SSL certificate is not getting issued for a particular domain

Since they have no support and other CAs can issue certs, I'm not confident in LE at all. This issue is isolated to LE, and we've confirmed we're sending the noerror response to them.

dnsviz reports numerous errors for the qa-mnp.media.realpage.com domain from your log. All are within the section.io servers that this realpage subdomain CNAMEs to.

The qa-mnp domain was getting Let's Encrypt certs reliably every 60 days for a long time, the latest on Jul 5, so it is now "late".

Frankly, I cannot connect all the dots in this complex setup back to the timeout error you see requesting a cert. I am not sure why unboundtest.com can resolve the queries normally.

The errors shown for this domain are very different from those shown for success.realpage.com earlier. The success domain does not even CNAME to section.io, so I thought it worth pointing out:
https://dnsviz.net/d/qa-mnp.media.realpage.com/dnssec/

Partial error snips

6 Likes

section.io is a different vendor that also uses LE. I just found unboundtest.com and everything still looks fine there, so I don't know why LE is getting timeouts. We've even turned on all the debug logging and sat on the firewall and DNS servers to make sure the query and response from the LE bot was making it in and out.

I am confident this is a Capsforid: timeouts, starting fallback problem similar to DNS problem: query timed out looking up TXT - #25 by jcjones. I don't have time to dig any deeper tonight, though.

5 Likes

Between these two threads, there could be a common DDoS protection vendor that recently changed their behavior in a way that breaks caps-for-ID (which we depend on).

It's possible that DDoS protection varies between the DNS provider's multiple sites, which could allow unboundtest to succeed but our own endpoints to fail. And/or, the protection might use IP reputation as one part of its decision-making, and our endpoints could have a worse reputation than unboundtest.

6 Likes
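The two posts above describe the mechanism Let's Encrypt's resolver depends on: caps-for-ID (DNS 0x20), where the query name is sent with randomized letter case and the response is only accepted if it echoes that exact case. The following is an added illustration written for this page, not code from the thread, from Let's Encrypt or from Unbound. It builds such a query with only the Python standard library and checks a response the way a 0x20-aware resolver would. The two responders are constructed simulations (one copies the question section verbatim, one rewrites the name to lowercase the way a misbehaving middlebox might); the domain name, query ID and the 192.0.2.1 address are placeholders. It does not model the timeout case from the Unbound log, only the case-echo check that precedes the fallback.

```python
"""
Caps-for-ID (DNS 0x20) check: does a responder echo the query name's case?

A 0x20-aware resolver randomizes the case of the query name and treats a
response whose question section does not match byte-for-byte as not
belonging to the query. A middlebox that canonicalizes the name breaks this.
Standard library only; the responders below are simulations, not servers.
"""
import random
import struct

QTYPE_A = 1
QTYPE_TXT = 16
QCLASS_IN = 1


def randomize_case(name: str, rng: random.Random) -> str:
    """Flip each letter of `name` to upper or lower case at random (DNS 0x20)."""
    return "".join(
        (c.upper() if rng.getrandbits(1) else c.lower()) if c.isalpha() else c
        for c in name
    )


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name as length-prefixed labels, preserving case."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, qid: int) -> bytes:
    """Standard query with RD set, one question, no EDNS (kept minimal)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(packet: bytes):
    """Return (qid, qname exactly as on the wire, qtype) from the first question."""
    qid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    pos = 12
    labels = []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name not expected")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return qid, ".".join(labels), qtype


def caps_for_id_ok(query: bytes, response: bytes) -> bool:
    """Accept the response only if ID, qtype and the exact-case name all match."""
    qid_q, name_q, type_q = parse_question(query)
    qid_r, name_r, type_r = parse_question(response)
    return qid_q == qid_r and type_q == type_r and name_q == name_r


# --- constructed responders (simulations used for the demonstration) -------

def respond_preserving(query: bytes) -> bytes:
    """Well-behaved authoritative: copies the question section verbatim."""
    qid, _name, _qtype = parse_question(query)
    question = query[12:]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    # Answer RR: pointer to the question name, A, IN, TTL 60, 192.0.2.1 (TEST-NET-1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 60, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


def respond_lowercasing(query: bytes) -> bytes:
    """Misbehaving middlebox: rebuilds the question with a lowercased name."""
    qid, name, qtype = parse_question(query)
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 0, 0, 0)
    return header + encode_name(name.lower()) + struct.pack("!HH", qtype, QCLASS_IN)


def diagnose(name: str, responder, qtype: int = QTYPE_A, seed: int = 0) -> bool:
    """Send one 0x20-randomized query to `responder` and apply the caps-for-id check."""
    rng = random.Random(seed)
    mixed = randomize_case(name, rng)
    query = build_query(mixed, qtype, rng.getrandbits(16))
    return caps_for_id_ok(query, responder(query))


if __name__ == "__main__":
    # Placeholder name: the thread's success.realpage.com, queried for A and TXT.
    for qt in (QTYPE_A, QTYPE_TXT):
        print("preserving :", diagnose("success.realpage.com", respond_preserving, qt))
        print("lowercasing:", diagnose("success.realpage.com", respond_lowercasing, qt))
```

Against a real server you would send `build_query(...)` over UDP to the authoritative address and feed the reply to `caps_for_id_ok`; a responder that lowercases (or drops) mixed-case names fails exactly the check a resolver with caps-for-id enabled applies, while a plain lookup from a resolver without it succeeds.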

Hello team,

We checked in DNSSEC Analyzer and DNSViz and both suggest that DNSSEC is no longer an issue for this domain, but Let's Encrypt still fails to provide a certificate.
When we try to issue a new cert or clear the SSL error from our application we get "DNS problem: query timed out looking up A for success.realpage.com; DNS problem: query timed out looking up AAAA for success.realpage.com."

So we need your help/insights on what needs to be done next.

Maybe this has something to do with it:

success.realpage.com canonical name = go.pardot.com
go.pardot.com        canonical name = pi.pardot.com
pi.pardot.com        canonical name = pi-ue1.pardot.com
pi-ue1.pardot.com    canonical name = pi-ue1-public-lb-f0209c6950285322.elb.us-east-1.amazonaws.com
2 Likes

Or maybe this:

com to amazonaws.com: Authoritative AAAA records exist for ns-27.awsdns-03.com, but there are no corresponding AAAA glue records.

[yeah, I know, that is a very longshot]

1 Like
