[buug] letsencrypt DNS (validation)
Ian Zimmerman
itz at primate.net
Tue May 9 21:17:52 PDT 2017
On 2017-05-09 08:14, Michael Paoli wrote:
> Curious if you're seeing actual DNS problems, or
> problems with DNS validation method, or if it's
> "just" issues with TTLs and negative caching and
> perhaps a modest bit of latency on propagation (e.g.
> to all delegated nameservers plus a few seconds or so ...
> more than that?).
I saw it fail three times, with the error message different for the
first time and then identical in the next two cases.
First time:
WARNING:certbot.renewal:Attempting to renew cert from
/etc/letsencrypt/renewal/very.loosely.org.conf
produced an unexpected error: Failed authorization procedure.
very.loosely.org (tls-sni-01): urn:acme:error:unknownHost ::
The server could not resolve a domain name ::
No valid IP addresses found for very.loosely.org. Skipping.
FailedChallenges: Failed authorization procedure.
very.loosely.org (tls-sni-01): urn:acme:error:unknownHost ::
The server could not resolve a domain name ::
No valid IP addresses found for very.loosely.org
Second and third time:
WARNING:certbot.renewal:Attempting to renew cert from
/etc/letsencrypt/renewal/very.loosely.org.conf
produced an unexpected error: Failed authorization procedure.
very.loosely.org (tls-sni-01): urn:acme:error:connection ::
The server could not connect to the client to verify the domain ::
DNS problem: SERVFAIL looking up A for very.loosely.org. Skipping.
FailedChallenges: Failed authorization procedure.
very.loosely.org (tls-sni-01): urn:acme:error:connection ::
The server could not connect to the client to verify the domain ::
DNS problem: SERVFAIL looking up A for very.loosely.org
I self-host very.loosely.org; loosely.org, which delegates it to me, is
hosted by dyn. At the times corresponding to the above error logs for
letsencrypt, I see _no_ queries (successful or not) in my named logs.
It resolved instantly on our lovely primate.net server.
--
Please *no* private Cc: on mailing lists and newsgroups
Personal signed mail: please _encrypt_ and sign
Don't clear-text sign:
http://primate.net/~itz/blog/the-problem-with-gpg-signatures.html
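Michael's question above is whether every delegated nameserver actually answers for the name. The script below is an added example, not part of this thread: it sends a non-recursive query straight to a chosen nameserver (bypassing any resolver cache) and reports the rcode, whether the reply is authoritative and any A records, so a SERVFAIL, a non-authoritative answer or a silent server in the delegation stands out. Which nameserver IPs to pass in is an assumption: take them from the NS records the parent zone (loosely.org at dyn here) publishes.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, txid=0x1234):
    # RD=0: an authoritative server must answer from its own zone, not a cache
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def _skip_name(data, off):
    # Advance past a wire-format name; a compression pointer ends it early
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:
            return off + 2
        off += data[off] + 1
    return off + 1

def parse_response(data):
    """Return (rcode name, AA flag, list of A addresses) from a DNS reply."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF))
    authoritative = bool(flags & 0x0400)  # AA bit
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(data, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return rcode, authoritative, addrs

def ask_server(server_ip, name, timeout=3.0):
    """Query one nameserver directly over UDP (assumed: one call per NS in the delegation)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "TIMEOUT", False, []
    finally:
        sock.close()
    return parse_response(data)
```

Call ask_server(ip, "very.loosely.org") once per delegated nameserver; a server that returns SERVFAIL or times out while the named logs show no matching query is the one to look at first.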