HTTP challenge fails: Timeout during connect, DNS problem

Help
1

My domain is:

25.cctld.uz
cnt0.www.uz
www.uz
corp.uz

I ran this command:

certbot certonly

It produced this output:

and for other domains:

I ran this command:

certbot renew

It produced this output:

  • The following errors were reported by the server:
    Domain: cnt0.www.uz
    Type: dns
    Detail: DNS problem: query timed out looking up A for cnt0.www.uz
    (same for other domains)

My web server is (include version):
nginx/1.12.2

The operating system my web server runs on is (include version):
CentOS 7.7

My hosting provider, if applicable, is:

Uzinfocom/Uztelecom/Micros

I can login to a root shell on my machine.

I'm not using a control panel to manage my site.

The version of my client is:
certbot 0.37.2

I tested everything. Initially, when I got message of firewall problem, I tried to reproduce certbot behavior: put test html page to my webroot. In order to check url:
http://25.cctld.uz/.well-known/acme-challenge/ZlwxuvdITtWgpL5kaIH3JmGrQvUvJbBMdtrR5YL8Sp8
I put file using filesystem path with:
%DOCUMENTROOT%/.well-known/acme-challenge/ZlwxuvdITtWgpL5kaIH3JmGrQvUvJbBMdtrR5YL8Sp8
And tested it with curl. Link worked fine.
After receiving DNS problem, I tried to nslookup/dig my domains from foreign-hosted vps, all dns records are returned with no errors.
Symptoms are very similar to this topic:

but with different combination of ISP/TLD I still can use certbot to sign/renew certificates, even with same web server configuration.

2

Hi @Havsfrun

there is no problem visible - https://check-your-website.server-daten.de/?q=25.cctld.uz

Domainname Http-Status redirect Sec. G
http://25.cctld.uz/
91.212.89.42 302 https://25.cctld.uz/ Html is minified: 110,00 % 0.230 A
https://25.cctld.uz/
91.212.89.42 Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 0/0 200 Html is minified: 100,00 % 2.664 N
Certificate error: RemoteCertificateChainErrors
http://25.cctld.uz/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
91.212.89.42 Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 0/0 404 Html is minified: 109,46 % 0.224 A
Not Found
Visible Content: 404 Not Found nginx

Port 80 is open and answers.

Do you have a regional firewall?

Website Uptime Test: Check Website Status | Uptrends doesn't see a problem.

3

Thank you for your response.
Today I reached network administrators of our regional upstream ISP, they ensured me that there is no firewalls that block such kind of traffic on their side, their only advice was to double-check firewalls on my side.
But I am absolutely sure there is no any firewall problem, because it reproducing on any server with completely different OSes and different IPs on our subnet, even with disabled firewalls.
I do not know what to do, even stable working for 2 year services stopped receiving their cert updates, and problem is not traceable with externsl dns/http checkers.

4

upd.: I tried debugger, it returns interesting result:

https://letsdebug.net/corp.uz/66409?debug=y

despite of HTTPCheck section was able to resolve server’s IP, LetsEncryptStaging returns DNS problem.

5

Looks like the ns.uz name server has sometimes problems ( https://check-your-website.server-daten.de/?q=corp.uz ):

uz

A timeout checking

X Nameserver Timeout checking Echo Capitalization: ns.uz

May be a temporary problem because unboundtest

https://unboundtest.com/m/A/corp.uz/WJYYYKRZ

doesn't report an error. Letsdebug and Letsencrypt use internal unbound instances.

6

I’m back with results. Somehow new certificates are randomly getting signed. I’m still receiving timeout errors (Letsencrypt reporting error code 400), but after few retries most of domains are signed now.
Configurations of web servers and upstream network were not changed.

7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.