 Byte Udp payload or sends more then 512 Bytes: ns02.freenom.com
X Fatal error: Nameserver doesn’t support EDNS with max. 512 Byte Udp payload or sends more then 512 Bytes: ns03.freenom.com
X Fatal error: Nameserver doesn’t support EDNS with max. 512 Byte Udp payload or sends more then 512 Bytes: ns04.freenom.com

Name servers without TCP-support -> that’s bad.

You don’t have a CAA record.

If it is possible, create one CAA with

11. CAA - Entries

Domainname flag Name Value ∑ Queries ∑ Timeout
www.eradanenov.tk 0 no CAA entry found 1 0
eradanenov.tk 0 no CAA entry found 1 0
tk 0 no CAA entry found 1 0

eradanenov.tk as domain name and letsencrypt.org as value.

Then the tk CAA isn’t checked.

PS: Unboundtest

https://unboundtest.com/m/CAA/tk/HSZ2JZ4O

shows a timeout too:

Query results for CAA tk

Response:
;; opcode: QUERY, status: SERVFAIL, id: 22931
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

Letsencrypt uses an Unbound-instance with the same configuration.
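To make the two points above concrete (a CA climbs from eradanenov.tk up to tk when it finds no CAA record, and a CAA record on eradanenov.tk stops that climb before the broken tk zone is ever asked), here is an added example that is not part of this thread or of any Let's Encrypt code. It is a simplified model of RFC 8659 CAA processing run against constructed in-memory zone data; the MockResolver, the ZONES_BROKEN/ZONES_FIXED tables and the TIMEOUT sentinel are assumptions for the demonstration, not real DNS lookups.

```python
# Added example (not from the thread): a simplified model of RFC 8659 CAA
# processing. It shows why a parent zone that times out ("tk") blocks the
# whole check, and why a CAA record on the registered domain ends the climb
# before the parent is queried.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (128) = "issuer critical"
    tag: str     # e.g. "issue", "issuewild", "iodef"
    value: str   # e.g. "letsencrypt.org"; an empty issuer means nobody may issue


def make_caa_rdata(flags: int, tag: str, value: str) -> bytes:
    """Encode CAA RDATA (RFC 8659 section 4.1): flags(1) | tag length(1) | tag | value."""
    tag_bytes = tag.encode("ascii")
    return bytes([flags & 0xFF, len(tag_bytes)]) + tag_bytes + value.encode("utf-8")


def parse_caa_rdata(rdata: bytes) -> CAARecord:
    """Decode CAA RDATA; the tag is case-insensitive, so it is lowered here."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("bad CAA tag length")
    tag = rdata[2:2 + tag_len].decode("ascii").lower()
    value = rdata[2 + tag_len:].decode("utf-8")
    return CAARecord(flags, tag, value)


class LookupFailed(Exception):
    """The resolver got no usable answer (timeout / SERVFAIL)."""


TIMEOUT = object()  # sentinel: this zone's name servers never answer (constructed)

# Constructed mock zone data: name -> list of CAA RDATA blobs, or TIMEOUT.
ZONES_BROKEN: Dict[str, object] = {"eradanenov.tk": [], "tk": TIMEOUT}
ZONES_FIXED: Dict[str, object] = {
    "eradanenov.tk": [make_caa_rdata(0, "issue", "letsencrypt.org")],
    "tk": TIMEOUT,
}


class MockResolver:
    """Stand-in for a recursive resolver; records every name it is asked for."""

    def __init__(self, zones: Dict[str, object]) -> None:
        self.zones = zones
        self.queried: List[str] = []

    def __call__(self, name: str) -> List[bytes]:
        self.queried.append(name)
        entry = self.zones.get(name, [])
        if entry is TIMEOUT:
            raise LookupFailed(f"query timed out looking up CAA for {name}")
        return list(entry)  # type: ignore[arg-type]


def find_relevant_caa(name: str, resolve: Callable[[str], List[bytes]]
                      ) -> Tuple[Optional[str], List[CAARecord]]:
    """Climb from `name` towards the root; stop at the first non-empty CAA set."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rdatas = resolve(candidate)  # LookupFailed propagates: the check cannot finish
        if rdatas:
            return candidate, [parse_caa_rdata(r) for r in rdatas]
    return None, []


def ca_may_issue(name: str, ca_identity: str, resolve: Callable[[str], List[bytes]]
                 ) -> Tuple[Optional[bool], str]:
    """True/False = decision; None = the check could not complete, so the CA must not issue."""
    try:
        found_at, records = find_relevant_caa(name, resolve)
    except LookupFailed as exc:
        return None, str(exc)
    if not records:
        return True, "no CAA records anywhere in the tree"
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & 0x80 and r.tag not in known for r in records):
        return False, f"critical CAA property at {found_at} not understood"
    issue = [r for r in records if r.tag == "issue"]
    if not issue:
        return True, f"CAA set at {found_at} has no issue property"
    for r in issue:
        # Parameters after ';' are ignored here; an empty issuer name matches nobody.
        issuer = r.value.split(";", 1)[0].strip().lower()
        if issuer and issuer == ca_identity.lower():
            return True, f"{ca_identity} authorized by CAA at {found_at}"
    return False, f"{ca_identity} not listed in CAA at {found_at}"


if __name__ == "__main__":
    for label, zones in (("broken", ZONES_BROKEN), ("fixed", ZONES_FIXED)):
        resolver = MockResolver(zones)
        print(label, ca_may_issue("eradanenov.tk", "letsencrypt.org", resolver),
              "queried:", resolver.queried)
```

Run as a script, the "broken" case reports the same lookup failure text as the certbot output in the first post, and the resolver's query list shows that "tk" was asked; in the "fixed" case the climb stops at eradanenov.tk and "tk" never appears in the list. The model deliberately treats a lookup failure as "cannot decide" rather than "no record", which is the conservative behaviour a CA has to take.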

uh oh…! Any other cheap (==free) options you could recommend?

For testing purposes, you can use dynv6.com (no, it is not limited to IPv6). And also https://freedns.afraid.org/ works if you choose some unpopular domain (less than 100 hosts in use) from the full list: https://freedns.afraid.org/domain/registry/ - but in general their DNS setup is shaky, too.


If the project is minimally important, I wouldn’t use a free service.

Free services often have limitations, and sometimes they are hidden. Sample: You have a “free” domain, but everyone can create subdomains with that domain name -> that hits the Letsencrypt subdomain limit. Or you have a “free” domain, someone wants to use that domain and pays -> your domain is gone.

And you may have such problems like not working name servers.

Thank you @JuergenAuer, @patrakov for your responses. This is a project for demo purposes only - expected to be up for a few months only. My idea was to use a free option initially and then a paid one once the demo is done.

If you’re using a Freenom domain, you could still use Cloudflare for DNS–they’re free, and they’re generally considered to be pretty good (I’ve been happy with them for the last few years).