Domain's name servers may be malfunctioning

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: nodokter.com

I ran this command: sudo /opt/bitnami/bncert-tool

It produced this output: An error occurred creating certificates with Let's Encrypt: private keys obtained from Let's Encrypt so making regular backups of this folder is ideal.
2021/07/28 03:58:38 No key found for account admin@nodokter.com. Generating a P256 key.
2021/07/28 03:58:38 Saved key to /opt/bitnami/letsencrypt/accounts/acme-v02.api.letsencrypt.org/admin@nodokter.com/keys/admin@nodokter.com.key
2021/07/28 03:58:39 [INFO] acme: Registering account for admin@nodokter.com
2021/07/28 03:58:40 [INFO] [nodokter.com, www.nodokter.com] acme: Obtaining bundled SAN certificate
2021/07/28 03:58:41 [INFO] [nodokter.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/16804315850
2021/07/28 03:58:41 [INFO] [www.nodokter.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/16804315870
2021/07/28 03:58:41 [INFO] [nodokter.com] acme: use tls-alpn-01 solver

My web server is (include version): Apache

The operating system my web server runs on is (include version): Debian 10

My hosting provider, if applicable, is: Google Cloud

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.17.0

2 Likes

Welcome to the Let's Encrypt Community, Sam :slightly_smiling_face:

I am seeing no DNS records whatsoever for nodokter.com (not even nameservers!) using dig.

4 Likes

The domain is originally on GoDaddy and I just moved nameservers.

2 Likes

https://dnsviz.net/d/nodokter.com/dnssec/

3 Likes

Could you explain this please?

2 Likes

Here's what I get:

dig -t NS nodokter.com

; <<>> DiG 9.16.1-Ubuntu <<>> -t NS nodokter.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33039
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;nodokter.com.                  IN      NS

;; Query time: 580 msec
;; SERVER: 172.17.112.1#53(172.17.112.1)
;; WHEN: Wed Jul 28 13:30:56 AWST 2021
;; MSG SIZE  rcvd: 41

But dig nodokter.com @ns-cloud-b1.googledomains.com does work. It seems mxtoolbox is reporting the DNS records OK, so could it just be that the nameserver changes haven't finished propagation yet?

5 Likes

I changed the nameservers on godaddy around 2 hours ago? I'm not sure how long it's normally supposed to take.

2 Likes

Between 4 and 24 hours by my experience as a GoDaddy user myself. :slightly_smiling_face:

4 Likes

Oh that's a long time

2 Likes

Unfortunately, such propagation times aren't that uncommon for DNS.

Fortunately, it seems to be working from my end. When I do a dig +trace nodokter.com, the DNS servers for the .com TLD are already returning the Googledomain nameservers and the trace succeeds. You might need to wait a little bit longer (or not) for global propagation though.

5 Likes

You might need to turn DNSSEC off and then on again.

https://www.godaddy.com/whois/results.aspx?checkAvail=1&domain=nodokter.com&domainName=nodokter.com&seeUnderlyingRegistryData=true

3 Likes

I don't see an option to turn off DNSSEC.

2 Likes

It might not be necessary once propagation completes. We shall see.

3 Likes

@griffin As I understand it, @sam_nodokter moved from GoDaddy to Googledomains. That should mean any action taken in GoDaddy's DNS zone editor should not influence the DNS once it has been moved to Googledomains, I think. Note that I'm not fully certain of this, but it sounds logical to me.

I think if there are DNSSEC errors due to outdated DS records at the parent DNS zone, I believe the current DNS operator should delete these. It would make sense that if a domain has been transferred, the previous DNS zone editor doesn't have any rights to the parent DNS zone any longer, as those permissions have been transferred to the new DNS zone editor.

So in this case I believe Googledomains should be the DNS provider which should be able (somehow..) to remove or update the DS record in the parent zone.

4 Likes

So who is the current domain registrar?

3 Likes

This is what I see:

dig +trace nodokter.com

; <<>> DiG 9.16.1-Ubuntu <<>> +trace nodokter.com

{ROOT SERVERS REMOVED FROM OUTPUT}

nodokter.com.		172800	IN	NS	ns-cloud-b1.googledomains.com.
nodokter.com.		172800	IN	NS	ns-cloud-b2.googledomains.com.
nodokter.com.		172800	IN	NS	ns-cloud-b3.googledomains.com.
nodokter.com.		172800	IN	NS	ns-cloud-b4.googledomains.com.
nodokter.com.		86400	IN	DS	2371 13 2 D983C3E643E304FB039271A205B193441E7F13CE85221C9BE01C88E0 BB873662
nodokter.com.		86400	IN	RRSIG	DS 8 2 86400 20210804061754 20210728050754 39343 com. qCcGZhxbNrkfgN01cJjCUdwVGdChz2z3i5qlATXBZOsTk/GIL9OfQKh5 lArkg3Fgefo/sQa36HABdda1w04B+Gglsh7MH4UpOhMHDWP5hjOpVl/W pd8RbNENlGG68U9Whp7TFTjJwRdaJMNm7LzHnLouH57F4Q4aaVXpY+e6 2QJlGtpjy0V+VdyKQxbLMJX7fkcwlRmVkpgsiPA1EWnU7g==
;; Received 578 bytes from 192.42.93.30#53(g.gtld-servers.net) in 36 ms

nodokter.com.		300	IN	A	34.101.173.188
nodokter.com.		300	IN	RRSIG	A 8 2 300 20210818042533 20210727042533 26055 nodokter.com. i+PpMLATLzcoqKuG+dXCOKCMHD25bEmtg6V3HFJQmnc3PBse7z+jQInK cZByhfyqE3JJCgx6sq00tNaEA772ImjZmUH9OJOZ09OfnqzV4ODTkkaM QRTPl/gkt045f0FMjYiWwpXe5R3ZL1foEhU6aKRCnDQuteogjB55299i KaQ=
;; Received 229 bytes from 216.239.36.107#53(ns-cloud-b3.googledomains.com) in 78 ms

4 Likes
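An added example, not code from anyone in this thread, of the check behind the DS reasoning a few posts up and the DS record in the dig +trace output just above: it recomputes a DNSKEY's key tag and DS digest (RFC 4034) and compares them with the DS set held by the parent zone, which is what a validating resolver does before it will trust the child zone. The DS value is the one printed for nodokter.com in the trace; the DNSKEY is a constructed placeholder, so the mismatch it reports illustrates the stale-DS case (validators answer SERVFAIL), not a finding about the domain.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class DNSKEY:
    owner: str         # zone apex, e.g. "nodokter.com."
    flags: int         # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int      # always 3 for DNSSEC
    algorithm: int     # 13 = ECDSAP256SHA256, the algorithm in the thread's DS record
    public_key: bytes
    def rdata(self) -> bytes:
        return bytes([self.flags >> 8, self.flags & 0xFF, self.protocol, self.algorithm]) + self.public_key

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name, RFC 4034 section 6.2."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def key_tag(key: DNSKEY) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1/RSAMD5)."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(key: DNSKEY, digest_type: int = 2) -> str:
    """DS digest per RFC 4034 section 5.1.4: hash(owner name | DNSKEY RDATA)."""
    algo = {1: "sha1", 2: "sha256"}[digest_type]  # type 2 = SHA-256, as in the thread's DS
    return hashlib.new(algo, name_to_wire(key.owner) + key.rdata()).hexdigest().upper()

def parse_ds(text: str) -> tuple:
    """Parse DS RDATA as dig prints it; dig may break the digest with spaces."""
    tag, alg, dtype, *digest = text.split()
    return int(tag), int(alg), int(dtype), "".join(digest).upper()

def matching_keys(parent_ds: list, child_keys: list) -> list:
    """Key tags of child DNSKEYs the parent's DS set points at. An empty list is the
    stale-DS case: validators cannot build a chain of trust and answer SERVFAIL."""
    found = []
    for ds in parent_ds:
        tag, alg, dtype, digest = parse_ds(ds)
        for key in child_keys:
            if (key_tag(key), key.algorithm, ds_digest(key, dtype)) == (tag, alg, digest):
                found.append(tag)
    return found

# DS for nodokter.com exactly as printed in the dig +trace output earlier in the thread
PARENT_DS = ["2371 13 2 D983C3E643E304FB039271A205B193441E7F13CE85221C9BE01C88E0 BB873662"]
# Constructed placeholder KSK (not the zone's real key): 64 zero bytes stand in for a P-256 point
NEW_KSK = DNSKEY("nodokter.com.", 257, 3, 13, bytes(64))
```

Feeding `matching_keys(PARENT_DS, [NEW_KSK])` returns an empty list; once the new operator publishes a DS built with `key_tag` and `ds_digest` from its own KSK, the same call returns that key tag and the chain of trust closes.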

Using any of the root servers seems to work now.
I suspect that since the previous nameservers were from Cloudflare, some residue remains lodged in some caches around the globe.

2 Likes

I found GoDaddy to be more responsive: when I had to replace my network box, my IP changed (but it is still a static pool). It took only seconds to propagate the change.