Problem description
Everything worked previously and I don’t think I made any changes. My DNS configuration has remained the same over the last few months if I remember correctly. When renewing a certificate, it now fails with one of three errors (4/6 times picking the CAA error and always taking a while):
```
DNS problem: query timed out looking up CAA for www.lgms.nl
No valid IP addresses found for www.lgms.nl
DNS problem: query timed out looking up A for www.lgms.nl
```
This happened:
- When autorenewing on January 1st (giving the CAA error)
- When autorenewing on January 11th (giving the CAA error)
- Today when debugging it (giving various errors when I issue the exact same command).
I tried to debug the issue using various tools linked in various threads:
- When querying my domain manually (using `dig`), it works fine. I tried:
```
dig -4 caa www.lgms.nl @nszero1.axc.nl
dig -6 caa www.lgms.nl @nszero1.axc.nl
dig -4 a www.lgms.nl @nszero1.axc.nl
dig -6 a www.lgms.nl @nszero1.axc.nl
```
- Same for my other nameserver (`nszero2.axc.nl`)
- Using my ISP’s resolver rather than directly asking the authoritative nameserver.
- Checking all domains I’m trying to get a certificate for by using:
```
echo lgms.nl,lucgommans.nl,www.lgms.nl,www.lucgommans.nl,smtp.lgms.nl,imap.lgms.nl,roundcube.lgms.nl,roundcube.lucgommans.nl | tr , \\n | while read line; do echo -n $line\ ; dig +short caa $line @nszero1.axc.nl; done
```
  trying the variations of `a` instead of `caa` and adding `-4` or `-6`.
- Using unboundtest.com, resolving both A and CAA records works fine (there is no AAAA at the moment).
- Using https://intodns.com/lgms.nl everything is either green (good) or blue (info). It successfully resolves the domain and there are no timeouts.
- Using https://dnssec-analyzer.verisignlabs.com/www.lgms.nl the DNSSEC seems to check out.
- Using https://dnsviz.net/d/www.lgms.nl/dnssec/ the DNSSEC seems to check out aside from some warning between root and the `nl.` zone.
- Using https://check-your-website.server-daten.de/?q=lgms.nl everything relevant seems to check out as well, reporting that it sent 1 query and no retries both for the www and non-www variants.
I don’t know where else to look. Everyone can reach my domain, websites that are meant to check every detail also return successfully, it’s only Let’s Encrypt’s servers that seem to be having trouble. I also can’t find any information online about Versio (the owner of my name servers) having trouble with Let’s Encrypt servers, but since everyone else can successfully resolve the domain, the issue does not seem to be with them.
Another issue that people in other threads had was that their server used an internal (or otherwise unroutable) IP address, but that is not the case here either.
Any ideas?
Template answers
My domain is: www.lgms.nl
I ran this command: `certbot certonly --agree-tos -n --webroot -w /var/www/html/ --keep --cert-name examplename --email emailgoeshere@example.com -d lgms.nl,lucgommans.nl,www.lgms.nl,www.lucgommans.nl,smtp.lgms.nl,imap.lgms.nl,roundcube.lgms.nl,roundcube.lucgommans.nl`
It produced this output:
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.lgms.nl
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.lgms.nl (http-01): urn:ietf:params:acme:error:dns :: DNS problem: query timed out looking up CAA for www.lgms.nl

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.lgms.nl
   Type:   None
   Detail: DNS problem: query timed out looking up CAA for www.lgms.nl
```
Web server, OS, etc. is not relevant I think, since it’s a DNS error.
My hosting provider, if applicable, is: Versio.nl
The version of my client is: certbot 0.31.0
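An added example, not from the original post: the author's `dig` loop extended into a script that queries every listed name against both nameservers, for A and CAA, over UDP and TCP with DNSSEC requested, and prints one status line per combination with the answer size. Seeing UDP and TCP side by side, with sizes, is the check a validating resolver such as Let's Encrypt's would need: a signed CAA answer that times out over UDP but succeeds over TCP points at a transport or message-size problem that single hand-typed `dig` runs do not make visible. Domain and nameserver names are the ones in the post; `dig` being installed and the `--run` flag are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the original poster's code). Assumes dig is installed.
# Names below are the ones from the post; everything else is constructed here.
DOMAINS="lgms.nl lucgommans.nl www.lgms.nl www.lucgommans.nl smtp.lgms.nl imap.lgms.nl roundcube.lgms.nl roundcube.lucgommans.nl"
NAMESERVERS="nszero1.axc.nl nszero2.axc.nl"

# classify_dig: reduce raw dig output (read from stdin) to one status word.
classify_dig() {
  out=$(cat)
  case "$out" in
    *"connection timed out"*) echo TIMEOUT ;;
    *"status: SERVFAIL"*)     echo SERVFAIL ;;
    *"status: NXDOMAIN"*)     echo NXDOMAIN ;;
    *"status: NOERROR"*)      echo OK ;;
    *)                        echo UNKNOWN ;;
  esac
}

# msg_size: answer size in bytes from dig's ";; MSG SIZE  rcvd: N" line, 0 if absent.
msg_size() {
  size=$(sed -n 's/^;; MSG SIZE *rcvd: \([0-9]*\).*/\1/p' | head -n 1)
  echo "${size:-0}"
}

# query DOMAIN TYPE NAMESERVER TRANSPORT: one dig call with the DO bit set,
# a single try and a 5 s timeout so a dead path is reported quickly.
query() {
  tcpflag=""
  [ "$4" = tcp ] && tcpflag="+tcp"
  dig +dnssec +tries=1 +time=5 $tcpflag "$2" "$1" "@$3"
}

# run_checks: the full matrix; a TIMEOUT on one transport only, or a large
# size next to a TIMEOUT, is the pattern worth taking to the DNS operator.
run_checks() {
  for d in $DOMAINS; do for ns in $NAMESERVERS; do for t in A CAA; do for tr in udp tcp; do
    out=$(query "$d" "$t" "$ns" "$tr")
    status=$(printf '%s\n' "$out" | classify_dig)
    size=$(printf '%s\n' "$out" | msg_size)
    printf '%-28s %-16s %-4s %-4s %-9s %5s bytes\n' "$d" "$ns" "$t" "$tr" "$status" "$size"
  done; done; done; done
}

# Network queries only run when explicitly asked for: sh check-dns.sh --run
case "${1:-}" in --run) run_checks ;; esac
```

Run it as `sh check-dns.sh --run`; a name showing OK over TCP but TIMEOUT over UDP for CAA, or a response size well above 512 bytes, narrows the problem to how the authoritative servers deliver large signed answers rather than to the zone data itself.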