I need help, can't renew certificate!

Same error on all servers in my datacenter…

[root@SDDTIGLPI-37 ~]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/suporte.sema.ma.gov.br.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for suporte.sema.ma.gov.br
TLS-SNI-01 is deprecated, and will stop working soon.
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (suporte.sema.ma.gov.br) from /etc/letsencrypt/renewal/suporte.sema.ma.gov.br.conf produced an unexpected error: Failed authorization procedure. suporte.sema.ma.gov.br (tls-sni-01): urn:ietf:params:acme:error:dns :: DNS problem: query timed out looking up A for suporte.sema.ma.gov.br. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/suporte.sema.ma.gov.br/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/suporte.sema.ma.gov.br/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: suporte.sema.ma.gov.br
    Type: None
    Detail: DNS problem: query timed out looking up A for suporte.sema.ma.gov.br

I tested my NS1 and NS2 and they seem to be in compliance…
I’m in trouble, please help.

Hi,

Your domain is resolving correctly with public resolvers, but not on the authoritative nameservers.

Checking via DNSVIZ, Unbound test and dig shows errors.
http://dnsviz.net/d/suporte.sema.ma.gov.br/dnssec/
https://unboundtest.com/m/A/suporte.sema.ma.gov.br/WLCZNCPT

Mainly, NS2.sema.ma.gov.br is not responding to queries from my IP (and I believe that's what Let's Encrypt validation servers are experiencing now... although I'm not sure which NS was having issues when they were queried).

Thank you

After you fix the DNS problem, you will need to start addressing this coming one (real soon):

Hi @snetto

your nameservers are terrible. Copying the screenshot because the colors are not copied.

Your ns1.sema.ma.gov.br has no errors. But the ns2 doesn't support TCP, same with ns4.ma.gov.br, calhau.ma.gov.br and coqueiro.ma.gov.br.

Letsencrypt checks CAA entries. If your domain doesn't have a CAA entry, the parent domain is checked. If the nameservers are not working, this is a problem.

Is it possible for you to create a CAA entry for suporte.sema.ma.gov.br? Then Letsencrypt wouldn't check the parent domains.

I'm concerned. None of ma.gov.br's nameservers support TCP, but their DNSKEY record set is close to 1.2 KB.

Let's Encrypt is unable to resolve -- let alone issue certificates for -- anything under ma.gov.br.

Let's Encrypt made the EDNS buffer size change on 2018-11-15, and haven't issued a certificate for the zone since 2018-11-14.

https://crt.sh/?Identity=%.ma.gov.br&iCAID=16418

I’m fixing the errors, thanks for the support.

I’m fixing the errors, thanks for the help.

Guys, sorry for the delay in responding; it was due to the festivities. The problem persists.

I do not know how to solve this, but I think it is occurring due to a flaw or changes in domain validation.

So, basically, I’m going to explain my DNS infrastructure.

I have 2 DNS servers, NS1.sema.ma.gov.br and NS2.sema.ma.gov.br, both servers have been configured in traditional mode (without DNSSEC) and there is no IPv6 available.

I enabled DNSSEC and created the corresponding CAA records for each server, but the problem still persists.

This domain, “sema.ma.gov.br”, is the child of ma.gov.br. ma.gov.br is another institution (another administrative hierarchy); I am not responsible for their DNS servers, and even after informing them about the TCP protocol block, we did not get a response. So I need to solve the problem here in the “affiliate”.

Here is the result of Let's Debug:

https://letsdebug.net/sigla.sema.ma.gov.br/14067

As I said earlier, I believe it is some change in domain validation or validation of DNS servers.

So, I ask you, is there any change in the prerequisites for using Let’s Encrypt? What were the changes? Is there any relevant documentation?

Again the error of one of the servers:

root@SDDTIAPISIGLA-046:~# certbot --apache certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: sigla.sema.ma.gov.br


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sigla.sema.ma.gov.br
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. sigla.sema.ma.gov.br (http-01): urn:ietf:params:acme:error:dns :: DNS problem: query timed out looking up A for sigla.sema.ma.gov.br

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: sigla.sema.ma.gov.br
    Type: None
    Detail: DNS problem: query timed out looking up A for
    sigla.sema.ma.gov.br
    root@SDDTIAPISIGLA-046:~#

Thanks in advance for your attention and support.

As it did not work, I disabled it so as not to risk some kind of problem with other applications.

What website is this? Could you share the link pls?

I mentioned what's happening -- or at least one critical issue -- a few posts ago:

Let's Encrypt updated the configuration of their DNS resolvers on 2018-11-15. ma.gov.br is not compliant with the DNS standards: its nameservers do not support TCP. Let's Encrypt will not be able to resolve ma.gov.br, or any subdomains of ma.gov.br, until it is fixed.

You're not responsible for ma.gov.br, but you rely on it, and it doesn't work correctly. There's nothing you can do except contact the people who run ma.gov.br and ask them to fix their nameservers.

Hi @snetto, happy new year! :tada: :fireworks: :champagne:

Unfortunately, our colleague @mnordhoff is right here; even though you are not the administrator of the DNS server, you depend on it to obtain a new certificate from our CA. If you cannot get that service fixed, you will need to obtain the certificate from another CA, or use another domain name.

Unfortunately, some other people responsible for Brazilian government sites on this forum have had unpleasant experiences trying to get the attention of their DNS administrators, perhaps because our CA is much more demanding than any browser when it comes to compliance with technical standards. (And some Brazilian states have DNS servers bought from third parties that apparently only update their software occasionally, even when they have technical interoperability problems!)

To clarify the specific problem here a bit: the DNS protocol can work over either UDP or TCP. The most common option is UDP, and the great majority of requests on the Internet use UDP. However, especially large responses require the TCP option. The response from the authoritative server here includes a lot of data, and in practice our CA needs to receive the response over TCP, not UDP. (This matches the behaviour of some, not all, DNS clients, but ours is relatively strict for security reasons.)

The technical details were presented in the link @mnordhoff gave above (“EDNS Buffer Size Changing to 512 Bytes”), where @cpu wrote:

When we proposed this mitigation we identified two potential downsides:

Authoritative resolvers that return large responses but don’t support TCP would stop working. […]

(‘When we suggested this fix, we identified two potential downsides: authoritative resolvers that return large responses without being able to use TCP would stop working [with our service]. […]’)

The research by @cpu and his colleagues indicated that few domains would be affected by this problem, but unfortunately yours is among the few affected domains. :frowning:
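As an added example (not code from any poster in this thread), here is a stdlib-only probe of the failure mode explained above: ask an authoritative server for a record set with a 512-byte EDNS buffer, as Let's Encrypt's resolvers now do, and if the UDP answer comes back truncated, retry the same question over TCP. The nameserver IP and zone name are parameters you supply; no real server addresses from the thread are assumed.

```python
import socket
import struct

DNSKEY = 48  # the record set that pushed the ma.gov.br answer past 512 bytes

def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, txid=0x1234, udp_payload=512):
    """DNS query with an EDNS0 OPT record advertising udp_payload bytes (512 is what
    Let's Encrypt switched to); a larger answer must then be fetched over TCP/53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # qclass IN
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)  # root name, TYPE=OPT, CLASS=size
    return header + question + opt_rr

def parse_header(msg):
    """Return (txid, rcode, tc). TC=1 means the server truncated the UDP answer and
    a compliant resolver must repeat the question over TCP (RFC 1035 4.2.1)."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return txid, flags & 0x000F, bool(flags & 0x0200)

def probe_authoritative(ns_ip, name, qtype=DNSKEY, timeout=5.0):
    """UDP query with a 512-byte buffer, TCP retry on truncation.
    tcp_ok == False is the symptom in this thread: big answer, TCP/53 not answering."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(q, (ns_ip, 53))
        data, _ = u.recvfrom(4096)
    _, _, tc = parse_header(data)
    result = {"udp_truncated": tc, "tcp_ok": None}
    if not tc:
        return result  # answer fit in 512 bytes; this name does not exercise TCP
    try:
        with socket.create_connection((ns_ip, 53), timeout=timeout) as t:
            t.sendall(struct.pack("!H", len(q)) + q)  # TCP DNS: 2-byte length prefix
            length = struct.unpack("!H", t.recv(2))[0]
            body = t.recv(length, socket.MSG_WAITALL)
        result["tcp_ok"] = len(body) == length and not parse_header(body)[2]
    except (OSError, struct.error):
        result["tcp_ok"] = False  # connection refused, filtered, or timed out
    return result
```

Run `probe_authoritative("<ns_ip>", "<zone>")` against each authoritative server of your zone and of every parent zone; a `{'udp_truncated': True, 'tcp_ok': False}` result on any of them means Let's Encrypt's resolver will not be able to complete the lookup.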

Here is the website - https://check-your-website.server-daten.de/?q=suporte.sema.ma.gov.br

Someone checked your domain today. Your ma.gov.br breaks your dnssec:

Great. Someone tested https://check-your-website.server-daten.de/?q=sigla.sema.ma.gov.br

and now, ma.gov.br has fixed the DNSSEC errors and is “green”.

And the name servers are also updated.

Hello everyone!
Guys, they fixed the error.
All servers are working again with a valid Let’s Encrypt certificate.
As you said, the problem was the TCP protocol being blocked in “ma.gov.br”.
In the next few days I will change my NS servers to DNSSEC.
Thank you very much for the support and attention.