Why letsencrypt can't renew my domain: The server could not connect to the client to verify the domain


#1

Please fill out the fields below so we can help you better.

My domain is: www.xtons.com (fail), xtons.com (ok)

I ran this command: sudo ./certbot-auto renew --standalone

It produced this output:
sudo ./certbot-auto renew --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/xtons.com-0001.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/xtons.com.conf

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for xtons.com
tls-sni-01 challenge for www.xtons.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/xtons.com.conf produced an unexpected error: Failed authorization procedure. www.xtons.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: query timed out looking up A for www.xtons.com. Skipping.

The following certs are not due for renewal yet:
/etc/letsencrypt/live/xtons.com-0001/fullchain.pem (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/xtons.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.xtons.com
    Type: connection
    Detail: DNS problem: query timed out looking up A for www.xtons.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My operating system is (include version): Ubuntu 14.04 LTS on Amazon EC2

My web server is (include version): nginx (not running)

My hosting provider, if applicable, is: Amazon

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Looks like a DNS issue in your environment.

From my computer I am able to see the www.xtons.com domain.

Try running dig www.xtons.com on your Ubuntu server and see if it resolves.

If not, fix that issue first.

Andrei


#3

When I did a dig +trace www.xtons.com, it was “hanging” on the last bit… But ultimately, it did work… Perhaps dig chose another server?

If I look at http://dnsviz.net/d/www.xtons.com/dnssec/ you can see a lot of warnings and errors. Some of them can be ignored (not every DNS server responds to TCP), but the fact a lot of DNS servers are not responding to UDP does shed some light on the situation: your DNS is quite troublesome at the least.


#4

I can dig from my server on Amazon EC2.

$ dig www.xtons.com

; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> www.xtons.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13105
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.xtons.com. IN A

;; ANSWER SECTION:
www.xtons.com. 60 IN A 52.78.45.91

;; Query time: 4002 msec
;; SERVER: 172.31.0.2#53(172.31.0.2)
;; WHEN: Fri Mar 24 02:36:49 UTC 2017
;; MSG SIZE rcvd: 58

I don’t understand why the letsencrypt.org server can’t resolve the subdomain (www.xtons.com) via dnspod.com (my DNS service provider).


#5

The dig query time reported is 4 seconds. That’s not “reliable, efficient DNS service”, that’s “lucky it worked at all”. Apparently Let’s Encrypt’s resolver is not always so lucky.

Issues with DNSPod have been reported on this forum more than once:

https://community.letsencrypt.org/search?q=dnspod

From my location in the US, it seems to me that most of their DNS servers are located in mainland China, a few in Hong Kong, and service is generally spotty.

I don’t think there are any issues specific to Let’s Encrypt.

Edit:

I don’t know if DNSPod is fast and reliable inside China, but service outside of China is clearly poor. I would suggest using a different DNS provider, or living with the fact that Let’s Encrypt will sometimes take a few tries to validate.

Edit:

While Let’s Encrypt provides no guarantees about the location of the validation servers, and they have plans to check from multiple locations, evidently they currently don’t check from China.
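The dig in #4 went through the local recursive resolver (SERVER: 172.31.0.2, the EC2 VPC resolver), which can answer from cache even when the authoritative servers are slow or silent; the dnsviz report in #3 and the 4-second query time in #5 are about those authoritative servers. The script below is an added example, not code from this thread or from Let’s Encrypt: it builds a minimal DNS A query with the RD bit clear, sends it to each nameserver IP you pass on the command line over UDP and then TCP, and reports the round-trip time or the timeout, which is roughly what the validator’s resolver experiences. It uses only the standard library; the nameserver IPs are assumed to come from `dig NS xtons.com` (not shown here), and the script name `nsprobe.py` is hypothetical.

```python
import socket
import struct
import sys
import time

QTYPE_A = 1      # RFC 1035 record type / class codes
QCLASS_IN = 1


def encode_name(name):
    """Encode 'www.xtons.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name, qid=0x1234, qtype=QTYPE_A):
    """Standard query with RD clear: ask an authoritative server for its own
    answer instead of letting a recursive resolver answer from cache."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(data, offset):
    """Decode a possibly compressed name; return (name, offset past it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(data):
    """Return header flags plus the A records in the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                                # skip the echoed question
        _, offset = decode_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(data[offset:offset + 4])))
        offset += rdlen
    return {"id": qid, "rcode": flags & 0x000F, "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "answers": answers}


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed before the full reply arrived")
        buf += chunk
    return buf


def probe(server, name, proto, timeout=2.0):
    """Query `server` once over 'udp' or 'tcp'. The result carries the round-trip
    time in ms; an 'error' key means no usable answer within `timeout`, which is
    the "query timed out" failure the validator reported in this thread."""
    query = build_query(name)
    start = time.monotonic()
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                data, _ = s.recvfrom(4096)
        else:                                          # TCP: two-byte length prefix
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                (length,) = struct.unpack("!H", recv_exact(s, 2))
                data = recv_exact(s, length)
        result = parse_response(data)
    except (OSError, struct.error, IndexError) as exc:
        result = {"error": str(exc) or exc.__class__.__name__}
    result["ms"] = round((time.monotonic() - start) * 1000)
    return result


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: nsprobe.py <name> <nameserver-ip> [<nameserver-ip> ...]")
    for server in sys.argv[2:]:
        for proto in ("udp", "tcp"):
            r = probe(server, sys.argv[1], proto)
            status = r.get("error") or "rcode=%d aa=%s tc=%s %s" % (
                r["rcode"], r["aa"], r["tc"], r["answers"])
            print("%-15s %-3s %5d ms  %s" % (server, proto, r["ms"], status))
```

Run it from the EC2 host as `python3 nsprobe.py www.xtons.com <ns-ip> ...` with the addresses of every nameserver the zone delegates to. A healthy zone answers from all of them with `aa=True` in a few tens of milliseconds over both transports; any server that times out or takes seconds is one the validator's resolver can land on. Run it a few times, because the thread's point is intermittent failure, not a consistently dead server.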


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.