[hubble:root]:(~)# getssl -a
Check all certificates
Registering account
Verify each domain
Verifying stokkie.net
copying challenge token to /home/klant/crashrecovery/www/.well-known/acme-challenge/9YTBUA4DoCuE8pl9MmNr6xYMp5Pp6cxiC3X1xOYbZAM
sending request to ACME server saying we're ready for challenge
checking if challenge is complete
Pending
checking if challenge is complete
Pending
checking if challenge is complete
Pending
checking if challenge is complete
Pending
checking if challenge is complete
Pending
checking if challenge is complete
getssl: stokkie.net:Verify error: "detail": "DNS problem: query timed out looking up A for stokkie.net; DNS problem: query timed out looking up AAAA for stokkie.net",
[hubble:root]:(~)#
Maybe the firewall of ns2 only has UDP 53 enabled and not TCP 53; will check tomorrow. Is letsencrypt/ACME requiring TCP 53 access to your nameservers?
I think that if the response is small enough it can use UDP, but many requests end up going over TCP. You might want to check out RFC 7766, which tries to make the case that "support for TCP is henceforth a REQUIRED part of a full DNS protocol implementation."
Even with that issue, though, in theory it should be able to get a response from the other DNS server, so there may be something else going on as well. Do either of your DNS servers have some sort of firewall that's trying to be "smart" and might be blocking the traffic? Let's Encrypt checks your system from multiple vantage points at once, which some firewalls interpret as an "attack" since it's several places at once all requesting the same thing. Or there might be a geographic or IP blocklist that's blocking the traffic.
$ nslookup
> server ns1.stokkie.net
Default server: ns1.stokkie.net
Address: 84.87.53.162#53
> stokkie.net
;; connection timed out; no servers could be reached
> set q=soa
> stokkie.net
;; connection timed out; no servers could be reached
> exit
$ nslookup
> server ns2.stokkie.net
Default server: ns2.stokkie.net
Address: 92.67.169.193#53
> stokkie.net
;; connection timed out; no servers could be reached
> set q=soa
> stokkie.net
;; connection timed out; no servers could be reached
>
nslookup stokkie.net 84.87.53.162
;; connection timed out; no servers could be reached
nslookup stokkie.net 92.67.169.193
;; connection timed out; no servers could be reached
You need more DNS servers.
You may also need a better defense for them / different O/S or version.
[you need to find the weakness and send it to the GYM - LOL]
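The UDP-versus-TCP point above can be checked directly. This is an added example (not the poster's nslookup session and not code from getssl) that sends a hand-built DNS query to a nameserver first over UDP and then over TCP with the RFC 7766 two-byte length prefix, and reports per transport whether it got an answer or timed out; a "timeout" on one transport but not the other points at a port-53 filter like the one suspected for ns2. The function names, the 3-second timeout and the fixed transaction id are my own choices; the addresses and domain are the ones from the thread.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query, RD set. qtype 1=A, 6=SOA, 28=AAAA (RFC 1035 values)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(resp):
    """Return (txid, rcode, ancount) from the 12-byte DNS response header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return txid, flags & 0x0F, an

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP stream closed before full DNS message arrived")
        buf += chunk
    return buf

def query_udp(server, name, qtype=1, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        return s.recv(4096)

def query_tcp(server, name, qtype=1, timeout=3.0):
    q = build_query(name, qtype)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)   # RFC 7766: two-byte length prefix on TCP
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)

def describe(resp, expected_txid=0x1234):
    txid, rcode, ancount = parse_header(resp)
    return "bad-txid" if txid != expected_txid else f"rcode={rcode} answers={ancount}"

def check_nameserver(server, name, qtype=1):
    """Probe one nameserver over UDP and TCP; 'timeout' on either mirrors the error above."""
    results = {}
    for transport, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            results[transport] = describe(fn(server, name, qtype))
        except OSError as e:   # socket.timeout is an OSError subclass
            results[transport] = "timeout" if isinstance(e, socket.timeout) else f"error: {e}"
    return results

for ns in ("84.87.53.162", "92.67.169.193"):   # ns1/ns2 addresses from the thread
    print(ns, check_nameserver(ns, "stokkie.net", 6))   # qtype 6 = SOA, as in the nslookup test
```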
Inside the options file getssl.cfg one can specify a PUBLIC_DNS_SERVER.
The public DNS servers of Google seem to work just fine for my domain.
So I use this inside .getssl/getssl.cfg:
PUBLIC_DNS_SERVER="8.8.4.4"
But somehow letsencrypt still fails with:
getssl: stokkie.net:Verify error: "detail": "DNS problem: query timed out looking up A for stokkie.net; DNS problem: query timed out looking up AAAA for stokkie.net",
That would only affect getssl. It does not affect the inbound requests to your server from the Let's Encrypt Servers.
The DNS problems noted earlier still seem a problem. The Let's Encrypt failure can also be repeated by the Let's Debug test site (see here for results).
I can use your DNS from various test servers. As noted by others already, your DNS is not responding consistently from all places.