Is my DNS not supported by LE?


#1

My certificate just expired, and I want to renew it or make a new one for my website.
My first certificate was 3 months ago. I forgot how I managed to get it, so I tried to use Certbot to renew it.
As you can see, I don't speak English very well, so if there is something missing, please remind me.
I used `certbot renew --dry-run` to renew my certificate, and then it threw an error.

```
Failed authorization procedure. cal.lxserv.cn (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for cal.lxserv.cn, www.lxserv.cn (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for www.lxserv.cn
```

I tried to do the reading, but my English is just not good enough for me to understand everything. But I think it may be some DNS problem, so I did this:

```
dig @8.8.8.8 www.lxserv.cn
```

But it seems to be normal. It returns this:

```
; <<>> DiG 9.9.5-3ubuntu0.14-Ubuntu <<>> @8.8.8.8 www.lxserv.cn
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1845
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.lxserv.cn. IN A

;; ANSWER SECTION:
www.lxserv.cn. 59 IN A 175.111.124.94

;; Query time: 101 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun May 14 02:44:19 JST 2017
;; MSG SIZE rcvd: 58
```

I don’t know how to solve this. If it was a DNS problem, why did I get the certification successfully the first time, and why am I getting this error now?
If needed: I’m using Oray.com’s DDNS.


#2

Hi @laoxiaoms

> why at the first time I get the certification successfully

Using logic like "it worked last time, so it should work this time" is dangerous. Lots of things may have changed and you need to work these.

Please fill out the fields below so we can help you better.

My domain is:

I ran this command:

It produced this output:

My operating system is (include version):

My web server is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Andrei


#3

Looks like your DNS server is broken: http://dnsviz.net/d/www.lxserv.cn/dnssec/


#4

Hello @ahaw021, thanks for the reply!
My domain is: www.lxserv.cn cal.lxserv.cn

I ran this command: certbot renew --dry-run

It produced this output:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/cal.lxserv.cn.conf

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for cal.lxserv.cn
tls-sni-01 challenge for www.lxserv.cn
/usr/lib/python2.7/dist-packages/OpenSSL/rand.py:58: UserWarning: implicit cast from ‘char *’ to a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct)
result_code = _lib.RAND_bytes(result_buffer, num_bytes)
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/cal.lxserv.cn.conf produced an unexpected error: Failed authorization procedure. www.lxserv.cn (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for www.lxserv.cn. Skipping.
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/cal.lxserv.cn/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: www.lxserv.cn
Type: connection
Detail: DNS problem: SERVFAIL looking up A for www.lxserv.cn

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
```

My operating system is (include version): Ubuntu Server 14.04.5 LTS

My web server is (include version): Apache2 2.4.7

My hosting provider, if applicable, is: I host the server at home. The Internet provider is J:COM cable Internet (Japan).

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Please help me.


#5

It seems a bit odd. While it is broken, I hit up a couple of Unbound resolvers, and it either works or returns NXDOMAIN (due to the malfunctioning authoritative servers).

Let’s Encrypt must be failing due to configuration or version differences, or an unrelated issue. :confused:

Edit: @laoxiaoms, regardless of why Let’s Encrypt is failing, you should use a DNS provider that works right. This one may encounter issues with any DNS resolver. :sweat:
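
The thread shows the same name returning NOERROR from one resolver and SERVFAIL or NXDOMAIN from others. The script below is an added example, not part of any post in this thread: it extracts the response code from `dig` output and summarises whether a set of servers agree. The function names, the `ns1`/`ns2.example.net` hosts and the two sample headers are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: compare the DNS response code (rcode) that each server
# returns for one name. Sample dig headers below are constructed.

# Extract the rcode (NOERROR, SERVFAIL, NXDOMAIN, ...) from dig output on
# stdin. Prints TIMEOUT when no header line is present (no reply received).
dig_status() {
  awk '/->>HEADER<<-/ {
         for (i = 1; i < NF; i++)
           if ($i == "status:") { sub(/,$/, "", $(i+1)); print $(i+1); found = 1; exit }
       }
       END { if (!found) print "TIMEOUT" }'
}

# Read "server status" lines on stdin and summarise them:
#   ok            every server answered NOERROR
#   inconsistent  servers disagree, so results depend on which one is asked
#   failing       every server returned the same non-NOERROR status
verdict() {
  awk '{ seen[$2]++; n++ }
       END {
         kinds = 0; for (s in seen) kinds++
         if (n == 0)                   print "no-data"
         else if (kinds > 1)           print "inconsistent"
         else if ("NOERROR" in seen)   print "ok"
         else                          print "failing"
       }'
}

# Live use (needs network and dig): survey NAME ZONE queries every
# authoritative server of ZONE directly, without recursion, so a resolver
# cache cannot hide a server that is failing.
survey() {
  for ns in $(dig +short NS "$2"); do
    printf '%s %s\n' "$ns" \
      "$(dig +norecurse +time=3 +tries=1 @"$ns" "$1" A | dig_status)"
  done
}

# Constructed sample: two servers of one zone answering differently.
sample_ok=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1845'
sample_bad=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4021'
demo() {
  printf 'ns1.example.net %s\n' "$(printf '%s\n' "$sample_ok"  | dig_status)"
  printf 'ns2.example.net %s\n' "$(printf '%s\n' "$sample_bad" | dig_status)"
}
demo | verdict   # prints: inconsistent
```

On a machine with network access, `survey www.lxserv.cn lxserv.cn | verdict` runs the same check against the zone's real name servers.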


#6

@mnordhoff Thanks for the reply.

I don’t use an Internet connection that provides a static IP address, so I am using a DynDNS service to make my domain work. The DynDNS service provider does not allow me to change the DNS server (once DynDNS is switched ON, everything for my domain is simply managed by the DynDNS provider).
My DynDNS provider is www.oray.com (Chinese).
What should I do?

