"Timed out looking up A"


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.kenshosec.com/www.psavlabs.com

I ran this command: sudo certbot --apache -d www.kenshosec.com

It produced this output:

Failed authorization procedure. www.kenshosec.com (http-01): urn:acme:error:dns :: DNS problem: query timed out looking up A for www.kenshosec.com

IMPORTANT NOTES:

My web server is (include version): Apache 2.4.18-2ubuntu3.9

The operating system my web server runs on is (include version): 16.04.5

My hosting provider, if applicable, is: Self-hosted, Dynamic DNS through noip.com

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


When attempting to create a new certificate for my site at my new domain (www.kenshosec.com) I receive the error provided above. While I believe this to be because the actual A record is at my dynamic DNS URL (zadammac.ddns.net), I can't speak to the "why" of this, as I was able to get a cert using certbot for my other domain www.psavlabs.com, some time ago, on the same machine with the same dynamic DNS setup.

I’m retiring the old domain and moving (eventually) to the first domain in a few months and I’d really like to have a working cert in order to do this.


#2

Your DDNS service is malfunctioning. ns1.perlnet.com., ns2.perlnet.com. and ns3.perlnet.com. (respectively 64.56.237.112, 216.254.178.200 and 216.254.178.201) are down.


#3

Thanks! Time to switch providers I guess.

Can you tell me how you diagnosed that so that I can check that first myself next time?


#4

A dig +trace zadammac.ddns.com. gave a few "couldn't get address for 'ns1.perlnet.com': failure" errors as answers. First, I thought perhaps the DNS servers were lacking "NS glue", but then I found out the +trace method resolves every step with the local DNS client. With a little bit of help of wireshark, I saw there was glue present, but just not used. (This could also be tested by querying the nameservers for .com for your hostname:

# dig @g.gtld-servers.net. zadammac.ddns.com.
;; AUTHORITY SECTION:
ddns.com.		172800	IN	NS	ns1.perlnet.com.
ddns.com.		172800	IN	NS	ns2.perlnet.com.

;; ADDITIONAL SECTION:
ns1.perlnet.com.	172800	IN	A	64.56.237.112
ns2.perlnet.com.	172800	IN	A	216.254.178.200

You see, the additional section provides the DNS resolver with the IP addresses, free of charge (without an extra query :wink:), “glued” with the answer. Unfortunately, those IP addresses don’t answer to DNS queries. :frowning:

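The check described in the reply above (ask the TLD server for the referral, then see whether the glue addresses it hands out actually answer), scripted so it can be rerun next time. This is an added example, not code from the thread or from the Let's Encrypt project. It uses only the Python standard library, so it depends neither on dig nor on the local stub resolver that the +trace method goes through. The referral embedded for offline use is constructed from the dig output quoted above, not a capture, and the default TLD server a.gtld-servers.net is an assumption that only fits .com and .net names; pass another server for other TLDs.

```python
"""Added example (not from the thread): ask the TLD server for a hostname, read the
NS + glue in its referral, then probe each glue IP directly. Standard library only;
the default TLD server (.com/.net) and the sample names are assumptions."""
import random
import socket
import struct

QTYPE_A, QTYPE_NS, QTYPE_CNAME, QCLASS_IN = 1, 2, 5, 1

def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end  # caller resumes after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def build_query(name, qtype=QTYPE_A, txid=None):
    """One question with RD clear: we want the TLD server's referral, not recursion."""
    txid = random.randrange(0x10000) if txid is None else txid
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def parse_response(msg):
    """Return (txid, flags, sections); each record is (owner, rtype, ttl, value)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip the echoed question(s)
        off = decode_name(msg, off)[1] + 4
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata_off, off = off + 10, off + 10 + rdlen
            if rtype == QTYPE_A and rdlen == 4:
                value = socket.inet_ntoa(msg[rdata_off:off])
            elif rtype in (QTYPE_NS, QTYPE_CNAME):
                value = decode_name(msg, rdata_off)[0]
            else:
                value = msg[rdata_off:off].hex()
            records.append((owner, rtype, ttl, value))
        sections[key] = records
    return txid, flags, sections

def glue_from_referral(sections):
    """Map each NS in the authority section to the glue A records in the additional section."""
    glue = {v: [] for _, t, _, v in sections["authority"] if t == QTYPE_NS}
    for owner, t, _, v in sections["additional"]:
        if t == QTYPE_A and owner in glue:
            glue[owner].append(v)
    return glue

def query(server_ip, name, qtype=QTYPE_A, timeout=3.0):
    """Single UDP query: None on timeout or txid mismatch, else (flags, sections)."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid), (server_ip, 53))
        try:
            data = s.recvfrom(4096)[0]
        except socket.timeout:
            return None
    rid, flags, sections = parse_response(data)
    return None if rid != txid else (flags, sections)

def check_delegation(hostname, tld_server="a.gtld-servers.net", timeout=3.0):
    """{ns_name: {glue_ip: answered}} from the TLD server's referral, or {ns_name: None}
    when no glue is offered. Any well-formed reply counts; dead glue IPs show as False."""
    tld_ip = socket.gethostbyname(tld_server)      # only this step uses the local resolver
    referral = query(tld_ip, hostname, timeout=timeout)
    if referral is None:
        raise RuntimeError(f"no reply from {tld_server}")
    return {ns: {ip: query(ip, hostname, timeout=timeout) is not None for ip in ips} or None
            for ns, ips in glue_from_referral(referral[1]).items()}

def build_sample_referral():
    """Constructed referral modelled on the dig output in the thread (not a capture), with
    compression pointers so the parser's pointer handling is exercised offline."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, 2, 2)   # QR=1, RD/RA=0: a referral
    msg += encode_name("zadammac.ddns.com.") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    ddns = struct.pack("!H", 0xC000 | (12 + 1 + len("zadammac")))  # pointer to "ddns.com." in the question
    ns1, ns1_off = encode_name("ns1.perlnet.com."), len(msg) + 12
    msg += ddns + struct.pack("!HHIH", QTYPE_NS, QCLASS_IN, 172800, len(ns1)) + ns1
    ns2, ns2_off = b"\x03ns2" + struct.pack("!H", 0xC000 | (ns1_off + 4)), len(msg) + 12  # "ns2" + ptr to "perlnet.com."
    msg += ddns + struct.pack("!HHIH", QTYPE_NS, QCLASS_IN, 172800, len(ns2)) + ns2
    for name_off, ip in ((ns1_off, "64.56.237.112"), (ns2_off, "216.254.178.200")):
        msg += struct.pack("!H", 0xC000 | name_off) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 172800, 4)
        msg += socket.inet_aton(ip)
    return msg
```

check_delegation("zadammac.ddns.net.") performs the live check; a False next to a glue IP is the situation in this thread, where the TLD server hands out the address but nothing answers on it, and None means the TLD offered no glue at all, so a resolver has to look the NS name up separately. The RD bit is left clear so the TLD server returns a referral instead of trying to recurse, and the transaction id is compared so a stray datagram cannot be mistaken for the reply.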

#5

Thanks, I appreciate the detail.

I’ll move to a more reliable DynDNS provider and see if that does the business.

EDIT: Or I could use the RIGHT address in my CNAME record. headdesk I’m sure ddns.com exists, but that’s not the right hostname. Wow.

We can safely close this and file it under Error: ID-10T