"During secondary validation: No valid IP addresses found" validation error

Hi,
since a few days, certificate renewals fail with a "During secondary validation: No valid IP addresses found" error. This used to work without issue, and there have been no changes to DNS.

The domain in question is www.heinbockel.info (and heinbockel.info)

I'm using the http-01 challenge via dehydrated:

../dehydrated/dehydrated --cron --alias heinbockel.info \
    --domain heinbockel.info --domain www.heinbockel.info  \
    --challenge http-01

This is the full output:

# INFO: Using main config file dehydrated.conf
Processing heinbockel.info with alternative names: www.heinbockel.info 
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Apr  6 01:00:47 2021 GMT (Less than 31 days). Renewing!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for www.heinbockel.info
 + Handling authorization for heinbockel.info
 + 2 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for www.heinbockel.info authorization...
 + Cleaning challenge tokens...
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]	"http-01"
["status"]	"invalid"
["error","type"]	"urn:ietf:params:acme:error:dns"
["error","detail"]	"During secondary validation: No valid IP addresses found for www.heinbockel.info"
["error","status"]	400
["error"]	{"type":"urn:ietf:params:acme:error:dns","detail":"During secondary validation: No valid IP addresses found for www.heinbockel.info","status":400}
["url"]	"https://acme-v02.api.letsencrypt.org/acme/chall-v3/11381604758/BF7dWA"
["token"]	"9GovvxBxtH8FibN_gfEJrU1d2a2zb3dvFLMuU9iCOSc"
["validationRecord",0,"url"]	"http://www.heinbockel.info/.well-known/acme-challenge/9GovvxBxtH8FibN_gfEJrU1d2a2zb3dvFLMuU9iCOSc"
["validationRecord",0,"hostname"]	"www.heinbockel.info"
["validationRecord",0,"port"]	"80"
["validationRecord",0,"addressesResolved",0]	"194.55.14.91"
["validationRecord",0,"addressesResolved"]	["194.55.14.91"]
["validationRecord",0,"addressUsed"]	"194.55.14.91"
["validationRecord",0]	{"url":"http://www.heinbockel.info/.well-known/acme-challenge/9GovvxBxtH8FibN_gfEJrU1d2a2zb3dvFLMuU9iCOSc","hostname":"www.heinbockel.info","port":"80","addressesResolved":["194.55.14.91"],"addressUsed":"194.55.14.91"}
["validationRecord"]	[{"url":"http://www.heinbockel.info/.well-known/acme-challenge/9GovvxBxtH8FibN_gfEJrU1d2a2zb3dvFLMuU9iCOSc","hostname":"www.heinbockel.info","port":"80","addressesResolved":["194.55.14.91"],"addressUsed":"194.55.14.91"}])
An error occured!

My web server is (include version): apache 2.4.38-3+deb10u4

The operating system my web server runs on is (include version): debian buster

I can login to a root shell on my machine: yes

The version of my client is: latest

DNS records look good to me:

www.heinbockel.info:

$ dig www.heinbockel.info

; <<>> DiG 9.11.27-RedHat-9.11.27-1.fc33 <<>> www.heinbockel.info
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62215
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.heinbockel.info.		IN	A

;; ANSWER SECTION:
www.heinbockel.info.	60	IN	CNAME	vserver.heinbockel.info.
vserver.heinbockel.info. 59	IN	A	194.55.14.91

heinbockel.info:

$ dig heinbockel.info

; <<>> DiG 9.11.27-RedHat-9.11.27-1.fc33 <<>> heinbockel.info
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46823
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;heinbockel.info.		IN	A

;; ANSWER SECTION:
heinbockel.info.	60	IN	A	194.55.14.91

;; Query time: 166 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: So Mär 07 17:26:57 CET 2021
;; MSG SIZE  rcvd: 60

The issue has begun popping up on other domains & servers too:

