Problem requesting certificate for domain

My domain is: webmail.recomsa.com.pa

I ran this command:

certbot certonly --manual

It produced this output:

Challenge failed for domain webmail.recomsa.com.pa
http-01 challenge for webmail.recomsa.com.pa
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: webmail.recomsa.com.pa
Type: dns
Detail: During secondary validation: DNS problem: query timed out
looking up A for webmail.recomsa.com.pa

My web server is (include version):
apache 2.4

The operating system my web server runs on is (include version):
opensuse 15.1

My hosting provider, if applicable, is:
IONOS

I can login to a root shell on my machine (yes or no, or I don't know):
yes, I have root access

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.14.0

From the error it seems like a DNS resolve issue, but I've checked with several online DNS checkers and all resolve ok to my domain. I also noticed that there is "Planned Maintenance in Progress" with the status checker of your service, is it possible this is related to that?

Thanks

I see some weird delegation errors with DNSViz:

https://dnsviz.net/d/webmail.recomsa.com.pa/dnssec/

  • pa to com.pa: No delegation NS records were detected in the parent zone (pa). This results in an NXDOMAIN response to a DS query (for DNSSEC), even if the parent servers are authoritative for the child.
  • com.pa to recomsa.com.pa: The following NS name(s) were found in the delegation NS RRset (i.e., in the com.pa zone), but not in the authoritative NS RRset: ns1.dopate.com

Which I'm not sure are your problem, but probably aren't helping anything. Are you sure your DNS servers (both ns1.dopate.com and ns2.dopate.com) are configured properly?

No, that's just that ACME v1 is going away, and not related to your issue.

mm ok, I'll check with my DNS provider then, I only have access to my registers through a cPanel interface, but from what you're describing the issue is in a higher DNS level

I checked with the DNS service I have and they inform me the problem reported from DNSViz might be that their network is not in the range of the VPS provider I use. I have a domain name registered in Panama that points to a VPS service from the IONOS hosting provider. Is this a limitation for requesting an SSL certificate from LetsEncrypt? It worked ok back in January 2021.

Thanks

I'm not quite sure what that means. The message from Let's Encrypt is that the DNS servers aren't responding to their queries, and the report from DNSViz is that your DNS delegation isn't consistent (what com.pa says your NS servers are doesn't line up with what the recomsa.com.pa zone says your NS servers are). I don't think any of that is related to your VPS, but to your DNS servers. Are you running your own DNS server on your VPS?

There shouldn't be any such limitations, as long as your nameservers are configured correctly and are returning results to Let's Encrypt when its system queries them.

No, I'm not, the DNS provider in Panama just lets me edit the registers:

and these

Hi @teratux

"secondary validation" is the key.

That means: The primary Letsencrypt servers are able to check your dns.

The secondary are blocked.

Reading your check - some days old - webmail.recomsa.com.pa - Make your website better - DNS, redirects, mixed content, certificates

You have two name servers - 184.154.31.115 and 184.154.31.116, that's bad, both in the same subnet.

So

  • you may have a regional filter that blocks some secondary Letsencrypt validation servers
  • your system may see too many queries, there is something like a bot detection that blocks.
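The two configuration points raised in this thread, the parent/child NS mismatch reported by DNSViz and the two nameservers sitting in one subnet, can be checked offline once you have the two NS RRsets and the server addresses (e.g. from `dig NS recomsa.com.pa @<a com.pa server>` versus `dig NS recomsa.com.pa @ns2.dopate.com`). The script below is an added example, not code from the thread or from Let's Encrypt; the NS sets and addresses are constructed from the values quoted above, and a real run would substitute the live query results.

```python
import ipaddress
from typing import Dict, List, Set

# Constructed sample data modelled on the thread (not live query results):
# the parent zone (com.pa) delegates to two names, the zone's own NS RRset
# lists only one of them, and both servers sit in the same IPv4 /24.
PARENT_NS: Set[str] = {"ns1.dopate.com", "ns2.dopate.com"}
ZONE_NS: Set[str] = {"ns2.dopate.com"}
NS_ADDRS: Dict[str, List[str]] = {
    "ns1.dopate.com": ["184.154.31.115"],
    "ns2.dopate.com": ["184.154.31.116"],
}


def delegation_mismatch(parent_ns: Set[str], zone_ns: Set[str]) -> Dict[str, List[str]]:
    """Names that appear in only one of the two NS RRsets (the DNSViz warning)."""
    return {
        "only_in_parent": sorted(parent_ns - zone_ns),
        "only_in_zone": sorted(zone_ns - parent_ns),
    }


def shared_subnets(ns_addrs: Dict[str, List[str]],
                   v4_prefix: int = 24, v6_prefix: int = 48) -> Dict[str, List[str]]:
    """Subnets hosting more than one nameserver: one outage or one filter rule hits them all."""
    by_net: Dict[str, Set[str]] = {}
    for name, addrs in ns_addrs.items():
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            prefix = v6_prefix if ip.version == 6 else v4_prefix
            net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
            by_net.setdefault(str(net), set()).add(name)
    return {net: sorted(names) for net, names in by_net.items() if len(names) > 1}


def audit(parent_ns: Set[str], zone_ns: Set[str],
          ns_addrs: Dict[str, List[str]]) -> List[str]:
    """Human-readable findings; an empty list means both checks passed."""
    findings: List[str] = []
    for side, names in delegation_mismatch(parent_ns, zone_ns).items():
        if names:
            findings.append(f"NS {side.replace('_', ' ')}: {', '.join(names)}")
    for net, names in shared_subnets(ns_addrs).items():
        findings.append(f"nameservers {', '.join(names)} all within {net}")
    return findings


if __name__ == "__main__":
    for line in audit(PARENT_NS, ZONE_NS, NS_ADDRS):
        print("WARNING:", line)
```

Neither finding proves that a validation vantage point is being filtered, but a clean result from both checks removes the two causes the thread could see from the outside.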

I'm kind of in a limbo here, I managed to successfully request a certificate in January but the request again in April failed. The DNS service in Panama insists it's not their fault, is it possible that LetsEncrypt included the secondary check recently and SSL certificates don't get issued if the DNS and the host provider are not in the same geographical regions?

The only possible issue "geographical regions" might have is if your dns server has some sort of firewall that blocks traffic based on geographical regions, or if your dns server is only routable from certain regions. Let's Encrypt validates that your systems are reachable from several vantage points around the world, and has done so for over a year. If your DNS server can't get traffic from Let's Encrypt's servers then you won't be able to get a Let's Encrypt certificate. (Similarly, if traffic from other CAs can't get to your servers, they won't be able to validate you either, and if users can't get to your DNS servers then your users won't be able to get to you.)

While I don't think it's related to the error you're getting, your AAAA record for webmail.recomsa.com.pa is a link-local fe80:: address, not a globally-routable address, so I don't think an HTTP challenge could work anyway, even if Let's Encrypt could get to your DNS servers.

Hi @petercooperjr

that's not relevant.

Such addresses are ignored.


@JuergenAuer @petercooperjr decided today to give it another go and it worked. Nothing changed with the DNS provider, and nothing on my part on the VPS. Don't really know what happened.

I think your dns provider has tested and changed some firewall rules.

That's a general problem. Most users use dns services, don't run their own (me too), but if the dns provider has some filters, that may be critical, because Letsencrypt doesn't use cached results.

Instead, the authoritative name servers are checked -> some traffic -> block.


Is there any way I can check this publicly to ask them and make sure I have no further issues in the future?


No, you can't. But you see the changed result, now you have a certificate.

So it was

  • a temporary Letsencrypt problem (< 1 %), but the problem was "temporary permanent",
  • your dns provider has changed something

You can tell your provider: "No it has worked. Any changes?"

If they are really good, they will tell you the "real problem".

But there are a lot of companies from which you would never read such an answer: "Our configuration blocked secondary Letsencrypt servers".


ok, thank you for your support :+1:
