Problem with renovations (DNS?)

Hello, I'm having problems with my renovations.

When I follow the problem report I see this:

https://acme-v02.api.letsencrypt.org/acme/chall-v3/8144997602/4faz3Q

"detail": "DNS problem: SERVFAIL looking up A for un3.dna.uba.ar - the domain's nameservers may be malfunctioning",

If I look up the domain in the Let's Debug tool, I see another problem:

DNSLookupFailed

FATAL
A fatal issue occurred during the DNS lookup process for un3.dna.uba.ar/CAA.
DNS response for un3.dna.uba.ar/CAA did not have an acceptable response code: SERVFAIL

But when I look up my domains they seem to work fine:

id 40522 opcode QUERY rcode NOERROR flags QR RD RA
;QUESTION
un3.dna.uba.ar. IN A
;ANSWER
un3.dna.uba.ar. 21599 IN A 168.96.248.12
;AUTHORITY
;ADDITIONAL

What am I missing? This worked fine for more than a year. It automatically renews so I'm not even sure when it started to fail.

Please help :)

Thanks

J

I included the standard report below:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: afrodita.dna.uba.ar / cloud.dna.uba.ar

I ran this command:

This is OpenBSD

acme-client -vv afrodita.dna.uba.ar

It produced this output:

afrodita:/root{21}# acme-client -vv afrodita.dna.uba.ar
acme-client: acme-client: acme-client: /etc/acme/letsencrypt-privkey.pem: loaded account key
/etc/ssl/private/afrodita.dna.uba.ar.key: loaded domain key/etc/ssl/afrodita.dna.uba.ar.fullchain.pem: certificate renewable: 9 days left

acme-client: https://acme-v02.api.letsencrypt.org/directory: directories
acme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248
acme-client: transfer buffer: [{ "1rrC13s-3KA": "Adding random entries to the directory", "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org" }, "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct", "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce", "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order", "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert" }] (658 bytes)
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: transfer buffer: [{ "key": { "kty": "RSA", "n": "21oQK1EsYW9RG0ATgTL9LgOHYdf3ouHLPtNsCydkxAsE6EgKwM7lKrzBMh4nuf_HlwnvpgY2DJ_yHU0mmXW3OuR9JU7paqXd7MV_jbQt_M8zruA0gtXcGoydBOeC8UpqoWuEIg2PytK-CAluLrAvFGc941j1Rcr0BKlWlqbc4MyxjZ3tIs3eZ5JwHL2W0iBg6G2AL8AZSD5YpoE4EjnpSwXeJtS9tR0Z6__IraeBt20s5MmH8a_3UqGvhLjCBvxmt-uOpDBECOLm3oZzuZjp8E6YUtTfP2K5xzigOh-nPtCO4euymYro3VJaskxP9ics-lEV9UEhOOAWiCqsQ4pjWzrozpiIrM2w0XDwPcoymU4Wsry75yFU5PPpl2oEYsXzs1ZrEwqxc7_Fy9JdON-2mOnlyyeg0DB87tY4K-e-JjukgANMdap14IQPKCK6Oh3ueBGSZo3lkwIYAxmuHBAx-bjx0g7JI_SmZ83Db8ewWiuiLC0WCWpcIBuxd1A5J0l6mNHbRmIFKrxzS0om5C_cQ0pISBAgqh2GwwdNNEChLf3O49Bq3yjdRldeRJfbjqIrDnrvIQ5pUjazLvasuFtxRNxx7kXmwGnEhfnluT0ovZCoiuTTjBVOQsQDMls8yMMkmZkpmM7a7CbmCFKVCapnsb7kEcSnk7F6QQprN85Crt8", "e": "AQAB" }, "contact": , "initialIp": "168.96.248.12", "createdAt": "2017-05-25T00:10:02Z", "status": "valid" }] (857 bytes)
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: transfer buffer: [{ "status": "pending", "expires": "2020-11-02T02:53:31.79906508Z", "identifiers": [ { "type": "dns", "value": "afrodita.dna.uba.ar" }, { "type": "dns", "value": "un3.dna.uba.ar" } ], "authorizations": [ "https://acme-v02.api.letsencrypt.org/acme/authz-v3/8145018029", "https://acme-v02.api.letsencrypt.org/acme/authz-v3/8145018035" ], "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/15506422/5875288778" }] (483 bytes)
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/8145018029
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "afrodita.dna.uba.ar" }, "status": "pending", "expires": "2020-11-02T02:53:31Z", "challenges": [ { "type": "http-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/8145018029/zmCPrQ", "token": "ZqlJzId6cRP5TRe94VqOm4qrKMD7BIlKq6GRpU4s5lg" }, { "type": "dns-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/8145018029/Ww4OzA", "token": "ZqlJzId6cRP5TRe94VqOm4qrKMD7BIlKq6GRpU4s5lg" }, { "type": "tls-alpn-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/8145018029/ukPhtA", "token": "ZqlJzId6cRP5TRe94VqOm4qrKMD7BIlKq6GRpU4s5lg" } ] }] (797 bytes)
acme-client: challenge, token: ZqlJzId6cRP5TRe94VqOm4qrKMD7BIlKq6GRpU4s5lg, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/8145018029/zmCPrQ, status: 0
acme-client: /var/www/acme/ZqlJzId6cRP5TRe94VqOm4qrKMD7BIlKq6GRpU4s5lg: created
acme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/8145018029/zmCPrQ: challenge
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/8145018029/zmCPrQ", "token": "ZqlJzId6cRP5TRe94VqOm4qrKMD7BIlKq6GRpU4s5lg" }] (185 bytes)
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/8145018035
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "un3.dna.uba.ar" }, "status": "pending", "expires": "2020-11-02T02:53:31Z", "challenges": [ { "type": "http-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/8145018035/PN07ew", "token": "QdRYHz6IfJ_xjgdZ0U9HqtXq2R5abIxeYnvkhVUjPxA" }, { "type": "dns-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/8145018035/gUbV9w", "token": "QdRYHz6IfJ_xjgdZ0U9HqtXq2R5abIxeYnvkhVUjPxA" }, { "type": "tls-alpn-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/8145018035/52PhxA", "token": "QdRYHz6IfJ_xjgdZ0U9HqtXq2R5abIxeYnvkhVUjPxA" } ] }] (792 bytes)
acme-client: challenge, token: QdRYHz6IfJ_xjgdZ0U9HqtXq2R5abIxeYnvkhVUjPxA, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/8145018035/PN07ew, status: 0
acme-client: /var/www/acme/QdRYHz6IfJ_xjgdZ0U9HqtXq2R5abIxeYnvkhVUjPxA: created
acme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/8145018035/PN07ew: challenge
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: acme-v02.api.letsencrypt.org: cached
34.211.6.84 - - [25/Oct/2020:23:53:37 -0300] "GET /.well-known/acme-challenge/ZqlJzId6cRP5TRe94VqOm4qrKMD7BIlKq6GRpU4s5lg HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/8145018035/PN07ew", "token": "QdRYHz6IfJ_xjgdZ0U9HqtXq2R5abIxeYnvkhVUjPxA" }] (185 bytes)
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: acme-v02.api.letsencrypt.org: cached
3.128.26.105 - - [25/Oct/2020:23:53:39 -0300] "GET /.well-known/acme-challenge/QdRYHz6IfJ_xjgdZ0U9HqtXq2R5abIxeYnvkhVUjPxA HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: transfer buffer: [{ "status": "invalid", "expires": "2020-11-02T02:53:31Z", "identifiers": [ { "type": "dns", "value": "afrodita.dna.uba.ar" }, { "type": "dns", "value": "un3.dna.uba.ar" } ], "authorizations": [ "https://acme-v02.api.letsencrypt.org/acme/authz-v3/8145018029", "https://acme-v02.api.letsencrypt.org/acme/authz-v3/8145018035" ], "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/15506422/5875288778" }] (474 bytes)
acme-client: order.status -1
acme-client: bad exit: netproc(33373): 1

My web server is (include version):
apache 2.4.39

The operating system my web server runs on is (include version):

OpenBSD

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

OpenBSD's 6.8 acme-client

2 Likes

Looks like there are a couple of issues with the nameserver setup.

For example:

  • ns3.uba.ar only exists as a glue record, but not on the nameservers authoritative for uba.ar.
  • proteus.dna.uba.ar doesn't respond to DNS queries, but is listed as an authoritative nameserver for dna.uba.ar.
  • 190.216.2.134.uba.ar doesn't resolve, but is listed as an authoritative nameserver for dna.uba.ar.

Any of these, or a combination of them, may be tripping up the Let's Encrypt resolver.

5 Likes
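
The three kinds of delegation fault listed in the reply above, as an added example that is not part of the original thread: a Python check that compares the NS set published by the parent with the zone's own NS set, then probes each listed server. The zone name, nameserver names, addresses and the two lookup stubs are all constructed for illustration; in real use the stubs would be replaced by live DNS queries.

```python
from typing import Callable, List, Set, Tuple

Finding = Tuple[str, str]  # (nameserver, problem code)

def audit_delegation(zone: str, parent_ns: Set[str], child_ns: Set[str],
                     resolve: Callable[[str], List[str]],
                     is_authoritative: Callable[[str, str], bool]) -> List[Finding]:
    """Report nameservers showing the delegation faults described in the thread."""
    findings: List[Finding] = []
    for ns in sorted(parent_ns | child_ns):
        # The NS sets should match on both sides of the zone cut.
        if ns not in child_ns:
            findings.append((ns, "parent-only"))
        elif ns not in parent_ns:
            findings.append((ns, "child-only"))
        addrs = resolve(ns)
        if not addrs:
            # The NS name has no address, so it can never be queried.
            findings.append((ns, "unresolvable"))
        elif not any(is_authoritative(ip, zone) for ip in addrs):
            # Listed as authoritative but silent or not authoritative (lame).
            findings.append((ns, "lame"))
    return findings

# --- Constructed sample data (documentation names and addresses only) ---
ZONE = "dna.example."
PARENT_NS = {"ns1.example.", "ns3.example.", "lame.dna.example.", "192.0.2.134.example."}
CHILD_NS = {"ns1.example.", "lame.dna.example.", "192.0.2.134.example."}
ADDRESSES = {"ns1.example.": ["192.0.2.1"], "ns3.example.": ["192.0.2.3"],
             "lame.dna.example.": ["192.0.2.53"]}
AUTHORITATIVE = {("192.0.2.1", ZONE), ("192.0.2.3", ZONE)}

def sample_resolve(name: str) -> List[str]:
    """Hypothetical stub standing in for an A/AAAA lookup of the NS name."""
    return ADDRESSES.get(name, [])

def sample_is_authoritative(ip: str, zone: str) -> bool:
    """Hypothetical stub standing in for a non-recursive SOA query to ip."""
    return (ip, zone) in AUTHORITATIVE

def sample_findings() -> List[Finding]:
    return audit_delegation(ZONE, PARENT_NS, CHILD_NS,
                            sample_resolve, sample_is_authoritative)

if __name__ == "__main__":
    for ns, problem in sample_findings():
        print(f"{ns:24} {problem}")
```
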

Here is that same information but a bit more graphical:


3 Likes