Problems issuing certificates for .sp.gov.br

For a few days it has not been possible to generate Let's Encrypt certificates for .sp.gov.br sites (Brazilian government).

Always a DNS error, but it's fine; see the images.

My domain is: portaldatransparencia.pereirabarreto.sp.gov.br

The operating system my web server runs on is (include version):

Windows Server, IIS

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is win-acme

Hello @rafaelbassora, welcome to the Let's Encrypt community. :slightly_smiling_face:

A list of Topics that all seem to have the same root cause:

And possibly this one as well: "Certificate expiration date not changed after renewal"

3 Likes

@schoen, is this related to any of the other work you are doing for them?

5 Likes

This is a new, recent issue; I collaborated on other cases in the past.

2 Likes

OK; but Let's Debug has results here https://letsdebug.net/portaldatransparencia.pereirabarreto.sp.gov.br/1386564 that state:
"IssueFromLetsEncrypt Error
A test authorization for portaldatransparencia.pereirabarreto.sp.gov.br to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
DNS problem: query timed out looking up TXT for _acme-challenge.portaldatransparencia.pereirabarreto.sp.gov.br"

3 Likes

Several times I used win-acme to generate via http-01, but without success, so I used the tool that connects directly to Cloudflare to generate the DNS entry, but also without success. I don't know what else to do to generate the certificate; everything worked normally on the old server, but for a few days now I can't issue certificates at all.

[image]

I think we need to look at the DNS Records for the domain and subdomain names all the way down to

Seems like a DNS issue to me.

1 Like

I also tried to create the TXT entry generated by win-acme manually, without success.

To reproduce the scenario, on another Linux server with ISPConfig I tried to create a domain and install the Let's Encrypt certificate, but also without success and with the same error in the log.
A few days ago .gov.br had a problem with its DNS. I don't know if there is a correlation with this fact, or if this is within the scope of Let's Encrypt, but I would need to solve it if possible.

$ nslookup -q=any portaldatransparencia.pereirabarreto.sp.gov.br karina.ns.cloudflare.com.
Server:         karina.ns.cloudflare.com.
Address:        172.64.32.178#53

portaldatransparencia.pereirabarreto.sp.gov.br  hinfo = "RFC8482" ""

1 Like

Here https://dnsspy.io/scan/sp.gov.br I see this:

1 Like

Bruce, I just sent an email to Prodesp (sp.gov.br) informing them of the status of their nameservers. Let's wait! Thank you for the tip.

[image]

2 Likes

Both methods rely on DNS.
And both will fail when DNS is having trouble.

There is no other way to obtain a free cert from LE.

As a subdomain of their domain, you are at their mercy.
There is no way for your domain to workaround a DNS problem there.
They will have to find the problem and correct it [for you and every other subdomain].

3 Likes

I had a recent conversation with @adash (who works with Proderj). I documented that conversation privately but not publicly (writing to some Let's Encrypt staff and community members about it but not posting in the earlier discussion threads).

According to that conversation, Proderj was intentionally blocking some addresses from connecting to web server applications (that had been reported to a third-party service as abusive). This was one source of validation errors for Let's Encrypt certificates for Rio de Janeiro state government sites (including municipalities under subdomains of rj.gov.br). But @adash said that the same did not apply to DNS (that there were no addresses blocked from querying the DNS servers for rj.gov.br).

I don't know whether the same applies to Prodesp and sp.gov.br. If it does, then these errors don't make very much sense, because they look like the authoritative servers aren't allowing queries from some networks (perhaps in countries outside of Brazil). Otherwise, it looks like some of those servers just aren't very reliable, or perhaps are overloaded or on overloaded networks, because they frequently fail to answer queries!

I did write in another thread that the Let's Encrypt validation process is much stricter in its use of DNS than many other applications would be, so you can get Let's Encrypt validation failures even in cases where a site works fine using a web browser on a residential or mobile Internet connection. Let's Encrypt validation connects directly to authoritative name servers and can fail if those servers time out or return a protocol error. Most people's use of the Internet doesn't directly use authoritative name servers every time, but instead relies on ISP caches, which will give a valid reply to end users if they ever received what they interpreted as any valid reply within the underlying DNS record's TTL period (often 1 day or even longer).

Because of ISP caching, and because of Let's Encrypt multiperspective validation, you could imagine that an authoritative server for a popular domain that failed to answer 90% of queries could result in a situation where end users on large ISPs can almost always still access sites in that domain, but Let's Encrypt certificate requests almost always fail. The ISPs are trying to "succeed at all costs" (to paraphrase something @rg305 often says about the Apache server) if they have any record of how to reach the site, while Let's Encrypt is trying to be skeptical and not issue certificates if it's not absolutely confident that it has valid, up-to-date, authoritative information about the domains in question.

I am still eager to have a conversation, or give a presentation, in Portuguese with people in the Brazilian state government IT agencies, to try to make all of this clearer!

6 Likes

To try to clarify this point, even if you do host a subdomain DNS zone at Cloudflare, Let's Encrypt's validators will still need to connect to the parent zone's name servers in order to confirm that the delegation to Cloudflare itself is valid. That means that you could still get a failure if the parent zone servers fail to confirm this!

So if you had algumacidadealeatoria.sp.gov.br DNS hosted on Cloudflare, the validation process would still go to the sp.gov.br DNS servers to learn about the NS delegation for algumacidadealeatoria.sp.gov.br. If some of those parent servers don't answer properly, the whole process will fail.

P.S. sorry to hear about the horrible floods in São Paulo state recently. :cry: Hope everyone over there is OK or doing as well as possible!

5 Likes
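The two points @schoen makes above, that a validator queries the parent zone's authoritative servers directly to confirm the NS delegation, and that a strict validator fails where an ISP cache would still succeed, can be shown with a small probe. The block below is an added example and is not code from this thread, from win-acme or from Let's Encrypt's validator (which uses a full recursive resolver with retries, EDNS and TCP fallback; this is a deliberately simplified single-UDP-query probe). It builds a non-recursive NS query, sends it to each listed parent server, and records which servers answer and which time out. The server IPs (RFC 5737 documentation addresses), the second name server name and the fake transport are constructed for the offline demo; `karina.ns.cloudflare.com` is the name that appears in the thread's `nslookup` output.

```python
# Added example, not code from the thread, win-acme or Let's Encrypt: a minimal
# non-recursive DNS check that asks a zone's *parent* authoritative servers directly
# for a child zone's NS delegation, as an ACME validator must, and records which
# servers answer and which time out. IPs and the fake transport are constructed.
import random
import socket
import struct

QTYPE_NS = 2

def _encode_name(name):
    """Wire-format a name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype, txid=None):
    """DNS query with RD=0 (non-recursive), as sent to an authoritative server."""
    txid = random.randrange(0, 65536) if txid is None else txid
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + _encode_name(name) + struct.pack("!HH", qtype, 1)

def build_ns_response(query, ns_names, ttl=3600):
    """Constructed authoritative reply (QR=1, AA=1, RCODE=0) with one NS record per name."""
    header = query[:2] + struct.pack("!HHHHH", 0x8400, 1, len(ns_names), 0, 0)
    records = b""
    for ns in ns_names:
        rdata = _encode_name(ns)  # 0xC00C below is a pointer back to the question name (offset 12)
        records += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_NS, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + records

def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: remember where we were, then jump
            end = offset + 2 if end is None else end
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset if end is None else end

def parse_ns_response(msg):
    """Return RCODE and every NS target in the answer, authority and additional sections."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset, targets = 12, []
    for _ in range(qd):
        offset = _read_name(msg, offset)[1] + 4  # skip QNAME, then QTYPE + QCLASS
    for _ in range(an + ns + ar):
        offset = _read_name(msg, offset)[1]
        rtype, _, _, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_NS:
            targets.append(_read_name(msg, offset)[0])
        offset += rdlength
    return {"rcode": flags & 0x000F, "ns": targets}

def udp_query(server_ip, packet, timeout=2.0):
    """Real transport: one UDP exchange on port 53 (no EDNS or TCP fallback); raises socket.timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server_ip, 53))
        return s.recvfrom(4096)[0]

def check_delegation(child_zone, parent_servers, transport=udp_query):
    """Ask every parent-zone server for the child's NS set; record each server's outcome."""
    results = {}
    for ip in parent_servers:
        query = build_query(child_zone, QTYPE_NS)
        try:
            reply = transport(ip, query)
        except socket.timeout:
            results[ip] = {"status": "timeout", "ns": []}
            continue
        parsed = parse_ns_response(reply)
        ok = reply[:2] == query[:2] and parsed["rcode"] == 0 and bool(parsed["ns"])
        results[ip] = {"status": "ok" if ok else "bad-reply", "ns": sorted(parsed["ns"])}
    return results

def verdict(results):
    """Strict validator: any server it might pick must answer. ISP cache: one good answer within the TTL suffices."""
    answered = [r["status"] == "ok" for r in results.values()]
    return {"strict_validator": all(answered), "caching_resolver": any(answered)}

def example_run():
    """Two constructed parent servers (RFC 5737 addresses); the second one never answers."""
    healthy, flaky = "192.0.2.10", "192.0.2.20"
    ns_set = ["karina.ns.cloudflare.com", "ns2.example.invalid"]  # second name is a placeholder
    def fake_transport(ip, packet):
        if ip == flaky:
            raise socket.timeout("constructed: no reply from flaky server")
        return build_ns_response(packet, ns_set)
    return check_delegation("pereirabarreto.sp.gov.br", [healthy, flaky], transport=fake_transport)

if __name__ == "__main__":
    res = example_run()
    print(res, verdict(res))  # strict_validator False, caching_resolver True
```

Against a real zone, call `check_delegation("pereirabarreto.sp.gov.br", [...])` with the IP addresses of the sp.gov.br name servers (obtained with `dig NS sp.gov.br` and `dig A <server>`), using the default `udp_query` transport. A server that shows `timeout` here is exactly the kind of parent-zone server that an ACME validator may land on and fail against, even while browsers behind a caching resolver keep reaching the site.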

Thank you very much for the words of support, the coast of our state needs a lot of help right now after the rainy season.
About Cloudflare, this is my case here: our site pereirabarreto.sp.gov.br has all its DNS hosted on Cloudflare and we are having problems renewing the certificates.
I'm head of the Information Technology Sector at Pereira Barreto City Hall and, since 2017, thanks to the help of @schoen, we've been using Let's Encrypt certificates, but I believe that starting this week we'll have to buy a wildcard certificate from a commercial certifier to continue with online services, as will the other 645 municipalities, universities and other entities of the government of São Paulo.

5 Likes

I will discuss with the Mayor switching the domain pereirabarreto.sp.gov.br to pereirabarreto.com.br, which we own, in order to have more autonomy in this sense.

4 Likes

Just for information, the DNS of our websites is set up on this platform: https://www.dominio.sp.gov.br/dominiospgovbr/ The contact email for the sp.gov.br domain is segurancarede@sp.gov.br

There is also a contact form on the website.

I sent them an email too.

Maybe you could ask them whether there is (1) any intentional blocking of some IP addresses from being able to query sp.gov.br DNS, and (2) any name server listed as authoritative for sp.gov.br that has inadequate CPU, RAM, network capacity, or other resources, or that was taken out of service without being removed from the listing as official.

If neither of those things is happening, then I'm pretty confused about why Let's Encrypt would have so much trouble with DNS queries to this domain!

4 Likes

@adash Do you know anyone at Prodesp who might be able to help with this?

3 Likes

Or just try ZeroSSL instead of Let's Encrypt, assuming you're not blocking them as well. [Or Google Trust Services, or BuyPass GO, or SSL.com ACME, etc.]

6 Likes