I only received this notice 11pm Mar 3rd, 2020. I’m trying my best to force renew my affected certs but I’m getting a DNS error?
An unexpected error occurred:
Error finalizing order :: While processing CAA for example.com: DNS problem: query timed out looking up CAA for example.com
My domain is correctly in DNS (has been all along) and I’m able to access it. SSL checkers can still validate the existing cert that was only renewed under 10 days ago. Is this problem from my end or at LetsEncrypt?
Please share us your domain name (and the hostnames)
There's no way any people can know what's going on unless you share us some information.
Thank you
Hi @belikewata,
Welcome to the community forum!
Can you please post your domain so we can better assist you?
hi affected is mailman.dot.asia
Hi @belikewata
checking that domain - mailman.asia - Make your website better - DNS, redirects, mixed content, certificates
| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| mailman.asia | Name Error | yes | 1 | 0 | |
| www.mailman.asia | Name Error | yes | 1 | 0 |
Are you the domain owner?
Looks like the domain isn't registered.
It's mailman.dot.asia...
The dot is actually a name here.
Oh, thanks, didn't know!
believe you have the host wrong.
I have the the SSL cert on subdomain: mailman.dot.asia
Checking that domain - https://check-your-website.server-daten.de/?q=mailman.dot.asia
| X | Fatal error: Nameserver doesn’t support TCP connection: ns1.asia: Timeout |
|---|---|
| X | Fatal error: Nameserver doesn’t support TCP connection: ns1.asia / 52.72.246.207: Timeout |
| X | Fatal error: Nameserver doesn’t support TCP connection: ns2.asia: Timeout |
Your name servers are buggy.
But Unboundtest doesn’t report an error.
What’s the exact error message? (which domain name has a problem)
Perhaps try it again one time.
Just tried again.
I’m running (am I running it correctly?):
certbot certonly --force-renewal --staging --dry-run -d mailman.dot.asia
Getting this response:
An unexpected error occurred:
Error finalizing order :: While processing CAA for mailman.dot.asia: DNS problem: query timed out looking up CAA for mailman.dot.asia
Prior to today, I run using cerbot certonly --manual --staging --dry-run and didn’t have problems until today
It seems like your DNS server might have some issues.
You might need to try again after some time or contact your DNS hosting provider.
Thank you
Thanks I will try again later.
A quick test indicates that your domain is queriable from our servers. It might’ve been a temporary issue with your server. I’d give it another try soon.
I’m still getting the same results:
An unexpected error occurred:
Error finalizing order :: While processing CAA for mailman.dot.asia: DNS problem: query timed out looking up CAA for mailman.dot.asia
I’ve even updated DNS and added CAA records which digs correctly:
; <<>> DiG 9.8.3-P1 <<>> dot.asia type257
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16796
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;dot.asia. IN TYPE257
;; ANSWER SECTION:
dot.asia. 21599 IN TYPE257 # 22 000569737375656C657473656E63727970742E6F7267
dot.asia. 21599 IN TYPE257 # 18 000569737375657365637469676F2E636F6D
dot.asia. 21599 IN TYPE257 # 18 00056973737565676F64616464792E636F6D
(these are CAA whitelists for godaddy, letsencrypt, and sectigo as allowed CAs)
I’m at a lost.
It’s failing to look up mailman.dot.asia's CAA records, not dot.asia's. (That might also be failing, though; it only reports one error.)
I have no idea why it’s failing, though – it works for me and unboundtest.com.
hmmm… I read that CAA for root (dot.asia) domains will cascade down to subdomains (mailman.dot.asia) and we only need to set records for root.
That’s correct – but checking by the CA cascades up.
mailman.dot.asia can have CAA records. If it doesn’t, Let’s Encrypt will use dot.asia's CAA records (if it has any) (and the same with asia itself). But Let’s Encrypt has to be able to successfully do a CAA query for mailman.dot.asia in order to find out which it is.
oh I see. Thanks for the insight. I will add a CAA for mailman.dot.asia and try again.
To be clear:
There is no requirement that CAA records exist.
The requirement is that either they exist or the DNS servers properly determine that they don’t exist.
Adding records might not fix the problem, whatever it is.
You may use a temporary fix.
Current: mailman.dot.asia -> CNAME jerry.dot.asia
First step: Remove the CNAME, add an A-record
mailman.dot.asia -> ip of jerry.dot.asia
Second step: Add a CAA
mailman.dot.asia
Then try to create a certificate.