Let's Encrypt error

k1l0b1t

I'm having an error when I'm generating a wildcard record.


Code:
[*.domain.com] time limit exceeded: last error: read udp [<ip>]:37258->[<ip>]:53: read: connection refused
[domain.com] time limit exceeded: last error: read udp [<ip>]:43967->[<ip>]:53: read: connection refused
Certificate generation failed.

I'm running the latest Let's Encrypt and LEGO, port 53 is open in the firewall (both TCP and UDP, IPv4 and IPv6), and I didn't have issues with this in the past.
 
Yes, it is.

If I dig the domain, I get a result (using my ISP's nameservers, using 8.8.8.8 and using the nameservers on the server itself).
 
Regular, non-wildcard validations work. I do remember having an update of the LEGO client a week ago or so, could that be the cause?

I've rebuilt the LEGO client, but DNS validation is still not working...
 
May you check if disabling firewall temporarily changes anything?
 
With the firewall disabled it still errors... I'll try again in a week or so, not a huge deal to use regular certificates, just annoying it's not quite working.
 
Do you have your DNS directly on the DA server, some other construction, or an external DNS service provider, for example at the domain name provider?
Did you check LEGO's support for that DNS service then, maybe some "newer" settings / config or a manual change you have made in the past?
 
I'm using the dns on the DA server in this case. It used to work (a month ago or so it still worked). Nothing has changed since, and as it's still giving an error with the firewall disabled, I'm stuck on what the issue can be.
 
What’s in /etc/resolv.conf ? Anything in /var/log/messages when it fails?
 
In /etc/resolv.conf are the nameservers of my VPS provider, so that's all good there.

In /var/log/messages I saw the DNS server getting reloaded twice, other than that nothing related to the DNS. A minute after the DirectAdmin notification Apache did restart though.

In /var/log/messages I also see a lot of "started session <number> of user root" (even though I wasn't logged in at the times it said), is this normal or should I be worried? (Based on the timing, I suspect that's the cronjob that runs every minute to call the dataskq, right?)

Also, when I dug the record that gets created for the DNS verification, it's correct.
(complete error output, starting after the "retrying" parts)

Code:
2021/01/16 19:15:21 [INFO] [domain.com] acme: Cleaning DNS-01 challenge
2021/01/16 19:15:23 [INFO] retry due to: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10126487090 :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: "0103XYCYQgnQP9lWHCm8I3A4A8GFkqI7zYoBSWTu65ZkJMM", url:
2021/01/16 19:15:23 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10126487090
2021/01/16 19:15:24 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10126487099
2021/01/16 19:15:24 Could not obtain certificates:
    error: one or more domains had a problem:
[*.domain.com] time limit exceeded: last error: read udp [my.ip6.addr]:55745->[my.ip6.addr]:53: read: connection refused
[domain.com] time limit exceeded: last error: read udp [my.ip6.addr]:36072->[my.ip6.addr]:53: read: connection refused
Certificate generation failed.
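The failing lines in the log show a UDP read against the server's own address on port 53 ending in "connection refused"; for UDP that means the host answered with an ICMP port-unreachable, i.e. nothing was listening on that address and port when the query arrived. The following Python script is an added diagnostic, not code from the thread or from LEGO: it sends a plain DNS TXT query for the _acme-challenge name directly to a given nameserver address and reports whether that address answered, refused, or timed out. The challenge name is a constructed placeholder.

```python
import socket
import struct

# Constructed placeholder (not from the thread): replace with the real challenge name.
CHALLENGE_NAME = "_acme-challenge.domain.com"

def build_txt_query(name, txn_id=0x1234):  # minimal RD=1 query for the TXT of name
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 16, 1)  # QTYPE TXT, IN

def _skip_name(buf, off):  # offset just past a (possibly compressed) DNS name
    while True:
        n = buf[off]
        if n & 0xC0 == 0xC0:  # compression pointer (2 bytes) ends the name
            return off + 2
        if n == 0:
            return off + 1
        off += 1 + n

def parse_txt_answer(resp):  # TXT strings from the answer section of a response
    _, _, qdcount, ancount = struct.unpack("!HHHH", resp[:8])
    off, strings = 12, []
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 16:  # TXT rdata is a run of <len><chars> character-strings
            i = off
            while i < off + rdlen:
                strings.append(resp[i + 1:i + 1 + resp[i]].decode(errors="replace"))
                i += 1 + resp[i]
        off += rdlen  # non-TXT answers (e.g. a CNAME) are skipped
    return strings

def probe_nameserver(addr, name, port=53, timeout=3.0):  # one direct UDP query
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((addr, port))  # connected UDP so ICMP errors surface as exceptions
            s.send(build_txt_query(name))
            return "ok", parse_txt_answer(s.recv(4096))
        except ConnectionRefusedError:  # ICMP port unreachable: nothing listens there
            return "refused", []
        except socket.timeout:
            return "timeout", []
```

Call `probe_nameserver(addr, CHALLENGE_NAME)` for the A and the AAAA address of every NS record of the zone; an address that comes back "refused" is one where no DNS server is listening on UDP 53, which is the same condition the log above reports.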
 