Media Temple: Unable to renew certs - both wildcard/dns & subdomain/http due to DNS problem

My domain is: *.psiholog360.com, testare.psiholog360.com

I tried to renew certs, and for both I get DNS error, although DNS looks like it's working fine:

  1. wildcard: *.psiholog360.com
    Command: certbot -d '*.psiholog360.com' --manual --preferred-challenges dns-01 certonly --server https://acme-v02.api.letsencrypt.org/directory

Response error:
Detail: DNS problem: query timed out looking up TXT for _acme-challenge.psiholog360.com

Unboundtest:
Query results for TXT _acme-challenge.psiholog360.com

Response:
;; opcode: QUERY, status: NOERROR, id: 26717
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_acme-challenge.psiholog360.com. IN TXT

;; ANSWER SECTION:
_acme-challenge.psiholog360.com. 0 IN TXT "SwunY0ZHo2ZdOPG4ZV3N5Vk4UCp8qzCSLeWUo5XaEqc"

Letsdebug output:
DNS problem: SERVFAIL looking up TXT for _acme-challenge.psiholog360.com - the domain's nameservers may be malfunctioning
Challenge update failures for *.psiholog360.com in order https://acme-staging-v02.api.letsencrypt.org/acme/order/5751349/131044458
acme: error code 400 "urn:ietf:params:acme:error:dns": DNS problem: SERVFAIL looking up TXT for _acme-challenge.psiholog360.com - the domain's nameservers may be malfunctioning


  2. subdomain: testare.psiholog360.com
    Command: certbot renew --dry-run
    Result: Detail: DNS problem: SERVFAIL looking up A for testare.psiholog360.com - the domain's nameservers may be malfunctioning

Unbound:
Query results for A testare.psiholog360.com

Response:
;; opcode: QUERY, status: NOERROR, id: 51845
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;testare.psiholog360.com. IN A

;; ANSWER SECTION:
testare.psiholog360.com. 0 IN A 3.123.98.175

Letsdebug output:
HTTPCheck
DEBUG
Requests made to the domain
Request to: testare.psiholog360.com/3.123.98.175, Result: [Address=3.123.98.175,Address Type=IPv4,Server=Apache,HTTP Status=302,Number of Redirects=1,Final HTTP Status=302], Issue: BadRedirect
Trace:
@0ms: Making a request to http://testare.psiholog360.com/.well-known/acme-challenge/letsdebug-test (using initial IP 3.123.98.175)
@0ms: Dialing 3.123.98.175
@174ms: Server response: HTTP 302 Found
@174ms: Received redirect to https://testare.psiholog360.com.well-known/acme-challenge/letsdebug-test
DEBUG

A and AAAA records found for this domain
testare.psiholog360.com. 0 IN A 3.123.98.175
InternalProblem

DEBUG
An internal error occurred while checking the domain
Failed to query certwatch database to check rate limits: pq: canceling statement due to user request
LetsEncryptStaging

DEBUG
Challenge update failures for testare.psiholog360.com in order https://acme-staging-v02.api.letsencrypt.org/acme/order/5751349/131174908
acme: error code 400 "urn:ietf:params:acme:error:dns": DNS problem: query timed out looking up A for testare.psiholog360.com


Renewal used to work fine before with the same settings, not sure what generates these errors now...
I'm aware of the redirect problem with testare subdomain, but the DNS error seems unrelated. I also tried to generate a new cert for a test subdomain (with http, not dns), but got the same error.

Any idea how to solve this? Thanks.

1 Like
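The symptom above (a recursive resolver such as unboundtest answers fine while Let's Encrypt's validators see SERVFAIL or timeouts) is typical when only some of a zone's authoritative nameservers are broken. The following added example (not from this thread or from certbot/letsdebug) queries each authoritative server directly and flags servers that fail or disagree with the others. It assumes dnspython is installed for live queries; the nameserver IPs are taken from the zone's NS records, and the `query` parameter is pluggable so the comparison logic can be exercised offline.

```python
"""Query each authoritative nameserver of a zone directly and compare answers."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List


@dataclass
class NsResult:
    nameserver: str
    status: str                       # "ok", "servfail", "timeout", "nxdomain", "noanswer"
    records: List[str] = field(default_factory=list)


def dnspython_query(nameserver: str, name: str, rrtype: str, timeout: float = 5.0) -> NsResult:
    """Live query of one server via dnspython (imported lazily so the module loads without it)."""
    import dns.exception
    import dns.resolver

    res = dns.resolver.Resolver(configure=False)   # do not use /etc/resolv.conf
    res.nameservers = [nameserver]                 # ask exactly this authoritative server
    try:
        answer = res.resolve(name, rrtype, lifetime=timeout)
        return NsResult(nameserver, "ok", sorted(r.to_text() for r in answer))
    except dns.exception.Timeout:
        return NsResult(nameserver, "timeout")
    except dns.resolver.NoNameservers:             # SERVFAIL/REFUSED from this server
        return NsResult(nameserver, "servfail")
    except dns.resolver.NXDOMAIN:
        return NsResult(nameserver, "nxdomain")
    except dns.resolver.NoAnswer:
        return NsResult(nameserver, "noanswer")


def check_zone(name: str, rrtype: str, nameservers: Iterable[str],
               query: Callable[[str, str, str], NsResult] = dnspython_query) -> Dict[str, object]:
    """Report nameservers that fail or whose answer differs from the majority answer.

    A CA validator may land on any of these servers, so a single failing or
    stale one is enough to break a challenge even when 'dig' from one vantage
    point looks healthy.
    """
    results = [query(ns, name, rrtype) for ns in nameservers]
    ok = [r for r in results if r.status == "ok"]
    # The most common record set among the working servers is the reference answer.
    answer_sets = [tuple(r.records) for r in ok]
    reference = max(set(answer_sets), key=answer_sets.count) if answer_sets else ()
    failing = [f"{r.nameserver} ({r.status})" for r in results if r.status != "ok"]
    inconsistent = [r.nameserver for r in ok if tuple(r.records) != reference]
    return {"reference": list(reference), "failing": failing,
            "inconsistent": inconsistent, "healthy": not failing and not inconsistent}
```

Run it as `check_zone("_acme-challenge.example.com", "TXT", ["<ns1 ip>", "<ns2 ip>"])` with the IPs of every NS the parent zone delegates to; any entry in `failing` or `inconsistent` explains an intermittent "SERVFAIL looking up TXT" at issuance time.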

Hi @alexb, and welcome to the LE community forum :slight_smile:

It seems that there is a real issue with MediaTemple DNS lately.
This is the third topic I've seen in the last couple of days relating to problems with their DNS.
You should let them know about this problem and, if possible, add more DNS servers to your zone to overcome these types of single provider problems
[add servers from other DNS providers]

tagging: @griffin

2 Likes

Ok, thanks, Rudy. MT is sh***y overall... I'll move the domain DNS to another provider; this kind of problem is unacceptable.

2 Likes

Welcome to the Let's Encrypt Community, Alex :slightly_smiling_face:

And the trend continues...

2 Likes

Thanks, Griffin.

Indeed, the problem is with the MT nameservers. I switched the NSs to AWS Route53 and everything worked fine (after 3hrs of debugging yesterday - Friday evening :grimacing: )

2 Likes

@alexb Could there be another option instead of using Amazon Route53?

1 Like

It can be any DNS provider, but you first need to create the zone and copy ALL records from the MT zone, then change the nameservers in the MT interface to the new provider's servers. The point here is to be sure to copy ALL records, otherwise you'll end up with some services (like email, web etc.) not working.

1 Like

Just wanted to add here that while it's possible to use multiple different authoritative DNS providers for a single domain, it is highly uncommon outside of super high profile sites who need to account for one of the providers being entirely down (which is super rare for large DNS providers). It's also hard to manage which is why it's not really a common thing people do.

Much better advice for the vast majority of folks would be to change DNS providers entirely rather than add another one, particularly if the one you have is misbehaving.

2 Likes

If you consider that there is only one place to make changes (and all others synchronize from it), the only hard part is setting it up. It then becomes automated and simple.
[much like using any ACME client - the only hard part is setting it up (and we are here to help with that)]

I agree that changing DNS providers is also a viable solution; but saying it is a much better path is more than it deserves, as it trades one DSP for another [all of which can have their troubles at times].
It is merely a much simpler path to solve the problem. But it still leaves one vulnerable to any symptoms affecting that single provider.

Again (IMHO), using multiple DNS providers is the most effective method to overcome any such problems, and is really NOT that hard to set up.
[maybe I should write a paper/example on how to do it simply for those that are willing but clueless]

1 Like

Not sure how many DNS hosts are willing to routinely zone transfer out to an outside DNS server: don't they mostly try to lock you in?

2 Likes

They get paid to do what you ask them to do.
So... just ask:
Can I set up secondary DNS servers?

1 Like

Adding secondary DNS servers (that do automated zone transfers from your primary) is different from adding additional primary DNS servers. I thought you were advocating for the latter, in which case you're effectively having to manually make updates in multiple places. And there are sites that do this because they want the redundancy of disparate DNS providers that don't talk to each other at all and are willing to deal with the additional record management burden it requires.

Secondary DNS is totally different and relatively common. Though it's a less common supported feature than I would have hoped from major providers.

But in OP's case with the primary provider misbehaving, I'd still argue it's probably better to move away from them entirely than add a secondary provider. If I can't trust my provider to directly serve my zone properly, why should I trust they can serve it to a secondary provider either?

2 Likes

I suppose I should have used more words; my apologies for the confusion.

And I would still argue that using both is better than using only one of them (either one).
If A can't secondary B, then can B secondary to A?
If neither then look to providers C and/or D.
[there are plenty out there that play well with others]

I've used cloudns.net & 1984.is as secondaries, without issue, for many years now.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.