Same config for two domains. One works, the other not

Help
1

My domain is:
friedel.my-wan.de
alexa.friedel.my-wan.de

I ran this command:
letsencrypt renew --standalone --force-renew

It produced this output:

Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/fritzbox.friedel.my-wan.de.conf produced an unexpected error: Failed authorization procedure. fritzbox.friedel.my-wan.de (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for fritzbox.friedel.my-wan.de. Skipping.

The following certs were successfully renewed:
/etc/letsencrypt/live/bn2xtdkliwixbexu.myfritz.net/fullchain.pem (success)
/etc/letsencrypt/live/friedel.my-wan.de/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/alexa.friedel.my-wan.de/fullchain.pem (failure)
/etc/letsencrypt/live/fritzbox.friedel.my-wan.de/fullchain.pem (failure)
2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: alexa.friedel.my-wan.de
    Type: unknownHost
    Detail: No valid IP addresses found for alexa.friedel.my-wan.de

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

  • The following errors were reported by the server:

    Domain: fritzbox.friedel.my-wan.de
    Type: connection
    Detail: DNS problem: SERVFAIL looking up A for

My web server is (include version):

standalone

The operating system my web server runs on is (include version):
debian stretch

My hosting provider, if applicable, is:
twodns.de

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

Both domains are hosted by twodns.de. The one is the main account (friedel.my-wan.de) and the other one is a wildcard.

What's odd:
This worked in the past if I am not mistaken. Now it works for the main domain, not for the wildcard.
It complains about a connection issue and suggests to check the A record. But this looks good:

root@homeserver:/etc/letsencrypt# host -t a friedel.my-wan.de
friedel.my-wan.de has address 79.206.40.167
root@homeserver:/etc/letsencrypt# host -t a alexa.friedel.my-wan.de
alexa.friedel.my-wan.de has address 79.206.40.167

What could be the reason? What can I do to further nail down the reason?

Regards,
Hendrik

2

The problem seems DNS related:

nslookup -q=ns my-wan.de a.nic.de
my-wan.de nameserver = ns2.crns.de
my-wan.de nameserver = h2-045.net.crns.de

nslookup -q=ns alexa.friedel.my-wan.de ns2.crns.de
my-wan.de
primary name server = localhost

nslookup -q=ns alexa.friedel.my-wan.de h2-045.net.crns.de
my-wan.de
primary name server = localhost

3

Thanks.

Sorry, but I do not see the error?
And: I suppose, only twodns can fix it?

4

I wasn’t able to reproduce the problem with your domains.

Is it still happening to you if you try now?

5

Hello,

thanks for your help!
out of couriosity:
how would you be able to reproduce the problem? I mean: the IP points to my machine.

Yes, it is still happening, unfortunately:

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/alexa.friedel.my-wan.de/fullchain.pem (failure)
/etc/letsencrypt/live/fritzbox.friedel.my-wan.de/fullchain.pem (failure)
2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: alexa.friedel.my-wan.de
    Type: connection
    Detail: DNS problem: SERVFAIL looking up CAA for
    alexa.friedel.my-wan.de

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

  • The following errors were reported by the server:

    Domain: fritzbox.friedel.my-wan.de
    Type: connection
    Detail: DNS problem: SERVFAIL looking up A for
    fritzbox.friedel.my-wan.de

Greetings,
Hendrik

6

Very strange. When I try, Let's Encrypt does not report any DNS errors, rather just a connection error to the server (which would indicate that DNS works OK). unboundtest.com also has no problems with your domains.

Even the authzs demonstrate that the domain was resolved successfully:

$ sudo certbot-auto certonly --standalone -d alexa.friedel.my-wan.de -d fritzbox.friedel.my-wan.de --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for alexa.friedel.my-wan.de
http-01 challenge for fritzbox.friedel.my-wan.de
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. alexa.friedel.my-wan.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://alexa.friedel.my-wan.de/.well-known/acme-challenge/_67FtlBv1iMz63Aw98znfThfXRTDD9fm17fdlHB9qs0: Error getting validation data

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: alexa.friedel.my-wan.de
    Type: connection
    Detail: Fetching
    http://alexa.friedel.my-wan.de/.well-known/acme-challenge/_67FtlBv1iMz63Aw98znfThfXRTDD9fm17fdlHB9qs0:
    Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

7

From one resolver, I get intermittent issues resolving names in that domain.

