Renewal issue - query timed out looking up A record

We're encountering a timeout error from the certbot client while trying to renew one of our certificates. The domain is active and unchanged since issuing the certificate, and all DNS checks show the A record is set correctly, as it has been for months.

My domain is: shinobiselfdefense.com

I ran this command: certbot certonly --webroot -w /var/www/html -d shinobiselfdefense.com -d www.shinobiselfdefense.com

It produced this output:
Domain: shinobiselfdefense.com
Type: dns
Detail: DNS problem: query timed out looking up A for
shinobiselfdefense.com

Domain: www.shinobiselfdefense.com
Type: dns
Detail: DNS problem: query timed out looking up A for
www.shinobiselfdefense.com

My web server is (include version): nginx/1.18.0

The operating system my web server runs on is (include version): Ubuntu 20.04 LTS

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

I'm almost certain that the cPanel server, which hosts your DNS zone, is blocking Let's Encrypt's validation servers.

(Your domain's nameservers are ns1.skyfyhost.com/ns2.skyfyhost.com, both of which are actually the judas.uswebhost.com WHM/cPanel server).

You need to ask your DNS host (not Linode, but the owner of judas.uswebhost.com) about this. Alternatively, move your domain to different DNS hosting. Linode has some free DNS hosting you can use.


We don't actually own the domain - we provide web hosting through Linode, and the domain owner sets their A record to our IP where we serve their website and set up their certificate. I'll reach out to them with this information - however, is this a new issue? There was no problem issuing the certificate 2 months ago with the same setup.

Sounds like it.

Firewall/blocking issues can be tricky to manage because they can be triggered by automated rules. On WHM/cPanel, there is some software called csf which is notorious for automatically blocking addresses that send too many packets, if configured a certain way. It's plausible that the Let's Encrypt validation servers' DNS traffic set it (or something like it) off.


Got it, thanks for the info - we'll relay this information to the domain owner and see if that's the case.


I have a valid certificate for the domain shinobiselfdefense.com on the judas .... server. Is there another way it can be verified to resolve this issue? CNAME update for example.

I don't think so, no.

Apart from getting judas to unblock Let's Encrypt, my prior suggestion is probably the only other way to fix this on a DNS level:

Judas is Namehero. We have Let's Encrypt certificates on mail.shinobiselfdefense.com and other subdomains with no issues. I deleted those certs and got new certs with no issues via Let's Encrypt. Would this not be via the same DNS you are saying is an issue? Namehero says DNS is not blocked.

They further said DNS resolves to Linode, which is because we have an A record pointing to the Linode IP that the website is hosted on.

Are you sure?

The last Let's Encrypt certificate issued for your domain was back in May - 3 months ago.

Since then, all of the certificates for your domain have come from cPanel's certificate authority (Sectigo). You can check here: crt.sh | shinobiselfdefense.com.

I'm pretty sure that they are mistaken.

I've tested it and neither DNS (port 53) nor HTTP (port 80) traffic is able to get from Let's Encrypt to judas.

Unfortunately, it doesn't matter.

In order to find out that your domain has an A record pointing to Linode, Let's Encrypt has to first query judas for that information.

Since Let's Encrypt is unable to talk to judas at all, nothing works.


Thanks for that detail. I think this will help.

