Failed to request certificate

My domain is: t852.com

I ran this command: Request Certificate In domain bazaar.autos

It produced this output:
Requesting a certificate for bazaar.autos, www.bazaar.autos, autoconfig.bazaar.autos, autodiscover.bazaar.autos from Let’s Encrypt …
… request failed : Web-based validation failed : Failed to request certificate :
Traceback (most recent call last):
File “/usr/libexec/webmin/webmin/acme_tiny.py”, line 250, in
main(sys.argv[1:])
File “/usr/libexec/webmin/webmin/acme_tiny.py”, line 246, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
File “/usr/libexec/webmin/webmin/acme_tiny.py”, line 107, in get_crt
“agreement”: “https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf”,
File “/usr/libexec/webmin/webmin/acme_tiny.py”, line 63, in _send_signed_request
protected[“nonce”] = urlopen(CA + “/directory”).headers[‘Replay-Nonce’]
File “/usr/lib64/python2.7/urllib2.py”, line 154, in urlopen
return opener.open(url, data, timeout)
File “/usr/lib64/python2.7/urllib2.py”, line 431, in open
response = self._open(req, data)
File “/usr/lib64/python2.7/urllib2.py”, line 449, in _open
‘_open’, req)
File “/usr/lib64/python2.7/urllib2.py”, line 409, in _call_chain
result = func(*args)
File “/usr/lib64/python2.7/urllib2.py”, line 1258, in https_open
context=self._context, check_hostname=self._check_hostname)
File “/usr/lib64/python2.7/urllib2.py”, line 1214, in do_open
raise URLError(err)
urllib2.URLError: <urlopen error [Errno -2] Name or service not known>
DNS-based validation failed : Failed to request certificate :
Traceback (most recent call last):
File “/usr/libexec/webmin/webmin/acme_tiny.py”, line 250, in
main(sys.argv[1:])
File “/usr/libexec/webmin/webmin/acme_tiny.py”, line 246, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
File “/usr/libexec/webmin/webmin/acme_tiny.py”, line 107, in get_crt
“agreement”: “https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf”,
File “/usr/libexec/webmin/webmin/acme_tiny.py”, line 63, in _send_signed_request
protected[“nonce”] = urlopen(CA + “/directory”).headers[‘Replay-Nonce’]
File “/usr/lib64/python2.7/urllib2.py”, line 154, in urlopen
return opener.open(url, data, timeout)
File “/usr/lib64/python2.7/urllib2.py”, line 431, in open
response = self._open(req, data)
File “/usr/lib64/python2.7/urllib2.py”, line 449, in _open
‘_open’, req)
File “/usr/lib64/python2.7/urllib2.py”, line 409, in _call_chain
result = func(*args)
File “/usr/lib64/python2.7/urllib2.py”, line 1258, in https_open
context=self._context, check_hostname=self._check_hostname)
File “/usr/lib64/python2.7/urllib2.py”, line 1214, in do_open
raise URLError(err)
urllib2.URLError: <urlopen error [Errno -2] Name or service not known>

My web server and operating system
webmin/virtualmin on VPS server.
System Information
Operating system CentOS Linux 7.6.1810
Webmin version 1.900 Usermin version 1.751
Virtualmin version 6.06
Kernel and CPU Linux 3.10.0-957.10.1.el7.x86_64 on x86_64
Processor information Intel® Xeon® CPU E5-2620 v2 @ 2.10GHz,
6 cores
Real memory 3.03 GB used / 15.15 GB total
Local disk space 35.65 GB used / 259.50 GB free / 295.15 GB total

My hosting provider: Contabo

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): webmin/virtualmin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

I use, 15 months, webmin on VPS server.
All went fine, but I have problem the last 20 days with let’s encrypt.
I can’t install new ssl and stop renewed ssl my domains

Hi @vpanos,

Your server can’t connect to the Let’s Encrypt service. Is there some reason that outgoing connections from your server would be blocked or restricted, or that your server can’t perform DNS lookups?

1 Like

Thank you for answer.

Before 15 months I had setup server step by step and all working fine.

I have problem the last 20 days. After auto update software, in webmin, the webmin stop. I make Restart this and I install a new ssl but after this I can’t install ssl.

I check dns and I have 10 problem

t852.com Domain Health

BIND DNS Server

Name Server Records
In t852.com

Address Records
In t852.com

DNS Records
In domain t852.com

DNS Records
In domain bazaar.autos

In this case, I’m referring to DNS queries made by your server rather than about your server. Your server itself doesn’t seem to be able to make a DNS query to find the Let’s Encrypt service.

Can you help me I solve it?

Can you give me directions?

You could start by trying to run curl https://acme-v02.api.letsencrypt.org/directory and
curl https://example.com/ on your server and see if those commands can find those servers.

