Renewal fails, A Record lookup error

Setup:

ArchLinux

  • nginx 1.18.0

  • certbot-nginx 1.3.0

  • certbot 1.3.0

  • Hoster: netcup

  • Root access: yes

  • Webadmin panel or something: no

  • Nameservers serving multiple domains

  • All nameservers configured the same

  • All domains configured basically the same

  • All domains and their subdomains point to the same server.

  • All domains have DNSSEC configured, but insecure as I just noticed. DNSSEC keys are 2048 bit (4096 seemed like a problem according to Query timeout with DNSSEC enabled)

  • Nameservers have both IPv4 and IPv6 addresses.

  • No firewalls of any type in front of either the webserver or the nameservers

Some of the domains and subdomains fail renewal. For simplicity (since I think it’s the same root cause for all of them), let’s just consider the following:

lynxcore.org (works, according to https://letsdebug.net/lynxcore.org/133747)
angeliquelang.com (fails with DNS problem: query timed out looking up A for angeliquelang.com, according to )

Same error with certbot renew.

From anywhere else I checked, the DNS records seem fine and the Nameservers can be accessed.

This has been going on since Sunday, May 03 12:17 AM german time.

I’m a bit stumped, to be honest. Any ideas on how I can debug this further? Or maybe there’s something wrong on the LE end?

Certbot call:

certbot renew --agree-tos --cert-name angeliquelang.com                    [ 19:11 ]
Saving debug log to /var/log/letsencrypt/letsencrypt.log                            

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/angeliquelang.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for angeliquelang.com
2020/05/06 19:11:47 [notice] 390254#390254: signal process started
Waiting for verification...
Challenge failed for domain angeliquelang.com
http-01 challenge for angeliquelang.com
Cleaning up challenges
2020/05/06 19:12:23 [notice] 390304#390304: signal process started
Attempting to renew cert (angeliquelang.com) from /etc/letsencrypt/renewal/angeliquelang.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/angeliquelang.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/angeliquelang.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: angeliquelang.com
   Type:   dns
   Detail: DNS problem: query timed out looking up A for
   angeliquelang.com

Hi @lynxcore

there is a check of your domain - https://check-your-website.server-daten.de/?q=angeliquelang.com

Used these IP addresses to test your name servers manually. A-records worked.

But then:

D:\temp>nslookup -type=AAAA angeliquelang.com. 37.221.193.109
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 37.221.193.109

Name: angeliquelang.com
Address: 2a03:4000:8:4c9::1

Doing it again it worked. Looks like there are some temporary problems with your configuration. Normally using raw ip addresses shouldn’t have a timeout.

Name servers = your webserver. Are there enough resources?

Whenever I tried lookups, I got instant responses. Tried using watch -n 0.1 dig angeliquelang.com.

Resources should be enough (8 cores, 64GB RAM, utilization on average ~10% CPU and ~8GB RAM).

HOWEVER, while pondering what the hell is going on I noticed abysmally poor I/O performance, and subsequently noticed that my hoster wants me to optimize storage, which I'm now doing. Will report back once that's finished. Until that's through the server is offline, so if anyone tries debugging between now and my next post, you'll get no results.
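The two posts above probe the name servers in different ways: one with nslookup against a raw server IP (which timed out once and then succeeded), the other with a tight loop of dig from the server itself. Neither mirrors what a validating resolver such as Let's Encrypt's actually sends, which is a query with EDNS0 and the DO bit set (so DNSSEC signatures come back and responses grow), over IPv4 and IPv6, with a retry over TCP when the UDP answer is truncated. The script below is an added example written for this page, not code from anyone in the thread. It builds raw DNS queries with and without the DO bit, fires them repeatedly at each listed server IP, records timeouts, response sizes and rcodes, and falls back to TCP on truncation. The server IPs and the sample response bytes in the tests are constructed; the `QTYPES`, `probe` and `summarize` names are this example's own.

```python
"""Probe authoritative name servers the way a validating resolver would.

Added example (not from the original thread): raw DNS queries over UDP, with
optional EDNS0 + DO bit as a DNSSEC-validating resolver sends them, repeated
per server IP to catch intermittent timeouts, with a TCP fallback on TC=1.
"""
import random
import socket
import struct
import time

QTYPES = {"A": 1, "AAAA": 28, "DNSKEY": 48}

def build_query(name, qtype, dnssec=True, udp_size=1232):
    """Return (id, wire-format query). RD=0, like a resolver asking an authoritative."""
    qid = random.randrange(0, 1 << 16)
    header = struct.pack(">HHHHHH", qid, 0, 1, 0, 0, 1 if dnssec else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)  # class IN
    opt = b""
    if dnssec:
        # OPT pseudo-RR: root owner name, TYPE 41, CLASS = advertised UDP payload
        # size, TTL field = ext-rcode, version, flags with DO (0x8000), RDLEN 0.
        opt = b"\x00" + struct.pack(">HHBBHH", 41, udp_size, 0, 0, 0x8000, 0)
    return qid, header + question + opt

def parse_response(data, expected_id):
    """Decode the 12-byte header: enough to judge rcode, truncation and size."""
    if len(data) < 12:
        raise ValueError("response shorter than a DNS header")
    rid, flags, _qd, an, _ns, ar = struct.unpack(">HHHHHH", data[:12])
    if rid != expected_id:
        raise ValueError("response id does not match query id")
    return {"rcode": flags & 0x000F, "tc": bool(flags & 0x0200),
            "aa": bool(flags & 0x0400), "answers": an, "additional": ar,
            "size": len(data)}

def _family(ip):
    return socket.AF_INET6 if ":" in ip else socket.AF_INET

def udp_query(server, query, timeout):
    with socket.socket(_family(server), socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    return data

def tcp_query(server, query, timeout):
    """DNS over TCP: two-byte length prefix on both request and response."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(query)) + query)
        hdr = s.recv(2)
        if len(hdr) < 2:
            raise ValueError("short TCP length prefix")
        (length,) = struct.unpack(">H", hdr)
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return data

def probe(server, name, qtype, dnssec=True, tries=5, timeout=2.0):
    """Query one server repeatedly; return one result dict per attempt."""
    results = []
    for _ in range(tries):
        qid, q = build_query(name, QTYPES[qtype], dnssec)
        t0 = time.monotonic()
        try:
            r = parse_response(udp_query(server, q, timeout), qid)
            if r["tc"]:  # truncated: resolvers retry over TCP, so do the same
                r = parse_response(tcp_query(server, q, timeout), qid)
                r["via"] = "tcp"
            else:
                r["via"] = "udp"
            r["rtt_ms"] = round((time.monotonic() - t0) * 1000, 1)
        except (OSError, ValueError) as e:  # socket.timeout is an OSError
            r = {"error": type(e).__name__}
        results.append(r)
    return results

def summarize(results):
    """(timeouts/errors, successes, largest response size in bytes)."""
    failed = sum(1 for r in results if "error" in r)
    sizes = [r["size"] for r in results if "size" in r]
    return failed, len(results) - failed, max(sizes, default=0)

if __name__ == "__main__":
    import sys
    # Usage: python probe_ns.py <ns-ipv4> <ns-ipv6> -- angeliquelang.com
    servers, name = sys.argv[1:sys.argv.index("--")], sys.argv[-1]
    for ip in servers:
        for qt in ("A", "AAAA", "DNSKEY"):
            for dnssec in (False, True):
                failed, ok, biggest = summarize(probe(ip, name, qt, dnssec))
                print(f"{ip:40} {qt:6} DO={int(dnssec)} fail={failed} ok={ok} max={biggest}B")
```

Run it from a host outside the hoster's network as well as from the server itself: a DO=1 row that fails while the DO=0 row succeeds points at response size or fragmentation rather than at the server being down, and a failure on the IPv6 address alone points at the v6 path, neither of which a plain `dig` from localhost will show.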

So, my changes yesterday did nothing; however, today everything works again. So whatever it was - intermediate problem with my hoster's network, problem on LE's end, something weird with the server, I don't know, but the problem went away, so this can be closed.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.