Validation: DNS problem

corelux · March 15, 2020, 7:59pm

Hi,

Error LOG ;

Status: 400
Detail: During secondary validation: DNS problem: query timed out looking up CAA for aidat.pro
[2020-03-15 22:53:53.861] ERR [extension/letsencrypt] Domain validation failed: Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/3378144459.
Details:
Type: urn:ietf:params:acme:error:dns
Status: 400
Detail: During secondary validation: DNS problem: query timed out looking up CAA for aidat.pro

Only the server’s main ip address has been changed. How can we fix it?

Thank you.

9peppe · March 15, 2020, 8:17pm

There is no A record for deneme.aidat.pro, add one (or a cname).

JuergenAuer · March 15, 2020, 10:21pm

Hi @corelux

if you have that problem (“secondary validation”): Letsencrypt has added a “multiple network validation”.

Read

The Letsencrypt servers are able to check your CAA entry. The additional servers aren’t, that’s the error message.

May be a blocking DNS firewall.

deneme.aidat.pro

is your domain. CAA is a “tree climbing check”. So if you have a CAA entry with deneme.aidat.pro, your aidat.pro entry isn’t checked.

May be it helps if you create a CAA entry with deneme.aidat.pro.

corelux · March 16, 2020, 6:32am

Can you check it now?
I added the A record. But the error is as follows

type: urn:ietf:params:acme:error:dns

Status: 400

Detail: During secondary validation: DNS problem: SERVFAIL looking up A for deneme.aidat.pro - the domain’s nameservers may be malfunctioning

corelux · March 16, 2020, 6:36am

I manually added the CAA value. Unfortunately, nothing has changed.

Error

Type: urn:ietf:params:acme:error:dns

Status: 400

Detail: During secondary validation: DNS problem: SERVFAIL looking up A for deneme.aidat.pro - the domain’s nameservers may be malfunctioning

only server’s main ip address had changed.

mnordhoff · March 16, 2020, 7:00am

I tried querying your domain’s nameserver from one of the AWS regions used by the secondary validation servers, and it timed out.

Is your nameserver blocking traffic from any IPs? In particular, AWS IPs?

abramos · April 7, 2020, 7:35pm

Thanks @mnordhoff for hinting AWS issue. Have arrived here with the same (comparatively recent) problem on all our servers, resolved by bulk deleting AWS IPs from firewall.

AWS is a well known hub of spammers, scrapers, bots & all sorts of nasties. We increasingly faced a non-stop storm of all sorts of “attacks” from AWS IPs, getting involved in a futile wack-a-mole campaign of banning individual offending IP ranges - till we decided to block en masse all AWS known IPs and thus get some peace of mind.

Since overall we are not aware of what Letsencrypt IPs to whitelist, we are forced to weaken our firewall to a great extend to be able to use Letsencrypt.

Unwittingly Letsencrypt, dedicated to web security, is in effect exposing our servers to security issues by weakening by some of its decisions some of our firewall defenses.

I am not advocating here publication of IPs to whitelist. They have indeed to remain secret. However, Letsencrypt IPs should be far, far away from clusters candidate for IP range blacklisting such as AWS, Google, Microsoft, Oracle, Hetzner and other such nasty clouds.

I hope this makes sense.

.

danb35 · April 7, 2020, 10:49pm

If your network’s security depends on an absolute blacklist of AWS IPs, there are other, more serious, problems with your network security. But if this concerns you, there’s a simple answer: use DNS validation.