Getssl: "DNS problem: query timed out looking up A for stokkie.net"

Unfortunately, I can't "see" what you "see":

dig +tcp +norecurse stokkie.net @ns1.stokkie.net
;; communications error to 84.87.53.162#53: connection reset

dig +tcp +norecurse stokkie.net @ns2.stokkie.net
; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> +tcp +norecurse stokkie.net @ns2.stokkie.net
;; global options: +cmd
;; connection timed out; no servers could be reached

dig +tcp +norecurse stokkie.net @84.87.53.162
;; communications error to 84.87.53.162#53: end of file
;; communications error to 84.87.53.162#53: end of file

dig +tcp +norecurse stokkie.net @92.67.169.193
; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> +tcp +norecurse stokkie.net @92.67.169.193
;; global options: +cmd
;; connection timed out; no servers could be reached
3 Likes

I see this

$ nslookup
> stokkie.net
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   stokkie.net
Address: 84.87.53.162
> set q=soa
> stokkie.net
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
stokkie.net
        origin = ns1.stokkie.net
        mail addr = hostmaster.stokkie.net
        serial = 2022091301
        refresh = 43200
        retry = 3600
        expire = 1814400
        minimum = 86400

Authoritative answers can be found from:
> server ns1.stokkie.net
Default server: ns1.stokkie.net
Address: 84.87.53.162#53
> stokkie.net
;; connection timed out; no servers could be reached
>

And https://dnsspy.io/scan/stokkie.net

1 Like

@Bruce5051, set server to ns1.stokkie.net & then to ns2.stokkie.net

nslookup
server ns1.stokkie.net
stokkie.net
server ns2.stokkie.net
stokkie.net

2 Likes

dig +tcp +norecurse stokkie.net @92.67.169.193 should work.
If this command is blocked, then it's blocked by a third party upstream,
as the ISP KPN has unblocked it today. Access to 84.87.53.162
TCP port 53 is pending.

$ nslookup
> stokkie.net
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   stokkie.net
Address: 84.87.53.162
> server ns1.stokkie.net
Default server: ns1.stokkie.net
Address: 84.87.53.162#53
> stokkie.net
;; connection timed out; no servers could be reached
> server ns2.stokkie.net
Default server: ns2.stokkie.net
Address: 92.67.169.193#53
> stokkie.net
;; connection timed out; no servers could be reached
>

It should, but it doesn't:

dig +tcp +norecurse stokkie.net @92.67.169.193
; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> +tcp +norecurse stokkie.net @92.67.169.193
;; global options: +cmd
;; connection timed out; no servers could be reached
2 Likes

$ dig +tcp +norecurse stokkie.net @92.67.169.193

; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> +tcp +norecurse stokkie.net @92.67.169.193
;; global options: +cmd
;; connection timed out; no servers could be reached
1 Like

https://rdap.verisign.com/net/v1/domain/stokkie.net

https://rdap.networksolutions.com/rdap/domain/STOKKIE.NET

And from ICANN Lookup

1 Like

The 2 most likely WHOIS (after ICANN) for your domain.

https://www.networksolutions.com/domains/whois

1 Like

But this is what I saw for dig +tcp +norecurse stokkie.net @84.87.53.162

$ dig +tcp +norecurse stokkie.net @84.87.53.162
;; communications error to 84.87.53.162#53: end of file

;; communications error to 84.87.53.162#53: end of file

As did I:

2 Likes

Why are ns1.stokkie.net and ns2.stokkie.net name servers responding differently?
ns1.stokkie.net is the primary name server listed in the DNS SOA

Both are having their own set of trouble(s).
[causes yet unknown]

From my end, neither is reachable via UDP nor TCP.

SOA:
The Internet sees only authoritative servers, and treats them as equals.

nslookup -q=ns stokkie.net. a.gtld-servers.net.

stokkie.net     nameserver = ns1.stokkie.net
stokkie.net     nameserver = ns2.stokkie.net
ns1.stokkie.net internet address = 84.87.53.162
ns2.stokkie.net internet address = 92.67.169.193
3 Likes

Right, both are authoritative name servers and therefore should give the same responses.
But the SOA has the primary authoritative name server, so I typically start with the SOA's first and then find the remaining authoritative name servers from there.

And I see a slightly different response, the additional

Non-authoritative answer:
*** Can't find stokkie.net.: No answer

Authoritative answers can be found from:
$ nslookup -q=ns stokkie.net. a.gtld-servers.net.
Server:         a.gtld-servers.net.
Address:        192.5.6.30#53

Non-authoritative answer:
*** Can't find stokkie.net.: No answer

Authoritative answers can be found from:
stokkie.net     nameserver = ns1.stokkie.net.
stokkie.net     nameserver = ns2.stokkie.net.
ns1.stokkie.net internet address = 84.87.53.162
ns2.stokkie.net internet address = 92.67.169.193
$
$ nslookup -q=ns stokkie.net. ns1.stokkie.net.
;; connection timed out; no servers could be reached

$ nslookup -q=ns stokkie.net. ns2.stokkie.net.
;; connection timed out; no servers could be reached

1 Like

After some tests at Let's Debug, all
three methods of testing (HTTP-01, DNS-01 and TLS-ALPN-01)
resulted in the same error:

Test result for stokkie.net using tls-alpn-01
LetsEncryptStaging
DEBUG
Challenge update failures for stokkie.net in order https://acme-staging-v02.api.letsencrypt.org/acme/order/5751349/4803159424
acme: error code 400 "urn:ietf:params:acme:error:dns": DNS problem: SERVFAIL looking up A for stokkie.net - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for stokkie.net - the domain's nameservers may be malfunctioning

Looking on Google for the exact same error I found this thread:
Acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: SERVF .
According to the answer provided there, it seems to be the case that
DNSSEC was broken in the above example.

As I don't have DNSSEC, what are the exact DNS requirements of ACME for one's
DNS configuration? A special TXT record for the ACME server?

Here are my DNS and website details:

Let's Encrypt accesses the Authoritative Name Servers.
stokkie.net Authoritative Name Servers are not responding.

$ nslookup
> stokkie.net
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   stokkie.net
Address: 84.87.53.162
> set q=aaaa
> stokkie.net
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
*** Can't find stokkie.net: No answer
> set q=soa
> stokkie.net
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
stokkie.net
        origin = ns1.stokkie.net
        mail addr = hostmaster.stokkie.net
        serial = 2022091301
        refresh = 43200
        retry = 3600
        expire = 1814400
        minimum = 86400

Authoritative answers can be found from:
> set q=ns
> stokkie.net
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
stokkie.net     nameserver = ns2.stokkie.net.
stokkie.net     nameserver = ns1.stokkie.net.

Authoritative answers can be found from:
> server ns1.stokkie.net.
Default server: ns1.stokkie.net.
Address: 84.87.53.162#53
> stokkie.net
;; connection timed out; no servers could be reached

> set q=soa
> stokkie.net
;; connection timed out; no servers could be reached

> set q=a
> stokkie.net
;; connection timed out; no servers could be reached

> set q=aaaa
> stokkie.net
;; connection timed out; no servers could be reached

> server ns2.stokkie.net.
Default server: ns2.stokkie.net.
Address: 92.67.169.193#53
> stokkie.net
;; connection timed out; no servers could be reached

> set q=a
> stokkie.net
;; connection timed out; no servers could be reached

> set q=soa
> stokkie.net
;; connection timed out; no servers could be reached

> set q=ns
> stokkie.net
;; connection timed out; no servers could be reached

>
1 Like

~$ dig +tcp +norecurse stokkie.net @92.67.169.193

; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> +tcp +norecurse stokkie.net @92.67.169.193
;; global options: +cmd
;; connection timed out; no servers could be reached

$ dig +tcp +norecurse stokkie.net @84.87.53.162
;; communications error to 84.87.53.162#53: connection reset
1 Like

You need solid, working and accessible authoritative DNS name servers.
Currently this is the blocking issue.

Since these are Domain Validation (DV) certificates, the Domain Name System (DNS) is used extensively in the validation process, as well as allowing us to assist here on the Let's Encrypt community.
DNS queries need to give consistent results from any location on the Internet, and all your authoritative DNS servers for the domain need to give consistent results as well.

1 Like
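The checks the thread performs by hand (non-recursive A/SOA queries to each authoritative server over both UDP and TCP, then comparing what each returns, as in the "treats them as equals" post and the closing advice about consistent answers) can be scripted. The following is an added example, not code from the original thread, from getssl or from Let's Encrypt. It uses only the Python standard library: it builds a raw DNS query with RD cleared (the equivalent of `dig +norecurse`), parses the response header and answer section, and reports per-server transport failures, non-authoritative answers, and disagreements between servers. The embedded `SAMPLE_A_RESPONSE` is a constructed wire message standing in for what a healthy ns1 would return; the server IPs and domain are the ones from the thread, and the 3-second timeout and error labels are this example's own choices.

```python
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234, recurse=False):
    """Build a query; recurse=False leaves RD clear, like dig +norecurse."""
    flags = 0x0100 if recurse else 0x0000
    return (struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1))


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end if end is not None else offset


def parse_response(msg):
    """Return header bits and the answer section as (name, type, value) tuples."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    res = {"id": txid, "aa": bool(flags & 0x0400), "tc": bool(flags & 0x0200),
           "rcode": flags & 0xF, "answers": []}
    off = 12
    for _ in range(qd):                                # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            value = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype == 6:                               # SOA: MNAME RNAME SERIAL ...
            mname, o = decode_name(msg, off)
            rname, o = decode_name(msg, o)
            value = "%s %s serial=%d" % (mname, rname, struct.unpack("!I", msg[o:o + 4])[0])
        elif rtype == 2:
            value = decode_name(msg, off)[0]
        else:
            value = msg[off:off + rdlen].hex()
        res["answers"].append((name, rtype, value))
        off += rdlen
    return res


# Constructed sample (not captured from stokkie.net): an authoritative A answer
# with the owner name compressed as a pointer to the question, as servers do.
SAMPLE_A_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)
                     + encode_name("stokkie.net") + struct.pack("!HH", 1, 1)
                     + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4)
                     + bytes([84, 87, 53, 162]))


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("end of file")       # what dig reports as "end of file"
        buf += chunk
    return buf


def send_udp(server, packet, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        return s.recvfrom(4096)[0]


def send_tcp(server, packet, timeout=3.0):
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(packet)) + packet)  # TCP DNS is length-prefixed
        return _recv_exact(s, struct.unpack("!H", _recv_exact(s, 2))[0])


def probe(server, name, qtype):
    """Query one server over both transports; each value is a parsed response or an error label."""
    out = {}
    for transport, send in (("udp", send_udp), ("tcp", send_tcp)):
        try:
            out[transport] = parse_response(send(server, build_query(name, qtype)))
        except socket.timeout:
            out[transport] = "timed out"
        except OSError as e:                           # reset, refused, EOF, unreachable
            out[transport] = "error: %s" % (e.strerror or e)
    return out


def assess(results):
    """Findings per server/transport, then a consistency check across everything that answered."""
    findings, good = [], {}
    for server, outcome in results.items():
        for transport, r in outcome.items():
            if isinstance(r, str):
                findings.append("%s/%s: %s" % (server, transport, r))
            elif r["rcode"] != 0:
                findings.append("%s/%s: rcode %s" % (server, transport, RCODE.get(r["rcode"], r["rcode"])))
            elif not r["aa"]:
                findings.append("%s/%s: answer not authoritative (AA bit clear)" % (server, transport))
            else:
                good[(server, transport)] = tuple(sorted(r["answers"]))
    if len(set(good.values())) > 1:
        findings.append("inconsistent answers across responding servers: %s" % good)
    return findings


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "stokkie.net"
    servers = sys.argv[2:] or ["84.87.53.162", "92.67.169.193"]
    for line in assess({s: probe(s, name, "A") for s in servers}) or ["all servers answered consistently"]:
        print(line)
```

Run it as `python3 dnscheck.py stokkie.net 84.87.53.162 92.67.169.193` (the server list should come from the parent zone's NS records, as the `a.gtld-servers.net` lookup in the thread does, not from a resolver's cache). Against the servers in this thread every probe would land in the error branch, which is the same conclusion the posters reached with dig and nslookup; once the servers answer, the AA check and the cross-server comparison are what matter for the validator, since Let's Encrypt asks the authoritative servers directly and a non-authoritative or differing answer is treated as a failure.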