LDNS error when renewing certificates with getssl

My domain is: pfeiffer-koberstein-immobilien.de

I ran this command for renewing the certificates:
getssl pfeiffer-koberstein-immobilien.de -w /pathworkingdirectory/.getssl -a
It produced this output:
Error: error sending query: General LDNS error
Error: error sending query: General LDNS error
Error: error sending query: General LDNS error
Error: error sending query: General LDNS error
Error: error sending query: General LDNS error
Error: error sending query: General LDNS error

My web server is (include version):
apache 2.4.7 ubuntu

The operating system my web server runs on is (include version):
Linux ubuntu 14.04 lts, remote-system, place of the certificates

archlinux 5.10-lts, local system, where getssl is running, for renewing and sending to remote-system
Info: the certificates were generated with ubuntu 16.04, getssl running system

My hosting provider, if applicable, is:
Strato, root-server
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): getssl 2.36, latest version on GitHub - srvrco/getssl: obtain free SSL certificates from letsencrypt ACME server Suitable for automating the process on remote servers.

That looks like an error getssl is having with the DNS library it uses. That is better addressed to the developer of getssl at GitHub - srvrco/getssl: obtain free SSL certificates from letsencrypt ACME server Suitable for automating the process on remote servers.


Hi @iksmax

I'm one of the maintainers of getssl. I've not seen that error before, but I've not used the ldns library or archlinux.

Can you run getssl with the -d debug option and either post the output here or on github - I think drill is returning an error and with the debug output I should be able to track down the problem.


@iksmax
Does DNS work on your system/server?


Hi timkimber,

thanks for your answer. Here's the -d output:

detected os type = linux

Running \e[01;31m ========= \e[01;37mSystemRescue 8.05 (x86_64)\e[01;31m ======== \e[01;37m\l\e[00;37m/6\e[01;31m =========
\e[00;31mhttps://www.system-rescue.org/

\e[00;31m*\e[01;31m Console environment\e[00;37m :
Run \e[01;37msetkmap\e[00;37m to choose the keyboard layout

\e[00;31m*\e[01;31m Graphical environment\e[00;37m :
Type \e[01;37mstartx\e[00;37m to run the graphical environment
X.Org comes with the XFCE environment and several graphical tools:
\e[00;31m-\e[00;37m Partition manager: .. \e[01;37mgparted\e[00;37m
\e[00;31m-\e[00;37m Web browser: ........ \e[01;37mfirefox\e[00;37m
\e[00;31m-\e[00;37m Text editor: ........ \e[01;37mfeatherpad\e[00;37m

checking for required which ... /usr/bin/which

checking for required openssl ... /usr/bin/openssl

checking for required curl ... /usr/bin/curl

checking for dig ... /usr/bin/dig

function dig found at /usr/bin/dig - setting DNS_CHECK_FUNC to dig

checking for required dirname ... /usr/bin/dirname

checking for required awk ... /usr/bin/awk

checking for required tr ... /usr/bin/tr

checking for required date ... /usr/bin/date

checking for required grep ... /usr/bin/grep

checking for required sed ... /usr/bin/sed

checking for required sort ... /usr/bin/sort

checking for required mktemp ... /usr/bin/mktemp

Checking for releases at https://api.github.com/repos/srvrco/getssl/releases/latest

{"url":"https://api.github.com/repos/srvrco/getssl/releases/51143195","assets_url":"https://api.github.com/repos/srvrco/getssl/releases/51143195/assets","upload_url":"https://uploads.github.com/repos/srvrco/getssl/releases/51143195/assets{?name,label}","html_url":"https://github.com/srvrco/getssl/releases/tag/v2.45","id":51143195,"author":{"login":"timkimber","id":15785928,"node_id":"MDQ6VXNlcjE1Nzg1OTI4","avatar_url":"https://avatars.githubusercontent.com/u/15785928?v=4","gravatar_id":"","url":"https://api.github.com/users/timkimber","html_url":"https://github.com/timkimber","followers_url":"https://api.github.com/users/timkimber/followers","following_url":"https://api.github.com/users/timkimber/following{/other_user}","gists_url":"https://api.github.com/users/timkimber/gists{/gist_id}","starred_url":"https://api.github.com/users/timkimber/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/timkimber/subscriptions","organizations_url":"https://api.github.com/users/timkimber/orgs","repos_url":"https://api.github.com/users/timkimber/repos","events_url":"https://api.github.com/users/timkimber/events{/privacy}","received_events_url":"https://api.github.com/users/timkimber/received_events","type":"User","site_admin":false},"node_id":"RE_kwDOAvJYls4DDGIb","tag_name":"v2.45","target_commitish":"master","name":"Stable Release 2.45","draft":false,"prerelease":false,"created_at":"2021-10-11T13:31:25Z","published_at":"2021-10-11T13:36:26Z","assets":,"tarball_url":"https://api.github.com/repos/srvrco/getssl/tarball/v2.45","zipball_url":"https://api.github.com/repos/srvrco/getssl/zipball/v2.45","body":"2021-10-08 Extract release tag from release api using awk (#717) (fix BSD issues)\r\n2021-10-11 Fix broken upgrade url (#718)(2.45)"}

current code is version 2.45

Most recent version is 2.45

reading config from /mnt/linux/home/pfeiffer/.getssl/getssl.cfg

checking for required dig ... /usr/bin/dig

Making temp directory - /mnt/linux/home/pfeiffer/.getssl/pfeiffer-koberstein-immobilien.de/tmp

reading config from /mnt/linux/home/pfeiffer/.getssl/pfeiffer-koberstein-immobilien.de/getssl.cfg

HAS NSLOOKUP=true

HAS DIG_OR_DRILL=drill

DIG_SUPPORTS_NOIDNOUT=true

HAS HOST=true

Has lftp

Using certificate issuer: https://acme-staging-v02.api.letsencrypt.org

checking config

checked ACCOUNT_KEY_TYPE

checked PRIVATE_KEY_ALG

checking domain pfeiffer-koberstein-immobilien.de

DNS lookup using drill pfeiffer-koberstein-immobilien.de
Error: error sending query: General LDNS error
Error: error sending query: General LDNS error
Error: error sending query: General LDNS error

DNS lookup using host pfeiffer-koberstein-immobilien.de

DNS lookup using nslookup -query AAAA pfeiffer-koberstein-immobilien.de

found IPv4 record for pfeiffer-koberstein-immobilien.de

checking domain www.pfeiffer-koberstein-immobilien.de

DNS lookup using drill www.pfeiffer-koberstein-immobilien.de
Error: error sending query: General LDNS error
Error: error sending query: General LDNS error
Error: error sending query: General LDNS error

DNS lookup using host www.pfeiffer-koberstein-immobilien.de

DNS lookup using nslookup -query AAAA www.pfeiffer-koberstein-immobilien.de

found IPv4 record for www.pfeiffer-koberstein-immobilien.de

pfeiffer-koberstein-immobilien.de: check_config completed - all OK

ca_all_loc from https://acme-staging-v02.api.letsencrypt.org gives

Boulder: The Let's Encrypt CA

  <div class="col-xs-6 text-left">
    <h1>Boulder<br>
    <small>The Let's Encrypt CA</small></h1>
  </div>
</div>

<div class="row">
  <div class="col-xs-8 col-xs-offset-2 text-center">
    <h3>This is an <a href="https://github.com/letsencrypt/acme-spec/">ACME</a> Certificate Authority running <a href="https://github.com/letsencrypt/boulder">Boulder</a>.</h3>
    <p>This is a <em>programmatic</em> endpoint, an API for a computer to talk to. You should probably be using a specialized client to utilize the service, and not your web browser. See <a href="https://letsencrypt.org/"><tt>https://letsencrypt.org/</tt></a> for help.</p>
    <p>If you're trying to use this service, note that the starting point, <em>the directory</em>, is available at this URL: <a href="https://acme-staging-v02.api.letsencrypt.org/directory"><tt>https://acme-staging-v02.api.letsencrypt.org/directory</a></tt>.</p>
  </div>
</div>
<div class="row">
  <div class="col-xs-4 col-xs-offset-2 text-center">
    <p><a href="https://letsencrypt.status.io" title="Twitter">
      <i class="fa fa-area-chart"></i>
      Service Status (letsencrypt.status.io)
    </a></p>
  </div>
  <div class="col-xs-4 text-center">
    <p><a href="https://twitter.com/letsencrypt" title="Twitter">
      <i class="fa fa-twitter"></i>
      Check with us on Twitter
    </a></p>
  </div>
</div> <!-- row -->

ca_all_loc from https://acme-staging-v02.api.letsencrypt.org/directory gives {
"kFk0pGdmtic": "Adding random entries to the directory",
"keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "Staging Environment - Let's Encrypt"
},
"newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
"renewalInfo": "https://acme-staging-v02.api.letsencrypt.org/get/draft-aaron-ari/renewalInfo/",
"revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}

Using API v2

getting certificate for pfeiffer-koberstein-immobilien.de from remote server (pfeiffer-koberstein-immobilien.de)

certificate on server is same as the local cert

created SAN list = subjectAltName=DNS:pfeiffer-koberstein-immobilien.de,DNS:www.pfeiffer-koberstein-immobilien.de

certificate /mnt/linux/home/pfeiffer/.getssl/pfeiffer-koberstein-immobilien.de/pfeiffer-koberstein-immobilien.de.crt exists

local cert is valid until Mar 8 15:54:55 2022 GMT

local cert is for domains: pfeiffer-koberstein-immobilien.de,www.pfeiffer-koberstein-immobilien.de
pfeiffer-koberstein-immobilien.de: certificate is valid for more than 30 days (until Mar 8 15:54:55 2022 GMT)

is the same as before

Hi rg305,

yes, the DNS is running,

This may be part of that problem:


yes, this is possible, from ubuntu 16.04 / php 7, the sql-query syntax changes from mysql to mysqli (improved), for php7 there's a mapping extension for these old queries

Hi @iksmax

getssl successfully updated your certificate - as drill failed with the LDNS error, it used nslookup instead.

I'll reproduce and fix so that the error isn't shown unless there are no working dns utilities available.

I recently added Ubuntu 14 LTS to the automated tests as there are several getssl users still using that version.

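The fallback timkimber describes (drill fails with the LDNS error, getssl moves on to host and nslookup, and the per-tool error should only be surfaced when no tool works) can be written as a small shell routine. The block below is an added example in the style of getssl's shell code; it is not getssl's own code. The wrapper names (resolve_drill and friends), the awk/grep parsing of each tool's output, the helper dns_lookup, and the constructed stand-ins fake_drill and fake_nslookup with the documentation address 203.0.113.10 are all assumptions for the demo, which runs offline.

```shell
#!/usr/bin/env bash
# Added example (not getssl's own code): try several DNS tools in order and
# only report their error output when every tool has failed.

# Report a missing tool on stderr so the caller can see why a resolver was skipped.
need() { command -v "$1" >/dev/null 2>&1 || { echo "$1: not installed" >&2; return 127; }; }

# Wrappers around real tools (assumed parsing): print A records for "$1" on
# stdout, leave the tool's own complaints on stderr.
resolve_drill()    { need drill    || return; drill "$1" A          | awk '$1 !~ /^;/ && $4 == "A" {print $5}'; }
resolve_dig()      { need dig      || return; dig +short "$1" A     | grep -E '^[0-9.]+$'; }
resolve_host()     { need host     || return; host -t A "$1"        | awk '/has address/ {print $4}'; }
resolve_nslookup() { need nslookup || return; nslookup -query=A "$1" | awk '/^Name:/ {seen=1} seen && /^Address:/ {print $2}'; }

# dns_lookup DOMAIN RESOLVER...
# Runs each resolver in turn and prints the first non-empty answer. Errors
# from resolvers that failed are buffered, tagged with the resolver name, and
# only written to stderr if no resolver answered, so a broken drill on one
# host does not print "General LDNS error" three times when nslookup works.
dns_lookup() {
  domain=$1; shift
  allerr=$(mktemp) || return 1
  toolerr=$(mktemp) || { rm -f "$allerr"; return 1; }
  for resolver in "$@"; do
    answer=$("$resolver" "$domain" 2>"$toolerr")
    if [ -n "$answer" ]; then
      rm -f "$allerr" "$toolerr"
      printf '%s\n' "$answer"
      return 0
    fi
    sed "s/^/$resolver: /" "$toolerr" >>"$allerr"
  done
  cat "$allerr" >&2
  printf 'no DNS tool could resolve %s\n' "$domain" >&2
  rm -f "$allerr" "$toolerr"
  return 1
}

# Constructed stand-ins so the demo runs offline: "drill" fails the way the
# thread shows, "nslookup" answers with a documentation address.
fake_drill()    { echo "Error: error sending query: General LDNS error" >&2; return 1; }
fake_nslookup() { echo "203.0.113.10"; }

# Demo: drill fails quietly, nslookup answers, nothing is printed on stderr.
dns_lookup example.test fake_drill fake_nslookup
# Demo: every tool fails, so the buffered errors are shown.
dns_lookup example.test fake_drill fake_drill || echo "all tools failed, see errors above"
# On a real host: dns_lookup example.org resolve_drill resolve_dig resolve_host resolve_nslookup
```

The order of resolvers passed to dns_lookup is the preference order; a tool that is not installed is skipped with a one-line note that is only shown, like the other errors, if nothing else answered.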

Hi @timkimber,

thanks for your help, the certificate was updated successfully,
I saw in the getssl script, there are several alternatives for DNS-Checking,

on https://tools.ietf.org/wg/acme, I tried to open the following link, but it doesn't work, https://www.fenron.net/~fenner/ietf/deps/viz/acme.pdf. Is this file protected?


It looks like the domain fenron.net no longer exists. I checked the Internet Archive, and it doesn't have a copy of the file.

I've never looked at the working group page before, so I don't know what the visualisation would have shown.

