"During secondary validation" error

My domain is:
sojer-last.com.futurecms.at
and
www.sojer-last.com.futurecms.at

I ran this command: Using PHP Client: GitHub - analogic/lescript: Simplified PHP ACME client

It produced this output:
During secondary validation: No valid IP addresses found for www.sojer-last.com.futurecms.at
and/or
During secondary validation: DNS problem: query timed out looking up CAA for futurecms.at

My web server is: Server version: Apache/2.4.46 (IUS)

The operating system my web server runs on is: CentOS Linux release 7.9.2009 (Core)

My hosting provider, if applicable, is: Futureweb OG (www.futureweb.at)

I can login to a root shell on my machine: yes

I'm using a control panel to manage my site: sort of, custom backend für LE Cert generation

The version of my client is: 0.2.6

Links: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10367509707 and https://acme-v02.api.letsencrypt.org/acme/authz-v3/10367509670

In the past weeks the lets encrypt error messages increased. If i try to renew the cert afterwards, it's working as expected. Seems like a timeout problem. There is always an ip address available, so the "no ip address found" error can't be correct. Do you have any current problems regarding the error messages written above?

Thx for your help.

Best regards,
Mathias

2 Likes

I don't know what the problem is exactly.
And it seems to be only intermittent - or is this problem consistent?
And I do have another question: Do you have the same problem with the shorter name?

www.sojer-last.com.futurecms.at | DNSViz
www.sojer-last.com | DNSViz

Name:    www.sojer-last.com
Address: 83.65.246.198

Name:    www.sojer-last.com.futurecms.at
Address: 83.65.246.198

sojer-last.com  nameserver = ns1.futureweb.at
sojer-last.com  nameserver = ns2.futureweb.at
sojer-last.com  nameserver = ns3.futureweb.at

futurecms.at    nameserver = ns1.futureweb.at
futurecms.at    nameserver = ns2.futureweb.at
futurecms.at    nameserver = ns3.futureweb.at
1 Like

What confuses me a little is this - Error: "During secondary validation: No valid IP addresses found for www.sojer-last.com.futurecms.at"
However, in the same request:

addressesResolved "83.65.246.198"
addressUsed "83.65.246.198"

So LE Server was able to resolve the IP address correctly?
(Second Validation Info: ACME v1/v2: Validating challenges from multiple network vantage points)

Could it be possible some of the LE Systems which are used for the second Validation got Problems reaching European Networks? Routing Probs? Something in this Direction? :thinking:

1 Like

Hi @futureweb

I had same problem for 4 days.

You may want to try DNS problem: query timed out looking up A - #15 by MrNovo this

In my situation problem was with ISP. They were bloking or redirecting something i'm not sure.

Hope it helps.

2 Likes

Hey @MrNovo,
as we are the ISP I would rule out this possibility with a 95% chance ... :wink:
Already roamed through DNS & Firewall Logs, also checked our Monitoring. No anomalies found on our Systems. Also 1 of our 3 DNS Servers is hosted outside of our Infrastructure to be sure DNS Resolution still works if there are Problems in our DC. (Hosted on MS Azure Cloud)
Also using this Setup for LE Certs many years now - and we noticed an increase of those Failure over the last few months ... so my guess would either be it's routing related or some kind of sporadically occuring performance issue on LE Servers and they only stand out because we protect thousands of domains with LE ... ? :thinking:

3 Likes

We still get errors, also from other domains:
https://acme-v02.api.letsencrypt.org/acme/authz-v3/10380476299
https://acme-v02.api.letsencrypt.org/acme/authz-v3/10369991994

2 Likes

As for https://acme-v02.api.letsencrypt.org/acme/authz-v3/10368995957 --> Error: During secondary validation: No valid IP addresses found for www.jobs.rieseberg.at.kunden.ortsinfo.at --> Unbound: https://unboundtest.com/m/CAA/www.jobs.rieseberg.at.kunden.ortsinfo.at/7WWFV4QJ
(DNS Entry: *.at.kunden.ortsinfo.at. 360 IN A 83.65.246.198 - Wildcard - so there is always an IP)

Also https://acme-v02.api.letsencrypt.org/acme/authz-v3/10380476299 Error: During secondary validation: DNS problem: query timed out looking up CAA for kunden.ortsinfo.at --> Unbound: https://unboundtest.com/m/CAA/furtherwirt.kitzintensiv.at.kunden.ortsinfo.at/A77QSOSO

Happens about 2-10 times a day - with a few dozen/hundreds Cert renewals a Day
It's always working without problems a few Seconds later ...

Hence my assumption that the problem could be on the LE side. Maybe @cpu got a spare second or two and have a look LE Server-Side / Logs if there is a Problem? :thinking:

1 Like

Hi @futureweb

that's furtherwirt.kitzintensiv.at.kunden.ortsinfo.at a terrible long domain name.

6 CAA checks.

May be the name server thinks it's a DDOS.

Isn't it possible to create a CAA with "letsencrypt.org"? With at.kunden.ortsinfo.at? So not so much CAA checks are required.

4 Likes

Hey @JuergenAuer,

I checked DNS and Firewall Logs again - no blocking on our Side. Tested a few dozen CAA Queries of such Domains from outside of our Network.

Shortening CAA checks with CAA entries further down the path sounds like good idea - I'm going to implement that for our automated generated CMS Domains.

But maybe we should/could figure out what's the underlying problem is. Just to be sure LE Servers got no issue with such long sub-sub-sub-Domains? It happens pure randomly - out of the few dozen renews a day we get a few fails ... if I renew the same Domain a few Seconds/Minutes later - it works - so I would rule out some blocking on our side more or less ... :thinking:

1 Like

@futureweb Sorry, can't help that way anymore :slight_smile:

Good luck!

3 Likes

@cpu - aaahhhhh, darn, forgot you left LE! :frowning:
Hope you doing good! :wink:

thx, bb

4 Likes

Are you still having problems, @futureweb? There is an address we can use to notify people on the forum who do still work for Let's Encrypt.

3 Likes

And I also hope things are going great for @cpu these days!

4 Likes

@schoen - we implemented CAA Records further down the Path (ie. at.kunden.ortsinfo.at instead of ortsinfo.at) as @JuergenAuer suggested ( :+1: ), since then no more Errors were triggered.

But the Question remains if the Error was caused by some bottleneck on LE Side or something with our DNS Servers. (While I wasn't able to find a single Error/Problem with our DNS Servers nor any blockings in our Firewall), also was not able to reproduce any Error with Unboundtest ...

Error was only triggered by "second validation" ... :man_shrugging:

1 Like

That's normally a problem with one of the AWS hosted secondary servers (worldwide).

Sometimes some of these ip addresses are blacklisted.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.