DNS timeout with .gov.tm domains

Most DNS checkers resolve gov.tm domains fine, but the Let’s Encrypt DNS returns a timeout error when trying to get a cert.
My domain is: tmgeology.gov.tm (https://dnschecker.org/#A/tmgeology.gov.tm)

I ran this command: certbot certonly --webroot -w /var/www/letsencrypt -d tmgeology.gov.tm

It produced this output:
Failed authorization procedure. tmgeology.gov.tm (http-01): urn:ietf:params:acme:error:dns :: DNS problem: query timed out looking up A for tmgeology.gov.tm


  • The following errors were reported by the server:

    Domain: tmgeology.gov.tm
    Type: None
    Detail: DNS problem: query timed out looking up A for

My web server is: Nginx 1.16

The operating system my web server runs on is: ubuntu 16.04

I can login to a root shell on my machine: yes

I’m using a control panel to manage my site: no

The version of my client is: 0.27.0

Strange. I ran Unboundtest.com a few times (for example https://unboundtest.com/m/A/tmgeology.gov.tm/IRF6WVCP), which is using the same resolver (and configuration as far as I know) as the Let’s Encrypt validation servers and all queries were fine.

Do you get the time out every time when you request a certificate or just sometimes?

I get the timeout error every time.

Hi @alashow

Your name servers are critically buggy, see https://check-your-website.server-daten.de/?q=tmgeology.gov.tm


X Fatal error: Nameserver doesn’t support TCP connection: web1.telecom.tm / Timeout

Authoritative name servers must support TCP connections.

X Nameserver Timeout checking Echo Capitalization: ns-d1.tm
X Nameserver Timeout checking Echo Capitalization: ns-l1.tm
X Nameserver Timeout checking Echo Capitalization: web1.telecom.tm /
X Nameserver Timeout checking EDNS512: ns-l1.tm
X Nameserver Timeout checking EDNS512: web1.telecom.tm /

Timeouts checking Echo Capitalization are critical.

And the zone definition is curiously buggy.

dig NS tmgeology.gov.tm. @ns-a1.tm.
gov.tm. 86400 IN NS webns1.telecom.tm.
gov.tm. 86400 IN NS webns2.telecom.tm.


dig NS tmgeology.gov.tm. @webns1.telecom.tm.
;tmgeology.gov.tm. IN NS

gov.tm. 3600 IN SOA web1.telecom.tm. andrey.telecom.tm. 2016081609 3600 3600 604800 86400

with no answer. Should show the same answer.

And querying that web1.telecom.tm sometimes has a timeout.

Maybe these are regional filters.


That is, maybe these services work reliably for people using networks inside Turkmenistan, but not for people using networks elsewhere (including the Let’s Encrypt CA).

I didn’t know Unboundtest was hosted in Turkmenistan? :thinking: :wink:

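The two findings in the report quoted in this thread (a name server that does not answer over TCP, and timeouts on the Echo Capitalization check) can be reproduced per name server with a small probe. This is an added example, not code from the thread or from any tool mentioned in it; the function names are made up here, and the IPv4 address passed to `probe` is supplied by whoever runs it.

```python
import random
import socket
import struct

def build_query(name, qtype=1, rng=random):
    """DNS query (RD=0) whose QNAME has randomized letter case, as a 0x20 resolver sends."""
    mixed = "".join(rng.choice((c.lower(), c.upper())) for c in name.rstrip("."))
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in mixed.split("."))
    header = struct.pack("!HHHHHH", rng.randrange(65536), 0, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def question_of(msg):
    """Raw question section (QNAME, QTYPE, QCLASS) of a DNS message, or None if malformed."""
    i = 12
    while i < len(msg) and msg[i] != 0:
        if msg[i] > 63:              # compression pointer: not expected in a question
            return None
        i += msg[i] + 1
    return msg[12:i + 5] if i + 5 <= len(msg) else None

def echoes_case(query, response):
    """True if the reply has the query's ID, the QR bit, and the question byte for byte."""
    asked = question_of(query)
    return (asked is not None and len(response) >= 12
            and response[:2] == query[:2] and bool(response[2] & 0x80)
            and question_of(response) == asked)

def probe(server_ip, name, timeout=5.0):
    """Query one authoritative server (IPv4) over UDP, then TCP; result per transport."""
    query, out = build_query(name), {}
    verdict = lambda reply: "ok" if echoes_case(query, reply) else "bad or case-altered reply"
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server_ip, 53))
            out["udp"] = verdict(s.recv(4096))
    except OSError as exc:           # a timeout shows up here as "timeout"/"TimeoutError"
        out["udp"] = type(exc).__name__
    try:
        with socket.create_connection((server_ip, 53), timeout=timeout) as s, s.makefile("rb") as f:
            s.sendall(struct.pack("!H", len(query)) + query)   # TCP framing: 2-byte length
            size = struct.unpack("!H", f.read(2))[0]
            out["tcp"] = verdict(f.read(size))
    except (OSError, struct.error) as exc:
        out["tcp"] = type(exc).__name__
    return out
```

A server that returns `ok` for `udp` but a timeout for `tcp` matches the "doesn’t support TCP connection" finding; running the probe from networks in different regions is one way to test the regional-filter guess.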
