Hi guys,
I have faced the issue "Failed authorization procedure. DNS problem: query timed out looking up CAA". I did look up in the forum & found some similar threads, but they didn't deliver complete solutions.
My problem is when I was running: sudo letsencrypt --apache -d www.hqwealth.com.au -d hqwealth.com.au -d hqwealth.aces.dover.com.au
After a bit, it returned
Failed authorization procedure. www.hqwealth.com.au (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: query timed out looking up CAA for www.hqwealth.com.au
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: www.hqwealth.com.au
Type: connection
Detail: DNS problem: query timed out looking up CAA for
www.hqwealth.com.au
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
I did run that command for many sites connecting to our sub-sites & succeeded; then I faced this issue with about 5 sites which have different domain providers.
Someone said that this issue is related to the domain providers since they don't respond properly, but there are no complete solutions to follow yet. Would you like to help me on this? Many thanks!
Your title and the start of your text suggest you have one issue, but the error text you reproduced is related to a quite different issue. Is it the case that you’ve tried to guess what is wrong, or do you have error text related to the problem mentioned in the title?
Hi @tialaramex, I have modified the log of errors as above; there are a couple of failures related to other domains, and I pasted the wrong case. The hqwealth.com.au above is the one with the CAA problem. Thank you
I see. Unfortunately there is no easy answer for you with the CAA timeout. Your DNS server is responsible for correctly answering this type of query, if the server is some software you have purchased then you should ask the vendor for a fix or else consider replacing it. If your DNS is provided as a service by another supplier you would need to tell them it’s faulty, that it must be modified to correctly answer CAA queries, not doing so is forbidden. Hopefully the supplier can rectify the problem quickly, especially if they have other similar customers complaining about this.
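As an added illustration of the check tialaramex describes (not code from this thread, from Let's Encrypt, or from any DNS provider), the following standard-library Python script sends a raw CAA (type 257) query to a nameserver and classifies the reply. The domain, the server address and the embedded sample replies are constructed for this example. A compliant authoritative server answers a CAA query for a name that has no CAA records with NOERROR and zero answers; a timeout, SERVFAIL or REFUSED is what produces the "query timed out looking up CAA" failure above, and any name in the chain (including CNAME targets and parent domains, which the CA also checks) can trigger it.

```python
"""Probe a nameserver for CAA support. Added example, not code from the thread."""
import socket
import struct
import sys

TYPE_CAA = 257   # RR type number for CAA (RFC 6844 / RFC 8659)
CLASS_IN = 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_caa_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard query, recursion desired, one question: <name> CAA IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_CAA, CLASS_IN)


def _read_name(data: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:            # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(data: bytes):
    """Return (rcode name, [(flags, tag, value), ...]) for CAA records in the answer."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    offset = 12
    for _ in range(qd):                      # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4
    records = []
    for _ in range(an):
        _, offset = _read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_CAA:                # RDATA: flags(1) tag_len(1) tag value
            tag_len = rdata[1]
            records.append((rdata[0], rdata[2:2 + tag_len].decode("ascii"),
                            rdata[2 + tag_len:].decode("ascii")))
    return rcode, records


def check_caa(name: str, server: str, timeout: float = 5.0) -> str:
    """Live probe: 'timeout' if the server never answers, else rcode plus records."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_caa_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "timeout"
    finally:
        sock.close()
    rcode, records = parse_response(data)
    return "%s %s" % (rcode, records)


def sample_response(rcode: int, with_record: bool) -> bytes:
    """Constructed reply for offline testing: example.com, optionally one CAA record."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, int(with_record), 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", TYPE_CAA, CLASS_IN)
    answer = b""
    if with_record:
        rdata = b"\x00" + bytes([len(b"issue")]) + b"issue" + b"letsencrypt.org"
        answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_CAA, CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    # usage: python caa_probe.py <domain> <nameserver-ip>   (both are user-supplied)
    print(check_caa(sys.argv[1], sys.argv[2]))
```

Run it against each authoritative nameserver listed in the domain's NS records rather than against a recursive resolver: a cached answer from a resolver can mask a broken authoritative server, which is the case the CA actually hits. A result of "timeout" or "SERVFAIL" for the apex, for www, or for a parent zone is the evidence to hand to the DNS provider.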
@huuvan20 At this point, your best option is to switch from NetRegistry/EzyReg to a DNS provider that doesn’t take years to solve simple, critical standards compliance issues.
Your other option is to find a CA that is more lenient with CAA DNS errors. (Or more lucky with NetRegistry.)
You don’t have to change hosting companies, or domain registrars (unless they don’t allow you control over which DNS provider is used), just DNS providers.
@tialaramex @mnordhoff I'm trying to contact the DNS provider, NetRegistry, to check if they could fix the response time issue. Changing the DNS provider is also being considered. Thank you very much!