Freemyip.com - DNS problem: query timed out looking up CAA for name1.name2.freemyip.com

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: name1.name2.freemyip.com

I ran this command:

/usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

It produced this output:

# ./install-letsencrypt-cert.sh^C
root@meet:/usr/share/jitsi-meet/scripts# /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh 
-------------------------------------------------------------------------
This script will:
- Need a working DNS record pointing to this machine(for hostname )
- Install additional dependencies in order to request Let’s Encrypt certificate (acme.sh)
- Configure and reload nginx or apache2, whichever is used
- Configure the coturn server to use Let's Encrypt certificate and add required deploy hooks
- Configure renew of certificate

You need to agree to the ACME server's Subscriber Agreement (https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf) 
by providing an email address for important account notifications
Enter your email and press [ENTER]: 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1032    0  1032    0     0   6165      0 --:--:-- --:--:-- --:--:--  6179
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  220k  100  220k    0     0  1724k      0 --:--:-- --:--:-- --:--:-- 1737k
[Sat Oct 26 08:14:25 PM CEST 2024] Installing from online archive.
[Sat Oct 26 08:14:25 PM CEST 2024] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Sat Oct 26 08:14:26 PM CEST 2024] Extracting master.tar.gz
./acme.sh: 7869: shift: can't shift that many
[Sat Oct 26 08:14:27 PM CEST 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sat Oct 26 08:14:27 PM CEST 2024] Single domain='name1.name2.freemyip.com'
[Sat Oct 26 08:14:29 PM CEST 2024] Getting webroot for domain='name1.name2.freemyip.com'
[Sat Oct 26 08:14:30 PM CEST 2024] Verifying: name1.name2.freemyip.com
[Sat Oct 26 08:14:30 PM CEST 2024] Pending. The CA is processing your order, please wait. (1/30)
[Sat Oct 26 08:14:34 PM CEST 2024] Pending. The CA is processing your order, please wait. (2/30)
[Sat Oct 26 08:14:38 PM CEST 2024] Pending. The CA is processing your order, please wait. (3/30)
[Sat Oct 26 08:14:41 PM CEST 2024] Pending. The CA is processing your order, please wait. (4/30)
[Sat Oct 26 08:14:45 PM CEST 2024] Pending. The CA is processing your order, please wait. (5/30)
[Sat Oct 26 08:14:49 PM CEST 2024] Pending. The CA is processing your order, please wait. (6/30)
[Sat Oct 26 08:14:52 PM CEST 2024] name1.name2.freemyip.com: Invalid status. Verification error details: DNS problem: SERVFAIL looking up CAA for name1.name2.freemyip.com - the domain's nameservers may be malfunctioning
[Sat Oct 26 08:14:52 PM CEST 2024] Please add '--debug' or '--log' to see more information.
[Sat Oct 26 08:14:52 PM CEST 2024] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
Issuing the certificate from Let's Encrypt failed, continuing ...
You can retry later by executing:
/usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

My web server is (include version):

nginx 1.24.0-2ubuntu7.1

The operating system my web server runs on is (include version):

Ubuntu 24.04.1

My hosting provider, if applicable, is:

ionos

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 2.9.0

Yes, I changed the FQDN for name1.name2.freemyip.com.

The DNS is working; I got it resolved.

Why?
That just makes debugging harder.

Also, change name servers if possible.

4 Likes

Is name1.name2.freemyip.com the real name of the hostname you're trying to get a certificate for?

1 Like

The real domain is: meet.ukabel.freemyip.com

root@meet:/usr/share/jitsi-meet/scripts# ./install-letsencrypt-cert.sh 
-------------------------------------------------------------------------
This script will:
- Need a working DNS record pointing to this machine(for hostname )
- Install additional dependencies in order to request Let’s Encrypt certificate (acme.sh)
- Configure and reload nginx or apache2, whichever is used
- Configure the coturn server to use Let's Encrypt certificate and add required deploy hooks
- Configure renew of certificate

You need to agree to the ACME server's Subscriber Agreement (https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf) 
by providing an email address for important account notifications
Enter your email and press [ENTER]: 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1032    0  1032    0     0   2538      0 --:--:-- --:--:-- --:--:--  2535
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  220k  100  220k    0     0   790k      0 --:--:-- --:--:-- --:--:--  791k
[Sat Oct 26 09:14:55 PM CEST 2024] Installing from online archive.
[Sat Oct 26 09:14:55 PM CEST 2024] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Sat Oct 26 09:14:56 PM CEST 2024] Extracting master.tar.gz
./acme.sh: 7869: shift: can't shift that many
[Sat Oct 26 09:14:57 PM CEST 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sat Oct 26 09:14:57 PM CEST 2024] Single domain='meet.ukabel.freemyip.com'
[Sat Oct 26 09:14:59 PM CEST 2024] Getting webroot for domain='meet.ukabel.freemyip.com'
[Sat Oct 26 09:14:59 PM CEST 2024] Verifying: meet.ukabel.freemyip.com
[Sat Oct 26 09:15:00 PM CEST 2024] Pending. The CA is processing your order, please wait. (1/30)
[Sat Oct 26 09:15:04 PM CEST 2024] Pending. The CA is processing your order, please wait. (2/30)
[Sat Oct 26 09:15:07 PM CEST 2024] Pending. The CA is processing your order, please wait. (3/30)
[Sat Oct 26 09:15:13 PM CEST 2024] Pending. The CA is processing your order, please wait. (4/30)
[Sat Oct 26 09:15:16 PM CEST 2024] Pending. The CA is processing your order, please wait. (5/30)
[Sat Oct 26 09:15:20 PM CEST 2024] Pending. The CA is processing your order, please wait. (6/30)
[Sat Oct 26 09:15:24 PM CEST 2024] Pending. The CA is processing your order, please wait. (7/30)
[Sat Oct 26 09:15:27 PM CEST 2024] Pending. The CA is processing your order, please wait. (8/30)
[Sat Oct 26 09:15:31 PM CEST 2024] Pending. The CA is processing your order, please wait. (9/30)
[Sat Oct 26 09:15:35 PM CEST 2024] Pending. The CA is processing your order, please wait. (10/30)
[Sat Oct 26 09:15:38 PM CEST 2024] Pending. The CA is processing your order, please wait. (11/30)
[Sat Oct 26 09:15:42 PM CEST 2024] Pending. The CA is processing your order, please wait. (12/30)
[Sat Oct 26 09:15:46 PM CEST 2024] Pending. The CA is processing your order, please wait. (13/30)
[Sat Oct 26 09:15:49 PM CEST 2024] Pending. The CA is processing your order, please wait. (14/30)
[Sat Oct 26 09:15:53 PM CEST 2024] Pending. The CA is processing your order, please wait. (15/30)
[Sat Oct 26 09:15:57 PM CEST 2024] Pending. The CA is processing your order, please wait. (16/30)
[Sat Oct 26 09:16:00 PM CEST 2024] meet.ukabel.freemyip.com: Invalid status. Verification error details: DNS problem: query timed out looking up CAA for meet.ukabel.freemyip.com
[Sat Oct 26 09:16:00 PM CEST 2024] Please add '--debug' or '--log' to see more information.
[Sat Oct 26 09:16:00 PM CEST 2024] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
Issuing the certificate from Let's Encrypt failed, continuing ...
You can retry later by executing:
/usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

This is most likely some kind of DDoS protection or rate-limiting happening at your DNS provider. Let's Encrypt will send many DNS queries at the same time and some DNS providers slow or block such requests to not overload their system. Mind you, large (or fast) DNS providers don't have this problem.

The CAA queries by Let's Encrypt are especially vulnerable to such DNS server limitations. It must do this lookup to ensure you have not blocked issuance with a CAA record.

Other than using a different DNS provider, one possibility is to add a CAA record for meet.ukabel.freemyip.com which allows Let's Encrypt to issue. During CAA queries LE will see this record "first" and does not need to look further. This may avoid your DNS provider's limitation (if that is what is causing this problem).

See this for the format of a CAA record.

4 Likes
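To make the reply above concrete, here is an added example (not code from acme.sh, Let's Encrypt or FreeMyIP) that models the CAA lookup a CA performs before issuing: it walks from the FQDN toward the TLD and stops at the first CAA RRset it finds (RFC 8659, section 3). The in-memory zone data, the "dropped query" behaviour and the issuer name `letsencrypt.org` are constructed assumptions; CNAME following, `issuewild` and DNSSEC are deliberately left out. It shows why a CAA record at `meet.ukabel.freemyip.com` itself cuts the number of CAA queries that hit the provider's servers from three to one, and that a dropped query fails closed rather than being read as "no CAA".

```python
from dataclasses import dataclass, field


class DnsTimeout(Exception):
    """Simulated 'query timed out' / SERVFAIL from the authoritative server."""


@dataclass
class FakeResolver:
    """Constructed in-memory CAA data; not a real DNS client.

    zone maps a name to its CAA RRset as (flags, tag, value) tuples.
    A name that is absent or maps to [] answers NOERROR/NODATA (no CAA here).
    Names in `dropped` get no answer at all, like a server whose rate limiter
    is discarding the CA's queries.
    """
    zone: dict
    dropped: set = field(default_factory=set)
    queries: list = field(default_factory=list)

    def caa(self, name):
        self.queries.append(name)
        if name in self.dropped:
            raise DnsTimeout(name)
        return list(self.zone.get(name, []))


def relevant_caa_rrset(resolver, fqdn):
    """RFC 8659 section 3: walk from the FQDN toward the TLD and stop at the
    first non-empty CAA RRset. Returns (owner_name, rrset); (None, []) if none."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = resolver.caa(name)
        if rrset:
            return name, rrset
    return None, []


def caa_decision(resolver, fqdn, issuer="letsencrypt.org"):
    """Return 'issue', 'forbid' or 'dns-failure' for a non-wildcard name.

    Simplifications (assumptions of this example): no CNAME following,
    no issuewild handling, no DNSSEC; a lookup error fails closed, which is
    what the acme.sh output in this thread shows Let's Encrypt doing.
    """
    try:
        _, rrset = relevant_caa_rrset(resolver, fqdn)
    except DnsTimeout:
        return "dns-failure"
    issue_values = [value for _, tag, value in rrset if tag == "issue"]
    if not issue_values:
        return "issue"          # no CAA at all, or only e.g. iodef: unrestricted
    # an "issue" value is '<issuer-domain>[; parameters]'; an empty domain (";") means nobody
    permitted = {v.split(";", 1)[0].strip() for v in issue_values}
    return "issue" if issuer in permitted else "forbid"


FQDN = "meet.ukabel.freemyip.com"


def run_scenarios():
    """Four constructed situations mirroring the thread."""
    results = {}

    # 1. No CAA anywhere: every label up to the TLD gets asked. Three of the
    #    four queries land on the same provider's authoritative servers.
    r = FakeResolver(zone={})
    results["no_caa"] = (caa_decision(r, FQDN), r.queries)

    # 2. The provider drops the very first query (rate limiting): no issuance.
    r = FakeResolver(zone={}, dropped={FQDN})
    results["rate_limited"] = (caa_decision(r, FQDN), r.queries)

    # 3. CAA at the name itself permitting Let's Encrypt: the walk stops after
    #    one query, which is the mitigation suggested in the reply above.
    r = FakeResolver(zone={FQDN: [(0, "issue", "letsencrypt.org")]})
    results["leaf_caa"] = (caa_decision(r, FQDN), r.queries)

    # 4. A CAA at the parent naming a different (made-up) CA: issuance forbidden.
    r = FakeResolver(zone={"ukabel.freemyip.com": [(0, "issue", "example-ca.test")]})
    results["other_ca"] = (caa_decision(r, FQDN), r.queries)
    return results


if __name__ == "__main__":
    for label, (decision, queries) in run_scenarios().items():
        print(f"{label:13s} -> {decision:11s} after CAA queries for {queries}")
```

The practical check before adding the record is the same walk done by hand with `dig CAA` against each of `meet.ukabel.freemyip.com`, `ukabel.freemyip.com` and `freemyip.com`, repeated a few times in quick succession: if some answers go missing only under a burst, the authoritative server is rate limiting rather than simply misconfigured.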

Hi. Author of FreeMyIP here. Thanks for pointing this out. I was scratching my head as to why a few people wrote to me about this issue. This indeed looks to be one of my DoS protections misinterpreting this legitimate traffic as an attack. I will work on adjusting the timing of defences to make sure everybody can use the service without any issues. In the meantime, do you know if there is a specific pool of IP addresses that I can whitelist for now as a temporary fix?
Thanks.

4 Likes

Nope!

What IP addresses does Let’s Encrypt use to validate my web server?
Let’s Encrypt does not publish a list of IP addresses we use to validate, and these IP addresses may change at any time.

6 Likes

The problem with FreeMyIP is now fixed. I had to increase the limits in BIND's rate-limit {} to make it work. I assume something changed on the Let's Encrypt side recently, but I guess we will never really know.

Thanks to everybody who reported and helped to solve this!

2 Likes
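For anyone running their own BIND authoritative server behind a similar symptom, here is what the kind of change described above looks like. This is an added illustration, not the FreeMyIP configuration (the values actually used were not posted); the numbers are assumptions, and the option names are BIND 9's response rate limiting (RRL) options. The point worth knowing is that a CA asking for CAA records that do not exist receives NODATA answers (NOERROR with an empty answer section), and RRL counts those in the `nodata-per-second` bucket, which inherits its value from `responses-per-second` when not set explicitly.

```conf
options {
    // ... existing options ...
    rate-limit {
        // Identical responses to one client /24 (IPv4) or /56 (IPv6) share a
        // bucket; the CAA walk for meet.ukabel..., ukabel... and freemyip.com
        // from several CA vantage points is a short burst of NODATA answers.
        responses-per-second 25;   // assumption: raise from whatever was tripping
        nodata-per-second    25;   // defaults to responses-per-second; set explicitly
        errors-per-second    25;   // SERVFAIL/REFUSED answers, same idea
        window 5;                  // seconds over which the rate is averaged
        slip 2;                    // every 2nd dropped answer is sent truncated (TC=1),
                                   // so a well-behaved resolver retries over TCP instead
                                   // of just timing out
        // log-only yes;           // uncomment first: log what would be dropped to the
                                   // 'rate-limit' logging category without dropping it
    };
};
```

`exempt-clients` would be the obvious knob, but, as the reply above quotes from the Let's Encrypt documentation, there is no published address list to put in it, so the limits themselves have to leave room for the validation burst. Running with `log-only yes` for a day and grepping the `rate-limit` log category for CAA queries is the cheapest way to confirm the limiter is what is eating them before changing anything.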

The location and number of LE auth data centers changed in March this year. It is possible, even likely, these will change going forward.

There was also an EDNS buffer size change recently.

You might subscribe to the API Announcements section of this forum. That should keep you informed of structural changes.

4 Likes

I retried running: /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

Now it worked.

Thanks!

3 Likes
