Error received: Error: DNS problem: query timed out looking up CAA


#1

Hi Team,

We are facing the below error while doing the domain validation using Let’s encrypt:

Error received:
Error: DNS problem: query timed out looking up CAA

The domain names are below

  1.  www.lbp-etps.com
    
  2.  www.lbpweaccess.com
    
  3.  www.lbpwepayaccess.com
    

Can you help us clarify how to address the issue.

Also, is it possible to setup a https redirect while making domain validation as http is blocked at customer end.

Regards,
Manisha Bajpai

Please fill out the fields below so we can help you better.

My domain is:

I ran this command:

It produced this output:

My operating system is (include version):

My web server is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#2

The short answer is to correct your DNS issues.

Those domain names are not correctly resolving at the DNS servers that have been defined as your authoritative DNS servers. see http://dnsviz.net/d/www.lbp-etps.com/dnssec/ for errors


#3

Hi ,

I am getting these results below:

blr-mpe0b:~ mbajpai$ dig www.lbp-etps.com

; <<>> DiG 9.8.3-P1 <<>> www.lbp-etps.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60688
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.lbp-etps.com. IN A

;; ANSWER SECTION:
www.lbp-etps.com. 3600 IN CNAME www.wip.lbp-etps.com.
www.wip.lbp-etps.com. 30 IN A 58.71.22.9

This is what it’s getting resolved to.

Regards,
Manisha Bajpai


#4

It is a little more complex than a simple dig.

Dig just checks whatever your computers DNS server is (often your ISP ) for the records for a domain. This could be old or even spoofed, so Let’s Encrypt always refers back to what your domain name claims are it’s authoritative nameservers.

In your case if you do a “whois” of your domain you get

Name Server: ns6.landbank.com
Name Server: ns5.landbank.com
Name Server: ns7.landbank.com

If you try a dig specifically to those nameservers you will see some issues;

user@serverco:~$ dig -t TYPE257 www.lbpweaccess.com @ns7.landbank.com
dig: couldn’t get address for ‘ns7.landbank.com’: not found
user@serverco:~$ dig -t TYPE257 www.lbpweaccess.com @ns6.landbank.com
dig: couldn’t get address for ‘ns6.landbank.com’: not found

and the only one that does respond, says it is not authoritative and gives a SERVFAIL

user@serverco:~$ dig -t TYPE257 www.lbpweaccess.com @ns5.landbank.com

; <<>> DiG 9.10.4-P5-RedHat-9.10.4-3.P5.fc24 <<>> -t TYPE257 www.lbpweaccess.com @ns5.landbank.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21229
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.lbpweaccess.com.		IN	CAA

;; ANSWER SECTION:
www.lbpweaccess.com.	3356	IN	CNAME	www.wip.lbpweaccess.com.

;; Query time: 1297 msec
;; SERVER: 58.71.22.3#53(58.71.22.3)
;; WHEN: Thu Feb 02 09:55:08 GMT 2017
;; MSG SIZE  rcvd: 70

#5

Hi ,

Thanks for the information. Can I also get a reply of my second question which is setting up a redirect on https for domain validation as the customer has blocked http at their end.

Regards,
Manisha Bajpai


#6

There are three challenges you can use;

http-01 - this will always try and validate on port 80, but will follow redirects ( to https etc). You would need to be able to place the redirect on port 80 though - so may not work for you.

tls-01 - this tests on port 443, and needs to provide a specific signed certificate on that port.

dns-01 - this does not need access to your server, it needs a TXT token placed in your DNS records. If you have an API to your DNS, then this can be very easy, it is more complex if you need to manually update your DNS records every time though.


#7

Hello team

Please share more details on the below option.

tls-01 - this tests on port 443, and needs to provide a specific signed certificate on that port.

Queries:

  1. How will you share validation instructions on HTTPS?
  2. What setup will the customer have to do at their end to validate a domain via HTTPS?

#8

What depth of information do you want ?

At the top level, simply use a client like certbot and it will do it all for you.

At the detailed, programming, level it’s defined in the AMCE protocol

If you want specific instructions I’d suggest starting a new topic in help, and provide as much information as you can ( fill in the template form for domain name, host, operating system, if you are on a shared or dedicated server, if you use a control panel etc ) and we can provide specific instructions. Without that information it’s difficult to be specific to your requirements.


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.