My zone does not resolve

Please fill out the fields below so we can help you better.

My domain is: estada.ch

I ran this command: certbot certonly --webroot -w /srv/letsencrypt_confirmation -d estada.ch -d www.estada.ch

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for estada.ch
http-01 challenge for www.estada.ch
Using the webroot path /srv/letsencrypt_confirmation for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. estada.ch (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: query timed out looking up A for estada.ch, www.estada.ch (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: query timed out looking up A for www.estada.ch

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: estada.ch
   Type:   connection
   Detail: DNS problem: query timed out looking up A for estada.ch

   Domain: www.estada.ch
   Type:   connection
   Detail: DNS problem: query timed out looking up A for www.estada.ch

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My web server is (include version):
Package: nginx
Version: 1.6.2-5+deb8u4
installed with apt

The operating system my web server runs on is (include version):
Debian 8 with all patches

My hosting provider, if applicable, is:
ip-projects.de

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes, and a month ago I was able to request a certificate for https://data.estada.ch

I suspect your verification service relies on Google's public DNS resolver, since they refuse to resolve my zone and the error states the same.
If not, can you flush your DNS cache? Or do you have any hints?

Regards,
dns2utf8

Let’s Encrypt does not use Google Public DNS, but their resolvers do validate DNSSEC the same as Google Public DNS.

And your domain has DNSSEC issues:
http://dnsviz.net/d/estada.ch/dnssec/

To fix it, obtain the correct DS record from your DNS provider and update it with your domain name registrar. (Alternatively, you could remove the DS record on file with your registrar, but since your DNS provider does support DNSSEC it is better to just fix it.)

On top of that, DNSViz reports other warnings and errors: some of the IP addresses seem to be down, and the glue and authoritative records for ns1.estada.ch are not consistent.

While the DNSSEC thing was a critical issue, other problems won’t help reliability.


Thank you for the hints. I have been asking my registrar for a week now to update the glue records.

About the DS record, I extract it from knot with this command:

dig @localhost dnskey estada.ch +dnssec | grep 257

As far as I understand, this will return the KSK fingerprint. Correct?

I’m no DNSSEC expert but I don’t think that works. (I checked a domain I administer that has working DNSSEC and just renewed an LE certificate earlier this week and they do not match.)

According to the documentation for the knot DNS server, you would obtain the correct DS record with the following command:

keymgr zone key ds estada.ch +active
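For readers following the DS question above: a DS record is not the KSK itself, it is the key tag, algorithm and a digest over the zone's owner name plus the DNSKEY RDATA (RFC 4034 section 5.1.4), which is why grepping the "257" line out of dig output does not give you something the registrar can accept. The script below is an added example, not code from this thread or from Knot: it parses one DNSKEY line in the form dig prints it, derives the DS record, and checks a published DS against the KSK. The DNSKEY line it uses is constructed with a fake 8-byte public key standing in for estada.ch's real key; the function names are this example's own.

```python
"""Derive a DS record from a DNSKEY line as printed by dig, then check a
published DS against it. Standard library only (RFC 4034 semantics).

Added example for the thread above; the sample key is constructed."""
import base64
import hashlib
import struct

# Constructed stand-in for one line of `dig @localhost dnskey estada.ch +dnssec`.
# Flags 257 = Zone Key + SEP, i.e. the KSK. The 8-byte key is fake; a real
# algorithm 13 (ECDSAP256SHA256) key is 64 bytes.
SAMPLE_DNSKEY_LINE = "Estada.CH. 3600 IN DNSKEY 257 3 13 AQIDBAUGBwg="

# DS digest types: 1 = SHA-1, 2 = SHA-256 (what registrars want today), 4 = SHA-384.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire format (RFC 4034 section 6.2):
    lowercase, each label length-prefixed, terminated by the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line: str):
    """Parse a presentation-format DNSKEY RR (TTL and class optional) into
    (owner, flags, protocol, algorithm, rdata_wire)."""
    fields = line.split()
    owner = fields[0]
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    return owner, flags, protocol, algorithm, rdata


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (all algorithms
    except the obsolete RSA/MD5): 16-bit ones-complement-style sum."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(line: str, digest_type: int = 2) -> str:
    """Return the DS RR text to hand to the registrar for the KSK in `line`.

    digest = H(canonical owner name || DNSKEY RDATA). Because the owner name
    is covered, the same key in a different zone yields a different DS."""
    owner, flags, _protocol, algorithm, rdata = parse_dnskey(line)
    if not flags & 0x0001:  # SEP bit clear: this is a ZSK, not what the DS points at
        raise ValueError("flags %d: not a KSK (SEP bit not set)" % flags)
    digest = DIGEST_TYPES[digest_type](canonical_name(owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (
        owner.lower().rstrip(".") + ".", key_tag(rdata), algorithm, digest_type, digest)


def ds_matches(dnskey_line: str, published_ds: str) -> bool:
    """True if a DS record (as published in the parent zone / at the registrar)
    was derived from this DNSKEY. A mismatch here is exactly the failure DNSViz
    reported above: validating resolvers treat the zone as bogus."""
    fields = published_ds.split()
    idx = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[idx + 1:idx + 4])
    if dtype not in DIGEST_TYPES:
        return False
    digest = "".join(fields[idx + 4:]).upper()
    expected = ds_record(dnskey_line, dtype).split()[-4:]
    return expected == [str(tag), str(alg), str(dtype), digest]


if __name__ == "__main__":
    print(ds_record(SAMPLE_DNSKEY_LINE))
```

In practice you would feed the real KSK line from dig into `ds_record` and compare the result with what `whois` or your registrar's control panel shows for the zone; `ds_matches` returning False means the DS at the parent does not describe the key the zone is actually signed with, and the zone is bogus to every validating resolver, not only Google's.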
