During secondary validation: DNS problem: query timed out looking up A

My domain is: http://stage1.businesstagebuch.de/

I followed the guide: https://certbot.eff.org/lets-encrypt/ubuntufocal-nginx

Before I ran that command, I stopped Nginx

I ran this command: sudo certbot certonly --standalone

It produced this output:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for stage1.businesstagebuch.de
Waiting for verification...
Challenge failed for domain stage1.businesstagebuch.de
http-01 challenge for stage1.businesstagebuch.de
Cleaning up challenges
Some challenges have failed.

In the log /var/log/letsencrypt/letsencrypt.log I see:

2020-04-30 18:54:32,139:WARNING:certbot.auth_handler:Challenge failed for domain stage1.businesstagebuch.de
2020-04-30 18:54:32,140:INFO:certbot.auth_handler:http-01 challenge for stage1.businesstagebuch.de
2020-04-30 18:54:32,141:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: stage1.businesstagebuch.de
Type:   dns
Detail: During secondary validation: DNS problem: query timed out looking up A for stage1.businesstagebuch.de
2020-04-30 18:54:32,142:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2020-04-30 18:54:32,142:DEBUG:certbot.error_handler:Calling registered functions
2020-04-30 18:54:32,142:INFO:certbot.auth_handler:Cleaning up challenges
2020-04-30 18:54:32,144:DEBUG:certbot.plugins.standalone:Stopping server at :::80...
2020-04-30 18:54:32,165:DEBUG:certbot.log:Exiting abnormally:

My web server is (include version): nginx version: nginx/1.17.10 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: Hetzner

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.40.0

Same problem here.
It's the first time I get that problem. DNS is working correctly after checking it here: dnschecker.org.

I’m having the same issue.

https://letsdebug.net/ says this is likely tied to the planned maintenance window that is currently in place.

Hi @MBurchard

is the key.

Read

So the primary Letsencrypt server is able to find your A-record. Some of the secondary servers are blocked.

Firewall, .htaccess, failban or something else that blocks.

PS:

No, that's not that error.

Thank you for explanation, but I have not blocked anything.
There is no Firewall, no failban and no .htaccess at all...
It's just a very fresh Ubuntu 20.04 installation

I checked the forum before; more users are having the same issue.

Yup. Seems to be happening all of a sudden to a lot of people, myself included.

Please read the error. It's not possible to find an A-record.

So your dns server may have a firewall, not your local webserver.

The problem was fixed for me right now

I am having the same issue. I use LetsEncrypt constantly. Just used it yesterday, but now all of a sudden I’m getting this error. No firewall.

Before telling someone they're wrong, perhaps you should test yourself? The OP was getting the exact error I was. I pursued it through LetsDebug and it came up with the Planned Maintenance message. The Planned Maintenance has ended, and suddenly everything is working again for me.

So, as much as you're sure of yourself, this time, my friend, YOU are the incorrect one.

Fixed for me now as well!

Was having the same problem for the last hour.

Many other people were too.

It’s working now, thankfully.

@JuergenAuer Everyone appreciates your support. However, please don’t always respond with the canned responses when it’s clear strange things are afoot at the Circle-K

Status page updated to reflect problem (was not posted earlier when forum questions started coming in).

https://letsencrypt.status.io/pages/incident/55957a99e800baa4470002da/5eab162e65b1d004bffe38a1

Hi all,

April 30, 2020 18:17 UTC

[Monitoring] We observed elevated validation failures, which affected certificate issuance, from approximately 16:00-18:05 UTC. We believe we’ve resolved the underlying issue, and are continuing to investigate and monitor.

From: https://letsencrypt.status.io/

Please let us know if it is resolving for you now!

Best,
JP

It works again… Thank you…

We have had the problem since this morning…

cause 1: secondary error
During secondary validation: DNS problem: query timed out looking up TXT
During secondary validation: DNS problem: query timed out looking up CAA

cause 2: now also on the primary lookup

We didn’t change anything, and I did a dig from the internet; the CAA/TXT entries are valid and available.

I have the same problem since yesterday:

I also get the “DNS problem: query timed out looking up TXT for _acme-challenge.aaaaaa.niyawe.de” error.

My hosting provider is also Hetzner.

Interestingly, I can see that the nameserver answers correctly (see acme-challenge.pcapng (108.2 KB)).

Letsencrypt uses the Amazon Cloud (AWS) for secondary validation. If you mass block AWS IPs in your firewall for some reason (there’s a long list of good reasons) then unblock all AWS IPs to test if this is your problem.
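
The check suggested in the post above, as an added example that is not part of the thread: it reports which firewall drop rules overlap cloud prefixes, including rules that are supernets or subnets of a published range. The input follows the shape of AWS's published `ip-ranges.json`; the prefixes and the blocklist below are constructed from documentation-only networks, and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample in the shape of AWS's ip-ranges.json
# (documentation-only networks, not real AWS prefixes).
SAMPLE_AWS_RANGES = json.loads("""
{
  "prefixes": [
    {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "203.0.113.0/25", "region": "eu-central-1", "service": "EC2"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8:1000::/36", "region": "us-west-2", "service": "EC2"}
  ]
}
""")

# Constructed firewall drop list (hypothetical): CIDRs or single addresses.
SAMPLE_BLOCKLIST = [
    "198.51.0.0/16",        # supernet that swallows a cloud prefix
    "203.0.113.200",        # single host outside the /25 above
    "203.0.113.64/26",      # subnet inside a cloud prefix
    "2001:db8:1fff::/48",   # IPv6 subnet inside a cloud prefix
    "192.0.2.0/24",         # unrelated network
]

def load_cloud_networks(ranges):
    """Return (network, region) pairs for both IPv4 and IPv6 prefixes."""
    nets = [(ipaddress.ip_network(p["ip_prefix"]), p["region"])
            for p in ranges.get("prefixes", [])]
    nets += [(ipaddress.ip_network(p["ipv6_prefix"]), p["region"])
             for p in ranges.get("ipv6_prefixes", [])]
    return nets

def find_blocked_cloud_ranges(blocklist, ranges):
    """Return (rule, cloud_prefix, region) for every overlapping pair."""
    cloud = load_cloud_networks(ranges)
    hits = []
    for entry in blocklist:
        # strict=False accepts bare hosts and CIDRs with host bits set.
        rule = ipaddress.ip_network(entry, strict=False)
        for net, region in cloud:
            if rule.version == net.version and rule.overlaps(net):
                hits.append((entry, str(net), region))
    return hits

if __name__ == "__main__":
    for rule, net, region in find_blocked_cloud_ranges(SAMPLE_BLOCKLIST, SAMPLE_AWS_RANGES):
        print(f"rule {rule} overlaps {net} ({region})")
```

Note that DNS validation queries reach the domain's authoritative nameservers, so the drop list to check is the one in front of those servers as well as the one on the web host.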

I’m not blocking any IPs. The thing is that I did not change anything between the last successful renew a few days ago and the first fail yesterday.