Error generating certificate

I am having this problem:

Domain "webext.segplan.go.gov.br" challenge3 timed out after 15 seconds. Try regenerating your account once by going back and clicking "Regenerate Account" near the top center. If that does not work then please try a different verification method (HTTP if using DNS or vice versa) or try again later. Last response from "https://acme-v01.api.letsencrypt.org/acme/challenge/mlyrIyj4fxu7hKmwJbEyC6ZFOKm8Nbae6kIX_FLe-i0/3274038423" was { "type": "dns-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/mlyrIyj4fxu7hKmwJbEyC6ZFOKm8Nbae6kIX_FLe-i0/3274038423", "token": "4UWGeweH8DNvQOHlbZZqhF6-8jYRbt53hEfJJpfuBJ0", "keyAuthorization": "4UWGeweH8DNvQOHlbZZqhF6-8jYRbt53hEfJJpfuBJ0.ulpgSiczmOziRU5h1HMPWzga1xRStMt-onil3nBEb64" }

Since you created this under the "Server" topic instead of "Help", you didn't see the following questionnaire. I went ahead and moved it, but could you fill out the following to better assist us in helping you.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

My domain is webext.segplan.go.gov.br. This certificate has 15 names in its SAN, but only this one domain is the one with errors. The TTL check is OK: they are already validated within 1 second, and it changes the validation key every time it tries to issue the certificate and displays another key only for this domain; the others are all OK.

So, we see the error here:

"DNS problem: query timed out looking up CAA for webext.segplan.go.gov.br"

The DNS resolution chain eventually hits these nameservers:

lb.go.gov.br.           1800    IN      NS      lb-oi.go.gov.br.
lb.go.gov.br.           1800    IN      NS      lb-oi2.go.gov.br.
lb.go.gov.br.           1800    IN      NS      lb-ctbc.go.gov.br.

However, they seem not to respond to any query type except A queries. Let's Encrypt needs to be able to issue a CAA query and get a successful response (even if empty).

Take note of the following from Let's Encrypt's page on CAA:

CAA validation follows CNAMEs, like all other DNS requests. If www.community.example.com is a CNAME to web1.example.net, the CA will first request CAA records for www.community.example.com, then seeing that there is a CNAME for that domain name instead of CAA records, will request CAA records for web1.example.net instead. Note that if a domain name has a CNAME record, it is not allowed to have any other records according to the DNS standards.

It is not possible to get an answer to a CAA query from the nameservers authoritative for sfb.lb.go.gov.br, which is the CNAME target of webext.segplan.go.gov.br:

https://unboundtest.com/m/CAA/sfb.lb.go.gov.br/AV6GRN7T

or you can try:

dig +trace sfb.lb.go.gov.br. caa
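To make the CNAME-following behaviour quoted above concrete, here is an added Python model of the CAA check (it is not code from the thread or from Let's Encrypt). It walks the same chain a CA does: follow CNAMEs to the final owner, look for CAA there, and climb to parent names as RFC 8659 section 3 requires, stopping at the first non-empty set. The zone table is constructed sample data, with a pseudo-record type "TIMEOUT" standing in for a nameserver that only answers A queries, which is the failure mode in this thread; an empty CAA answer is treated as permission, a timeout as a fatal error.

```python
"""Model of a CA's CAA check over a constructed zone table (added example).

Real resolvers use the network; here a lookup function answers from ZONE so
the walk can be run and reasoned about offline.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data, not a real zone dump. Each owner name maps to
# record type -> values. A missing type is NODATA (an empty but successful
# answer). The pseudo-type "TIMEOUT" lists query types the server for that
# name never answers, modelling nameservers that reply to A queries only.
ZONE: Dict[str, Dict[str, List[str]]] = {
    "webext.segplan.go.gov.br.": {"CNAME": ["sfb.lb.go.gov.br."]},
    "sfb.lb.go.gov.br.": {"A": ["192.0.2.10"], "TIMEOUT": ["CAA", "TXT", "AAAA"]},
    "www.community.example.com.": {"CNAME": ["web1.example.net."]},
    "web1.example.net.": {"A": ["192.0.2.20"], "CAA": ['0 issue "letsencrypt.org"']},
    "example.net.": {"CAA": ['0 issue "ca.example"']},
}


class DnsTimeout(Exception):
    """Raised when the authoritative server does not answer the query."""


Lookup = Callable[[str, str], List[str]]


def zone_lookup(name: str, rtype: str) -> List[str]:
    """Answer one query from ZONE; [] means NODATA or NXDOMAIN."""
    rrs = ZONE.get(name, {})
    if rtype in rrs.get("TIMEOUT", []):
        raise DnsTimeout(f"query timed out looking up {rtype} for {name}")
    return list(rrs.get(rtype, []))


def resolve_following_cnames(name: str, rtype: str, lookup: Lookup,
                             max_hops: int = 8) -> Tuple[str, List[str]]:
    """Resolve rtype for name as a recursive resolver would: if the owner has
    a CNAME, restart the query at its target. Returns (final_owner, rrset)."""
    for _ in range(max_hops):
        cname = lookup(name, "CNAME")
        if not cname:
            return name, lookup(name, rtype)
        name = cname[0]
    raise RuntimeError(f"CNAME chain from {name} exceeds {max_hops} hops")


def ancestors(name: str) -> List[str]:
    """'a.b.c.' -> ['a.b.c.', 'b.c.', 'c.'] (the name, then each parent up to the TLD)."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


def relevant_caa(name: str, lookup: Lookup) -> Tuple[Optional[str], List[str]]:
    """RFC 8659 section 3: use the first non-empty CAA set found while climbing
    from the name to the TLD. A timeout anywhere in the climb propagates."""
    for candidate in ancestors(name):
        owner, rrset = resolve_following_cnames(candidate, "CAA", lookup)
        if rrset:
            return owner, rrset
    return None, []


def caa_permits(name: str, ca: str, lookup: Lookup) -> str:
    """Decide whether CAA allows `ca` to issue for `name` (issue tags only)."""
    try:
        owner, rrset = relevant_caa(name, lookup)
    except DnsTimeout as exc:
        # This is the outcome Let's Encrypt reported for the domain in the thread.
        return f"error: {exc}"
    if not rrset:
        return "permitted: no CAA records"
    issuers = [r.split('"')[1] for r in rrset if r.split()[1] == "issue"]
    if ca in issuers:
        return f"permitted by CAA at {owner}"
    return f"forbidden by CAA at {owner}"


if __name__ == "__main__":
    for host in ("webext.segplan.go.gov.br.", "www.community.example.com.", "plain.example.org."):
        print(host, "->", caa_permits(host, "letsencrypt.org", zone_lookup))
```

Running the module prints the timeout for the CNAME target sfb.lb.go.gov.br., a positive CAA match for the documentation's www.community.example.com example, and "permitted: no CAA records" for a name with no CAA anywhere in its chain, which is the "successful response (even if empty)" the CA needs.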

It is possible that the IT service of the Goiás state government uses a DNS server that behaves incorrectly in this case. You can find information about this in the "CAA errors" section of the document cited above by @_az.

I think I have already translated that section into Portuguese, in case you need the translation to discuss the matter with someone.