# INFO: Using main config file dehydrated.conf
Processing mattermost.netz.lt
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for mattermost.netz.lt
 + 1 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for mattermost.netz.lt authorization...
 + Cleaning challenge tokens...
 + Challenge validation has failed 
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]	"http-01"
["status"]	"invalid"
["error","type"]	"urn:ietf:params:acme:error:dns"
["error","detail"]	"During secondary validation: DNS problem: query timed out looking up CAA for mattermost.netz.lt"
["error","status"]	400
["error"]	{"type":"urn:ietf:params:acme:error:dns","detail":"During secondary validation: DNS problem: query timed out looking up CAA for mattermost.netz.lt","status":400}
["url"]	"https://acme-v02.api.letsencrypt.org/acme/chall-v3/11469645477/m20_sg"
["token"]	"h6j-24KXIcrudRowG5LtGeN97rw4kv3DiHmlRKrP9I4"
["validationRecord",0,"url"]	"http://mattermost.netz.lt/.well-known/acme-challenge/h6j-24KXIcrudRowG5LtGeN97rw4kv3DiHmlRKrP9I4"
["validationRecord",0,"hostname"]	"mattermost.netz.lt"
["validationRecord",0,"port"]	"80"
["validationRecord",0,"addressesResolved",0]	"45.9.60.98"
["validationRecord",0,"addressesResolved",1]	"2a03:4000:45:232::1"
["validationRecord",0,"addressesResolved"]	["45.9.60.98","2a03:4000:45:232::1"]
["validationRecord",0,"addressUsed"]	"2a03:4000:45:232::1"
["validationRecord",0]	{"url":"http://mattermost.netz.lt/.well-known/acme-challenge/h6j-24KXIcrudRowG5LtGeN97rw4kv3DiHmlRKrP9I4","hostname":"mattermost.netz.lt","port":"80","addressesResolved":["45.9.60.98","2a03:4000:45:232::1"],"addressUsed":"2a03:4000:45:232::1"}
["validationRecord"]	[{"url":"http://mattermost.netz.lt/.well-known/acme-challenge/h6j-24KXIcrudRowG5LtGeN97rw4kv3DiHmlRKrP9I4","hostname":"mattermost.netz.lt","port":"80","addressesResolved":["45.9.60.98","2a03:4000:45:232::1"],"addressUsed":"2a03:4000:45:232::1"}])
An error occured!

Here, it also occurs with dns-01 validation:

# INFO: Using main config file dehydrated.conf
# INFO: Running ../dehydrated/dehydrated as asterisk
# INFO: Using main config file dehydrated.conf
Processing asterisk.kiel.sembritzki.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Apr 10 01:00:14 2021 GMT (Less than 31 days). Renewing!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for asterisk.kiel.sembritzki.org
 + 1 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for asterisk.kiel.sembritzki.org authorization...
 + Cleaning challenge tokens...
 + Challenge validation has failed 
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]	"dns-01"
["status"]	"invalid"
["error","type"]	"urn:ietf:params:acme:error:dns"
["error","detail"]	"During secondary validation: DNS problem: query timed out looking up CAA for asterisk.kiel.sembritzki.org"
["error","status"]	400
["error"]	{"type":"urn:ietf:params:acme:error:dns","detail":"During secondary validation: DNS problem: query timed out looking up CAA for asterisk.kiel.sembritzki.org","status":400}
["url"]	"https://acme-v02.api.letsencrypt.org/acme/chall-v3/11469645306/_h1GsQ"
["token"]	"K-4Phc29j7oG7FkDI80t-i266hODTit_iE9A3MLtnNU"
["validationRecord",0,"hostname"]	"asterisk.kiel.sembritzki.org"
["validationRecord",0]	{"hostname":"asterisk.kiel.sembritzki.org"}
["validationRecord"]	[{"hostname":"asterisk.kiel.sembritzki.org"}])
An error occured!

one more:

# INFO: Using main config file dehydrated.conf
Processing nextcloud.heinbockel.info
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Apr  6 01:01:02 2021 GMT (Less than 31 days). Renewing!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for nextcloud.heinbockel.info
 + 1 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for nextcloud.heinbockel.info authorization...
 + Cleaning challenge tokens...
 + Challenge validation has failed 
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]	"http-01"
["status"]	"invalid"
["error","type"]	"urn:ietf:params:acme:error:dns"
["error","detail"]	"During secondary validation: DNS problem: query timed out looking up A for nextcloud.heinbockel.info"
["error","status"]	400
["error"]	{"type":"urn:ietf:params:acme:error:dns","detail":"During secondary validation: DNS problem: query timed out looking up A for nextcloud.heinbockel.info","status":400}
["url"]	"https://acme-v02.api.letsencrypt.org/acme/chall-v3/11469649172/FnP2Yg"
["token"]	"42i6CDgROMUzOigygiTGcH5dHbb4ZMghfH2n4mV0MZ8"
["validationRecord",0,"url"]	"http://nextcloud.heinbockel.info/.well-known/acme-challenge/42i6CDgROMUzOigygiTGcH5dHbb4ZMghfH2n4mV0MZ8"
["validationRecord",0,"hostname"]	"nextcloud.heinbockel.info"
["validationRecord",0,"port"]	"80"
["validationRecord",0,"addressesResolved",0]	"194.55.14.91"
["validationRecord",0,"addressesResolved"]	["194.55.14.91"]
["validationRecord",0,"addressUsed"]	"194.55.14.91"
["validationRecord",0]	{"url":"http://nextcloud.heinbockel.info/.well-known/acme-challenge/42i6CDgROMUzOigygiTGcH5dHbb4ZMghfH2n4mV0MZ8","hostname":"nextcloud.heinbockel.info","port":"80","addressesResolved":["194.55.14.91"],"addressUsed":"194.55.14.91"}
["validationRecord"]	[{"url":"http://nextcloud.heinbockel.info/.well-known/acme-challenge/42i6CDgROMUzOigygiTGcH5dHbb4ZMghfH2n4mV0MZ8","hostname":"nextcloud.heinbockel.info","port":"80","addressesResolved":["194.55.14.91"],"addressUsed":"194.55.14.91"}])
An error occured!

These are errors from three different servers. All these domains have been in use and renewed for many times, without any issues. There were no recent changes.

I saw you pinged me in the other thread. At first I thought there was a chance that they were related issues, but now I don't think they are. I've done a little looking into your issue but didn't see anything yet. What the error "During secondary validation: DNS problem: query timed out" means is that while some of Let's Encrypt's servers (the "primary validation") can reach your DNS servers, they check from multiple vantage points on the Internet (the "secondary validation"), and some of them aren't getting a response from your DNS server. Usually, this means that there's some firewall blocking requests somewhere (possibly upstream from you, like run by your ISP) since they're not expecting worldwide requests for DNS from the IP space of the cloud provider Let's Encrypt uses (which I believe is AWS).

I do want to raise a possibility, though it's probably not the issue: AWS recently started enforcing RPKI, so if your DNS servers are in IP space which isn't being properly announced through BGP then you might see something like this happen, and it might explain why you haven't had problems until recently. I'm stretching a bit, though, since usually ISPs are really on top of that sort of thing. There's probably some online tool or something to check this but I'm not aware enough about it to know how to validate whether this might be part of your issue.

I also want to apologize on behalf of the community (assuming I have the authority to do that) for you not getting much of an answer to your initial post; the support on this forum is entirely volunteer-based (We're all just random strangers on the Internet who occasionally like to help people), so if there's a trickier situation like yours it might take some time for people to dig in and help. Like I said, I've looked into it a little bit, but I have to get to work and can't really take the time to dig in further right now. So I'm sorry I can't assist you further at the moment, but I'm hoping someone else here will be able to take the reins and help you dig into what's really happening here.

This might help:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.