Unable to renew certificate after long period without errors - DNS problem: server failure at resolver looking up AAAA

Hi, I have been using certbot for a long time, but starting from April I have had an issue renewing the certificate for my domain. I am not using an AAAA record and have set up a CAA record for my domain. I have my own DNS server that propagates zones to other secondary servers, one of which is currently down. I am getting (in my opinion) an error that doesn't have anything to do with DNS, but it points to DNS. Please HELP

HTTP 200
Server: nginx
Date: Thu, 27 Jun 2024 23:13:10 GMT
Content-Type: application/json
Content-Length: 676
Connection: keep-alive
Boulder-Requester: 777909396
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: eF-2qMJ9uxpZ3KlW34thMZ_HKZJuDSsCFqb-ckyQhLp4DmmjKbE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "postar.tim.rs"
  },
  "status": "invalid",
  "expires": "2024-07-04T23:12:36Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/369702215937/9oeYpA",
      "status": "invalid",
      "validated": "2024-06-27T23:12:37Z",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "DNS problem: server failure at resolver looking up A for postar.tim.rs; DNS problem: server failure at resolver looking up AAAA for postar.tim.rs",
        "status": 400
      },
      "token": "IVEgFYJ89NKNziqb_8qovGuEkBqp45QtEUn8SE_Ng5A"
    }
  ]
}

My domain is: postar.tim.rs

I ran this command: /usr/bin/certbot certonly --nginx -d postar.tim.rs --force-renewal

It produced this output:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: postar.tim.rs
Type: dns
Detail: DNS problem: server failure at resolver looking up A for postar.tim.rs; DNS problem: server failure at resolver looking up AAAA for postar.tim.rs

My web server is (include version): nginx

The operating system my web server runs on is (include version): Rocky Linux 8

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.11.0

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: postar.tim.rs
Type: dns
Detail: DNS problem: server failure at resolver looking up A for postar.tim.rs; DNS problem: server failure at resolver looking up AAAA for postar.tim.rs

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

2024-06-28 01:13:10,988:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/var/lib/snapd/snap/certbot/3834/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/var/lib/snapd/snap/certbot/3834/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

Hello @bojan, welcome to the Let's Encrypt community. :slightly_smiling_face:

The authoritative DNS name servers are not performing as well as they could be.

And using the online tool Let's Debug yields these results
https://letsdebug.net/postar.tim.rs/2067055

IssueFromLetsEncrypt
ERROR
A test authorization for postar.tim.rs to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
DNS problem: server failure at resolver looking up A for postar.tim.rs; no valid AAAA records found for postar.tim.rs
1 Like

You have three nameservers:

ns2.absolutok.com doesn't return any 'A' or 'AAAA' records
ares1.tim.rs doesn't reply
mars.tim.rs returns an IP for 'A' records

So you should fix the nameservers for your domain: Probably just remove the ones that aren't mars.tim.rs, which seems to be the working one?

3 Likes

Hi,
I have removed the non-working DNS server ares1.tim.rs and fixed the SOA authority for the domain. The renewal passed and I got a new certificate, but why is my second DNS server still reported as not having an A record??

This nameserver refused to answer queries or to answer authoritatively, which means that it's not configured for this DNS zone. This error should be addressed as soon as possible. It's not only a performance and availability issue, but could lead to nameserver takeover.

Address: 80.93.224.2

Reverse name: ns2.absolutok.com.

Name: ns2.absolutok.com.

Is ns2.absolutok.com really your second DNS server? Because that server is not aware of that.

4 Likes
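The two replies above boil down to one check: ask every nameserver in the delegation directly, with recursion off, for the zone's SOA and for the A and AAAA records, and look at three things in each reply: the RCODE, the AA (authoritative answer) flag and the answer count. A server that answers REFUSED, or NOERROR without AA, is not configured for the zone at all (the lame delegation reported for ns2.absolutok.com); a server that times out gives the resolver nothing; SERVFAIL is a server-side fault; and NOERROR with AA and no answers is the normal "no AAAA record" case and is not an error. The script below is an added example, not code from the thread, from certbot or from Let's Debug. It uses only the Python standard library. The zone name and nameserver addresses are taken from the command line; the sample replies at the bottom and the example.invalid names are constructed for an offline run and are not captures from the servers discussed here.

```python
"""Query each authoritative nameserver directly (RD=0) and classify its reply.

Usage (live):  python check_ns.py postar.tim.rs 192.0.2.53 198.51.100.53
Usage (demo):  python check_ns.py          (runs constructed offline samples)
"""
import random
import socket
import struct
import sys

QTYPES = {"A": 1, "AAAA": 28, "SOA": 6}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(qname):
    """Wire-format a dotted name: length-prefixed labels ending in a zero byte."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype, qid):
    """Non-recursive query (RD=0): an authoritative server must reply with AA set."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPES[qtype], 1)


def build_response(qid, qname, qtype, rcode, aa, addrs=()):
    """Construct a reply; used only to build offline samples (not a real server's output)."""
    flags = 0x8000 | (0x0400 if aa else 0) | (rcode & 0xF)
    msg = struct.pack("!HHHHHH", qid, flags, 1, len(addrs), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", QTYPES[qtype], 1)
    for addr in addrs:
        family = socket.AF_INET6 if ":" in addr else socket.AF_INET
        rdata = socket.inet_pton(family, addr)
        rtype = 28 if family == socket.AF_INET6 else 1
        msg += encode_name(qname) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg


def skip_name(msg, off):
    """Advance past a name, handling the two-byte compression pointer form."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Extract id, AA flag, RCODE and A/AAAA answers from a raw DNS message."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1:
            answers.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28:
            answers.append(socket.inet_ntop(socket.AF_INET6, rdata))
        else:
            answers.append("type%d" % rtype)
    return {"qid": qid, "aa": bool(flags & 0x0400),
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "answers": answers}


def classify(result):
    """Verdict for one nameserver reply; None means the server never answered."""
    if result is None:
        return "no reply"
    if result["rcode"] == "REFUSED" or (result["rcode"] == "NOERROR" and not result["aa"]):
        return "lame: server is not configured as authoritative for this zone"
    if result["rcode"] == "SERVFAIL":
        return "SERVFAIL"
    if result["rcode"] == "NXDOMAIN":
        return "authoritative, name does not exist"
    if result["rcode"] == "NOERROR" and not result["answers"]:
        return "authoritative, no records of this type"   # e.g. a zone with no AAAA: fine
    if result["rcode"] == "NOERROR":
        return "ok: " + ", ".join(result["answers"])
    return result["rcode"]


def classify_raw(msg):
    return classify(parse_response(msg))


def check_nameserver(ns_ip, qname, qtype, timeout=3.0):
    """Send one UDP query straight to ns_ip (bypassing any resolver) and classify the reply."""
    qid = random.randrange(0x10000)
    family = socket.AF_INET6 if ":" in ns_ip else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, qtype, qid), (ns_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return classify(None)
    result = parse_response(data)
    return classify(result) if result["qid"] == qid else "mismatched query id (dropped)"


# Constructed sample replies for an offline run (not captures from any real server).
SAMPLES = {
    "working":       build_response(1, "example.invalid", "A", 0, True, ["192.0.2.10"]),
    "lame-refused":  build_response(2, "example.invalid", "A", 5, False),
    "lame-noerror":  build_response(3, "example.invalid", "A", 0, False),
    "servfail":      build_response(4, "example.invalid", "AAAA", 2, False),
    "no-aaaa":       build_response(5, "example.invalid", "AAAA", 0, True),
}

if __name__ == "__main__":
    if len(sys.argv) < 3:
        for label, raw in SAMPLES.items():
            print(label, "->", classify_raw(raw))
    else:
        zone, ns_ips = sys.argv[1], sys.argv[2:]   # nameserver IPs from `dig +short NS <zone>`
        for ip in ns_ips:
            for qtype in ("SOA", "A", "AAAA"):
                print(ip, qtype, "->", check_nameserver(ip, zone, qtype))
```

Run it against every address the parent zone delegates to, not just the one you administer: a secondary that your ISP never loaded the zone on will show up as "lame" for SOA as well as for A and AAAA, while a host with no AAAA record shows "authoritative, no records of this type", which a CA's resolver accepts. A server that only ever returns "no reply" should be dropped from the delegation until it is fixed, since resolvers that happen to pick it get nothing, which is what the renewal error above reports.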

You are correct, my ISP did not set up the DNS server correctly. Thanks for pointing this out.

2 Likes