DNS timeout with .gov.tm domains

Most DNS checkers resolve gov.tm domains fine, but the letsencrypt DNS returns a timeout error when trying to get a cert.
My domain is: tmgeology.gov.tm (https://dnschecker.org/#A/tmgeology.gov.tm)

I ran this command: certbot certonly --webroot -w /var/www/letsencrypt -d tmgeology.gov.tm

It produced this output:
Failed authorization procedure. tmgeology.gov.tm (http-01): urn:ietf:params:acme:error:dns :: DNS problem: query timed out looking up A for tmgeology.gov.tm

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: tmgeology.gov.tm
    Type: None
    Detail: DNS problem: query timed out looking up A for
    tmgeology.gov.tm

My web server is: Nginx 1.16

The operating system my web server runs on is: ubuntu 16.04

I can login to a root shell on my machine: yes

I’m using a control panel to manage my site: no

The version of my client is: 0.27.0

Strange. I ran Unboundtest.com a few times (for example https://unboundtest.com/m/A/tmgeology.gov.tm/IRF6WVCP), which is using the same resolver (and configuration as far as I know) as the Let’s Encrypt validation servers and all queries were fine.

Do you get the timeout every time you request a certificate, or just sometimes?

I get the timeout error every time.

Hi @alashow

Your name servers are critically buggy, see https://check-your-website.server-daten.de/?q=tmgeology.gov.tm

Explanations:

X Fatal error: Nameserver doesn't support TCP connection: web1.telecom.tm / 217.174.238.53: Timeout

Authoritative name servers must support TCP connections.

X Nameserver Timeout checking Echo Capitalization: ns-d1.tm
X Nameserver Timeout checking Echo Capitalization: ns-l1.tm
X Nameserver Timeout checking Echo Capitalization: web1.telecom.tm / 217.174.238.53
X Nameserver Timeout checking EDNS512: ns-l1.tm
X Nameserver Timeout checking EDNS512: web1.telecom.tm / 217.174.238.53

Timeouts checking Echo Capitalization are critical.

And the zone definition is curiously buggy.

dig NS tmgeology.gov.tm. @ns-a1.tm.
gov.tm. 86400 IN NS webns1.telecom.tm.
gov.tm. 86400 IN NS webns2.telecom.tm.

but

dig NS tmgeology.gov.tm. @webns1.telecom.tm.
;; QUESTION SECTION:
;tmgeology.gov.tm. IN NS

;; AUTHORITY SECTION:
gov.tm. 3600 IN SOA web1.telecom.tm. andrey.telecom.tm. 2016081609 3600 3600 604800 86400

with no answer. Should show the same answer.

And querying that web1.telecom.tm sometimes has a timeout.

Maybe these are regional filters.

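The TCP and Echo Capitalization checks from the report above can be reproduced against each authoritative server directly. The following is an added example, not part of the original post or the checker's own code: it sends one query with randomized letter case in the name over UDP or TCP and requires the reply to echo the question byte for byte. The function names and result labels are hypothetical; the server and domain names are the ones quoted in the thread.

```python
import random, socket, struct
def build_query(name, qtype=1, rng=random):
    """Build a query (default type A) with randomized QNAME letter case (DNS 0x20)."""
    mixed = "".join(rng.choice((c.lower(), c.upper())) for c in name.rstrip("."))
    header = struct.pack("!6H", rng.randrange(65536), 0, 1, 0, 0, 0)  # RD=0, QDCOUNT=1
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in mixed.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def classify(query, response):
    """A reply must match the query ID and echo the question byte for byte."""
    if response is None:
        return "no-response"  # timeout, refused connection or other network error
    if len(response) < 12 or response[:2] != query[:2] or not response[2] & 0x80:
        return "malformed"
    if response[12:len(query)] != query[12:]:
        return "case-not-echoed"
    if response[2] & 0x02:
        return "truncated"  # TC bit: the resolver has to retry over TCP
    return "ok"

def _read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf

def probe(server, name, tcp=False, timeout=5.0):
    """Send one query to an authoritative server over UDP or TCP and classify the reply."""
    query = build_query(name)
    try:
        if tcp:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)  # TCP: 2-byte length prefix
                response = _read_exact(s, struct.unpack("!H", _read_exact(s, 2))[0])
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                response = s.recv(4096)
    except OSError:
        response = None
    return classify(query, response)

if __name__ == "__main__":
    for ns in ("web1.telecom.tm", "ns-d1.tm", "ns-l1.tm"):  # servers flagged in the report above
        print(ns, "udp:", probe(ns, "tmgeology.gov.tm"), "tcp:", probe(ns, "tmgeology.gov.tm", tcp=True))
```

Running it from networks in different regions shows whether a server answers everywhere or only for some vantage points.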

That is, maybe these services work reliably for people using networks inside Turkmenistan, but not for people using networks elsewhere (including the Let's Encrypt CA).

I didn’t know Unboundtest was hosted in Turkmenistan? :thinking: :wink:
