Renewing or creating certificates are failing

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: kairosmining.com but I use only subdomains like prueba.kairosmining.com

I ran this command: Using Win-ACME for Windows

It produced this output: Plugin IIS generated source prueba.kairosmining.com with 1 identifiers
Plugin Single created 1 order
Cached order has status invalid, discarding
[prueba.kairosmining.com] Authorizing...
[prueba.kairosmining.com] Authorizing using http-01 validation (SelfHosting)
[prueba.kairosmining.com] Authorization result: invalid
[prueba.kairosmining.com] {"type":"urn:ietf:params:acme:error:dns","detail":"During secondary validation: DNS problem: server failure at resolver looking up A for prueba.kairosmining.com; DNS problem: server failure at resolver looking up AAAA for prueba.kairosmining.com","status":400,"instance":null}
[prueba.kairosmining.com] Deactivating pending authorization

My web server is (include version): IIS 10

The operating system my web server runs on is (include version): Windows Server 2016

My hosting provider, if applicable, is: self-hosted

I can login to a root shell on my machine (yes or no, or I don't know): No

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Win-ACME 2.2.8 (latest yet)

I was able to renew all certificates without any problems.

Now we've checked firewall settings and rules and we can't find the problem.

Please help.

Regards.

Hi @ElPancho, and welcome to the LE community forum

It seems that there is some GeoLocation blocking that is preventing some of the secondary validation systems from reaching your authoritative DNS systems.
Who's the DSP?
It looks like it's being self-hosted:

kairosmining.com nameserver = ns.kairosmining.com
kairosmining.com nameserver = ns1.kairosmining.com

GeoLocation blocking DNS requests is not recommended.
GeoLocation blocking HTTP requests is also not recommended.

I see this with Zonemaster
https://zonemaster.net/en/result/23407b405eef356b

image1230×903 28.8 KB

Edit and with https://dnsspy.io/scan/kairosmining.com

image1036×797 20.3 KB

Hi!.

We have Godaddy as DSP that forward to ns and ns1 to our external IPs. Then our DNS (Windows Server) contains the ns and ns1 registries and all other A records.

I don't know if you need some more information to get a sense of what could be happening.

Thanks!

From that screenshot I can see that kairosmining.com is not reachable but I have that on the DNS server

image810×316 21.1 KB

The SOA records are also there.

So I have no clue of what is going on.

Is there a record missing?.

Thanks for your help.

No.
The problem is more firewall related.
Something is blocking the direct DNS requests from LE to your nameservers.

They are not blocking my requests:

Name:      prueba.kairosmining.com
Addresses: 200.111.238.140
           200.75.4.220

I believe you need improved availability and quality of the DNS Servers and be made geo region agonistic agnostic;
and improve quality of the DNSSEC as well.

• 5 Errors prueba.kairosmining.com | DNSViz
• 10 Errors kairosmining.com | DNSViz
• https://dnsspy.io/scan/kairosmining.com
  
  

  image1037×578 18.1 KB

Hi!.

I can't seem to find the blocking rule on our firewall.

Is there a way to check the connectivity to LE servers?

Thanks!

That is great but it doesn't tell you how to improve those scores.

Any ideas on how?

Thanks!

What is failing is the LE servers cannot query your DNS. Can you check your inbound firewall logs to see which ones are getting rejected?

What would be the source of the log?. Since it's an IIS server we have a lots of requests so it would be hard to find without the source.

Thank you for your time

The problem is with access to your DNS Server not your IIS web server.

Let's Encrypt queries your authoritive DNS servers looking for an A and/or AAAA record. These queries are failing from at least one of the secondary LE centers.

Do you have any firewalls or similar settings protecting your DNS Servers? That is the place to look. It looks like you run your own DNS servers.

There seems to be a problem in their DNSSEC setup too but I don't think those are causing the server failure message. See:
https://dnsviz.net/d/prueba.kairosmining.com/dnssec/
And also:
https://ednscomp.isc.org/ednscomp/1968903ff1

That is not the intended focus of this community forum. I suggest community forums for your web server.

That being said, you possible will receive assistance here (but don't hold your breath either).

Hi!.

It was finally a firewall rule that was preventing the renovation.

Thanks all for the help!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.