Unable to renew certificate

Hello,

I’m getting a “query timed out looking up A” when trying to renew a certificate with http validation that has been working just fine for about a year:

https://crt.sh/?q=fluxer.umbc.edu

Indeed, there seems to be a DNSLookupFailed from let’s encrypt side:

And here I see DNSSEC LAME responses and a final SERVFAIL:

https://unboundtest.com/m/A/fluxer.umbc.edu/BZDSIUDQ

Finally, trying to debug this I see some problem with TCP connections to the nameserver:

However, TCP connections with the nameserver work fine from my side. So I’m not sure if there is some TCP blocking somewhere or any other problem. I’d appreciate any help with this.

Thanks!

There are some unresponsive DNS servers:
https://dnsviz.net/d/fluxer.umbc.edu/dnssec/

Hi @dnl

read your check complete. Ipv4 works, ipv6 is completely buggy:

And

X Nameserver Timeout checking Echo Capitalization: dnsexternal.umbc.edu / 2620:0:5301:2::2:1
X Nameserver Timeout checking Echo Capitalization: dnsexternal1.umbc.edu / 2620:0:5301:2::2:2
X Nameserver Timeout checking Echo Capitalization: dnsexternal2.umbc.edu / 2620:0:5301:2::2:3
X Nameserver Timeout checking EDNS512: dnsexternal.umbc.edu / 2620:0:5301:2::2:1
X Nameserver Timeout checking EDNS512: dnsexternal1.umbc.edu / 2620:0:5301:2::2:2
X Nameserver Timeout checking EDNS512: dnsexternal2.umbc.edu / 2620:0:5301:2::2:3

These are the reasons why Unboundtest / letsdebug (uses Unbound) and Letsencrypt report a Servfail.

If your name servers have ipv6 and if ipv6 doesn’t work, that breaks your domain.

1 Like

Hi @JuergenAuer,

Indeed the ipv6 network is not working. I didn’t know it was needed as well for the http validation. I’ll see if I can have it fixed.

Thank you for your help.

2 Likes

It’s not needed. You can use ipv4 only name servers without ipv6 (and websites without ipv6, most don’t have ipv6).

But if ipv6 is defined, it is used and must work.

Letsencrypt prefers ipv6, that’s the future.

But it’s a name server problem, so it may be impossible that you can fix it (if you aren’t the name server operator).

1 Like

Right. I don’t have access to the nameservers, but I will ask for the ipv6 to be fixed or at least for the AAAA records to be removed until they can fix it.

2 Likes

Well, it turns out that the problem was with DNSSEC in one of the child zones. In particular the child and parent zones were hosted in the same server, which prevented validation. The solution was to eliminate the child zone and move the records into the parent zone.

For the record, letsencrypt doesn’t need the ipv6 addresses working even if they are defined.

It’s really unfortunate that the error messages of letsencrypt are so uninformative and difficult to debug. Thank you @JuergenAuer and @rg305 for helping with this.

1 Like