During secondary validation: DNS problem: query timed out

Hello.

I am trying to renew a certificate and it fails, telling me there are timeouts while querying DNS servers. However, I am testing the DNS servers from different locations and they reply as expected.

The domains are: school.ioffe.ru www.school.ioffe.ru

I ran this command: certbot certonly --manual

It produced this output:

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: school.ioffe.ru
  Type:   dns
  Detail: During secondary validation: DNS problem: query timed out looking up A for school.ioffe.ru; DNS problem: query timed out looking up AAAA for school.ioffe.ru

  Domain: www.school.ioffe.ru
  Type:   dns
  Detail: During secondary validation: DNS problem: query timed out looking up A for www.school.ioffe.ru; DNS problem: query timed out looking up AAAA for www.school.ioffe.ru

Hint: The Certificate Authority failed to verify the manually created challenge files. Ensure that you created these in the correct location.

Some challenges have failed.

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.32.0

Best regards,
Eugene


How are you testing?

Because I consistently get a SERVFAIL or timeout querying your DNS from an AWS region on the US East Coast.

The "secondary validation" error means the primary data center for Let's Encrypt was successful but one of its secondary sites failed. These are in different places around the world.

I don't know what to advise other than that these problems are related to poorly performing or badly configured DNS servers. Perhaps another volunteer with more DNS knowledge will have a suggestion.

dig +trace  school.ioffe.ru
;; Received 600 bytes from 2001:678:15:0:193:232:142:17#53(e.dns.ripn.net) in 139 ms
school.ioffe.ru.        604800  IN      NS      ns.ioffe.ru.
school.ioffe.ru.        604800  IN      NS      ns.school.ioffe.ru.
couldn't get address for 'ns.school.ioffe.ru': failure
;; Received 110 bytes from 194.85.32.18#53(ns.runnet.ru) in 131 ms
;; connection timed out; no servers could be reached

dig A school.ioffe.ru @ns.ioffe.ru
; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> A school.ioffe.ru @ns.ioffe.ru
;; global options: +cmd
;; connection timed out; no servers could be reached

dig A school.ioffe.ru @ns.school.ioffe.ru
dig: couldn't get address for 'ns.school.ioffe.ru': failure

nslookup  school.ioffe.ru
Server:         127.0.0.53
Address:        127.0.0.53#53
** server can't find school.ioffe.ru: SERVFAIL
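The "secondary validation" failure above means that at least one of the CA's remote vantage points could not get an answer from the zone's authoritative servers, even though the primary could. The following script is an added example (not code from the thread or from Let's Encrypt) that reproduces that check from whatever host you run it on: it builds a minimal RFC 1035 UDP query with the standard library only, sends it to each nameserver IP you pass with a short timeout, and classifies the result as NOERROR, SERVFAIL, TIMEOUT and so on, for both A and AAAA as the CA does. The file name ns_probe.py, the transaction ID and the five-second timeout are assumptions; the nameserver IPs are whatever you supply on the command line.

```python
"""ns_probe.py: query a domain's authoritative nameservers the way a validating
resolver would, and report which ones answer, fail or time out.

Added example; stdlib only. Run it from several hosts (a CA validates from
multiple vantage points) and compare the results per nameserver.
"""
import socket
import struct
import sys

QTYPE = {"A": 1, "AAAA": 28, "NS": 2}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name: str, qtype: str, txid: int) -> bytes:
    """Encode a one-question DNS query. Flags are 0 (RD=0): we talk to the
    authoritative servers directly, as a recursive resolver would, so we do not
    ask them to recurse."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE[qtype], 1)  # class IN


def classify_response(data: bytes, txid: int) -> str:
    """Map a raw DNS response to a short status string."""
    if len(data) < 12:
        return "MALFORMED"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        return "ID-MISMATCH"        # stale or spoofed packet, not an answer to us
    if not flags & 0x8000:
        return "NOT-A-RESPONSE"     # QR bit clear: this is a query, not a reply
    rcode = flags & 0x000F
    status = RCODE.get(rcode, "RCODE%d" % rcode)
    if status == "NOERROR":
        aa = "AA" if flags & 0x0400 else "non-authoritative"
        return "NOERROR (%d answers, %s)" % (ancount, aa)
    return status


def probe(server_ip: str, name: str, qtype: str, timeout: float = 5.0) -> str:
    """Send one UDP query to server_ip:53 and classify the outcome. A timeout
    here is what the CA reports as 'query timed out'."""
    txid = 0x2A2A  # assumed fixed ID; fine for a diagnostic tool
    family = socket.AF_INET6 if ":" in server_ip else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qtype, txid), (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "TIMEOUT"
    except OSError as exc:
        return "ERROR (%s)" % exc
    finally:
        sock.close()
    return classify_response(data, txid)


def main(argv):
    if len(argv) < 3:
        print("usage: ns_probe.py <domain> <ns-ip> [<ns-ip> ...]")
        return 2
    name, servers = argv[1], argv[2:]
    for ip in servers:
        for qtype in ("A", "AAAA"):  # the CA looks up both, as the error shows
            print("%-40s %-5s %s" % (ip, qtype, probe(ip, name, qtype)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Get the nameserver addresses with `dig +short NS school.ioffe.ru` followed by `dig +short A <ns-name>` (or read them off the `dig +trace` output), then run the script from a home connection, a cloud VM in a different region and any other vantage point you have. A nameserver that returns TIMEOUT or SERVFAIL from some locations but NOERROR from others points at the upstream path rather than the zone data.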

Used dig utility from several hosts on Hetzner and some local providers. Also used services like check-host.net and letsdebug.net .

Thanks for testing, it sheds some light. I tried pinging and tracerouting some hosts on AWS from one of the DNS servers, and all the packets got lost somewhere upstream.


The Let's Encrypt secondary centers are all on AWS (currently).
