Renewal suddenly fails with varying DNS errors which I cannot reproduce with unboundtest.com

Problem description

Everything worked previously and I don’t think I made any changes. My DNS configuration has remained the same over the last few months if I remember correctly. When renewing a certificate, it now fails with one of three errors (4/6 times picking the CAA error and always taking a while):

  • DNS problem: query timed out looking up CAA for www.lgms.nl
  • No valid IP addresses found for www.lgms.nl
  • DNS problem: query timed out looking up A for www.lgms.nl

This happened:

  • When autorenewing on January 1st (giving the CAA error)
  • When autorenewing on Janary 11th (giving the CAA error)
  • Today when debugging it (giving various errors when I issue the exact same command).

I tried to debug the issue using various tools linked in various threads:

  • When querying my domain manually (using dig), it works fine. I tried:
    • dig -4 caa www.lgms.nl @nszero1.axc.nl
    • dig -6 caa www.lgms.nl @nszero1.axc.nl
    • dig -4 a www.lgms.nl @nszero1.axc.nl
    • dig -6 a www.lgms.nl @nszero1.axc.nl
    • Same for my other nameserver (nszero2.axc.nl)
    • Using my ISP’s resolver rather than directly asking the authoritative nameserver.
    • Checking all domains I’m trying to get a certificate for by using: echo lgms.nl,lucgommans.nl,www.lgms.nl,www.lucgommans.nl,smtp.lgms.nl,imap.lgms.nl,roundcube.lgms.nl,roundcube.lucgommans.nl | tr , \\n | while read line; do echo -n $line\ ; dig +short caa $line @nszero1.axc.nl; done, trying the variations of a instead of caa and adding -4 or -6.
  • Using unboundtest.com, resolving both A and CAA records works fine (there is no AAAA at the moment).
  • Using https://intodns.com/lgms.nl everything is either green (good) or blue (info). It successfully resolves the domain and there are no timeouts.
  • Using https://dnssec-analyzer.verisignlabs.com/www.lgms.nl the DNSSEC seems to check out.
  • Using https://dnsviz.net/d/www.lgms.nl/dnssec/ the DNSSEC seems to check out aside from some warning between root and the nl. zone.
  • Using https://check-your-website.server-daten.de/?q=lgms.nl everything relevant seems to check out as well, reporting that it sent 1 query and no retries both for the www and non-www variants.

I don’t know where else to look. Everyone can reach my domain, websites that are meant to check every detail also return successfully, it’s only Let’s Encrypt’s servers that seem to be having trouble. I also can’t find any information online about Versio (the owner of my name servers) having trouble with Let’s Encrypt servers, but since everyone else can successfully resolve the domain, the issue does not seem to be with them.

Another issue that people in other threads had was that their server used an internal (or otherwise unroutable) IP address, but that is not the case here either.

Any ideas?

Template answers

My domain is: www.lgms.nl

I ran this command: certbot certonly --agree-tos -n --webroot -w /var/www/html/ --keep --cert-name examplename --email emailgoeshere@example.com -d lgms.nl,lucgommans.nl,www.lgms.nl,www.lucgommans.nl,smtp.lgms.nl,imap.lgms.nl,roundcube.lgms.nl,roundcube.lucgommans.nl

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.lgms.nl
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.lgms.nl (http-01): urn:ietf:params:acme:error:dns :: DNS problem: query timed out looking up CAA for www.lgms.nl

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.lgms.nl
   Type:   None
   Detail: DNS problem: query timed out looking up CAA for www.lgms.nl

Web server, OS, etc. is not relevant I think, since it’s a DNS error.

My hosting provider, if applicable, is: Versio.nl

The version of my client is: certbot 0.31.0

1 Like

Hi @Luc

there is a problem reported:

2020-01-20.lgms.nl

But the result is curious, because there is a NSEC that says: "No A record exists".

Looks like sometimes informations are wrong / incomplete.

2 Likes

Aaah dang, I saw that one but dismissed it because it says expiration in the future and other sites says it’s all fine. I should read better.

Since I don’t do the DNSSEC myself, it would be Versio that should update/fix their RRSIG records, correct?

It’s also odd that unboundtest.com (which I read was made to debug LE issues) says

Jan 20 18:20:58 unbound[7913:0] info: validate(positive): sec_status_secure
Jan 20 18:20:58 unbound[7913:0] info: validation success www.lgms.nl. A IN

Regardless, I guess I’ll try changing the value to some dummy value (breaking the site for a bit) and then changing it back to see if that creates a new signature record, and otherwise try Versio support. Thanks for having a look!

1 Like

Changing the value and back did not work, but (instead of relying on a wildcard) adding the www. domain explicitly seems to have resolved the issue, at least for now so that I could renew the certificate.

I’ve still got an open query at Versio how this could happen, and I’m curious if the issue will return upon next renewal because I removed the www. domain again. But that’s all outside of LE. The only takeaway might be to wonder why unboundtest.com doesn’t report it which is supposed to help people validate this sort of thing.

Anyway, thanks again!

1 Like

Yes, that's curious.

Checked again offline, the same result. The validation of the signature fails.

PS: Checked https://dnsviz.net/d/www.lgms.nl/dnssec/ - my tool is incomplete. The wildcard = combination of ip address and a NSEC isn't complete.

PPS: Now I've updated my tool. The error is gone.

2020-01-20.lgms.nl.2

Looks a little bit curious, a validated A record and a RRSIG with the not-existence of the A RR

-->> must be a wildcard A record.

May be later I should add an additional row with an explantation.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.