How can I get more detail when it shows "Error: The server could not connect to the client for DV"


#1

I always get this error after the auth with the ‘webroot’ method.

Failed authorization procedure. www.lovelyping.com (http-01): urn:acme:error:connection :: The server could not connect to the client for DV :: Server failure at resolver

IMPORTANT NOTES:
 - The following 'urn:acme:error:connection' errors were reported by
   the server:

   Domains: www.lovelyping.com
   Error: The server could not connect to the client for DV

and in the log

2015-12-08 00:42:04,038:INFO:letsencrypt.reporter:Reporting to user: The following 'urn:acme:error:connection' errors were reported by the server:

Domains: www.lovelyping.com
Error: The server could not connect to the client for DV

Is there any way I can get more details about why this error occurred? I didn’t find any valid information in the log.

I tried with another domain, which I had done before. I set its NS to my own BIND and captured the DNS packets while the letsencrypt client was running. I saw some DNS requests in which some of the characters of the domain were in lower-case and some in upper-case.

What if the nameserver responds to the requests with all letters converted to lowercase? Is this why I always get errors when the domain’s nameserver responds to all requests in lower-case letters?


#2

http://www.lovelyping.com doesn’t seem to run a webserver, are you trying standalone mode or…?


#3

Yes, webroot mode definitely requires that there’s an existing web server running on that machine!


#4

The detail part is at the end of the string, and sometimes easy to miss. Also, this message is not as clear as it could be, but indicates a DNS problem.

You mentioned that your DNS resolver returns all lowercase responses. We use unbound for DNS queries, which uses randomly mixed-case queries and expects the resolver it’s talking to to respond with the same case. This adds a few more bits of entropy to queries as protection against spoofing.

I’m afraid you’ll have to use a resolver that echoes the same case as the query.
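A small added example (not unbound’s or Let’s Encrypt’s code) of why a resolver that folds answers to lowercase fails the check described above: the query name gets 0x20-style case randomisation, and a response is accepted only if its question section echoes the name byte for byte. Both servers are constructed stand-ins; the domain is the one from this thread.

```python
import struct

def encode_0x20(name: str, bits: int) -> str:
    """0x20 case randomisation: each letter's case comes from one bit of `bits`."""
    out, i = [], 0
    for ch in name:
        if ch.isalpha():
            out.append(ch.upper() if (bits >> i) & 1 else ch.lower())
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def build_packet(txid: int, qname: str, qtype: int, flags: int) -> bytes:
    """Minimal RFC 1035 wire packet with one question and no records."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_question(pkt: bytes):
    """Return (txid, qname exactly as written on the wire, qtype)."""
    txid = struct.unpack("!H", pkt[:2])[0]
    pos, labels = 12, []
    while pkt[pos] != 0:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = struct.unpack("!H", pkt[pos + 1:pos + 3])[0]
    return txid, ".".join(labels), qtype

def faithful_server(query: bytes) -> bytes:
    """Constructed nameserver that echoes the question with its case intact (QR set)."""
    txid, qname, qtype = parse_question(query)
    return build_packet(txid, qname, qtype, 0x8180)

def lowercasing_server(query: bytes) -> bytes:
    """Constructed misbehaving nameserver: same as above but folds the name to lowercase."""
    txid, qname, qtype = parse_question(query)
    return build_packet(txid, qname.lower(), qtype, 0x8180)

def response_matches(query: bytes, response: bytes) -> bool:
    """A 0x20-aware resolver drops answers whose question differs in any byte, case included."""
    return parse_question(query) == parse_question(response)

def check_server(server, name="www.lovelyping.com", bits=0b1011010010110, txid=0x1234) -> bool:
    """Send one case-randomised A query to `server` and report whether its answer is accepted."""
    query = build_packet(txid, encode_0x20(name, bits), 1, 0x0100)  # RD set
    return response_matches(query, server(query))
```

With `bits=0` the query is all lowercase and even the lowercasing server passes, which is why such a resolver only fails once case randomisation is in play.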


#5

Should the nameserver respond to DNS requests with type CAA (257)?

I made some tests over these two days, but I found different results. The day before yesterday, I found that if the nameserver does not respond to CAA requests, it’s OK; I can still get the certificate.

But today I found that if the nameserver does not respond to CAA requests, I get a “timed out” error, and if the nameserver responds to CAA requests there’s no error, regardless of whether the nameserver preserves the case or not.

Is the auth method changing?

And does “Server failure at resolver” mean there’s an error in the nameserver?


#6

This is not required. We made a fix on Monday to the CAA-checking code, which may be triggering a higher incidence of DNS timeouts. I can take a look at the logs, thanks for reporting.