Failed authorization procedure. DNS problem: query timed out looking up CAA

I am trying to install SSL on a domain hosted on a VPS with CloudLinux 6.8 x86_64.

While installing, I am getting the following error message. I have tried several times without any success.

Failed authorization procedure. www[dot]boxingglovesonline.com.au (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: query timed out looking up CAA for www[dot]boxingglovesonline.com.au, boxingglovesonline.com.au (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: query timed out looking up CAA for boxingglovesonline.com.au

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: www[dot]boxingglovesonline.com.au
Type: connection
Detail: DNS problem: query timed out looking up CAA for
www[dot]boxingglovesonline.com.au

Domain: boxingglovesonline.com.au
Type: connection
Detail: DNS problem: query timed out looking up CAA for
boxingglovesonline.com.au

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

My DNS however looks good.

Sorry as I had to use www[dot], as I am not allowed to post more than 2 links!

Your name server seems to time out for CAA requests:

➜  ~ dig @ns3.acslegal.com.au -t TYPE257 boxingglovesonline.com.au

; <<>> DiG 9.8.3-P1 <<>> @ns3.acslegal.com.au -t TYPE257 boxingglovesonline.com.au
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

CAA is a fairly new DNS record type, so your DNS server probably has some trouble with that. You don’t need to have a CAA record in order to use Let’s Encrypt, but your DNS server would at least have to give some kind of reply.

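The diagnosis above comes down to one question: does each authoritative name server give any reply at all to a type 257 (CAA) query? The script below is an added example, not code from the thread or from Let's Encrypt. It uses only the Python standard library: it builds the CAA query by hand, sends it over UDP to a name server, parses the reply, and classifies it the way a CA would (a timeout or SERVFAIL fails validation; NOERROR with an empty answer section is perfectly fine). The domain and server names on the command line are whatever you pass in; the packet bytes used to exercise the parser are constructed for the example.

```python
"""Check whether a name server answers CAA (type 257) queries.

Added example, not from the original thread. Let's Encrypt does not require a
CAA record, but it does require that the authoritative name servers return
*some* answer (NOERROR with no data is fine). A timeout, as in the dig output
in the thread, fails validation. Standard library only: the DNS query is built
by hand, sent over UDP and the reply is parsed without any DNS library.
"""
import socket
import struct

CAA = 257
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qtype=CAA, txid=0x1234):
    """Build a minimal DNS query packet: header (RD set) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_reply(data):
    """Parse a DNS reply into (rcode_name, [(flags, tag, value), ...]).

    Only CAA answers are decoded; other record types in the answer section
    (e.g. a CNAME) are skipped so they do not break parsing.
    """
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", data, 0)
    rcode = RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                # skip the echoed question(s)
        off = _skip_name(data, off) + 4
    records = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == CAA and rdlen >= 2:
            caa_flags, tag_len = rdata[0], rdata[1]
            tag = rdata[2:2 + tag_len].decode("ascii")
            value = rdata[2 + tag_len:].decode("utf-8", "replace")
            records.append((caa_flags, tag, value))
    return rcode, records


def classify(reply):
    """Map a parsed reply (None for a timeout) to what a CA will make of it."""
    if reply is None:
        return "TIMEOUT: validation will fail, the server must answer CAA queries"
    rcode, records = reply
    if rcode == "NOERROR" and not records:
        return "OK: NOERROR with no CAA data, any CA may issue"
    if rcode == "NOERROR":
        return "OK: CAA present: " + ", ".join("%s=%s" % (t, v) for _, t, v in records)
    if rcode == "NXDOMAIN":
        return "OK: NXDOMAIN is a real reply (no CAA data), but check the name exists"
    return rcode + ": treated as a lookup failure by Let's Encrypt"


def query_caa(server, name, timeout=5.0):
    """Send one CAA query to `server` (an IP); return parsed reply or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_reply(data)


if __name__ == "__main__":
    import sys
    # Usage: python caa_check.py example.com ns1.example.net ns2.example.net
    # (domain and server names are placeholders; pass your own)
    name, servers = sys.argv[1], sys.argv[2:]
    for server in servers:
        addr = socket.gethostbyname(server)
        print("%-30s %s" % (server, classify(query_caa(addr, name))))
```

Run it against every NS listed for the zone, not just one: a single server that answers is not enough if the CA happens to pick the one that drops the query. A NOERROR reply with an empty answer section is the expected result for a zone with no CAA record and means the name server is fine; only timeouts, SERVFAIL and REFUSED need fixing.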

Thanks for this information. ns3 and ns4.acslegal.com.au were just put there as my root DNS in cPanel. I am using custom DNS. Looks like I will have to edit the NS records.

Yep, Let’s Encrypt is going to use your public name servers. The validation is performed from Let’s Encrypt’s servers, not from within the client running on your device (that would present a huge vulnerability).

I am still having this same error after updating DNS.
dig @ns3.boxingglovesonline.com.au boxingglovesonline.com.au returns no error when I test from another server.
Any help will be appreciated.

It looks as if you are running an old version of BIND (9.8.2), which reached End-of-Life (EOL) in Sep 2014. Worth upgrading, I think.


It does indeed seem that both NS point to the very same box, running BIND version 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6. If I’m not mistaken, support for CAA records was added in 10.1-2.

P.S. On a side note, it is usually not a good idea to have effectively just one name server (especially one pointing to the same machine that hosts the websites). I would recommend using some free DNS hosting instead. Additionally, you may need to fix the SOA record: it quotes managedvps@tppwholesale.com.au, which appears to be undeliverable (at least from some test locations).


Thanks for all the suggestions. I am proceeding with them.

Looks like BIND 10 is not supported on WHM/cPanel as of yet!
Is not having BIND 10 the reason for my error? I am asking because I can see from the cPanel forum that lots of people were able to successfully generate the cert!

I don’t think you need to go as far as BIND 10; the current stable is 9.9 and works fine (I just checked on one of my cPanel servers). 9.8 is EOL though.
