Misleading Error? "DNS problem NXDOMAIN looking up A"

Sure, there you go!

curl -v https://acme-v02.api.letsencrypt.org/directory
*   Trying 172.65.32.248:443...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=acme-v01.api.letsencrypt.org
*  start date: Aug  1 18:18:35 2021 GMT
*  expire date: Oct 30 18:18:33 2021 GMT
*  subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55fd5bb3cd40)
> GET /directory HTTP/2
> Host: acme-v02.api.letsencrypt.org
> user-agent: curl/7.68.0
> accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200 
< server: nginx
< date: Wed, 04 Aug 2021 06:19:18 GMT
< content-type: application/json
< content-length: 658
< cache-control: public, max-age=0, no-cache
< x-frame-options: DENY
< strict-transport-security: max-age=604800
< 
{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert",
  "t793_xNbqf0": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
* Connection #0 to host acme-v02.api.letsencrypt.org left intact
curl -4 ifconfig.co
80.89.217.226
2 Likes

At this point I want to say thanks to everyone involved here! I'm absolutely blasted by how helpful each one of you is! Never expected that I would receive so many helpful comments! Thank you very much.

3 Likes

Well, you're at the right IP and the system can reach LE.
The problem must be happening when LE tries to reach your system.

Not sure if this is expected or not (I don't use Caddy but it doesn't look right to me):

curl -Iki http://ripped.link/.well-known/acme-challenge/Test-File-1234
curl: (56) Recv failure: Connection reset by peer

curl -Iki https://ripped.link/.well-known/acme-challenge/Test-File-1234
curl: (7) Failed to connect to ripped.link port 443: Connection refused
2 Likes

The bad-gateway error is gone and I have no idea why, I basically killed the programs listening on port 80 and 443 because it started complaining about 443.

Now it complains that I'm not authorized. This should be an easy one, no? But I didn't find anything in the caddy docs or in this community related to how to get there, would you have any ideas? It warns me that I didn't provide my email, but it looks optional and just providing that probably won't solve an authentication error anyways. :slight_smile:

2021/08/06 05:06:33.512 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "ripped.link", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2021/08/06 05:06:34.960 ERROR   tls.issuance.acme.acme_client   challenge failed        {"identifier": "ripped.link", "challenge_type": "http-01", "status_code": 403, "problem_type": "urn:ietf:params:acme:error:unauthorized", "error": "Invalid response from https://ripped.link/.well-known/acme-challenge/NL4Yw3d-6W09RJK0FZzbDlYyfhkGCRKCc2X45UUWkzE [80.89.217.226]: \"<html>\\n    <head>\\n        <title>Welcome to your SWAG instance</title>\\n        <style>\\n        body{\\n            font-family: He\""}
2021/08/06 05:06:34.960 ERROR   tls.issuance.acme.acme_client   validating authorization        {"identifier": "ripped.link", "error": "authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - Invalid response from https://ripped.link/.well-known/acme-challenge/NL4Yw3d-6W09RJK0FZzbDlYyfhkGCRKCc2X45UUWkzE [80.89.217.226]: \"<html>\\n    <head>\\n        <title>Welcome to your SWAG instance</title>\\n        <style>\\n        body{\\n            font-family: He\"", "order": "https://acme-v02.api.letsencrypt.org/acme/order/130671497/14867960250", "attempt": 1, "max_attempts": 3}
2021/08/06 05:06:36.415 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "ripped.link", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2021/08/06 05:06:37.460 ERROR   tls.issuance.acme.acme_client   challenge failed        {"identifier": "ripped.link", "challenge_type": "tls-alpn-01", "status_code": 403, "problem_type": "urn:ietf:params:acme:error:unauthorized", "error": "Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}
2021/08/06 05:06:37.460 ERROR   tls.issuance.acme.acme_client   validating authorization        {"identifier": "ripped.link", "error": "authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge", "order": "https://acme-v02.api.letsencrypt.org/acme/order/130671497/14867967370", "attempt": 2, "max_attempts": 3}
2021/08/06 05:06:39.141 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "ripped.link", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[ripped.link] solving challenges: ripped.link: no solvers available for remaining challenges (configured=[tls-alpn-01 http-01] offered=[http-01 dns-01 tls-alpn-01] remaining=[dns-01]) (order=https://acme-v02.api.letsencrypt.org/acme/order/130671497/14867972870) (ca=https://acme-v02.api.letsencrypt.org/directory)"}

I don't know why it gets an "Invalid Response". I guess SWAG is coming from caddy itself. I will ask them how to fix that.

2 Likes
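The Caddy log above already contains the diagnosis if you read the ACME error text closely: the validator got an HTML page ("Welcome to your SWAG instance") where it expected the key authorization, and the listener on 443 could not offer the acme-tls/1 ALPN protocol. The following script is an added example, not code from the thread or from Caddy: it parses log lines of the shape shown in the post (the four sample lines are copied verbatim from it), pulls the JSON payload out of each, and maps the ACME error strings to what a defender should check on the host. The line-format regex and the classification rules are my assumptions about the log layout, not anything Caddy documents.

```python
import json
import re
from dataclasses import dataclass

# Assumed Caddy log layout: "<date> <time> <LEVEL> <logger> <message> <json>".
# Real output is tab-separated; forum pasting collapses tabs, so any whitespace run is accepted.
LINE_RE = re.compile(r"^(\S+ \S+)\s+(\w+)\s+(\S+)\s+(.*?)\s+(\{.*\})$")

# Sample input: log lines taken verbatim from the post above.
SAMPLE_LOG = r"""
2021/08/06 05:06:33.512 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "ripped.link", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2021/08/06 05:06:34.960 ERROR   tls.issuance.acme.acme_client   challenge failed        {"identifier": "ripped.link", "challenge_type": "http-01", "status_code": 403, "problem_type": "urn:ietf:params:acme:error:unauthorized", "error": "Invalid response from https://ripped.link/.well-known/acme-challenge/NL4Yw3d-6W09RJK0FZzbDlYyfhkGCRKCc2X45UUWkzE [80.89.217.226]: \"<html>\\n    <head>\\n        <title>Welcome to your SWAG instance</title>\\n        <style>\\n        body{\\n            font-family: He\""}
2021/08/06 05:06:37.460 ERROR   tls.issuance.acme.acme_client   challenge failed        {"identifier": "ripped.link", "challenge_type": "tls-alpn-01", "status_code": 403, "problem_type": "urn:ietf:params:acme:error:unauthorized", "error": "Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}
2021/08/06 05:06:39.141 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "ripped.link", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[ripped.link] solving challenges: ripped.link: no solvers available for remaining challenges (configured=[tls-alpn-01 http-01] offered=[http-01 dns-01 tls-alpn-01] remaining=[dns-01]) (order=https://acme-v02.api.letsencrypt.org/acme/order/130671497/14867972870) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
""".strip().splitlines()

HTML_START = ("<html", "<!doctype")


@dataclass
class Finding:
    identifier: str
    challenge_type: str
    problem_type: str
    diagnosis: str


def parse_line(line: str):
    """Split one log line into its fixed columns and decode the trailing JSON payload."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, level, logger, msg, payload = m.groups()
    return {"ts": ts, "level": level, "logger": logger, "msg": msg, "fields": json.loads(payload)}


def diagnose_error(challenge_type: str, error: str) -> str:
    """Map the ACME error text to the host-side condition that produced it (rules are my own)."""
    if "Invalid response from" in error:
        m = re.search(r'Invalid response from (\S+) \[([^\]]+)\]: "(.*)"$', error, re.S)
        if m:
            url, addr, body = m.groups()
            hint = f"validator fetched {url} at {addr}"
            if url.startswith("https://"):
                # http-01 starts on port 80; an https URL here means the validator followed a redirect.
                hint += " (the http-01 request was redirected to port 443)"
            if body.lstrip().lower().startswith(HTML_START):
                t = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
                title = t.group(1).strip() if t else "untitled"
                return (f"HTML page '{title}' served instead of the key authorization: "
                        f"another web server owns that port on this host; {hint}")
            return f"unexpected body served for the token; {hint}"
        return "validator reached the host but the challenge response was wrong"
    if "Cannot negotiate ALPN protocol" in error:
        return ("listener on 443 does not offer the acme-tls/1 ALPN protocol: the process "
                "answering TLS is not the ACME client, so tls-alpn-01 cannot succeed")
    return f"unclassified {challenge_type} failure: {error}"


def summarize(lines):
    """Collect one Finding per failed challenge plus the solver summary from the tls.obtain line."""
    findings, configured, remaining = [], [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = rec["fields"]
        if rec["msg"] == "challenge failed":
            findings.append(Finding(f["identifier"], f["challenge_type"],
                                    f.get("problem_type", ""),
                                    diagnose_error(f["challenge_type"], f["error"])))
        elif rec["logger"] == "tls.obtain":
            m = re.search(r"configured=\[([^\]]*)\].*remaining=\[([^\]]*)\]", f["error"])
            if m:
                configured = m.group(1).split()
                remaining = m.group(2).split()
    return {"findings": findings, "configured": configured, "remaining": remaining}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for fd in result["findings"]:
        print(f"{fd.identifier} {fd.challenge_type}: {fd.diagnosis}")
    print("configured solvers:", result["configured"], "unsolved:", result["remaining"])
```

Run against the sample, the script reports the http-01 failure as an HTML page titled "Welcome to your SWAG instance" being served after a redirect to 443, the tls-alpn-01 failure as a listener that does not speak acme-tls/1, and dns-01 as the only challenge left unsolved; both findings point at the same cause, a different service owning ports 80 and 443 on the host, which is what the later reply confirms.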

Indeed, I'm guessing the Caddy Community can help you better with this specific Caddy problem than we can.

4 Likes

It works now. My initial problem was that I wasn't verified with my data at AWS (weird, because I own other domains and those worked for the same computer).

The rest of the problem was my home computer being misconfigured (SWAG instance was some service that was started by something else, didn't have this problem on another machine). Thanks to everyone involved!

2 Likes

The first sentence in this answer was the solution for this problem. Everything afterwards was basically noise for this thread.

1 Like
