[buug] letsencrypt DNS (validation)

Ian Zimmerman itz at primate.net
Tue May 9 21:17:52 PDT 2017


On 2017-05-09 08:14, Michael Paoli wrote:

> Curious if you're seeing actual DNS problems, or
> problems with DNS validation method, or if it's
> "just" issues with TTLs and negative caching and
> perhaps a modest bit of latency on propagation (e.g.
> to all delegated nameservers plus a few seconds or so ...
> more than that?).

I saw it fail three times, with the error message different for the
first time and then identical in the next two cases.

First time:

WARNING:certbot.renewal:Attempting to renew cert from
 /etc/letsencrypt/renewal/very.loosely.org.conf
 produced an unexpected error: Failed authorization procedure.
 very.loosely.org (tls-sni-01): urn:acme:error:unknownHost ::
 The server could not resolve a domain name ::
 No valid IP addresses found for very.loosely.org. Skipping.

FailedChallenges: Failed authorization procedure.
 very.loosely.org (tls-sni-01): urn:acme:error:unknownHost ::
 The server could not resolve a domain name ::
 No valid IP addresses found for very.loosely.org

Second and third time:

WARNING:certbot.renewal:Attempting to renew cert from
 /etc/letsencrypt/renewal/very.loosely.org.conf
 produced an unexpected error: Failed authorization procedure.
 very.loosely.org (tls-sni-01): urn:acme:error:connection ::
 The server could not connect to the client to verify the domain ::
 DNS problem: SERVFAIL looking up A for very.loosely.org. Skipping.

FailedChallenges: Failed authorization procedure.
 very.loosely.org (tls-sni-01): urn:acme:error:connection ::
 The server could not connect to the client to verify the domain ::
 DNS problem: SERVFAIL looking up A for very.loosely.org

I self-host very.loosely.org; loosely.org, which delegates it to me, is
hosted by dyn.  At the times corresponding to the above error logs for
letsencrypt, I see _no_ queries (successful or not) in my named logs.

It resolved instantly on our lovely primate.net server.

-- 
Please *no* private Cc: on mailing lists and newsgroups
Personal signed mail: please _encrypt_ and sign
Don't clear-text sign:
http://primate.net/~itz/blog/the-problem-with-gpg-signatures.html
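An added diagnostic example, not part of the post: a small Python parser for certbot's wrapped renewal warnings (as quoted above) that pulls out the ACME error type and any DNS rcode, so the two failure modes seen here (unknownHost with no addresses vs. a SERVFAIL connection error) can be told apart across many renewal runs. The sample log is constructed from the two messages in this thread; the cause strings are assumptions about what to check first.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two distinct renewal warnings quoted in this post,
# in certbot's multi-line layout (continuation lines start with a space).
SAMPLE_LOG = """\
WARNING:certbot.renewal:Attempting to renew cert from
 /etc/letsencrypt/renewal/very.loosely.org.conf
 produced an unexpected error: Failed authorization procedure.
 very.loosely.org (tls-sni-01): urn:acme:error:unknownHost ::
 The server could not resolve a domain name ::
 No valid IP addresses found for very.loosely.org. Skipping.
WARNING:certbot.renewal:Attempting to renew cert from
 /etc/letsencrypt/renewal/very.loosely.org.conf
 produced an unexpected error: Failed authorization procedure.
 very.loosely.org (tls-sni-01): urn:acme:error:connection ::
 The server could not connect to the client to verify the domain ::
 DNS problem: SERVFAIL looking up A for very.loosely.org. Skipping.
"""

@dataclass
class AcmeFailure:
    domain: str
    challenge: str            # e.g. "tls-sni-01"
    error: str                # ACME error type: "unknownHost", "connection", ...
    detail: str               # last "::"-separated field of the message
    dns_rcode: Optional[str]  # "SERVFAIL" etc. when the detail reports a DNS rcode

_FAIL_RE = re.compile(
    r"(?P<domain>[A-Za-z0-9.-]+) \((?P<challenge>[a-z0-9-]+)\): "
    r"urn:acme:error:(?P<error>\w+) :: (?P<rest>.*?)(?: Skipping\.)?$")
_RCODE_RE = re.compile(r"DNS problem: ([A-Z]+) looking up")

def parse_certbot_failures(text: str) -> List[AcmeFailure]:
    """Re-join certbot's wrapped WARNING records and extract each ACME failure."""
    records, cur = [], []
    for line in text.splitlines():
        if not line.startswith(" ") and cur:   # an unindented line starts a record
            records.append(" ".join(cur)); cur = []
        cur.append(line.strip())
    if cur:
        records.append(" ".join(cur))
    out = []
    for m in filter(None, (_FAIL_RE.search(r) for r in records)):
        detail = m["rest"].split(" :: ")[-1].rstrip(".")
        rc = _RCODE_RE.search(detail)
        out.append(AcmeFailure(m["domain"], m["challenge"], m["error"], detail,
                               rc.group(1) if rc else None))
    return out

def likely_cause(f: AcmeFailure) -> str:
    """Assumed first thing to check for each failure shape (not certbot's advice)."""
    if f.dns_rcode == "SERVFAIL":
        return "resolver returned SERVFAIL: authoritative servers unreachable or erroring from the CA side"
    if f.error == "unknownHost":
        return "empty answer: no A/AAAA record visible for the name from the CA side"
    return "non-DNS failure"
```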
