unknownHost error despite valid DNS records (IMHO)

Hi guys,

It almost seems like ACME is caching DNS records; it never happened to me before anywhere else, even after a DNS change I was able to promptly acquire a cert.

First I had a CNAME of teamwork.roamability.com pointing to teamwork-proxy.roamability.com … that produced the urn:acme:error:unknownHost error as well … then I figured maybe the CNAME is not followed, so I changed it to a direct A record, no luck, still the same unknownHost record. I’m pretty certain the DNS is set up correctly but I still get the error.

Any ideas please?

Thanks!
Lukas

$ host -t ns roamability.com
roamability.com name server ns18.domaincontrol.com.
roamability.com name server ns17.domaincontrol.com.
$ host -t A teamwork.roamability.com ns17.domaincontrol.com
Using domain server:
Name: ns17.domaincontrol.com
Address: 2607:f208:206::9#53
Aliases: 

teamwork.roamability.com has address 172.31.22.34
$ host -t A teamwork.roamability.com ns18.domaincontrol.com
Using domain server:
Name: ns18.domaincontrol.com
Address: 2607:f208:302::9#53
Aliases: 

teamwork.roamability.com has address 172.31.22.34
$ 

Please fill out the fields below so we can help you better.

My domain is: teamwork.roamability.com

I ran this command: I’m using caddy webserver but to replicate this issue I’ve just cooked up this:
letsencrypt certonly --logs-dir=/tmp --config-dir=/tmp --work-dir=/tmp --agree-tos --renew-by-default -d teamwork.roamability.com -a webroot --webroot-path=/tmp

It produced this output:

Failed authorization procedure. teamwork.roamability.com (http-01): urn:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for teamwork.roamability.com
    IMPORTANT NOTES:
     - The following errors were reported by the server:

   Domain: teamwork.roamability.com
   Type:   unknownHost
   Detail: No valid IP addresses found for teamwork.roamability.com

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

My operating system is (include version): CentOS 7

My web server is (include version): Caddy

My hosting provider, if applicable, is: Amazon AWS (I tried running certbot elsewhere, same result)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

Hi Lukas

I have checked your domain name and it has a valid A record.

http://mxtoolbox.com/SuperTool.aspx?action=a%3Ateamwork.roamability.com&run=toolpage

Do you have the log file? It should tell us what the message from the letsencrypt server is.

Hi Lukas

I have tried using https://zerossl.com to get a challenge (which will fail as I will not be able to authenticate).

Let’s Encrypt can resolve your domain name, so it’s the local client that’s having issues with DNS.

Screenshot below. Once again, I haven’t tried to complete the challenge, so you will still be able to register once you have sorted the DNS issues.

172.31.22.34 is a private IP address (in the 172.16.0.0/12 block). You won’t be able to use the http-01 or tls-sni-01 challenge types with a private IP address, though dns-01 is still an option. You can find the DNS challenge documentation for Caddy here.

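As an added example (not from this thread, nor from Caddy or certbot), a pre-flight check that resolves a hostname and flags any address a CA's validation server cannot reach, which is exactly the private-IP mistake found above. The function names and the constructed resolver table are assumptions; the 172.31.22.34 record is the one from the thread.

```python
import ipaddress
import socket

# Pre-flight check for ACME http-01 / tls-sni-01: every address the
# hostname resolves to must be publicly routable, otherwise the CA's
# validation server cannot connect and the order fails with an
# unknownHost-style error even though the DNS records themselves are fine.

def classify_address(ip):
    """Return 'public' or the reason an address is unusable for HTTP validation."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr.is_private:            # RFC 1918 / RFC 4193, e.g. 172.16.0.0/12
        return "private"
    if addr.is_multicast or addr.is_reserved or addr.is_unspecified:
        return "reserved"
    return "public"

def system_resolver(hostname):
    """Resolve A/AAAA records via the local stub resolver (CNAMEs are followed)."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def check_validation_targets(hostname, resolver=system_resolver):
    """Return (usable, report): usable is True only when at least one address
    resolved and all of them are public; report maps each IP to its class."""
    addresses = resolver(hostname)
    report = {ip: classify_address(ip) for ip in addresses}
    usable = bool(report) and all(kind == "public" for kind in report.values())
    return usable, report

# Constructed stand-in for DNS so the check runs offline; it reproduces the
# record from the thread (hypothetical table, not a live lookup).
def constructed_resolver(hostname):
    table = {"teamwork.roamability.com": ["172.31.22.34"]}
    return table.get(hostname, [])

if __name__ == "__main__":
    ok, report = check_validation_targets("teamwork.roamability.com", constructed_resolver)
    for ip, kind in report.items():
        print(f"{ip}: {kind}")
    print("http-01 possible:", ok)
```

Run it with the default `system_resolver` against your own hostname before requesting a certificate; a non-public class in the report means only dns-01 can succeed.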

Thank you!

The mother of all facepalms :confounded: I was so focused on the error message saying it cannot find a valid A record that it never occurred to me I copy-pasted the private IP of the Amazon AWS machine instead of the public one from the web interface, DUH! I’m indeed an idiot :slight_smile:
