No valid IP addresses found for my domain but it can be pinged

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
cdn.233.momobako.com
I ran this command:
docker run -it --rm --name certbot -v $PWD:/etc/letsencrypt certbot/certbot certonly -d cdn.233.momobako.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cdn.233.momobako.com
Waiting for verification...
Challenge failed for domain cdn.233.momobako.com
http-01 challenge for cdn.233.momobako.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: cdn.233.momobako.com
   Type:   dns
   Detail: No valid IP addresses found for cdn.233.momobako.com

My web server is (include version):
temporary webserver by certbot
The operating system my web server runs on is (include version):
ubuntu 20
My hosting provider, if applicable, is:
aliyun
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
docker certbot/certbot


The domain I'm trying to get a cert for can be resolved by ping and by https://check-your-website.server-daten.de/?q=cdn.233.momobako.com,
but I got this error.

1 Like

Do you still get this error if you try again?

1 Like

Yes, actually I have tried both the HTTP way and the DNS way over 5 times since yesterday; neither worked. The manual DNS way got a similar result:

Waiting for verification...
Challenge failed for domain cdn.233.momobako.com
dns-01 challenge for cdn.233.momobako.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: cdn.233.momobako.com
   Type:   dns
   Detail: DNS problem: SERVFAIL looking up TXT for
   _acme-challenge.cdn.233.momobako.com - the domain's nameservers may
   be malfunctioning

1 Like

Nada from my end or Let's Debug.

1 Like

This web page isn't online yet, the temp server set up by certbot is closed, and the _acme-challenge DNS record I manually added has been deleted by me, but I'm sure both my PC and some online DNS lookup services could read that record before. The problem is that the domain can't be resolved by Let's Encrypt.

1 Like

This has been happening a lot lately. dig works, yet SERVFAIL.

1 Like

So it looks like there is a DNSSEC problem with the referral from momobako.com to 233.momobako.com, but it's a bit over my head.

I have been able to intermittently reproduce it on the tools mentioned above:

Edit: removed unhelpful speculation :slight_smile:

3 Likes

Yeah, 233.momobako.com is a sub-domain my friend gave me. The sub-domain is a feature of Aliyun; it may have some special issues...

I think this might have something to do with Aliyun, as you suggest.

Unbound (Let's Encrypt's DNS resolver) might be tripping up on the fact that both sets of nameservers appear to be authoritative for momobako.com, but only one set signs responses for it:

$ dig +norecurse +dnssec +noall +answer @vip3.alidns.com momobako.com soa
momobako.com.           600     IN      SOA     vip1.alidns.com. hostmaster.hichina.com. 2019040814 3600 1200 86400 360
momobako.com.           600     IN      RRSIG   SOA 13 2 600 20201016085052 20201014065052 56113 momobako.com. L67OV5Yp14D58SDv5ip/kVZuP/7djAmDQCKo13A1J09/CWQuwZowTjLC AAmFnDmsq7lonCyegJqw8MFDaDlbvQ==

vs

$ dig +norecurse +dnssec +noall +answer @ns1.alidns.com momobako.com soa
momobako.com.           600     IN      SOA     dns27.hichina.com. hostmaster.hichina.com. 2019040814 3600 1200 86400 360

It might explain why it's an intermittent failure, because it depends on how the resolver is caching the delegations. And also why dnsviz.net doesn't seem to mind - different validation behavior.

Since this isn't your domain, I don't think there's anything you can do about it. Your friend could fix the nameserver setup or disable DNSSEC on the domain entirely to make it work ...

2 Likes
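A way to check the inconsistency described in the post above across all of a zone's nameservers, as an added example (Python; not code from the thread or from Let's Encrypt): it parses the answer section of `dig +norecurse +dnssec +noall +answer @<ns> momobako.com soa` collected from each server and reports when one server returns an RRSIG and another does not, or when the SOA MNAME differs. `SAMPLE` is constructed from the two dig outputs quoted above, with the signature bytes shortened to a placeholder; the function and variable names are my own.

```python
# Added example (not from the thread): given the answer section each
# authoritative nameserver returns for the zone's SOA, flag the two
# inconsistencies the post above describes: one server set signs
# (returns RRSIG), the other does not, and the SOA MNAME differs.
# Input is dig '+noall +answer' text. SAMPLE is constructed from the
# thread's output; the RRSIG signature bytes are shortened to a placeholder.

SAMPLE = {
    "vip3.alidns.com": (
        "momobako.com.  600  IN  SOA  vip1.alidns.com. hostmaster.hichina.com. "
        "2019040814 3600 1200 86400 360\n"
        "momobako.com.  600  IN  RRSIG  SOA 13 2 600 20201016085052 "
        "20201014065052 56113 momobako.com. L67OV5Yp...==\n"
    ),
    "ns1.alidns.com": (
        "momobako.com.  600  IN  SOA  dns27.hichina.com. hostmaster.hichina.com. "
        "2019040814 3600 1200 86400 360\n"
    ),
}


def parse_answer(text):
    """Map record type -> list of RDATA strings from dig '+noall +answer' lines."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        # Expected shape: owner ttl class type rdata...; skip anything else.
        if len(fields) < 5 or fields[2] != "IN":
            continue
        rtype, rdata = fields[3], " ".join(fields[4:])
        records.setdefault(rtype, []).append(rdata)
    return records


def check_consistency(answers):
    """answers: {nameserver: dig answer text}. Return a list of findings.

    An empty list means every server agrees on the SOA and on whether the
    zone is signed, which is what a validating resolver needs to see.
    """
    parsed = {ns: parse_answer(text) for ns, text in answers.items()}
    findings = []

    # Check 1: do all servers agree on whether the zone is signed?
    signed = sorted(ns for ns, recs in parsed.items() if "RRSIG" in recs)
    unsigned = sorted(ns for ns, recs in parsed.items() if "RRSIG" not in recs)
    if signed and unsigned:
        findings.append(
            f"RRSIG returned by {signed} but not by {unsigned}: if the parent "
            "publishes a DS for this zone, a validating resolver that happens "
            "to ask an unsigned server treats the answer as bogus and returns "
            "SERVFAIL, so the failure is intermittent"
        )

    # Check 2: compare the SOA MNAME (first RDATA token). The thread shows
    # vip1.alidns.com. on one server and dns27.hichina.com. on the other.
    mnames = {
        ns: recs["SOA"][0].split()[0]
        for ns, recs in parsed.items()
        if "SOA" in recs
    }
    if len(set(mnames.values())) > 1:
        findings.append(f"SOA MNAME differs between servers: {mnames}")

    return findings


if __name__ == "__main__":
    for finding in check_consistency(SAMPLE) or ["no inconsistency found"]:
        print("-", finding)
```

To run this against a live zone, collect one answer per server from both the nameservers listed in the zone itself (`dig +short NS momobako.com`) and those in the parent's referral, since the point of the post is that the two sets differ; feeding only one set would hide the problem.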

Thank you! I'll try to contact aliyun then.

1 Like

It seems that Aliyun performed some magic and this issue is gone :grin:

The issue appears to remain.
You may have just gotten lucky and unbound hit the one DNS that works.
[50/50 chance]

Step #1: Have your friend update the glue records for the DNS servers of his domain.
See: https://dnsviz.net/d/cdn.233.momobako.com/dnssec/