DNS problem SERVFAIL looking up A for sub.domain.de

Let's Encrypt worked for a long time, but for around two or three weeks I have not been able to renew my cert anymore. There is always this error: “DNS problem: query timed out looking up A for …”.

As I am using a dyndns provider, might the issue be related to the upper domain? I don't know what to do. It worked all the time.

My domain is: braendlin.syno-ds.de and other subdomains at xxx.braendlin.syno-ds.de

I ran this command:

Command

/usr/bin/certbot certonly --non-interactive --rsa-key-size 4096 --text --agree-tos --allow-subset-of-names --cert-name braendlin.syno-ds.de --email s.braendlin@posteo.de --webroot -w /var/omvconf/.nginx/lewebroot --preferred-challenges http -d braendlin.syno-ds.de,ffsync.braendlin.syno-ds.de,emby.braendlin.syno-ds.de,vpn.braendlin.syno-ds.de,collabora.braendlin.syno-ds.de

It produced this output:

Log output

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
/usr/lib/python3/dist-packages/josepy/jwa.py:107: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
signer = key.signer(self.padding, self.hash)
Performing the following challenges:
http-01 challenge for braendlin.syno-ds.de
http-01 challenge for ffsync.braendlin.syno-ds.de
http-01 challenge for emby.braendlin.syno-ds.de
http-01 challenge for vpn.braendlin.syno-ds.de
http-01 challenge for collabora.braendlin.syno-ds.de
Using the webroot path /var/omvconf/.nginx/lewebroot for all unmatched domains.
Waiting for verification…
Challenge failed for domain braendlin.syno-ds.de
Challenge failed for domain collabora.braendlin.syno-ds.de
Challenge failed for domain ffsync.braendlin.syno-ds.de
Challenge failed for domain vpn.braendlin.syno-ds.de
Cleaning up challenges
Performing the following challenges:
http-01 challenge for emby.braendlin.syno-ds.de
Using the webroot path /var/omvconf/.nginx/lewebroot for all unmatched domains.
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/braendlin.syno-ds.de/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/braendlin.syno-ds.de/privkey.pem
    Your cert will expire on 2019-02-08. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

My web server is (include version): nginx 1.10.3

The operating system my web server runs on is (include version): debian 9

My hosting provider, if applicable, is: none

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Please show the tail -n 99 from the /var/log/letsencrypt/letsencrypt.log file.

Like @rg305 I would like to see the exact error message presented by certbot too. Because I’m not seeing it in your output.

Also, was the use of --allow-subset-of-names a conscious choice? Because now you have three certificates just for emby.braendlin.syno-ds.de. Please be aware of the Rate Limits.

From my point of view, I’m getting an IP address for all of your (sub)domains. So I’m not seeing a SERVFAIL.

Unfortunately tail -n 99 did not show any error, only debug output. Nevertheless I have extracted the log from yesterday.

Summary

2018-11-10 23:26:10,230:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/We_oqMwQputNh21M3D_0SmyHMi1bmVLHMniKsZAVz7k.
2018-11-10 23:26:10,398:DEBUG:urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 “GET /acme/authz/We_oqMwQputNh21M3D_0SmyHMi1bmVLHMniKsZAVz7k HTTP/1.1” 200 1684
2018-11-10 23:26:10,400:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1684
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel=“next”
Replay-Nonce: vHVf2l0aGl36Wc0y7FqQxG7_qwZKKIkGTYk0MsY3640
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sat, 10 Nov 2018 22:26:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 10 Nov 2018 22:26:10 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “braendlin.syno-ds.de”
},
“status”: “invalid”,
“expires”: “2018-11-17T22:25:38Z”,
“challenges”: [
{
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:acme:error:dns”,
“detail”: “DNS problem: SERVFAIL looking up A for braendlin.syno-ds.de”,
“status”: 400
},
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/We_oqMwQputNh21M3D_0SmyHMi1bmVLHMniKsZAVz7k/9163222418”,
“token”: “GceHpHSNjufUnYaWOE2jbTzd8_RWdGARbazsAhKokOI”,
“validationRecord”: [
{
“url”: “http://braendlin.syno-ds.de/.well-known/acme-challenge/GceHpHSNjufUnYaWOE2jbTzd8_RWdGARbazsAhKokOI”,
“hostname”: “braendlin.syno-ds.de”,
“port”: “80”
}
]
},
{
“type”: “tls-sni-01”,
“status”: “invalid”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/We_oqMwQputNh21M3D_0SmyHMi1bmVLHMniKsZAVz7k/9163222419”,
“token”: “eXVDHNqlLrT9UHkmEyFyT9Q_Jx_MtkKxSEvLlowXJU0”
},
{
“type”: “dns-01”,
“status”: “invalid”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/We_oqMwQputNh21M3D_0SmyHMi1bmVLHMniKsZAVz7k/9163222420”,
“token”: “W8n3zJl0E1ys4fMGkCND1g81eX9rIFPFMWH0EEJWPSw”
},
{
“type”: “tls-alpn-01”,
“status”: “invalid”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/We_oqMwQputNh21M3D_0SmyHMi1bmVLHMniKsZAVz7k/9163222421”,
“token”: “wBD06zwRmwCjD3m0MKjG4eTwpOoZo8w8v_u00raLl7g”
}
],
“combinations”: [
[
0
],
[
1
],
[
3
],
[
2
]
]
}
2018-11-10 23:26:10,401:DEBUG:acme.challenges:tls-alpn-01 was not recognized, full message: {‘token’: ‘wBD06zwRmwCjD3m0MKjG4eTwpOoZo8w8v_u00raLl7g’, ‘uri’: ‘https://acme-v01.api.letsencrypt.org/acme/challenge/We_oqMwQputNh21M3D_0SmyHMi1bmVLHMniKsZAVz7k/9163222421’, ‘type’: ‘tls-alpn-01’, ‘status’: ‘invalid’}
2018-11-10 23:26:10,402:WARNING:certbot.auth_handler:Challenge failed for domain braendlin.syno-ds.de
2018-11-10 23:26:10,403:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/BHEiuRx-IJ9nkubkdTP71YPchlpJ2ZDWwISYgwGarqc.
2018-11-10 23:26:10,581:DEBUG:urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 “GET /acme/authz/BHEiuRx-IJ9nkubkdTP71YPchlpJ2ZDWwISYgwGarqc HTTP/1.1” 200 1719
2018-11-10 23:26:10,583:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1719
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel=“next”
Replay-Nonce: cM0GXNJvLzosRAILYOjcgelFrPSWSoX4pZDziPqP75Q
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sat, 10 Nov 2018 22:26:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 10 Nov 2018 22:26:10 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “ffsync.braendlin.syno-ds.de”
},
“status”: “invalid”,
“expires”: “2018-11-17T22:25:38Z”,
“challenges”: [
{
“type”: “tls-alpn-01”,
“status”: “invalid”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/BHEiuRx-IJ9nkubkdTP71YPchlpJ2ZDWwISYgwGarqc/9163222481”,
“token”: “Op4MvBPTpyNSWhip4mG6NAaYhDBfSNkfo7awIADpUgI”
},
{
“type”: “tls-sni-01”,
“status”: “invalid”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/BHEiuRx-IJ9nkubkdTP71YPchlpJ2ZDWwISYgwGarqc/9163222482”,
“token”: “53StO5OmnMoAcSpN480BlMkEKJJRbdsO9KLigYquwi8”
},
{
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:acme:error:dns”,
“detail”: “DNS problem: query timed out looking up A for ffsync.braendlin.syno-ds.de”,
“status”: 400
},
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/BHEiuRx-IJ9nkubkdTP71YPchlpJ2ZDWwISYgwGarqc/9163222483”,
“token”: “JBt-QuajXv9cyTHohW-FH3EwaV-cd7PnhOx7G_SXgW8”,
“validationRecord”: [
{
“url”: “http://ffsync.braendlin.syno-ds.de/.well-known/acme-challenge/JBt-QuajXv9cyTHohW-FH3EwaV-cd7PnhOx7G_SXgW8”,
“hostname”: “ffsync.braendlin.syno-ds.de”,
“port”: “80”
}
]
},
{
“type”: “dns-01”,
“status”: “invalid”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/BHEiuRx-IJ9nkubkdTP71YPchlpJ2ZDWwISYgwGarqc/9163222484”,
“token”: “SolwlCwdyM1nWa3tdon4iVPeCiTl7Ap8I3C3kO7Q-1I”
}
],
“combinations”: [
[
0
],
[
2
],
[
1
],
[
3
]
]
}
2018-11-10 23:26:10,584:DEBUG:acme.challenges:tls-alpn-01 was not recognized, full message: {‘token’: ‘Op4MvBPTpyNSWhip4mG6NAaYhDBfSNkfo7awIADpUgI’, ‘uri’: ‘https://acme-v01.api.letsencrypt.org/acme/challenge/BHEiuRx-IJ9nkubkdTP71YPchlpJ2ZDWwISYgwGarqc/9163222481’, ‘type’: ‘tls-alpn-01’, ‘status’: ‘invalid’}
2018-11-10 23:26:10,585:WARNING:certbot.auth_handler:Challenge failed for domain ffsync.braendlin.syno-ds.de
2018-11-10 23:26:10,585:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/ojHWgZ-iAl-XzND27hVE3hTGtcrvjYxtLGZ7UGQS360.
2018-11-10 23:26:10,765:DEBUG:urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 “GET /acme/authz/ojHWgZ-iAl-XzND27hVE3hTGtcrvjYxtLGZ7UGQS360 HTTP/1.1” 200 1731
2018-11-10 23:26:10,766:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1731
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel=“next”
Replay-Nonce: eBHLW-nSZmO8kCQX47aL4fiE9jRmRPPP_mST4lmqZdI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sat, 10 Nov 2018 22:26:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 10 Nov 2018 22:26:10 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “collabora.braendlin.syno-ds.de”
},
“status”: “invalid”,
“expires”: “2018-11-17T22:25:39Z”,
“challenges”: [
{
“type”: “tls-alpn-01”,
“status”: “invalid”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/ojHWgZ-iAl-XzND27hVE3hTGtcrvjYxtLGZ7UGQS360/9163222632”,
“token”: “pP-S218D4RInBDHx9Xgar7NVKml15BSw9kaL67nSH_A”
},
{
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:acme:error:dns”,
“detail”: “DNS problem: query timed out looking up A for collabora.braendlin.syno-ds.de”,
“status”: 400
},
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/ojHWgZ-iAl-XzND27hVE3hTGtcrvjYxtLGZ7UGQS360/9163222633”,
“token”: “MA8efHE7NDIZkdL5Lbv9yJh5LPxb4sNUcTYf3ErwiFI”,
“validationRecord”: [
{
“url”: “http://collabora.braendlin.syno-ds.de/.well-known/acme-challenge/MA8efHE7NDIZkdL5Lbv9yJh5LPxb4sNUcTYf3ErwiFI”,
“hostname”: “collabora.braendlin.syno-ds.de”,
“port”: “80”
}
]
},
{
“type”: “dns-01”,
“status”: “invalid”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/ojHWgZ-iAl-XzND27hVE3hTGtcrvjYxtLGZ7UGQS360/9163222634”,
“token”: “qe-D9mMfpX2eA4NjFDIeqR1H6if3f5l7EFjRYsOMoz4”
},
{
“type”: “tls-sni-01”,
“status”: “invalid”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/ojHWgZ-iAl-XzND27hVE3hTGtcrvjYxtLGZ7UGQS360/9163222635”,
“token”: “-2h99Uo62GFs_4X5Xsv6M8TGK6t8sDdV5RL-_CCp-yA”
}
],
“combinations”: [
[
0
],
[
2
],
[
1
],
[
3
]
]
}
2018-11-10 23:26:10,767:DEBUG:acme.challenges:tls-alpn-01 was not recognized, full message: {‘token’: ‘pP-S218D4RInBDHx9Xgar7NVKml15BSw9kaL67nSH_A’, ‘uri’: ‘https://acme-v01.api.letsencrypt.org/acme/challenge/ojHWgZ-iAl-XzND27hVE3hTGtcrvjYxtLGZ7UGQS360/9163222632’, ‘type’: ‘tls-alpn-01’, ‘status’: ‘invalid’}
2018-11-10 23:26:10,768:WARNING:certbot.auth_handler:Challenge failed for domain collabora.braendlin.syno-ds.de
2018-11-10 23:26:10,769:DEBUG:certbot.error_handler:Calling registered functions
2018-11-10 23:26:10,769:INFO:certbot.auth_handler:Cleaning up challenges
2018-11-10 23:26:10,769:DEBUG:certbot.plugins.webroot:Removing /var/omvconf/.nginx/lewebroot/.well-known/acme-challenge/GceHpHSNjufUnYaWOE2jbTzd8_RWdGARbazsAhKokOI
2018-11-10 23:26:10,770:DEBUG:certbot.plugins.webroot:Removing /var/omvconf/.nginx/lewebroot/.well-known/acme-challenge/JBt-QuajXv9cyTHohW-FH3EwaV-cd7PnhOx7G_SXgW8
2018-11-10 23:26:10,771:DEBUG:certbot.plugins.webroot:Removing /var/omvconf/.nginx/lewebroot/.well-known/acme-challenge/XyMO0RSYDkwa6NF1hEGcIj_vD4fRLWCobtbCDuUM0GA
2018-11-10 23:26:10,771:DEBUG:certbot.plugins.webroot:Removing /var/omvconf/.nginx/lewebroot/.well-known/acme-challenge/_nMtSSaFJbN6QgtMmrWT6KqhqpsDBJu_RHoYvPr8kIA
2018-11-10 23:26:10,772:DEBUG:certbot.plugins.webroot:Removing /var/omvconf/.nginx/lewebroot/.well-known/acme-challenge/MA8efHE7NDIZkdL5Lbv9yJh5LPxb4sNUcTYf3ErwiFI
2018-11-10 23:26:10,772:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2018-11-10 23:26:11,280:DEBUG:certbot.crypto_util:Generating key (4096 bits): /etc/letsencrypt/keys/0044_key-certbot.pem
2018-11-10 23:26:11,290:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0044_csr-certbot.pem
2018-11-10 23:26:11,291:DEBUG:acme.client:JWS payload:
b’{\n “resource”: “new-authz”,\n “identifier”: {\n “value”: “emby.braendlin.syno-ds.de”,\n “type”: “dns”\n }\n}’
2018-11-10 23:26:11,301:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
“payload”: “ewogICJyZXNvdXJjZSI6ICJuZXctYXV0aHoiLAogICJpZGVudGlmaWVyIjogewogICAgInZhbHVlIjogImVtYnkuYnJhZW5kbGluLnN5bm8tZHMuZGUiLAogICAgInR5cGUiOiAiZG5zIgogIH0KfQ”,
“protected”: “eyJub25jZSI6ICJBbkJzWlAtVDVyYTRfTU9GY0hyOHh1S25ubXhYVG1icUpyTW1mTFREQjJrIiwgImFsZyI6ICJSUzI1NiIsICJqd2siOiB7Im4iOiAiMGEwQ1RpREVzdkw0S2ZoRUpPdWx3MElpdWI4Rk1TQVVqX0VNRERSRXNjM2xXa1pLU2Vrc3kwTHl5R3NiZkhkXy1FdUpIMlhtNVlOVVZpX2N1ME1hQWd2S0xsdzNuRjdCUHRNckJnRk5rWjBMeVlTdTJERW1OcE5xVWhoa2xVNGRZaVNuNGNFTW9WREJqU1l3LUFjZWt3cjdpTkg5NWI1eWE3VFE5X3Yzeks1Rk5BUEl2QVRBSWNkVnhfT3hiellkaEpVclNSRmtuMHFNVkpndmVIVDJ5anVUR2kyMzBzUS1aVHJkN1pLVjBWX09wOUdMdE1LUTUtbTZJVEs4RlpFTXFKRXJhUEdxd0RlTHQ3b2hXbFQ5Z2lUV2ZXdVNwOW16YnY5MW9kUVpQWkFoWjMyRElkeEdYeXg2bE9YMUpyNk1COTF0YndVbjMyR3d5VFV2VXBlT19tNDAzdE5NZnJ3eEpJVlJ5MGh6Mzcxemg1NERpY3pfdEJWdXc2ZjdfdDNXRC1OengybjhicEx0b2FIZ0FveDhzbjI0YlYtT1hfUHJjMWxfLWVvUU40Yk9nTXNCRTRoRVBHNkRKVFZGVVlSNXVqQUxxSnAtRVQ1UWJBbVBhdHRVM21ZZGNlQ0UxT3oxZ2hCNFVwXzJJNC1nMGkyMlFUWWFWM0JkTVRELTNHN0VnUXBtYTh4RnBLSGJLZ3BWSWgtTTI0MDZfMk5JU1I0aWRhNm9KTnRKMEJwSWRzanVGcWpSQkdDdE5mamFHaW8wcV9nTW5Ed0h4UWpQQ0lvQjJXSUV4cGI4RkZEOFM2b0x2RFhXWEhyZE1wUE9sME9DOW4wWHJSZnM5b3ZUMHljZ3lwRy1fRUpVUW8tUmsyNVZpd3VHUnExM1ZOUGwzSTNYaTZoaktreTQ4eUUiLCAia3R5IjogIlJTQSIsICJlIjogIkFRQUIifX0”,
“signature”: “tnSVj7hiEdo8dJGPK6UVDWkl3paOWP02-5ozGI2jp4Sm8rgMcYbaMhrFRnIskbOgrOCGjTXskjiNVCctckCXp1OtsCFX59y7PRq1SpwlW3EV8ytFj0XxNSltG9TQ24Bgq5zuMAOy6Xak2yvkD5T5RQlsTYOkvP3SkLt0jt-zm_Rf6loQDISzsceW8lc_A7wck1r_OcciNWXeVNrBVvo4fuFouU1jo5-2oBCnqZ2uIJVSw6s1oeLSJXOegfh1yqwP8jfE7sw2QklXgC8xLL8_Bi0WGljVsTsR0wJre1l4GvWE8TldE0QEeOySO6jpyGwvEqYHE0mdISGeWTgq4EQxLlGhG9-bVQn1wGk54Ihb8dEDacUuyKKjME6WAhxbZXBtYZo47nMWYw7T4gsZOmOAwtx42Yh_MCW86CwfzA-DSEh3FwiHvheOUGCql9zpdwhZbxMJBWTiuduMnU8uOw4l1Eg7IciUSWXJaHzbZRVXjP8fQaodzwto8_Iy7Ze3tpzXmkugDpo_9a2-U1Q3ysELxq2Rxxlp4Wl2F4q7G0ky_rvbGSvHDQdQjmNdVPPNnN0zSBZpYTM8qTJzNEnquy4cFR6nRD8bGhyqSLDjqFYD0yrJXO9gQbRcMytCgOdIwJSQXakCHXDUYIPtrx0tP39Fr7aiXhnBrQwp3IWcapHWuZg”
}
2018-11-10 23:26:11,487:DEBUG:urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 “POST /acme/new-authz HTTP/1.1” 201 1646
2018-11-10 23:26:11,489:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1646
Boulder-Requester: 24601571
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel=“next”
Location: https://acme-v01.api.letsencrypt.org/acme/authz/jonu-SwvY04iTMjF_zz38oTOAPwBWExwnYoEUHXlLV4
Replay-Nonce: pd6U6bgxLXrK9cQGHafwFcZcQZQsIkokZ1ytQGJGpJA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sat, 10 Nov 2018 22:26:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 10 Nov 2018 22:26:11 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “emby.braendlin.syno-ds.de”
},
“status”: “valid”,
“expires”: “2018-12-10T22:05:14Z”,
“challenges”: [
{
“type”: “tls-sni-01”,
“status”: “pending”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/jonu-SwvY04iTMjF_zz38oTOAPwBWExwnYoEUHXlLV4/9162771978”,
“token”: “kbqqtoXB2YLpBoJefYv1vr4_T4HeIUcbxW9vTtPNgf8”
},
{
“type”: “http-01”,
“status”: “valid”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/jonu-SwvY04iTMjF_zz38oTOAPwBWExwnYoEUHXlLV4/9162771979”,
“token”: “XyMO0RSYDkwa6NF1hEGcIj_vD4fRLWCobtbCDuUM0GA”,
“validationRecord”: [
{
“url”: “http://emby.braendlin.syno-ds.de/.well-known/acme-challenge/XyMO0RSYDkwa6NF1hEGcIj_vD4fRLWCobtbCDuUM0GA”,
“hostname”: “emby.braendlin.syno-ds.de”,
“port”: “80”,
“addressesResolved”: [
“87.163.170.122”
],
“addressUsed”: “87.163.170.122”
}
]
},
{
“type”: “dns-01”,
“status”: “pending”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/jonu-SwvY04iTMjF_zz38oTOAPwBWExwnYoEUHXlLV4/9162771980”,
“token”: “IRixMKEKpYljPC7swbIE3_iMMlLx4Bq4M95ceKdT9dA”
},
{
“type”: “tls-alpn-01”,
“status”: “pending”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/jonu-SwvY04iTMjF_zz38oTOAPwBWExwnYoEUHXlLV4/9162771981”,
“token”: “yw0jgI1FhBAJM95GKDEAgAU_HLsf0MyrvAHwFlhq2Gs”
}
],
“combinations”: [
[
2
],
[
0
],
[
1
],
[
3
]
]
}
2018-11-10 23:26:11,489:DEBUG:acme.client:Storing nonce: pd6U6bgxLXrK9cQGHafwFcZcQZQsIkokZ1ytQGJGpJA
2018-11-10 23:26:11,490:DEBUG:acme.challenges:tls-alpn-01 was not recognized, full message: {‘token’: ‘yw0jgI1FhBAJM95GKDEAgAU_HLsf0MyrvAHwFlhq2Gs’, ‘uri’: ‘https://acme-v01.api.letsencrypt.org/acme/challenge/jonu-SwvY04iTMjF_zz38oTOAPwBWExwnYoEUHXlLV4/9162771981’, ‘type’: ‘tls-alpn-01’, ‘status’: ‘pending’}
2018-11-10 23:26:11,491:INFO:certbot.auth_handler:Performing the following challenges:
2018-11-10 23:26:11,492:INFO:certbot.auth_handler:http-01 challenge for emby.braendlin.syno-ds.de
2018-11-10 23:26:11,492:INFO:certbot.plugins.webroot:Using the webroot path /var/omvconf/.nginx/lewebroot for all unmatched domains.
2018-11-10 23:26:11,493:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /var/omvconf/.nginx/lewebroot/.well-known/acme-challenge
2018-11-10 23:26:11,493:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /var/omvconf/.nginx/lewebroot/.well-known/acme-challenge
2018-11-10 23:26:11,493:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /var/omvconf/.nginx/lewebroot/.well-known/acme-challenge
2018-11-10 23:26:11,494:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /var/omvconf/.nginx/lewebroot/.well-known/acme-challenge
2018-11-10 23:26:11,494:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /var/omvconf/.nginx/lewebroot/.well-known/acme-challenge
2018-11-10 23:26:11,504:DEBUG:certbot.plugins.webroot:Attempting to save validation to /var/omvconf/.nginx/lewebroot/.well-known/acme-challenge/XyMO0RSYDkwa6NF1hEGcIj_vD4fRLWCobtbCDuUM0GA
2018-11-10 23:26:11,504:INFO:certbot.auth_handler:Waiting for verification…
2018-11-10 23:26:11,504:DEBUG:acme.client:JWS payload:
b’{\n “resource”: “challenge”,\n “type”: “http-01”,\n “keyAuthorization”: “XyMO0RSYDkwa6NF1hEGcIj_vD4fRLWCobtbCDuUM0GA.V1Hrl9O3IgYQJsjysABuZ0riE62MitWsxvATHO8_5j8”\n}’
2018-11-10 23:26:11,514:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/jonu-SwvY04iTMjF_zz38oTOAPwBWExwnYoEUHXlLV4/9162771979:
{
“payload”: “ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJ0eXBlIjogImh0dHAtMDEiLAogICJrZXlBdXRob3JpemF0aW9uIjogIlh5TU8wUlNZRGt3YTZORjFoRUdjSWpfdkQ0ZlJMV0NvYnRiQ0R1VU0wR0EuVjFIcmw5TzNJZ1lRSnNqeXNBQnVaMHJpRTYyTWl0V3N4dkFUSE84XzVqOCIKfQ”,
“protected”: “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”,
“signature”: “jNTPgBedp84Zj59xGKev2BbETwgDe0dGPt18WhqNNZ-sFKSjj0pzfnV5CU76MXfyGGrK0NOgTe0-v8lxsqbtWKSE0H5zcQYTefT9-08AZeFAQMIVevv_C5-Qv02u1Vl3IUj21OgWxi6k8H4D-Q9yKd6WCQ-mhyIN0gX0jxfHqc6LYwe99HE0USsYgx4f466mipMiY-L3ayodKxEfJez3azIf40OE2ZUMge0cJw_TiAUPgrahcsRfMBodvcN-VDlwsAUfZpUkcXpwmEbbjyNEChEkXoJ6amm6CK94kqXMMT-EygcgdbUVB5A-gbHwuAmw-Hq3IdHUPJEo3EmbQFda2FiIY63A-n2R8MFT2hfmCp9dDec-0pYmfXN_mCU8qOG7qqq8dADt8TC3JGk9TmlaqCaao6nGtp0tb-TyoBZNbD5gq4PhN-d6UfWwprgX-kMIgo6N24TtBVFgvhL53d1_8i4WGDze8cqLyZ1JvfCazD0Lilw8AqcKSR1wjrA0XO4E7rM8i7xn-6dWXAo4vOyODLiESY6grQYUaOHWbmJ-sQWIcyvbQ4DLq_-6EZ_dvWZNNdQioYa-OEMB6FlGpnbu9w4OHt61V7B0ebgx1DFIHZ4HmWjUpYt9EMS303FEfIedkFL8rooPTUQipsmLlrezmWhrX4WCsvN26UHhDyYGOMs”
}
2018-11-10 23:26:11,696:DEBUG:urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 “POST /acme/challenge/jonu-SwvY04iTMjF_zz38oTOAPwBWExwnYoEUHXlLV4/9162771979 HTTP/1.1” 202 550
2018-11-10 23:26:11,697:DEBUG:acme.client:Received response:
HTTP 202
Server: nginx
Content-Type: application/json
Content-Length: 550
Boulder-Requester: 24601571
Link: https://acme-v01.api.letsencrypt.org/acme/authz/jonu-SwvY04iTMjF_zz38oTOAPwBWExwnYoEUHXlLV4;rel=“up”
Location: https://acme-v01.api.letsencrypt.org/acme/challenge/jonu-SwvY04iTMjF_zz38oTOAPwBWExwnYoEUHXlLV4/9162771979
Replay-Nonce: 4jUorK6ZhnIOvqvKIBz0tLrBQ-k0FTgrR2ZAJXxqs7Y
Expires: Sat, 10 Nov 2018 22:26:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 10 Nov 2018 22:26:11 GMT
Connection: keep-alive

{
“type”: “http-01”,
“status”: “valid”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/jonu-SwvY04iTMjF_zz38oTOAPwBWExwnYoEUHXlLV4/9162771979”,
“token”: “XyMO0RSYDkwa6NF1hEGcIj_vD4fRLWCobtbCDuUM0GA”,
“validationRecord”: [
{
“url”: “http://emby.braendlin.syno-ds.de/.well-known/acme-challenge/XyMO0RSYDkwa6NF1hEGcIj_vD4fRLWCobtbCDuUM0GA”,
“hostname”: “emby.braendlin.syno-ds.de”,
“port”: “80”,
“addressesResolved”: [
“87.163.170.122”
],
“addressUsed”: “87.163.170.122”
}
]
}
2018-11-10 23:26:11,697:DEBUG:acme.client:Storing nonce: 4jUorK6ZhnIOvqvKIBz0tLrBQ-k0FTgrR2ZAJXxqs7Y
2018-11-10 23:26:14,699:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/jonu-SwvY04iTMjF_zz38oTOAPwBWExwnYoEUHXlLV4.
2018-11-10 23:26:14,873:DEBUG:urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 “GET /acme/authz/jonu-SwvY04iTMjF_zz38oTOAPwBWExwnYoEUHXlLV4 HTTP/1.1” 200 1646
2018-11-10 23:26:14,874:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1646
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel=“next”
Replay-Nonce: I7YXiq5TkUwUW-RWKYRxRElGCvwN4tCIG9QIPPBPiJk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sat, 10 Nov 2018 22:26:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 10 Nov 2018 22:26:14 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “emby.braendlin.syno-ds.de”
},
“status”: “valid”,
“expires”: “2018-12-10T22:05:14Z”,
“challenges”: [
{
“type”: “tls-sni-01”,
“status”: “pending”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/jonu-SwvY04iTMjF_zz38oTOAPwBWExwnYoEUHXlLV4/9162771978”,
“token”: “kbqqtoXB2YLpBoJefYv1vr4_T4HeIUcbxW9vTtPNgf8”
},
{
“type”: “http-01”,
“status”: “valid”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/jonu-SwvY04iTMjF_zz38oTOAPwBWExwnYoEUHXlLV4/9162771979”,
“token”: “XyMO0RSYDkwa6NF1hEGcIj_vD4fRLWCobtbCDuUM0GA”,
“validationRecord”: [
{
“url”: “http://emby.braendlin.syno-ds.de/.well-known/acme-challenge/XyMO0RSYDkwa6NF1hEGcIj_vD4fRLWCobtbCDuUM0GA”,
“hostname”: “emby.braendlin.syno-ds.de”,
“port”: “80”,
“addressesResolved”: [
“87.163.170.122”
],
“addressUsed”: “87.163.170.122”
}
]
},
{
“type”: “dns-01”,
“status”: “pending”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/jonu-SwvY04iTMjF_zz38oTOAPwBWExwnYoEUHXlLV4/9162771980”,
“token”: “IRixMKEKpYljPC7swbIE3_iMMlLx4Bq4M95ceKdT9dA”
},
{
“type”: “tls-alpn-01”,
“status”: “pending”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/jonu-SwvY04iTMjF_zz38oTOAPwBWExwnYoEUHXlLV4/9162771981”,
“token”: “yw0jgI1FhBAJM95GKDEAgAU_HLsf0MyrvAHwFlhq2Gs”
}
],
“combinations”: [
[
2
],
[
0
],
[
1
],
[
3
]
]
}

When is the last time you tried? Because Unboundtest.com (which is a simple implementation of the DNS resolver used by Let’s Encrypt) doesn’t give any errors currently: https://unboundtest.com/m/A/braendlin.syno-ds.de/T2WLF6DL

Also, I didn’t find any fatal errors regarding DNSSEC: http://dnsviz.net/d/braendlin.syno-ds.de/

Two days ago. But I cannot find any issue either. And it worked quite well in the past. Three days ago not a single domain got challenged successfully. Then only the emby subdomain. I do not understand the inconsistency…

Hi @godfuture

One thing I don't understand.

Checking DNS Checker - DNS Check Propagation Tool all works.

Checking DNS Checker - DNS Check Propagation Tool nothing works.

But checking the same with two of my own domains (server-daten.de + www.server-daten-de) I get NS entries with the subdomain.

Perhaps you should ask your dns provider.

PS: Oh, what's that?

D:\temp>nslookup -type=NS braendlin.syno-ds.de.

syno-ds.de
primary name server = localhost
responsible mail addr = root.localhost
serial = 6
refresh = 10800 (3 hours)
retry = 3600 (1 hour)
expire = 604800 (7 days)
default TTL = 3600 (1 hour)

Checked via Windows nslookup. localhost as nameserver is really bad.


Thanks for that. I will get in contact with the provider!

The bad “localhost.” nameserver is only in the SOA record. It ought to be fixed, but it doesn’t cause any harm to normal DNS resolution.

🔓  syno-ds.de.  86193  NS   ns2.crns.de.
🔓  syno-ds.de.  86193  NS   h2-045.net.crns.de.

🔓  syno-ds.de.  86199  SOA  localhost. root.localhost. 6 10800 3600 604800 3600

I have a theory: What if your DNS provider has really strict rate limits? Particularly for negative responses?

I’ve seen one of the IPs start dropping all of my queries for a little while after I sent it maybe 1-2 dozen queries.

Either there was an outage, or my IP got temporarily banned.

If you’re validating a bunch of hostnames, Let’s Encrypt will send them more traffic than I did.


I guess you made a good point, but I don’t exactly understand it.

Does this have to do with the DNS server that is configured on my server's network connection? If yes, in my case that would be the ISP's. I did not change this recently. When I try to resolve the domain names on my server, all IPs are fine, meaning I get my WAN IP for all of my domains incl. the subs.

Trying to issue the certificate today, two domains get challenged, the rest is still failing. But why did Let's Encrypt challenge two this time instead of one? (attachment: LE_dayAfter.txt, 159.2 KB)

Interestingly, the IP address of the emby subdomain is resolved wrongly. It is the previous (Dyn) IP address, not the current one. The others did not resolve at all. Isn't that an issue with Let's Encrypt's DNS server?


IMPORTANT NOTES:

Do you NOT see a problem?

And this still returns localhost:

I mean the domain's authoritative DNS servers -- ns2.crns.de and h2-045.net.crns.de.

The most likely way that Let's Encrypt's resolver would get that IP address is if one or more of the domain's authoritative DNS servers said it was the correct address. Maybe they take a while to fully deploy record updates, or had an issue.

I still think you should investigate whether they have aggressive rate limiting or fail to respond for other reasons.

DNSViz also thinks they frequently fail to respond:

http://dnsviz.net/d/syno-ds.de/W-t9Xg/dnssec/

Both nameservers also seem to be hosted in the same place, making the domain more likely to fail to resolve if there is some sort of outage.

It doesn't affect normal resolution, though.

There’s a SERVFAIL and others are not seeing it. That could be a DNS social engineering attack, a subtle man-in-the-middle interception intended to hit certain targeted individuals, but not the general public.

The point is, I do not understand why my ISP's (recursive) DNS server responds with a fine IP. My (sub)domains' TTLs are short enough that recursive DNS servers (my ISP's) would have to refresh their DNS cache by resolving from the authoritative DNS servers. But LE still seems to have problems resolving those.

The dyndns provider does not see any issue. No changes so far in their infrastructure. Strange thing. My setup suddenly got broken. Let's assume you are right. How is the man-in-the-middle established? I mean, what might have been technically done to trick LE by pretending to be me?

@godfuture
LE doesn’t always get along with dyndns all that well. I don’t know what the issues were, but at some point in time, before TOR, i2p, etc. ever came on the scene, dyndns was essentially the “dark web,” and the cops frequently busted people with personal servers.

But does your traffic profile and ISP resolver setup result in dozens of queries being sent from the same source IP address to the authoritative servers?

Good question. But do I have the chance to see the queries fired by the ISP against the authoritatives? I think not, right?

I tried to check the authoritative DNS servers directly with nslookup. It always returns an IP:
user@host:~$ nslookup braendlin.syno-ds.de ns2.crns.de
Server: ns2.crns.de
Address: 83.246.76.144#53

Name: braendlin.syno-ds.de
Address: 217.247.179.253

user@host:~$ nslookup braendlin.syno-ds.de h2-045.net.crns.de
Server: h2-045.net.crns.de
Address: 83.246.77.45#53

Name: braendlin.syno-ds.de
Address: 217.247.179.253

I am totally stuck here… why is LE reporting SERVFAIL? Whatever I do, I get an IP that is correct. This must be an issue on LE's side… Does someone know how I could prove it?

That was one query, to each nameserver. What if you send more? What if you send CAA queries?

Edit: Let’s Encrypt, DNSViz, and I have all reported issues with the domain. It’s not isolated to one party. Though it could be isolated to one backbone ISP for all I know.

nslookup braendlin.syno-ds.de ns2.crns.de
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 83.246.76.144

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out

nslookup braendlin.syno-ds.de h2-045.net.crns.de
Server: UnKnown
Address: 83.246.77.45

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for braendlin.syno-ds.de
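The probe that the two posts above suggest (many back-to-back A and CAA queries sent straight at each authoritative server, tallying timeouts and SERVFAILs instead of trusting one lucky answer), written out as an added example. This is not code from the thread or from Let's Encrypt; it builds raw DNS packets with only the Python standard library. The nameserver IPs and zone name are the ones posted in the thread, and the FlakyServer class is a constructed stand-in used so the script can be exercised without network access.

```python
"""Added example: hammer an authoritative nameserver the way a CA's
resolver would and tally the outcomes (NOERROR / SERVFAIL / timeout).

Only the Python standard library is used, so the DNS query is built and
parsed by hand. The server IPs and domain in main() are assumptions taken
from the thread; FlakyServer is a constructed stand-in for offline use.
"""
import random
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28, "CAA": 257}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a hostname as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid):
    """12-byte header (RD clear: we ask an authoritative, not a recursor) + one question."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE[qtype], 1)


def parse_header(data, txid):
    """Return (rcode name, AA flag, answer count); reject mismatched transaction ids."""
    if len(data) < 12:
        raise ValueError("truncated response")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    return RCODE.get(rcode, "RCODE%d" % rcode), bool(flags & 0x0400), ancount


def udp_exchange(server_ip, packet, timeout):
    """Send one UDP query to port 53 and return the raw reply; socket.timeout propagates."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server_ip, 53))
        data, _addr = sock.recvfrom(4096)
        return data


def probe(server_ip, name, qtype, count=24, timeout=2.0, exchange=udp_exchange):
    """Send `count` back-to-back queries and tally what came back, keyed by rcode."""
    tally = {"timeout": 0}
    for _ in range(count):
        txid = random.randrange(0, 0x10000)
        try:
            data = exchange(server_ip, build_query(name, qtype, txid), timeout)
        except socket.timeout:
            tally["timeout"] += 1
            continue
        rcode, aa, _ancount = parse_header(data, txid)
        key = rcode if aa else rcode + "/non-authoritative"
        tally[key] = tally.get(key, 0) + 1
    return tally


class FlakyServer:
    """Constructed stand-in: answers the first `budget` queries, then drops the rest."""

    def __init__(self, budget, rcode=0):
        self.budget, self.rcode, self.seen = budget, rcode, 0

    def __call__(self, server_ip, packet, timeout):
        self.seen += 1
        if self.seen > self.budget:
            raise socket.timeout()
        txid = struct.unpack(">H", packet[:2])[0]
        flags = 0x8400 | self.rcode  # QR and AA set, echo the requested rcode
        return struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0) + packet[12:]


if __name__ == "__main__":
    # Assumed from the thread: the zone's two authoritative servers.
    for ns_ip in ("83.246.76.144", "83.246.77.45"):
        for qtype in ("A", "CAA"):
            print(ns_ip, qtype, probe(ns_ip, "braendlin.syno-ds.de", qtype))
```

Run it from the host that fails validation and again from a second network. A server that answers the first handful of queries and then goes silent for the rest, or that answers A but not CAA, is the pattern worth taking to the DNS provider; a clean tally from one vantage point does not rule out the problem, since the thread already shows results differing by source address.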

And from some other IPs in the same source network it resolves properly.

I’m thinking there is some sort of load balancer in line that is not working correctly.
And depending on whether your IP goes left or right, it works or fails.