During secondary validation: DNS problem: query timed out looking up TXT

My domains are:
aidica.ca, *.aidica.ca

I ran this command:
certbot -d aidica.ca -d *.aidica.ca --manual --preferred-challenges dns certonly

It produced this output:

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: aidica.ca
  Type:   dns
  Detail: DNS problem: query timed out looking up TXT for _acme-challenge.aidica.ca

  Domain: aidica.ca
  Type:   dns
  Detail: DNS problem: query timed out looking up TXT for _acme-challenge.aidica.ca

Hint: The Certificate Authority failed to verify the manually created DNS TXT records. Ensure that you created these in the correct location, or try waiting longer for DNS propagation on the next attempt.

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.29.0

===

I had these certificates for more than a year, and they renewed 7 times just fine until now. I have a set of scripts with hooks to automate the process, but thought that maybe something is wrong with my current certificate, so I deleted it with 'certbot delete' and tried to get a new one.

If I run the above command in --dry-run mode, all is good, and I am getting the certs. In fact, --dry-run was also working for renewal commands just fine.

In production mode, I only get one _acme-challenge instead of two, and if I remove one of the domain names and try to get new certificates (i.e. only aidica.ca or only *.aidica.ca) I get no _acme-challenge records and the process fails with the "timeout" error.

So, it looks like the server sends one challenge less than the number of domain names requested, but works fine in dry-run mode.

When certbot does dry-run mode, it is always getting new challenges to try from Let's Encrypt. Whereas in production you may have some cached successful challenges from previous runs.

In any event, your DNS servers seem to be unreliable, only sometimes returning the result being asked for. The "during secondary validation" that you have in your title (but not in the error in your body) means that some of the points that Let's Encrypt checks from actually worked, but other locations didn't. And it seems that you can sometimes have it work, especially in the staging environment.

I took a look at your DNSViz report, and it reports several problems. I don't know whether any or all of them are actually the cause of your problem, but it's more evidence that your DNS servers aren't configured properly.

https://dnsviz.net/d/aidica.ca/dnssec/

Errors (5)

  • aidica.ca zone: The server(s) were not responsive to queries over UDP. (35.203.57.53)
  • aidica.ca/A: The Authoritative Answer (AA) flag was not set in the response. (34.130.49.121, 35.203.12.76, 35.203.126.148, UDP_-_EDNS0_4096_D_KN)
  • aidica.ca/A: The UDP connection was refused (ECONNREFUSED). (35.203.57.53, UDP_-_EDNS0_4096_D_KN)
  • aidica.ca/MX: The Authoritative Answer (AA) flag was not set in the response. (34.130.49.121, 35.203.12.76, 35.203.126.148, UDP_-_EDNS0_4096_D_KN, UDP_-_EDNS0_512_D_KN)
  • aidica.ca/TXT: The Authoritative Answer (AA) flag was not set in the response. (34.130.49.121, 35.203.12.76, 35.203.126.148, UDP_-_EDNS0_4096_D_KN)

Warnings (2)

  • ca to aidica.ca: The following NS name(s) were found in the delegation NS RRset (i.e., in the ca zone), but not in the authoritative NS RRset: ns1.bcdiabetes.ca, ns2.bcdiabetes.ca, ns3.bcdiabetes.ca
  • ca to aidica.ca: The glue address(es) for ns2.bcdiabetes.ca (35.203.57.53) differed from its authoritative address(es) (34.130.49.121).

For DNS Records I find:

https://www.nslookup.io/domains/aidica.ca/dns-records/#authoritative


And I find this:

$ nslookup -q=SOA
server ns1.bcdiabetes.ca
Default server: ns1.bcdiabetes.ca
Address: 35.203.126.148#53
aidica.ca
Server:         ns1.bcdiabetes.ca
Address:        35.203.126.148#53

aidica.ca
        origin = ns1.bcdiabetes.ca
        mail addr = support.bcdiabetes.ca
        serial = 2021051001
        refresh = 1200
        retry = 180
        expire = 1209600
        minimum = 3600
exit
$ nslookup -q=NS
server ns1.bcdiabetes.ca
Default server: ns1.bcdiabetes.ca
Address: 35.203.126.148#53
 aidica.ca
Server:         ns1.bcdiabetes.ca
Address:        35.203.126.148#53

*** Can't find aidica.ca: No answer
exit

But ICANN Lookup shows:
Name: aidica.ca
Internationalized Domain Name: aidica.ca
Registry Domain ID: 88087873-CIRA
Domain Status:
active
Nameservers:
ns1.bcdiabetes.ca
ns2.bcdiabetes.ca
ns3.bcdiabetes.ca

So "Can't find aidica.ca: No answer" seems like a DNS server configuration issue.

$ nslookup -q=TXT
server ns1.bcdiabetes.ca
Default server: ns1.bcdiabetes.ca
Address: 35.203.126.148#53
aidica.ca
Server:         ns1.bcdiabetes.ca
Address:        35.203.126.148#53

Non-authoritative answer:
aidica.ca       text = "v=spf1 include:mailgun.org ~all"

Authoritative answers can be found from:
exit
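The DNSViz errors above ("AA flag was not set") and the nslookup session's "Non-authoritative answer" point at the same defect: the delegated servers answer without claiming authority, which is what a strict validator times out or fails on. As an added example (not code from the thread or from Certbot), here is a standard-library-only check that sends a query with RD cleared straight to a nameserver for the _acme-challenge TXT name and reports the AA flag, RCODE and TXT strings; the server hostnames in the usage note are the ones from the ICANN lookup above.

```python
import socket
import struct

def build_query(name, qid=0x1234, qtype=16):
    """Query for TXT (type 16) with RD=0, so the AA flag reflects the server's own authority."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack(">HHHHHH", qid, 0, 1, 0, 0, 0) + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def _skip_name(data, off):  # offset just past a possibly compressed name
    while True:
        n = data[off]
        if n & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def parse_response(data):
    """Return id, AA flag, RCODE and TXT strings; aa=False means 'not authoritative'."""
    qid, flags, qd, an = struct.unpack(">HHHH", data[:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    txt = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == 16:  # TXT rdata: sequence of <len><chars> strings
            i = 0
            while i < len(rdata):
                txt.append(rdata[i + 1:i + 1 + rdata[i]].decode())
                i += 1 + rdata[i]
    return {"id": qid, "aa": bool(flags & 0x0400), "rcode": flags & 0xF, "txt": txt}

def query_txt(server, name, timeout=3.0):
    """One UDP query straight to a nameserver (network I/O), no retries, like a strict validator."""
    qid = 0x1234  # fixed for determinism in this example; use a random id in real tooling
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return {"error": "timeout"}  # the failure mode the CA reported
    r = parse_response(data)
    return r if r["id"] == qid else {"error": "id mismatch"}
```

Run `query_txt(ns, "_acme-challenge.aidica.ca")` for each of ns1.bcdiabetes.ca, ns2.bcdiabetes.ca and ns3.bcdiabetes.ca; every server should return aa=True, rcode 0 and the same token, and any timeout or aa=False is the problem to fix before retrying certbot.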

Very helpful, thank you! I made changes to my DNS settings and contacted my registrar for some more. Will be able to test again after the changes propagate.

:+1:

