DNS query timed out

Log output: pastebin

Hmm, it seems it is really an internal problem with the resolver of LE.
They cache dns data for 24 hours.

There is also a known problem with some TLDs: https://github.com/letsencrypt/letsencrypt/issues/1610

2 Likes

Yes, that bug looks the same. I also use DNSPod.

I suppose I need to wait for that bug to get fixed. :frowning:

Thanks for your help.

1 Like

You are welcome :wink:

I’m sorry that we could not solve the problem.

I have submitted a ticket to DNSPod and asked for support, and they said it’s a server-side error by Let’s Encrypt, any idea?

When it is really a server-side problem at Let’s Encrypt, then
you must wait until the developers have fixed the problem.

The problem is already known and reported to the boulder team (server-side ca software).

1 Like

I could reproduce the timeout on my server with nslookup.

The error occurs when you initially try to resolve the domain.
Then my nslookup also ran into a timeout (2 sec, timeout for LE server).
When I try it a 2nd time on my server, it resolves in time.

I think the expiration time of 10 seconds from DNSPod may be a problem.

Could you try to rerun the command and then, directly after the result, run it again?
Or did you try this already?
Or you could try to increase the TTL of the record.

1 Like
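To make the check in the post above repeatable (a resolver giving up after 2 seconds, and a 10-second TTL that forces a fresh lookup on almost every validation attempt), here is a small self-contained checker. It is an added example, not code from this thread or from Let’s Encrypt: it builds a raw DNS A query with the standard library only, parses the answer, and flags both slow responses and short TTLs. The 2-second timeout is the figure quoted in the thread; the 60-second minimum TTL is an assumed threshold, and the sample response embedded for offline use is constructed, not a real capture.

```python
import socket
import struct
import sys
import time

LE_RESOLVER_TIMEOUT = 2.0   # seconds; the validation timeout quoted in the thread
MIN_SAFE_TTL = 60           # assumption: flag records whose TTL is shorter than this


def build_query(name, qtype=1, txid=0x1234):
    """Encode a single-question DNS query (recursion desired) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_answers(msg):
    """Return the answer-section records of a DNS response as dicts."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                               # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                      # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": value})
    return answers


def assess(answers, elapsed, min_ttl=MIN_SAFE_TTL, timeout=LE_RESOLVER_TIMEOUT):
    """List the conditions that would trouble a validating resolver."""
    findings = []
    if elapsed > timeout:
        findings.append(f"resolution took {elapsed:.2f}s, over the {timeout:.0f}s timeout")
    for rr in answers:
        if rr["ttl"] < min_ttl:
            findings.append(f"{rr['name']} A {rr['data']} has TTL {rr['ttl']}s (< {min_ttl}s)")
    return findings


def query(name, server, timeout=LE_RESOLVER_TIMEOUT):
    """Send one UDP query to `server` and time the reply (raises on timeout)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        start = time.monotonic()
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
        elapsed = time.monotonic() - start
    finally:
        sock.close()
    return parse_answers(data), elapsed


def sample_response():
    """Constructed response: www.example.com A 192.0.2.1 with a 10-second TTL."""
    q = build_query("www.example.com")
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 10, 4) + socket.inet_aton("192.0.2.1")
    return header + q[12:] + answer


if __name__ == "__main__":
    # usage: python check_ttl.py www.example.com <authoritative-nameserver-ip>
    if len(sys.argv) == 3:
        rrs, took = query(sys.argv[1], sys.argv[2])
    else:
        rrs, took = parse_answers(sample_response()), 0.05
    for rr in rrs:
        print(f"{rr['name']} TTL={rr['ttl']} -> {rr['data']}")
    for finding in assess(rrs, took):
        print("WARNING:", finding)
```

Run it twice in a row against each authoritative nameserver for the zone, as the post suggests: a first call that raises `socket.timeout` while the second succeeds reproduces the cold-cache symptom, and a TTL warning on the A record points at the setting to raise.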

Got another problem: the Let’s Encrypt server returns a 500 response for my request:

Error: urn:acme:error:serverInternal :: The server experienced an internal error :: Error creating new registration

Is this a reproducible problem?
This is a generic error from the LE server.

YES, I have met this problem for two of my friend’s domains (both hosted by DNSPod, the DNS hosting provider in China), but my domains are fine, hosted by Route53.

Have a look at the last post on github.

1 Like

A 10 second expiry time on DNS entries is sure to cause problems, especially if a service needs to check an entry a few times during a process which takes a few seconds and the caching provider honours the expiry set by the server. It also causes additional load on the servers due to more frequent lookups.

2 Likes

Additionally to the problem with the 10 sec TTL, there are some nameservers that are not responding.

I found that I also had a 10 second TTL on my www subdomain. That’s odd, because all the other settings had 600 second TTLs.

Anyway, I changed it yesterday, but letsencrypt still fails today.

Judging by the comments in the GitHub bug, using DNS hosted in China is a problem for everybody. I had no idea DNSPod even was in China, I just used them because DynDNS stopped being free.

Anyway, my IP address changes so rarely it might as well be static, so I might just switch back to GoDaddy and risk it (the address is bound to change while I’m travelling).

DNSPod is in China and there’s a 10 second expiry? :o
That would enable the Chinese government (and other parties) to listen on the traffic and derive what domains are being requested with less worries about DNS caching servers ruining that opportunity.

It’s possible I did it myself at some point, while I was trying to debug something. I don’t recall.

I think the best solution for now is that whoever can move to another provider should do so, and, unfortunately, the others have to wait for a fix.

I’m seeing the same issue in Australia with multiple domains using NetRegistry nameservers. My self-hosted (nameserver) ones are fine, as are many others.

I have the same problem with my domain leavesongs.com (hosted by DNSPod). DNSPod is China’s biggest DNS hosting provider, so sad…

{u'status': u'invalid', u'validationRecord': [{u'url': u'http://www.leavesongs.com/.well-known/acme-challenge/rrDq5Ihs4vQqxk7NuMnBKD0tnCVGFLXCvf2tRltlRMg', u'hostname': u'www.leavesongs.com', u'addressUsed': u'133.130.100.201', u'port': u'80', u'addressesResolved': [u'133.130.100.201']}], u'keyAuthorization': u'rrDq5Ihs4vQqxk7NuMnBKD0tnCVGFLXCvf2tRltlRMg.jmTkjEFt3yv0PIqIkjlYn4A1iGHfWTl9MV5bqnKsK8M', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/2GS--3sPSORjtzuKd5y_OjqXWIxBOuCW4DKZQ0yEojY/1571552', u'token': u'rrDq5Ihs4vQqxk7NuMnBKD0tnCVGFLXCvf2tRltlRMg', u'error': {u'type': u'urn:acme:error:connection', u'detail': u'DNS query timed out'}, u'type': u'http-01'}

I’m seeing this too.

All my NetRegistry domains (four of them) are failing with an urn:acme:error:connection error:

FailedChallenges: Failed authorization procedure. example.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS query timed out

Failed authorization procedure. example.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS query timed out

Error: The server could not connect to the client to verify the domain

All my other domains, which don’t use NetRegistry DNS, are perfectly fine.

Oddly perhaps, I’m seeing a connection in my nginx logs of the LetsEncrypt server. But something else must be happening elsewhere, because it’s failing.

It’s also a new(ish) problem. I originally issued a certificate to some of the domains when LetsEncrypt was in invite-beta mode. It went through fine then, and in the first days it was in public beta. But now, it won’t work.

(I have replaced my domain with example.com)

EDIT: As a test, I just moved one of my domains across to another DNS provider. Using the same setup/server config as before, it now works. Something isn’t right with NetRegistry.