DNS timeouts with one DNS provider

We have issues with domains for our customers using a specific DNS provider. I have been able to reproduce it with a random domain there.

This only happens with 1 DNS provider (syse.no) and we have been in contact with them, and they do not experience these issues and aren't able to troubleshoot/reproduce it; they believe the issue must be with Let's Encrypt.

It's also not consistent, sometimes it works, sometimes it doesn't.

The issue we have experienced is timeouts when looking for CAA records but sometimes also for A and AAAA records.

The last line says it failed to download from the standalone server, but I can see it requested these and got 200 back. Is that a generic message for failures?

I have only been able to reproduce a timeout with dig towards their DNS once.

How can we troubleshoot this and check if it's an issue with Let's Encrypt, the DNS provider or even at our end?

Domain: testdomainsyse2.mystore3.no and www.testdomainsyse2.mystore3.no

I ran this command: docker run -t --rm -p 443:443 -p 80:80 --name certbot -v /var/log/letsencrypt:/var/log/letsencrypt -v Removed:/etc/letsencrypt -v /var/lib/letsencrypt:/var/lib/letsencrypt -v /var/www/:/var/www/letsencrypt certbot/certbot certonly -vvv --standalone --keep-until-expiring --noninteractive --preferred-challenges http --expand -d testdomainsyse2.mystore3.no -d www.testdomainsyse2.mystore3.no

My web server is (include version): standalone

The operating system my web server runs on is (include version): Amazon Linux 2

My hosting provider, if applicable, is: Ourself/AWS.

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot version: 1.25.0

I may have removed more than I need to from the logs and tried to pick out the issues and not everything that went OK since the log is long. If more is required let me know.
It produced this output:

...
2022-04-25 07:57:24,418:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/Removed HTTP/1.1" 200 696
2022-04-25 07:57:24,421:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 25 Apr 2022 07:57:24 GMT
Content-Type: application/json
Content-Length: 696
Connection: keep-alive
Boulder-Requester: 25159366
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 01027F7zujBBYaBqhycCMa-xlyvSoWBrJyRIf7W6aW97YPw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "testdomainsyse2.mystore3.no"
  },
  "status": "invalid",
  "expires": "2022-05-02T07:56:52Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "DNS problem: query timed out looking up A for testdomainsyse2.mystore3.no; DNS problem: query timed out looking up AAAA for testdomainsyse2.mystore3.no",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/Removed/Removed",
      "token": "Removed",
      "validated": "2022-04-25T07:56:53Z"
    }
  ]
}
...
2022-04-25 07:57:27,773:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/Removed HTTP/1.1" 200 1422
2022-04-25 07:57:27,773:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 25 Apr 2022 07:57:27 GMT
Content-Type: application/json
Content-Length: 1422
Connection: keep-alive
Boulder-Requester: 25159366
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 01029VarU7YlWuB2Bunh5cbbUBGchT_6cpgKlCv2DXyhYAo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.testdomainsyse2.mystore3.no"
  },
  "status": "invalid",
  "expires": "2022-05-02T07:56:52Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "DNS problem: query timed out looking up CAA for www.testdomainsyse2.mystore3.no",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/Removed/Removed",
      "token": "",
      "validationRecord": [
        {
          "url": "http://www.testdomainsyse2.mystore3.no/.well-known/acme-challenge/Removed",
          "hostname": "www.testdomainsyse2.mystore3.no",
          "port": "80",
          "addressesResolved": [
            "54.195.240.169",
            "52.17.124.116"
          ],
          "addressUsed": "54.195.240.169"
        },
        {
          "url": "https://www.testdomainsyse2.mystore3.no/.well-known/acme-challenge/Removed",
          "hostname": "www.testdomainsyse2.mystore3.no",
          "port": "443",
          "addressesResolved": [
            "54.195.240.169",
            "52.17.124.116"
          ],
          "addressUsed": "54.195.240.169"
        }
      ],
      "validated": "2022-04-25T07:56:53Z"
    }
  ]
}
...
2022-04-25 07:57:27,774:INFO:certbot._internal.auth_handler:Challenge failed for domain www.testdomainsyse2.mystore3.no
2022-04-25 07:57:27,774:INFO:certbot._internal.auth_handler:http-01 challenge for testdomainsyse2.mystore3.no
2022-04-25 07:57:27,775:INFO:certbot._internal.auth_handler:http-01 challenge for www.testdomainsyse2.mystore3.no
2022-04-25 07:57:27,775:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: testdomainsyse2.mystore3.no
  Type:   dns
  Detail: DNS problem: query timed out looking up A for testdomainsyse2.mystore3.no; DNS problem: query timed out looking up AAAA for testdomainsyse2.mystore3.no

  Domain: www.testdomainsyse2.mystore3.no
  Type:   dns
  Detail: DNS problem: query timed out looking up CAA for www.testdomainsyse2.mystore3.no

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

At the very least we need to know the domain name that gives you the error.

Most of the time, this kind of error is resolved by either switching DNS provider or just trying again and hoping it will work better.


These are hosted by that provider and give the same response.


For example, DNSViz (testdomainsyse2.mystore3.no | DNSViz) also sees one of the DNS servers as unresponsive:

mystore3.no zone: The server(s) were not responsive to queries over TCP. (2001:840:4245::8a)

So probably a DNS (connectivity) issue.

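The question in the opening post (how to tell whether the timeouts are at Let's Encrypt, at the provider or locally) and the DNSViz finding above (one authoritative server not answering over TCP) call for the same check: ask every authoritative server of the zone, individually, for exactly the records the CA needs during http-01 validation (A, AAAA and CAA for the requested names, CAA also for their parents), over both UDP and TCP, and list what fails. The script below is an added example written for this thread; it is not code from the original post, from Let's Encrypt or from the DNS provider. It shells out to `dig` (BIND utilities, assumed to be on `PATH`), uses the zone and hostnames from the thread, and takes the query and resolve functions as parameters so the logic can be exercised with a constructed stub instead of the network.

```python
#!/usr/bin/env python3
"""Probe each authoritative nameserver of a zone for the lookups an ACME CA
makes during http-01 validation (A, AAAA and CAA for the requested names,
CAA also for their parents up to the zone apex), over UDP and TCP, and list
every server/transport/query that does not answer.

Example added to this thread, not part of the original post. Live probing
shells out to `dig` (BIND utilities, assumed on PATH); the query and resolve
callables are injectable so the logic can run against a constructed stub.
"""
import subprocess
from typing import Callable, Dict, List, Tuple

# (server_ip, qname, rtype, use_tcp) -> raw dig output
QueryFn = Callable[[str, str, str, bool], str]
# (qname, rtype) -> list of rdata strings, as printed by `dig +short`
ResolveFn = Callable[[str, str], List[str]]

ZONE = "mystore3.no"                                     # zone from the thread
NAMES = ["testdomainsyse2.mystore3.no", "www.testdomainsyse2.mystore3.no"]


def dig_short(qname: str, rtype: str) -> List[str]:
    """Recursive lookup via the system resolver; only used to find the NS set."""
    out = subprocess.run(["dig", "+short", qname, rtype, "+time=5", "+tries=1"],
                         capture_output=True, text=True).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


def dig_query(server: str, qname: str, rtype: str, tcp: bool) -> str:
    """One non-recursive query sent directly to a specific authoritative server."""
    cmd = ["dig", f"@{server}", qname, rtype, "+norecurse", "+time=5", "+tries=1"]
    if tcp:
        cmd.append("+tcp")
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def classify(dig_output: str) -> str:
    """'ok' for any real answer (NOERROR, including an empty NODATA answer, or
    NXDOMAIN), 'timeout' when dig got nothing back, 'error' for the rest
    (SERVFAIL, REFUSED, ...). NODATA for CAA is fine: it means "no CAA
    record", which a CA treats as "any CA may issue", not as a failure."""
    if "timed out" in dig_output or "no servers could be reached" in dig_output:
        return "timeout"
    if "status: NOERROR" in dig_output or "status: NXDOMAIN" in dig_output:
        return "ok"
    return "error"


def caa_chain(name: str, zone: str) -> List[str]:
    """CAA is checked at the name and at each parent (RFC 8659). Only the
    labels inside this zone are served by the provider, so stop at the apex."""
    labels = name.split(".")
    chain: List[str] = []
    while labels:
        candidate = ".".join(labels)
        chain.append(candidate)
        if candidate == zone:
            break
        labels = labels[1:]
    return chain


def questions(names: List[str], zone: str) -> List[Tuple[str, str]]:
    """The distinct (qname, rtype) pairs a CA needs for http-01 on these names."""
    qs: List[Tuple[str, str]] = []
    for n in names:
        qs += [(n, "A"), (n, "AAAA")]
        qs += [(c, "CAA") for c in caa_chain(n, zone)]
    return list(dict.fromkeys(qs))            # de-duplicate, keep order


def nameserver_ips(zone: str, resolve: ResolveFn) -> Dict[str, List[str]]:
    """Map each NS hostname of the zone to its IPv4 and IPv6 addresses."""
    servers: Dict[str, List[str]] = {}
    for ns in resolve(zone, "NS"):
        ns = ns.rstrip(".")
        servers[ns] = resolve(ns, "A") + resolve(ns, "AAAA")
    return servers


def probe_zone(zone: str, names: List[str], query: QueryFn = dig_query,
               resolve: ResolveFn = dig_short) -> List[Tuple[str, str, str, str, str, str]]:
    """Return every (ns_host, ns_ip, transport, qname, rtype, verdict) that did
    not answer 'ok'. An empty list means every authoritative server answered
    every lookup over both transports."""
    failures = []
    for ns, ips in nameserver_ips(zone, resolve).items():
        for ip in ips:
            for qname, rtype in questions(names, zone):
                for tcp in (False, True):
                    verdict = classify(query(ip, qname, rtype, tcp))
                    if verdict != "ok":
                        failures.append((ns, ip, "tcp" if tcp else "udp", qname, rtype, verdict))
    return failures


if __name__ == "__main__":
    bad = probe_zone(ZONE, NAMES)
    for ns, ip, transport, qname, rtype, verdict in bad:
        print(f"{verdict:8} {ns} ({ip}) {transport} {qname} {rtype}")
    print("all authoritative servers answered" if not bad else f"{len(bad)} failing lookups")
```

Run it a few times, including during the window in which the failures cluster. A CA's recursive resolver picks one of the authoritative servers per query and only retries after a timeout, so a single unresponsive server (or one that answers UDP but not TCP, which DNSViz reports for the IPv6 address above) produces exactly the intermittent "query timed out looking up A/AAAA/CAA" errors seen in the log, while most manual `dig` runs, which happen to land on a healthy server, succeed. If this script reports failures for one server while Let's Encrypt fails, the problem is at the provider; if every server answers every query over both transports and the CA still times out, the problem is between the CA's resolvers and the provider, not on your web server.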

Sounds like you should consider switching DNS providers (OR adding more into the mix).


Thanks for the tool, we were able to reproduce it with it at the same time as we hit the issues with Let's Encrypt.

As for these, they're not our domains but our customers'. It is however an option to ask them to move, but that isn't up to me; I will present it as an option in case the provider is unable to resolve the issue.


Is this mystore3.no or mystore4.no or both?

Because you can probably avoid this by telling your client to use a cname to clientname.mycompanyusercontent.example or similar.


Ah sorry, yes, all of those are us. This was just an example domain that we have there that was easy to control. We do e-commerce and customers have their domains pointing to us.

We also found a timeframe in which it was more likely to happen. I have gotten a reply after providing this and they are now going to look into it.


I have now gotten a reply from the provider saying they have pushed a fix. I can confirm we no longer experience the issue. I'm leaving the solved marker where it is, as it was correct that the issue was the DNS from the provider.

Thanks everyone here for the help troubleshooting this issue.