                                 % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:02 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:03 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:04 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:05 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:06 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:07 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:08 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:09 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:10 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:11 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:12 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:13 --:--:-- 0curl: (6) Could not resolve host: acme-v02.api.letsencrypt.org; Unknown error
[root@www ~]# curl https://example.com/
  % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 1270 100 1270 0 0 1148 0 0:00:01 0:00:01 --:--:-- 1149
<!doctype html>
<html>
<head>
<title>Example Domain</title>
<meta charset="utf-8" />
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<style type="text/css">
body {
background-color: #f0f0f2;
margin: 0;
padding: 0;
font-family: "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
}
div {
width: 600px;
margin: 5em auto;
padding: 50px;
background-color: #fff;
border-radius: 1em;
}
color: #38488f;
text-decoration: none;
}
@media (max-width: 700px) {
body {
background-color: #fff;
}
div {
width: auto;
margin: 0 auto;
border-radius: 0;
padding: 1em;
}
}
</style> </head>
<body>
<div>
<h1>Example Domain</h1>
<p>This domain is established to be used for illustrative examples in documents. You may use this
domain in examples without prior coordination or asking for permission.</p>
<p><a href="http://www.iana.org/domains/example">More information...</a></p>
</div>
</body>
</html>

Hmmm, that’s pretty strange, because your server can locate one site but not the other.

@cpu, do you have any idea what could cause this discrepancy? Is it something that we ought to investigate with Akamai?

@vpanos, is there any reason to believe that Contabo would block some connections here? Could you ask their support if they can think of a reason that this is happening?

Answer from Contabo

Contabo Support Team

The issue provided is related to the DNS settings. It seems to be the case that the key in the DNS zone is missing. Since you are not using our name server, you need to get in touch with the administrator of the nameserver:

ns1.t852.com

t852.com

Contabo Support Team

Unfortunately, we need to inform you that we cannot offer support for any self-created name servers, so we cannot tell why “ns2.t852.com” is not working anymore.

The error message however is the following one:

Primary Name Server Not Listed At Parent

I don’t think that you asked Contabo the right question, or else that they didn’t understand the question properly. The relevant question isn’t about the t852.com DNS zone, but about the ability of your Contabo-hosted server to perform DNS lookups.

My question was for ns2.t852.com

I ask now about the ability of my Contabo-hosted server to perform DNS lookups

Hi,

The server has command # dig but I can install everything. I have full access to the server.

I don’t, sorry. I’m afraid I’m out of office today and have no access to our CDN data/support anyway. You’ll have to tag an SRE team member.

Can you try dig acme-v02.api.letsencrypt.org and also cat /etc/resolv.conf?

[root@www ~]# dig acme-v02.api.letsencrypt.org


; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> acme-v02.api.letsencrypt.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40439
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;acme-v02.api.letsencrypt.org.	IN	A
;; Query time: 518 msec
;; SERVER: 173.249.25.72#53(173.249.25.72)
;; WHEN: Fri May 03 19:02:31 CEST 2019
;; MSG SIZE rcvd: 57

[root@www ~]# cat /etc/resolv.conf

Generated by NetworkManager

search t852.com
nameserver 127.0.0.1
nameserver 173.249.25.72
nameserver 173.212.244.22

NOTE: the libc resolver may not support more than 3 nameservers.

The nameservers listed below may not be recognized.

nameserver 2a02:c207::1:53

Interesting, maybe try these?

dig acme-v02.api.letsencrypt.org @127.0.0.1
dig acme-v02.api.letsencrypt.org @173.249.25.72 
dig acme-v02.api.letsencrypt.org @173.212.244.22
dig acme-v02.api.letsencrypt.org @2a02:c207::1:53 
[root@www ~]# dig acme-v02.api.letsencrypt.org @127.0.0.1

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> acme-v02.api.letsencrypt.org @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28999
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;acme-v02.api.letsencrypt.org.	IN	A
;; Query time: 1537 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri May 03 22:07:36 CEST 2019
;; MSG SIZE rcvd: 57
[root@www ~]# dig acme-v02.api.letsencrypt.org @173.249.25.72

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> acme-v02.api.letsencrypt.org @173.249.25.72
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4522
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;acme-v02.api.letsencrypt.org.	IN	A
;; Query time: 33 msec
;; SERVER: 173.249.25.72#53(173.249.25.72)
;; WHEN: Fri May 03 22:08:13 CEST 2019
;; MSG SIZE rcvd: 57
[root@www ~]# dig acme-v02.api.letsencrypt.org @173.212.244.22

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> acme-v02.api.letsencrypt.org @173.212.244.22
;; global options: +cmd
;; connection timed out; no servers could be reached
[root@www ~]# dig acme-v02.api.letsencrypt.org @2a02:c207::1:53

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> acme-v02.api.letsencrypt.org @2a02:c207::1:53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14880
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;acme-v02.api.letsencrypt.org.	IN	A
;; ANSWER SECTION:
acme-v02.api.letsencrypt.org. 4159 IN	CNAME	api.letsencrypt.org-ng.edgekey.net.
api.letsencrypt.org-ng.edgekey.net. 4297 IN CNAME e14990.dscx.akamaiedge.net.
e14990.dscx.akamaiedge.net. 3	IN	A	104.108.57.230
;; Query time: 2 msec
;; SERVER: 2a02:c207::1:53#53(2a02:c207::1:53)
;; WHEN: Fri May 03 22:08:55 CEST 2019
;; MSG SIZE rcvd: 158

Thanks for trying that. It looks like some of the nameservers that Contabo is providing your server with may not be working properly. Could you show the output of these cat and dig commands to their support and ask them whether they see a problem here with their infrastructure or settings? (It looks to me like there probably is a problem on Contabo’s end.)

Thank you.

I will contact with Contabo support

Thank you again

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.