Failed authorization procedure


#1

Hello,

I am trying to request a new cert for the domain below, however, I am getting a DNS error while authorizing. The server returns an error informing it was not possible to resolve an A record for the domain requested. The problem is that I am testing the response querying the A record from other DNS servers (ex. Google 8.8.8.8) and they are replying correctly. How can we fix this? Seems to be a DNS issue on Letsencrypt servers.

My domain is:
lalint.com.br

I ran this command:
2019-03-26 11:00:37,913:DEBUG:certbot.main:Arguments: ['--webroot', '-w', '/mnt/nfs/stores/static/34015/', '-d', 'www.lalint.com.br,lalint.com.br', '--email', 'suporte@dlojavirtual.com', '--agree-tos', '--no-eff-email', '--manual-public-ip-logging-ok', '--deploy-hook', '/etc/letsencrypt/renewal-hooks/deploy/deploy.sh', '--noninteractive']

It produced this output:
FailedChallenges: Failed authorization procedure. www.lalint.com.br (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: dns :: DNS problem: SERVFAIL looking up A for www.lalint.com.br

My web server is (include version):
Apache 2.4

The operating system my web server runs on is (include version):
Centos 7

My hosting provider, if applicable, is:
NA

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
NA

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.25.1


#2

Hi @afagund

there are some nameserver problems ( https://check-your-website.server-daten.de/?q=lalint.com.br ):

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| lalint.com.br | A | 177.70.11.161 | yes | 1 | 0 |
| | AAAA | | yes | | |
| www.lalint.com.br | | Server failure | yes | 3 | 0 |
| | C | app.simplo7.net | yes | 3 | 0 |
| | C | www.lalint.com.br | yes | 3 | 0 |
| | A | 177.70.11.161 | yes | | |

www.lalint.com.br has a Server failure. But you want a certificate with the www-version, that can’t work.

And your nameservers have timeouts:

| Domain | Nameserver | NS-IP |
|---|---|---|
| lalint.com.br | U ns1.dominios.uol.com.br / a1-zordon2 | 200.98.199.199 |
| | U ns2.dominios.uol.com.br | 200.221.65.6 |
| | • ns3.dominios.uol.com.br / ns3.dominios.uol.com.br | 200.98.199.204 • |

The “U” is bad:

X Fatal error: Nameserver isn’t defined or has timeout
X Fatal error: Nameserver doesn’t support TCP connection: ns1.alojasegura.com.br: Timeout
X Fatal error: Nameserver doesn’t support TCP connection: ns1.dominios.uol.com.br / 200.98.199.199: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - No connection could be made because the target machine actively refused it 200.98.199.199:53
X Fatal error: Nameserver doesn’t support TCP connection: ns2.dominios.uol.com.br / 200.221.65.6: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - No connection could be made because the target machine actively refused it 200.221.65.6:53
A Good: Nameserver supports Echo Capitalization: 3 good Nameserver
X Fatal error: Nameserver doesn’t support EDNS with max. 512 Byte Udp payload or sends more then 512 Bytes: ns1.dominios.uol.com.br
X Fatal error: Nameserver doesn’t support EDNS with max. 512 Byte Udp payload or sends more then 512 Bytes: ns2.dominios.uol.com.br
X Fatal error: Nameserver doesn’t support EDNS with max. 512 Byte Udp payload or sends more then 512 Bytes: ns3.dominios.uol.com.br

Is it possible that you create an A record for www.lalint.com.br instead of that CNAME, with the (effectively) same IP address?


#3

JuergenAuer, thanks! That helps!

I believe this is the issue. Have a look below. There are 2 CNAMEs for www.lalint.com.br.

set q=CNAME
www.lalint.com.br
Server: ns1.dominios.uol.com.br
Address: 200.98.199.199#53

www.lalint.com.br canonical name = app.simplo7.net.
www.lalint.com.br canonical name = www.lalint.com.br.


#4

Yep, that’s curious.

Remove these entries and add a simple

www.lalint.com.br - A - 177.70.11.161

record.
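An added example (not code from this thread or from Certbot): a small zone sanity check that flags the condition found in post #3, two CNAME records at www.lalint.com.br with one pointing back at itself, and shows the plain A record suggested in post #4 passing. The record lines are constructed here in nslookup's output style rather than fetched from live DNS.

```python
from collections import defaultdict

# Constructed sample in the nslookup output style from post #3 (not live DNS data).
BROKEN_ZONE = """
lalint.com.br A 177.70.11.161
www.lalint.com.br canonical name = app.simplo7.net.
www.lalint.com.br canonical name = www.lalint.com.br.
"""
# The same names after the fix from post #4: one plain A record for www.
FIXED_ZONE = """
lalint.com.br A 177.70.11.161
www.lalint.com.br A 177.70.11.161
"""

def parse_records(text):
    """Turn 'owner canonical name = target.' or 'owner TYPE value' lines into (owner, type, value)."""
    records = []
    for line in text.strip().splitlines():
        if " canonical name = " in line:
            owner, target = line.split(" canonical name = ", 1)
            records.append((owner.rstrip(".").lower(), "CNAME", target.rstrip(".").lower()))
        else:
            owner, rtype, value = line.split()
            records.append((owner.rstrip(".").lower(), rtype.upper(), value))
    return records

def check_cnames(records):
    """Report CNAME misconfigurations that make resolvers answer SERVFAIL (RFC 1034: a
    CNAME owner holds exactly one CNAME and nothing else, and the chain must not loop)."""
    by_owner = defaultdict(list)
    for owner, rtype, value in records:
        by_owner[owner].append((rtype, value))
    problems = []
    for owner, rrs in by_owner.items():
        cnames = [v for t, v in rrs if t == "CNAME"]
        if len(cnames) > 1:
            problems.append(f"{owner}: {len(cnames)} CNAME records, only one allowed")
        if cnames and len(cnames) != len(rrs):
            problems.append(f"{owner}: CNAME mixed with other record types")
        # Depth-first walk over every CNAME target; any return to a visited name is a loop.
        stack, looped = [(owner, frozenset([owner]))], False
        while stack and not looped:
            name, path = stack.pop()
            for target in (v for t, v in by_owner.get(name, []) if t == "CNAME"):
                if target in path:
                    problems.append(f"{owner}: CNAME loop through {target}")
                    looped = True
                    break
                stack.append((target, path | {target}))
    return problems
```

Running `check_cnames(parse_records(BROKEN_ZONE))` reports the duplicate CNAME and the self-loop, while the fixed zone returns an empty list.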