Roughly maybe 90% of the time, the DNS servers fail to respond.

A different resolver works well though.

Maybe they’re running some incredibly aggressive rate limiting thing that briefly bans any IP that sends them more than 1 query per second or something? Or there are just ISP issues?

8

Thanks for your replies.
(How) can I select the resolver?

Greetings,
Hendrik

9

Select how? The domain’s authoritative DNS servers need to respond to reasonable requests from all resolvers, everywhere on the Internet. I was just lucky – or unlucky – that I run a couple resolves and one of them had issues.

10

Hello,

ok, do you have any suggestion how to proceed?

Greetings,
Hendrik

11

I don’t know. Check the configuration for very aggressive rate limiting, other issues causing the DNS server to drop packets, or issues with the network reaching jane.mattnordhoff.net over IPv4, I guess.

https://mtr-atlanta.mnrd.us/?c=50418616
https://mtr-atlanta.mnrd.us/?c=e75dc508

Maybe it’s a red herring anyway. I didn’t have any issues on a resolver with a more similar configuration to what Let’s Encrypt uses.

And any issues with my resolver could be different than those Let’s Encrypt is experiencing.

DNSViz also reports similar issues.

http://dnsviz.net/d/alexa.friedel.my-wan.de/dnssec/
http://dnsviz.net/d/fritzbox.friedel.my-wan.de/dnssec/

12

Hello,

Where does jane.mattnordhoff.net come from, now?
The two URLs (mnrd.us) don't say me anything, sorry. I fear this is beyond my expertise.

Maybe it’s a red herring anyway. I didn’t have any issues on a resolver with a more similar configuration to what Let’s Encrypt uses.

Sorry again. What do you mean by that?

Regarding DNSViz:
I see the difference between
http://dnsviz.net/d/alexa.friedel.my-wan.de/dnssec/
and friedel.my-wan.de | DNSViz

From friedel.my-wan.de/A there is an reply, whereas from alexa.friedel.my-wan.de/A there is none.

That could be a hint towards a problem. But it is nothig I can fix, is it?
To be honest, I would not even be able to express the problem when communicating to twodns.

What's odd: it did work in the past.

Greetings,
Hendrik

13

It's (currently) the hostname of my personal DNS resolver that was experiencing an issue. If you wanted to run mtr, or check the DNS server logs for my IP, or something like that, there you go.

(The IP isn't running a public recursive DNS server, though.)

And both of them show a number of errors for irrelevant query types, which shouldn't happen either.

I don't know. Do you run the DNS servers?

I dunno. Maybe an ISP is experiencing issues today, or the DNS server people recently made a configuration change.

14

Hello,

sorry, I did not realize that that’s your Domain :slight_smile:
No, I do not run the DNS servers. I am just using the dynamic dns service of twodns without further magic.

So, what could I do next?

Greetings,
Hendrik

15

Contact their tech support, or switch to a different DNS provider.

16

Thanks for your reply,

I will contact them. But I do not really know, what to ask.
I mean -as you said- the errors that dnsviz show are not for relevant query types.

Greetings,
Hendrik

17

Yes, but any query type failing demonstrates that it’s not functioning correctly.

A queries weren’t working reliably, they were just either less unreliable, or lucky.

Anyway, I reran the DNSViz tests, and this time the A queries happened to fail sometimes.

http://dnsviz.net/d/alexa.friedel.my-wan.de/Wm4qlg/dnssec/
http://dnsviz.net/d/fritzbox.friedel.my-wan.de/Wm4qlg/dnssec/