Increase in renewal DNS failures

I have 72 certificates on a server, and running certbot renew every 12 hours. Lately, I’ve seen an increase in secondary validation DNS errors: 6 times in the last 2.5 weeks. The domains are using name servers at Cloudflare and Rackspace. None of our other monitored services have triggered alerts, so I suspect Let’s Encrypt’s network has been having issues. Has anyone else seen this?

2020-07-21T00:01:39.803286+00:00

2 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: gieseswany.com
   Type:   None
   Detail: During secondary validation: DNS problem: query timed out
   looking up CAA for com
 - The following errors were reported by the server:

   Domain: menteenbalancecom.alias.strangecode.com
   Type:   None
   Detail: During secondary validation: DNS problem: query timed out
   looking up CAA for menteenbalancecom.alias.strangecode.com

   Domain: www.contemplarte.org
   Type:   None
   Detail: During secondary validation: DNS problem: query timed out
   looking up CAA for www.contemplarte.org

2020-07-25T00:01:40.048264+00:00

2 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: morningthundercafe.com
   Type:   None
   Detail: During secondary validation: No valid IP addresses found
   for morningthundercafe.com
 - The following errors were reported by the server:

   Domain: think-portland.com
   Type:   None
   Detail: During secondary validation: DNS problem: networking error
   looking up A for think-portland.com

2020-07-26T00:00:59.365046+00:00

2 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: chicoweb.design
   Type:   None
   Detail: During secondary validation: No valid IP addresses found
   for chicoweb.design

   Domain: identity-international.com
   Type:   None
   Detail: During secondary validation: DNS problem: networking error
   looking up A for identity-international.com

2020-08-02T00:00:58.937809+00:00

2 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: ministry-to-children.com
   Type:   None
   Detail: During secondary validation: No valid IP addresses found
   for ministry-to-children.com

   Domain: ministry-to-childrencom.alias.strangecode.com
   Type:   None
   Detail: During secondary validation: DNS problem: query timed out
   looking up CAA for strangecode.com

2020-08-05T00:00:57.279056+00:00

2 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: kilometerzero.org
   Type:   None
   Detail: During secondary validation: DNS problem: networking error
   looking up A for kilometerzero.org

   Domain: kilometerzeroorg.alias.strangecode.com
   Type:   None
   Detail: During secondary validation: DNS problem: networking error
   looking up A for kilometerzeroorg.alias.strangecode.com

2020-08-07T00:00:59.007494+00:00

2 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.frayons.com
   Type:   None
   Detail: During secondary validation: DNS problem: query timed out
   looking up CAA for frayons.com

2020-08-08T00:01:09.073189+00:00

1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.lists.burb.tv
   Type:   None
   Detail: During secondary validation: DNS problem: networking error
   looking up A for www.lists.burb.tv

Hi @com

There was a topic with such a problem.

There are GoDaddy name servers. They have a bad configuration, but checking one of your domains - frayons.com - that's very good.

A Good (1 - 3.0):: An average of 1.0 queries per domain name server required to find all ip addresses of all name servers.

And Cloudflare with a dns timeout sounds impossible.

I should have mentioned that all these failures are transient: they are resolved the next time certbot renew runs.

Such transient issues with secondary validation are probably very difficult – if not impossible – to debug. Could be anything from routing issues somewhere around the globe to MTU issues or something like that.

We do know some things:

This type of error seems very rare and I believe it could only be raised if there was an internal networking problem on Let's Encrypt's side, where Boulder can't communicate with Unbound. Maybe a server in the pool died and you got unlucky.

That is distinct from a generic query timeout, where the blame may well be placed on an external nameserver.

I guess we can wait and see whether more people report the same. Unless Let's Encrypt want to chime in with whether they already know about it.

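To apply the distinction _az draws (a plain "networking error" pointing at the CA's own resolver path versus a "query timed out" that may implicate the external nameserver) across many renewals, here is an added triage script that parses the "IMPORTANT NOTES" section certbot prints and buckets each failure by category. It is not part of the thread; the sample report is constructed from the entries quoted above, and the category names are my own labels.

```python
import re
from collections import Counter

# Constructed sample in the layout certbot prints after `certbot renew`,
# reusing three entries quoted in this thread.
SAMPLE_REPORT = """\
2 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: gieseswany.com
   Type:   None
   Detail: During secondary validation: DNS problem: query timed out
   looking up CAA for com
 - The following errors were reported by the server:

   Domain: think-portland.com
   Type:   None
   Detail: During secondary validation: DNS problem: networking error
   looking up A for think-portland.com

   Domain: morningthundercafe.com
   Type:   None
   Detail: During secondary validation: No valid IP addresses found
   for morningthundercafe.com
"""

# Substring of the Detail line -> my triage label (assumed names, not certbot's).
# "ca-side" means retry and watch; the other two deserve a look at your zone.
CATEGORIES = [
    ("networking error", "ca-side"),
    ("query timed out", "nameserver-timeout"),
    ("No valid IP addresses found", "no-address-record"),
]

# One Domain/Type/Detail block; Detail may wrap onto the following line(s).
BLOCK_RE = re.compile(
    r"Domain:\s+(?P<domain>\S+)\s+Type:\s+\S+\s+Detail:\s+"
    r"(?P<detail>.*?)(?=\n\s*Domain:|\n\s*-\s|\Z)",
    re.S,
)

def parse_failures(report: str):
    """Return (domain, single-line detail) pairs from a certbot renew report."""
    return [(m.group("domain"), " ".join(m.group("detail").split()))
            for m in BLOCK_RE.finditer(report)]

def classify(detail: str) -> str:
    return next((label for needle, label in CATEGORIES if needle in detail), "other")

def summarize(report: str):
    """Count failures per category and record which lookup (type, name) failed."""
    counts, per_domain = Counter(), {}
    for domain, detail in parse_failures(report):
        lookup = re.search(r"looking up (\w+) for (\S+)", detail)
        per_domain[domain] = (classify(detail), lookup.groups() if lookup else None)
        counts[per_domain[domain][0]] += 1
    return counts, per_domain
```

Feeding it the nightly reports over a few weeks shows whether the "nameserver-timeout" bucket clusters on one zone (worth checking that zone's authoritative servers answer CAA queries promptly) or is spread evenly like the "ca-side" bucket.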

Thanks @_az, that’s why I reported this – I expect that I am not alone in seeing this error, since it seems to be coming from Let’s Encrypt’s side.

BTW I just added a new "DNS problem: networking error" to my post from yesterday.

