While processing CAA for stage.altel.kz: DNS problem: query timed out looking up CAA for stage.altel.kz

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: stage.altel.kz

I ran this command: acme protocol

My web server is (include version): nginx

{
    "type": "http-01",
    "url": "https://acme-v02.api.letsencrypt.org/acme/chall/2251136105/674976602431/5hsr5g",
    "status": "invalid",
    "validated": "2026-03-18T12:23:07Z",
    "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "While processing CAA for stage.altel.kz: DNS problem: query timed out looking up CAA for stage.altel.kz",
        "status": 400
    },
    "token": "0xxxxxxxxxM",
    "validationRecord": [
        {
            "url": "http://stage.altel.kz/.well-known/acme-challenge/xxxxx",
            "hostname": "stage.altel.kz",
            "port": "80",
            "addressesResolved": [
                "82.27.191.218",
                "82.27.191.131"
            ],
            "addressUsed": "82.27.191.218"
        }
    ]
}

How can I solve this problem!!!

Just like the error says, requests to your DNS server for CAA records don't return a response. (The error "query timed out" means that a query was made and the validation system is waiting for a response, but never got one.)

Your DNS in general seems very broken, with incorrect delegations and servers that don't respond. See the DNSViz report: stage.altel.kz | DNSViz

  • 306df88a.altel.kz.cname.edgenextcname.com/A: A query for 306df88a.altel.kz.cname.edgenextcname.com results in a NOERROR response, while a query for its ancestor, cname.edgenextcname.com, returns a name error (NXDOMAIN), which indicates that subdomains of cname.edgenextcname.com, including 306df88a.altel.kz.cname.edgenextcname.com, don't exist. See RFC 8020, Sec. 2. (123.108.74.132, 123.108.74.133, 123.108.74.134, 123.108.74.150, 123.108.74.153, 123.108.74.160, 123.108.74.163, UDP_-_EDNS0_4096_D_KN)
  • 306df88a.altel.kz.cname.edgenextcname.com/AAAA (NODATA): A query for 306df88a.altel.kz.cname.edgenextcname.com results in a NOERROR response, while a query for its ancestor, cname.edgenextcname.com, returns a name error (NXDOMAIN), which indicates that subdomains of cname.edgenextcname.com, including 306df88a.altel.kz.cname.edgenextcname.com, don't exist. See RFC 8020, Sec. 2. (123.108.74.132, 123.108.74.133, 123.108.74.134, 123.108.74.150, 123.108.74.153, 123.108.74.160, 123.108.74.163, UDP_-_EDNS0_4096_D_KN)
  • 306df88a.altel.kz.cname.edgenextcname.com/CAA (NODATA): A query for 306df88a.altel.kz.cname.edgenextcname.com results in a NOERROR response, while a query for its ancestor, cname.edgenextcname.com, returns a name error (NXDOMAIN), which indicates that subdomains of cname.edgenextcname.com, including 306df88a.altel.kz.cname.edgenextcname.com, don't exist. See RFC 8020, Sec. 2. (123.108.74.132, 123.108.74.133, 123.108.74.134, 123.108.74.150, 123.108.74.153, 123.108.74.160, 123.108.74.163, UDP_-_EDNS0_4096_D_KN)
  • altel.kz zone: The server(s) were not responsive to queries over UDP. See RFC 1035, Sec. 4.2. (2a03:32c0:22::ad, 2a03:32c0:23::ad)
  • altel.kz/DNSKEY: No response was received from the server over UDP (tried 12 times). See RFC 1035, Sec. 4.2. (81.211.250.54, 217.76.66.86, UDP_-_NOEDNS_)
  • altel.kz/DNSKEY: No response was received from the server over UDP (tried 4 times). See RFC 1035, Sec. 4.2. (81.211.250.54, 217.76.66.86, UDP_-_EDNS0_512_D_KN)
  • cname.edgenextcname.com/A (NXDOMAIN): The Authoritative Answer (AA) flag was not set in the response. See RFC 1035, Sec. 4.1.1. (123.108.74.132, 123.108.74.133, 123.108.74.134, 123.108.74.150, 123.108.74.153, 123.108.74.160, 123.108.74.163, UDP_-_EDNS0_4096_D_KN)
  • cname.edgenextcname.com/A (NXDOMAIN): The NXDOMAIN response did not include an SOA record. See RFC 1034, Sec. 4.3.4, RFC 2308, Sec. 2.1. (123.108.74.132, 123.108.74.133, 123.108.74.134, 123.108.74.150, 123.108.74.153, 123.108.74.160, 123.108.74.163, UDP_-_EDNS0_4096_D_KN)
  • kz/DNSKEY: No response was received from the server over UDP (tried 4 times). See RFC 1035, Sec. 4.2. (194.0.21.5, UDP_-_EDNS0_512_D_KN)
  • stage.altel.kz/AAAA: No response was received from the server over UDP (tried 12 times). See RFC 1035, Sec. 4.2. (81.211.250.54, 217.76.66.86, UDP_-_NOEDNS_)
  • stage.altel.kz/CAA: No response was received from the server over UDP (tried 12 times). See RFC 1035, Sec. 4.2. (81.211.250.54, 217.76.66.86, UDP_-_NOEDNS_)
  • cname.edgenextcname.com/A (NXDOMAIN): The server responded with no OPT record, rather than with RCODE FORMERR. See RFC 6891, Sec. 7. (123.108.74.132, 123.108.74.133, 123.108.74.134, 123.108.74.150, 123.108.74.153, 123.108.74.160, 123.108.74.163, UDP_-_EDNS0_4096_D_KN)
  • com to edgenextcname.com: The following NS name(s) were found in the authoritative NS RRset, but not in the delegation NS RRset (i.e., in the com zone): ns1.edgenextns.com, ns2.edgenextns.com See RFC 1034, Sec. 4.2.2.
  • com to edgenextcname.com: The following NS name(s) were found in the delegation NS RRset (i.e., in the com zone), but not in the authoritative NS RRset: gnsgl01.edgenextsdns.biz, gnsgl02.edgenextsdns.info See RFC 1034, Sec. 4.2.2.

You need a working domain name before you can worry about trying to get certificates for it.

5 Likes
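
The distinction the reply above draws between an empty answer and no answer at all, as an added example that is not from the thread or from Let's Encrypt: a standard-library Python probe that sends a plain UDP CAA query (no EDNS) to one authoritative server and reports what came back. The function names and outcome labels are assumptions made for this example.

```python
import secrets
import socket
import struct

CAA = 257  # RR type number for CAA (RFC 8659)

def build_query(name, qtype=CAA):
    """Return (txid, packet) for a one-question query with no EDNS."""
    txid = secrets.randbits(16)
    # Flags 0x0000: RD is off, because the target is an authoritative server.
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # class IN

def classify(txid, reply):
    """Turn a raw reply into the outcome a CAA lookup would see."""
    if len(reply) < 12:
        return "malformed"
    rid, flags, _qd, ancount = struct.unpack("!HHHH", reply[:8])
    if rid != txid or not flags & 0x8000:  # wrong ID or not a response
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 0:
        return "answer" if ancount else "nodata"  # nodata: no CAA set, lookup OK
    return "nxdomain" if rcode == 3 else f"rcode-{rcode}"  # 2=SERVFAIL, 5=REFUSED

def probe_caa(name, server, port=53, timeout=3.0, tries=3):
    """Ask one server for CAA over UDP; 'timeout' means no reply at all."""
    txid, pkt = build_query(name)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for _ in range(tries):
            try:
                s.sendto(pkt, (server, port))
                reply, _ = s.recvfrom(4096)
            except socket.timeout:
                continue  # retry, as a resolver would
            except OSError:
                return "unreachable"  # e.g. no route to an IPv6-only server
            return classify(txid, reply)
    return "timeout"

def failing_servers(name, servers, **kw):
    """Servers whose outcome is not a usable CAA result."""
    usable = {"answer", "nodata", "nxdomain"}
    results = {srv: probe_caa(name, srv, **kw) for srv in servers}
    return {srv: r for srv, r in results.items() if r not in usable}
```

Run `failing_servers("stage.altel.kz", [...])` against the server addresses the DNSViz report lists for the zone (for example 81.211.250.54 and 217.76.66.86); any server reported as `timeout` is one that never replied to the CAA query.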

Thank you for your reply. We will investigate according to your direction.
