Hey guys, I can't create new certificates or update old certs.

It worked well before, but today I found that it always tells me the query timed out.

My domain is mobicola.com www.mobicola.com

When I use third-party tools to check it, it always works well, but I can't use the shell to run the letsencrypt command to update or create a new certificate.

thx

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

I ran this command:

certbot certonly --standalone -d mobicola.com -d www.mobicola.com

It produced this output:

Failed authorization procedure. mobicola.com (http-01): urn:ietf:params:acme:error:dns :: DNS problem: query timed out looking up A for mobicola.com, www.mobicola.com (http-01): urn:ietf:params:acme:error:dns :: DNS problem: query timed out looking up A for www.mobicola.com

IMPORTANT NOTES:

My web server is (include version): Vultr

The operating system my web server runs on is (include version): CentOS-7.4

My hosting provider, if applicable, is: Vultr

I can login to a root shell on my machine (yes or no, or I don't know): Yes, I'm admin.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No control panel, I just use the shell to run letsencrypt commands.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot --version
certbot 0.31.0

Hi @winner621

There is an older check of your domain, ~2 months old: https://check-your-website.server-daten.de/?q=mobicola.com

A lot of name server problems.

Rechecked your domain: terribly slow, no TCP support from your own name servers ns1.mobicola.com, ns2.mobicola.com.

Authoritative name servers must support TCP connections.

Same with Unboundtest - https://unboundtest.com/m/A/mobicola.com/KORWRTRT

Capsforid: timeouts, starting fallback

So first step: Update your name server configuration.


I can’t reproduce an issue with A queries, but for me, your nameservers do not respond to AAAA queries. It seems they have severe problems of some kind.

Edit: This is unrelated, but they also respond improperly to queries with cookies.

thx bud, I’ll try again later


Hopefully after you get your DNS servers up to par.
See:
https://dnsspy.io/scan/mobicola.com
https://ednscomp.isc.org/ednscomp/bf6f049a42

Hi bro, yesterday you told me that the authoritative server must support TCP requests, and today I added the code to support DNS over TCP, but I still get the same error as yesterday. Could you please check it again for me? Or, I'm not sure, maybe the authoritative DNS server needs to support AAAA record queries or some other necessary configuration? I looked at RFC 7766 and RFC 1035 but didn't find the details, except that the TCP message must be prefixed with 2 bytes giving the message's length (not counting these 2 bytes), and I have done that.

Thank you so much.

Use the online tools to check your configuration.

A DNS server with only IPv4 is OK. But if your DNS server has AAAA records, these should work.

So

  • fix your IPv6 (or)
  • remove the IPv6, so your name server has only an IPv4 address

Can I ask why you're implementing your own authoritative nameserver? As you know, it's not easy. And there are a number of good ones already.

A couple of other things:

1: https://dnsviz.net/d/mobicola.com/dnssec/

2: Let’s Encrypt’s resolvers use draft-vixie-dnsext-dns0x20-00. As DNSViz mentions, your server does not entirely support this: The query name in your responses is always lowercase, instead of copying the case from the query. Using lowercase is standards compliant, since the only document saying otherwise is an expired Internet Draft from 2008, but doing what Let’s Encrypt wants will make resolution work more reliably with them. (And with other resolvers that do the same thing.)

(Note: The case of the names in the record sets in the response doesn’t matter, just the question section.)

3:

You can’t just drop legitimate queries. You don’t need to implement specific handling for each of the ~65,000 record types. (I mean, a few of them are special, but the rest aren’t.) You just have to return nodata or NXDOMAIN as appropriate.

As a consequence, resolvers use packet loss to signal that an authoritative nameserver has bugs related to cookies, or other EDNS handling, or is just down, and they will downgrade the features they use to talk to it, and eventually stop trying at all for a while, making all of your stuff down from the perspective of that resolver.
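The requirements raised across the replies above (copy the question section unchanged so 0x20 mixed-case names come back as sent, answer NODATA or NXDOMAIN instead of dropping queries for types such as AAAA that you do not serve, answer EDNS queries with an OPT record, and frame TCP messages with the 2-byte length prefix from RFC 7766 / RFC 1035 4.2.2) are easier to see in code than in prose. The following is an added example written for this page, not the original poster's server and not code from the Let's Encrypt project. The zone contents (example.com / 192.0.2.x / 2001:db8::) are constructed test data; `make_query` is a hypothetical helper that builds the kind of query a resolver would send.

```python
"""Minimal authoritative responder showing the behaviours discussed in the thread.
Constructed example, not the poster's code: zone data and helper names are assumptions.
"""
import socket
import struct

TYPE_A, TYPE_AAAA, TYPE_OPT = 1, 28, 41
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
# Constructed zone: lowercase owner name -> list of (rrtype, rdata bytes)
ZONE = {
    "example.com": [(TYPE_A, socket.inet_aton("192.0.2.10"))],
    "www.example.com": [(TYPE_A, socket.inet_aton("192.0.2.11")),
                        (TYPE_AAAA, socket.inet_pton(socket.AF_INET6, "2001:db8::11"))],
}

def read_name(msg, off):
    """Parse a wire-format name at `off` (RFC 1035 4.1.4 compression pointers included).
    Returns (labels, offset just after the name as it appears at `off`)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return labels, (end if jumped else off)

def build_response(query):
    """Build the wire response for one query message (bytes). Never returns None:
    every syntactically valid query gets an answer, NODATA or NXDOMAIN."""
    qid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", query[:12])
    assert qdcount == 1
    labels, qend = read_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[qend:qend + 4])
    question = query[12:qend + 4]                      # copied verbatim: 0x20 case survives
    # Walk the remaining sections only to see whether the client sent an OPT (EDNS) record.
    off, wants_edns = qend + 4, False
    for _ in range(ancount + nscount + arcount):
        _, off = read_name(query, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        off += 10 + rdlen
        wants_edns = wants_edns or rtype == TYPE_OPT
    rrs = ZONE.get(".".join(labels).lower())          # lookup is case-insensitive
    answers, n_ans, rcode = b"", 0, RCODE_NOERROR
    if rrs is None:
        rcode = RCODE_NXDOMAIN                         # name does not exist at all
    else:
        for rtype, rdata in rrs:                       # no match -> NOERROR, 0 answers (NODATA)
            if rtype == qtype:
                answers += b"\xc0\x0c" + struct.pack("!HHIH", qtype, qclass, 300, len(rdata)) + rdata
                n_ans += 1
    additional = b""
    if wants_edns:                                     # RFC 6891: EDNS query gets an OPT back
        additional = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, 0)
    rflags = 0x8400 | (flags & 0x0100) | rcode         # QR=1, AA=1, echo RD, set RCODE
    header = struct.pack("!HHHHHH", qid, rflags, 1, n_ans, 0, 1 if wants_edns else 0)
    return header + question + answers + additional

def tcp_frame(msg):
    """DNS over TCP: 2-byte big-endian length (excluding itself), then the message."""
    return struct.pack("!H", len(msg)) + msg

def tcp_unframe(stream):
    """Split a TCP byte stream into complete messages; returns (messages, leftover bytes)."""
    msgs = []
    while len(stream) >= 2:
        n = struct.unpack("!H", stream[:2])[0]
        if len(stream) < 2 + n:                        # partial message, wait for more data
            break
        msgs.append(stream[2:2 + n])
        stream = stream[2 + n:]
    return msgs, stream

def make_query(name, qtype, qid=0x1234, edns=False):
    """Hypothetical helper: build a resolver-style query (RD set, optional OPT record)."""
    wire = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    for label in name.split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    wire += b"\x00" + struct.pack("!HH", qtype, 1)
    if edns:
        wire += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return wire

def rcode_of(resp):
    return struct.unpack("!H", resp[2:4])[0] & 0xF

def ancount_of(resp):
    return struct.unpack("!H", resp[6:8])[0]

if __name__ == "__main__":
    q = make_query("wWw.ExAmPlE.cOm", TYPE_AAAA, edns=True)
    r = build_response(q)
    print(tcp_frame(r).hex())
```

Two things a real server adds that this sketch leaves out: the SOA record in the authority section of NXDOMAIN and NODATA answers (needed for negative caching), and a TCP loop that keeps reading until `tcp_unframe` has a whole message, since a resolver may send several queries on one connection.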

Yes, our business needs to reply with different responses to different areas. For example, in the EU, for one domain we have 20~30+ IP addresses, and we need to reply with the corresponding IP address for different countries like Germany or France.

Other nameservers – and proprietary hosted DNS services – have geolocation features, though.

We have many indexes to check the final target clients, like country, IP, client version, language, street, ISP line; we are unwilling to do this by ourselves too.
