Repeated DNS error: During secondary validation: DNS problem: networking error looking up A

Hi,

During re-verification of a domain I get this error repeatedly for some days:

[Di 29. Sep 00:00:05 CEST 2020] Getting webroot for domain='mydomain.com'
[Di 29. Sep 00:00:05 CEST 2020] Getting token for domain='mydomain.com'
[Di 29. Sep 00:00:11 CEST 2020] Getting webroot for domain='www.mydomain.com'
[Di 29. Sep 00:00:11 CEST 2020] Getting token for domain='www.mydomain.com'
[Di 29. Sep 00:00:21 CEST 2020] Verifying:mydomain.com
[Di 29. Sep 00:00:33 CEST 2020] Pending
[Di 29. Sep 00:00:39 CEST 2020] Pending
[Di 29. Sep 00:00:45 CEST 2020] Pending
[Di 29. Sep 00:00:50 CEST 2020] Pending
[Di 29. Sep 00:00:56 CEST 2020] Pending
[Di 29. Sep 00:01:02 CEST 2020] Pending
[Di 29. Sep 00:01:07 CEST 2020] Pending
[Di 29. Sep 00:01:13 CEST 2020] mydomain.com:Verify error:During secondary validation: DNS problem: networking error looking up A for mydomain.com

When checking the DNS-A-records with an external tool or one of the online-services, everything works well and the domain can be resolved without any problems.

I have had similar problems with another domain on the same server previously, but this issue is gone after a few tries. Now with this domain it seems to be permanent.

My hosting provider, if applicable, is: Hetzner

So as this looks like a problem that appears on LetsEncrypt-side: any idea what is wrong here and how can one fix that?

Thanks!

2 Likes

Welcome to the Let's Encrypt Community, Elmi 🙂

This has been a very common issue lately. I believe it is based on the secondary validation servers being overwhelmed at midnight. Please try changing the time the process runs to a somewhat random time several hours and minutes earlier or later.

@lestaff

One of many secondary validation server errors recently.

3 Likes

We’re working to fix this soon. As @griffin mentioned, renewing at any other time should work well.

@Elmi77 Could you please let us know what OS you’re running, and how your ACME client was installed? I’d like to reach out to the developer/integrator and make sure that they randomize the time for future users, so that our traffic at the top of the hour isn’t so much higher than other times.

Thanks!

5 Likes

That's acme.sh. It installs a cron entry for a random minute between 00:00 and 00:59.

Not entirely random, it's UNIX time modulo 60. But it's different enough across my servers.

1 Like
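The scheduling advice in the posts above, as an added example that is not part of any post in this thread and is not acme.sh's own code: it derives a stable, host-specific hour and minute for the renewal cron entry instead of randomizing only the minute within hour 0. The function names, the five-minute margin around the top of the hour, the exclusion of hour 0, and the `$HOME/.acme.sh` install path are assumptions; `--cron` and `--home` are existing acme.sh options.

```shell
#!/bin/sh
# Added example: pick a renewal slot that stays away from midnight and from
# the top of every hour, where the thread reports validation load peaks.

# Map a seed string (e.g. the host name) to "MINUTE HOUR".
# Deterministic per seed, so re-running the installer keeps the same slot.
renewal_slot() {
    seed=$1
    # cksum is POSIX; its CRC serves as a cheap, stable pseudo-random number.
    n=$(printf '%s' "$seed" | cksum | cut -d' ' -f1)
    minute=$(( n % 50 + 5 ))        # 5..54: skips minutes 0-4 and 55-59
    hour=$(( (n / 50) % 23 + 1 ))   # 1..23: skips hour 0 (local midnight)
    printf '%s %s\n' "$minute" "$hour"
}

# Build the crontab line for an acme.sh install located at $2 (assumed path).
renewal_cron_line() {
    slot=$(renewal_slot "$1")
    printf '%s * * * "%s"/acme.sh --cron --home "%s" > /dev/null\n' \
        "$slot" "$2" "$2"
}

# Print the line for this host; review it, then add it with `crontab -e`.
renewal_cron_line "$(uname -n)" "$HOME/.acme.sh"
```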

Thanks for the fast feedback. The operating system is Ubuntu Linux 16.04 / x64 and I'm running https://github.com/Neilpang/acme.sh v2.2.6

I'll try to do the update at a later time!

1 Like

Thanks for looking into this. I see the error for eissing.org hourly reported from my apache/mod_md setup. In case this helps, the response is always like:

Exact response was: {"identifier":{"type":"dns","value":"www.eissing.org"},"status":"invalid","expires":"2020-10-11T22:00:18Z",
"challenges":[{"type":"http-01","status":"invalid",
"error":{"type":"urn:ietf:params:acme:error:dns",
  "detail":"During secondary validation: No valid IP addresses found for www.eissing.org","status":400},
  "url":"https://acme-v02.api.letsencrypt.org/acme/chall-BLA/-BLUBB",
  "token":"GIBBERISH",
  "validationRecord":[
    {"url":"http://www.eissing.org/.well-known/acme-challenge/XXX",
     "hostname":"www.eissing.org","port":"80",
    "addressesResolved":["217.91.35.233"],"addressUsed":"217.91.35.233"
}]}]}

In case I can help with more details or test from my end by wiggling things a bit, just let me know.

1 Like

Is that happening every hour, or is your renewal also running near 00:00 in UTC or UTC+1?

1 Like

OK, I changed the renewal time to 3:42 (CET) and it seems this helped, certificates could be renewed now.

2 Likes

It runs hourly, whenever it was first started. I will add some random wiggling in future releases, so that it is not exactly an hour each time and spread around.

However, as I saw on Twitter, you managed to resolve the secondary DNS lookup problem and, indeed, my domain has been successfully renewed. Thanks for that!

1 Like