Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: itnc.ro
I ran this command: certbot certonly -d itnc.ro -d www.itnc.ro -d mx.itnc.ro -d imap.itnc.ro
It produced this output: Domain: itnc.ro
Type: dns
Detail: DNS problem: query timed out looking up A for itnc.ro; DNS problem: query timed out looking up AAAA for itnc.ro
My web server is (include version): (2.4.62-1~deb12u2)
The operating system my web server runs on is (include version): running Debian GNU/Linux trixie/sid
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): YES
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0
I recently set up my server and found these errors. The ns of the domain is ns.itnc.ro.
If you run
dig @1.1.1.1 itnc.ro
;; communications error to 1.1.1.1#53: timed out
;; communications error to 1.1.1.1#53: timed out
;; communications error to 1.1.1.1#53: timed out
; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> @1.1.1.1 itnc.ro
; (1 server found)
;; global options: +cmd
;; no servers could be reached
It seems there's a communication error.
If I run
dig @90.84.237.182 itnc.ro
; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> @90.84.237.182 itnc.ro
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9144
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 652b5eace6eab3a70100000068096df0eaf03706e7bb17a6 (good)
;; QUESTION SECTION:
;itnc.ro. IN A
;; ANSWER SECTION:
itnc.ro. 259200 IN A 90.84.237.182
Let's Encrypt doesn't use general public DNS servers; they query the authoritative DNS for your domain. But there don't seem to be any published authoritative DNS servers for your domain:
ro. 172800 IN NS dns-c.rotld.ro.
ro. 172800 IN NS dns-at.rotld.ro.
ro. 172800 IN NS dns-ro.denic.de.
ro. 172800 IN NS primary.rotld.ro.
ro. 172800 IN NS sec-dns-a.rotld.ro.
ro. 172800 IN NS sec-dns-b.rotld.ro.
ro. 86400 IN DS 61039 8 2 7C53F10E86835711C3CC6BA9632E4295A077E6A0A148059195371C3E 5D07E10F
ro. 86400 IN RRSIG DS 8 1 86400 20250506170000 20250423160000 53148 . VXNjecbnCQmOIIYEn1fsKkRIlkYt/I/OsV9WGZOdKLMq6GpmqETjsqlY hhJLizcQAgMEngT3VnzzkbtPxdjNGZNSEs/yDrgt6M/sVJxyzmRdUOok XT7A7f0/rZbmdqTFfVtifL+hNet4nQfvQOheMdFzTNkYjcZ1wPYFoU83 s6RU+8B3dEu+S6GYD1KwKQs152HU/LhX5W0ocEZUN8JsklALSaFsyDy8 +WUCzqFVhBjLeQGk9D4OgI9dTosOPeGdcc5VIDlNxfhqZKA8z68w6DKl XE70Z3g9ybjen4E3NzM4IiOlgoDLMbA3evJYHQt234agEwsXcaePCTZX WnLqNA==
;; Received 753 bytes from 192.5.5.241#53(f.root-servers.net) in 18 ms
itnc.ro. 86400 IN NS ns.itnc.ro.
itnc.ro. 86400 IN DS 47357 8 2 00F242D90FE02B65883ADC1993EB8EFAE63B89FD135EB5F7ED657F59 3D8857FE
itnc.ro. 86400 IN RRSIG DS 8 2 86400 20250523223210 20250423214805 36538 ro. FyGMwh4NSA4YQ4wKUEHkwM00CDtYM0oH/09Jbg+A5kHSMe9vc6pb1b8Z CnoKG8QAPX7nyydRcelFZOFjOZXnTyfa2SVi4fcEtV6wbmUcvCjE56hs ors6qwSSM4Dul6XNFhlpBU5IdcJNeTruHoNqBJAWxQgKqmvNhxpuKiOe v4Q=
couldn't get address for 'ns.itnc.ro': not found
dig: couldn't get address for 'ns.itnc.ro': no more
You need to have Authoritative Name Servers responding for the domain name itnc.ro;
presently whois and dig ns itnc.ro show ns.itnc.ro. as the Authoritative Name Server.
In general there should be at least 2 Authoritative Name Servers.
So do at least one of these.
Get ns.itnc.ro. to respond properly for the domain name itnc.ro
Edit the DNS records for the domain name itnc.ro adding Authoritative Name Servers that do respond correctly.
The result that's showing "not resolved" in most of the world for A records? And the same for NS records (it's only succeeding in 11 of 29 locations)?
Your DNS is very badly broken, and you need to fix it. That site is one illustration of how broken it is. Once you fix it, I expect you'll find that Let's Encrypt will work well for you.
Yes Dan,
The result is for A records. Almost the same for NS records.
I don't get it! Why is it not working from all nameservers, and it works just for some?
Thanks,
P.S. Can you tell which nameserver the letsencrypt validation bot runs on?
Neither do we. Let's Encrypt, by design, validates from around the globe. As a result, your DNS servers (and yes, that should be plural) need to respond worldwide. So if you're using any kind of geoblocking, that's the first thing to stop doing.
But the DNSchecker result you linked illustrates the problem--your DNS server (singular, which is surely at least part of the problem) isn't accessible to most of the world. We can't help you fix that.
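An added example, not part of the original thread: a small Python check that reads captured `dig +trace` text and reports the delegation problems discussed above (a single name server, a name server inside its own zone with no address record in the referral, and names dig could not resolve). The function names and the sample trace are constructed for illustration, and the trace is assumed to have been captured with `dig +trace +additional` so that glue records, if any, appear in the text.

```python
import re

# Constructed sample, modelled on the `dig +trace` output quoted in the thread.
SAMPLE_TRACE = """\
ro. 172800 IN NS dns-c.rotld.ro.
ro. 172800 IN NS primary.rotld.ro.
;; Received 753 bytes from 192.5.5.241#53(f.root-servers.net) in 18 ms
itnc.ro. 86400 IN NS ns.itnc.ro.
itnc.ro. 86400 IN DS 47357 8 2 <digest-placeholder>
couldn't get address for 'ns.itnc.ro': not found
"""

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|A|AAAA)\s+(\S+)")
UNRESOLVED = re.compile(r"couldn't get address for '([^']+)'")


def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def audit_delegation(trace, zone):
    """Summarise the delegation for `zone` found in dig +trace text."""
    zone = norm(zone)
    ns_hosts, with_address, unresolved = [], set(), []
    for line in trace.splitlines():
        rr = RR.match(line.strip())
        if rr:
            owner, rtype, rdata = norm(rr[1]), rr[2], norm(rr[3])
            if rtype == "NS" and owner == zone:
                ns_hosts.append(rdata)
            elif rtype in ("A", "AAAA"):
                with_address.add(owner)  # glue or answer for this host
            continue
        miss = UNRESOLVED.search(line)
        if miss and norm(miss[1]) not in unresolved:
            unresolved.append(norm(miss[1]))
    # A name server inside the zone it serves can only be found via glue
    # at the parent; without it, resolvers starting from the root are stuck.
    needs_glue = [h for h in ns_hosts
                  if (h == zone or h.endswith("." + zone)) and h not in with_address]
    return {"ns": ns_hosts, "single_ns": len(ns_hosts) == 1,
            "needs_glue": needs_glue, "unresolved": unresolved}


if __name__ == "__main__":
    print(audit_delegation(SAMPLE_TRACE, "itnc.ro"))
```

An empty `needs_glue` list only means an address record for that host appeared somewhere in the captured text; each listed name server still has to answer queries from outside networks.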