Renewing or creating certificates is failing

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: kairosmining.com but I use only subdomains like prueba.kairosmining.com

I ran this command: Using Win-ACME for Windows

It produced this output: Plugin IIS generated source prueba.kairosmining.com with 1 identifiers
Plugin Single created 1 order
Cached order has status invalid, discarding
[prueba.kairosmining.com] Authorizing...
[prueba.kairosmining.com] Authorizing using http-01 validation (SelfHosting)
[prueba.kairosmining.com] Authorization result: invalid
[prueba.kairosmining.com] {"type":"urn:ietf:params:acme:error:dns","detail":"During secondary validation: DNS problem: server failure at resolver looking up A for prueba.kairosmining.com; DNS problem: server failure at resolver looking up AAAA for prueba.kairosmining.com","status":400,"instance":null}
[prueba.kairosmining.com] Deactivating pending authorization

My web server is (include version): IIS 10

The operating system my web server runs on is (include version): Windows Server 2016

My hosting provider, if applicable, is: self-hosted

I can login to a root shell on my machine (yes or no, or I don't know): No

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Win-ACME 2.2.8 (latest yet)

I was able to renew all certificates without any problems.

Now we've checked firewall settings and rules and we can't find the problem.

Please help.

Regards.

1 Like

Hi @ElPancho, and welcome to the LE community forum 🙂

It seems that there is some GeoLocation blocking that is preventing some of the secondary validation systems from reaching your authoritative DNS systems.
Who's the DSP?
It looks like it's being self-hosted:

kairosmining.com nameserver = ns.kairosmining.com
kairosmining.com nameserver = ns1.kairosmining.com

GeoLocation blocking DNS requests is not recommended.
GeoLocation blocking HTTP requests is also not recommended.

2 Likes

I see this with Zonemaster
https://zonemaster.net/en/result/23407b405eef356b

Edit: and with https://dnsspy.io/scan/kairosmining.com

2 Likes

Hi!

We have GoDaddy as DSP, which forwards ns and ns1 to our external IPs. Then our DNS (Windows Server) contains the ns and ns1 records and all other A records.

I don't know if you need some more information to get a sense of what could be happening.

Thanks!

From that screenshot I can see that kairosmining.com is not reachable, but I have that on the DNS server.

The SOA records are also there.

image

So I have no clue of what is going on.

Is there a record missing?

Thanks for your help.

No.
The problem is more firewall related.
Something is blocking the direct DNS requests from LE to your nameservers.

They are not blocking my requests:

Name:      prueba.kairosmining.com
Addresses: 200.111.238.140
           200.75.4.220
3 Likes

I believe you need improved availability and quality of the DNS servers, which should be made geo-region agnostic, and improved quality of the DNSSEC as well.

2 Likes

Hi!

I can't seem to find the blocking rule on our firewall.

Is there a way to check the connectivity to LE servers?

Thanks!

1 Like

That is great but it doesn't tell you how to improve those scores.

Any ideas on how?

Thanks!

1 Like

What is failing is the LE servers cannot query your DNS. Can you check your inbound firewall logs to see which ones are getting rejected?

2 Likes
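One way to do the log check suggested above on a Windows DNS host, as an added example that is not part of this thread and not a win-acme feature: parse the Windows Defender Firewall text log (the default log path, when "Log dropped packets" is enabled, is %systemroot%\system32\LogFiles\Firewall\pfirewall.log) and count DROP entries for inbound traffic to port 53, grouped by source address and protocol. The log lines below are constructed for the example and use RFC 5737 documentation addresses; they are not Let's Encrypt validator addresses. The parser reads the column layout from the log's own `#Fields:` header rather than hard-coding positions.

```python
"""Triage a Windows Defender Firewall log for dropped inbound DNS (UDP/TCP 53).

Added example; not from the thread. Assumes the W3C-style text format that
Windows Firewall writes (a '#Fields:' header line followed by space-separated
records). SAMPLE_LOG is constructed; the addresses are RFC 5737 test ranges.
"""
from collections import Counter

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-10 09:12:01 ALLOW TCP 198.51.100.20 10.0.0.5 51000 443 0 - 0 0 0 - - - RECEIVE
2024-01-10 09:12:03 DROP UDP 203.0.113.7 10.0.0.9 41234 53 68 - - - - - - - RECEIVE
2024-01-10 09:12:03 DROP UDP 203.0.113.7 10.0.0.9 41235 53 68 - - - - - - - RECEIVE
2024-01-10 09:12:04 DROP TCP 203.0.113.7 10.0.0.9 41236 53 52 S 1193851563 0 8192 - - - RECEIVE
2024-01-10 09:12:09 DROP UDP 198.51.100.44 10.0.0.9 50001 53 70 - - - - - - - RECEIVE
2024-01-10 09:12:10 DROP TCP 192.0.2.15 10.0.0.5 60233 3389 52 S 2718281828 0 8192 - - - RECEIVE
2024-01-10 09:12:11 ALLOW UDP 198.51.100.44 10.0.0.9 50002 53 70 - - - - - - - RECEIVE
"""


def parse_firewall_log(text):
    """Yield one dict per record, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        # Skip lines whose column count does not match the header instead of
        # mis-assigning columns (truncated writes are common in live logs).
        if fields is None or len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def dropped_dns_by_source(text, dns_hosts=None):
    """Count inbound DROP records destined to port 53, per (src-ip, protocol).

    dns_hosts: optional set of the DNS servers' own addresses, to ignore drops
    aimed at other hosts that happen to use port 53.
    """
    counts = Counter()
    for rec in parse_firewall_log(text):
        if rec["action"] != "DROP" or rec["path"] != "RECEIVE":
            continue
        if rec["dst-port"] != "53" or rec["protocol"] not in ("UDP", "TCP"):
            continue
        if dns_hosts and rec["dst-ip"] not in dns_hosts:
            continue
        counts[(rec["src-ip"], rec["protocol"])] += 1
    return counts


def summarize(counts):
    """Collapse the per-protocol counts into (src-ip, udp_drops, tcp_drops),
    most-blocked source first, for comparison against the validator addresses."""
    per_src = {}
    for (src, proto), n in counts.items():
        udp, tcp = per_src.get(src, (0, 0))
        per_src[src] = (udp + n, tcp) if proto == "UDP" else (udp, tcp + n)
    return sorted(((s, u, t) for s, (u, t) in per_src.items()),
                  key=lambda row: -(row[1] + row[2]))


if __name__ == "__main__":
    for src, udp, tcp in summarize(dropped_dns_by_source(SAMPLE_LOG, {"10.0.0.9"})):
        print(f"{src:16} dropped DNS  udp={udp}  tcp={tcp}")
```

Run it against the real log with `dropped_dns_by_source(open(path).read(), {"<dns server ip>"})`; sources that show drops on both UDP and TCP 53 at the time of a failed order are the ones to compare with the firewall's geo or reputation rules. A resolver that is dropped usually retries and then gives up, so a burst of several drops from one source within a few seconds is the expected shape.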

What would be the source of the log? Since it's an IIS server we have a lot of requests, so it would be hard to find without the source.

Thank you for your time

1 Like

The problem is with access to your DNS Server not your IIS web server.

Let's Encrypt queries your authoritative DNS servers looking for an A and/or AAAA record. These queries are failing from at least one of the secondary LE centers.

Do you have any firewalls or similar settings protecting your DNS Servers? That is the place to look. It looks like you run your own DNS servers.

There seems to be a problem in their DNSSEC setup too but I don't think those are causing the server failure message. See:
https://dnsviz.net/d/prueba.kairosmining.com/dnssec/
And also:
https://ednscomp.isc.org/ednscomp/1968903ff1

2 Likes

That is not the intended focus of this community forum. I suggest community forums for your web server.

That being said, you possibly will receive assistance here (but don't hold your breath either).

1 Like

Hi!

It was finally a firewall rule that was preventing the renewal.

Thanks all for the help!

3 Likes