The server could not connect to the client to verify the domain :: Server failure at resolver #1308

Closed
bigeagle opened this issue Dec 28, 2015 · 5 comments


@bigeagle

Hi there,

I'm a webadmin and I'm setting up LE for ldap.nics.cc, and the resolve error was reported.

However, this domain name is valid, dig @8.8.8.8 ldap.nics.cc reports

; <<>> DiG 9.10.3 <<>> @8.8.8.8 ldap.nics.cc
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20908
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ldap.nics.cc.          IN  A

;; ANSWER SECTION:
ldap.nics.cc.       59  IN  A   166.111.64.119

;; Query time: 434 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Dec 28 17:38:45 CST 2015
;; MSG SIZE  rcvd: 57

Can you offer some help?

Cheers,
Justin

@jsha
Contributor

jsha commented Jan 5, 2016

Hi Justin,

To emulate the full authoritative resolution LE does, you can use dig +trace ldap.nics.cc. From my machine, this eventually results in:

dig: couldn't get address for 'ns1.nics.cc': no more

@jsha
Contributor

jsha commented Jan 5, 2016

BTW, this would be a better question for https://community.letsencrypt.org, where you're likely to get visibility from more people who can help!

@bigeagle
Author

bigeagle commented Jan 6, 2016

According to certbot/certbot#1369, it should be related to my domain's registrar (hichina).
But I wanna know which DNS server does LE use? dig +trace @8.8.8.8 ldap.nics.cc and dig +trace @208.67.220.220 both return the right answer.

 dig +trace @208.67.220.220 ldap.nics.cc

; <<>> DiG 9.10.3-P2 <<>> +trace @208.67.220.220 ldap.nics.cc
; (1 server found)
;; global options: +cmd
.           194862  IN  NS  a.root-servers.net.
.           194862  IN  NS  b.root-servers.net.
.           194862  IN  NS  c.root-servers.net.
.           194862  IN  NS  d.root-servers.net.
.           194862  IN  NS  e.root-servers.net.
.           194862  IN  NS  f.root-servers.net.
.           194862  IN  NS  g.root-servers.net.
.           194862  IN  NS  h.root-servers.net.
.           194862  IN  NS  i.root-servers.net.
.           194862  IN  NS  j.root-servers.net.
.           194862  IN  NS  k.root-servers.net.
.           194862  IN  NS  l.root-servers.net.
.           194862  IN  NS  m.root-servers.net.
;; Received 239 bytes from 208.67.220.220#53(208.67.220.220) in 199 ms

cc.         172800  IN  NS  h5.nstld.com.
cc.         172800  IN  NS  f5.nstld.com.
cc.         172800  IN  NS  c5.nstld.com.
cc.         172800  IN  NS  l5.nstld.com.
cc.         172800  IN  NS  d5.nstld.com.
cc.         172800  IN  NS  a5.nstld.com.
cc.         172800  IN  NS  g5.nstld.com.
cc.         86400   IN  DS  519 8 2 E1EC6495ABD34562E6F433DEE201E6C6A52CB10AF69C04D675DA692D 2D566897
cc.         86400   IN  DS  519 8 1 7285EF05E1B4E679D4F072EEA9B00953E01F3AE2
cc.         86400   IN  RRSIG   DS 8 1 86400 20160115170000 20160105160000 54549 . FBfhplDgbms1p7RS++qwXNgVzBlsCYVn0SFNI7mSX07JmzBlrAyLVYZ/ Hcp8kdti4gHPonRBnzfmZ3eeSPErsc9tPF6itx6SW46Pk2hjkVxkkrIq 1t+pV8Iledhypb4nlfhZv2utYUstA2gnn38zee3L6aoSgOq+i74tRtvd 4zc=
;; Received 580 bytes from 2001:500:84::b#53(b.root-servers.net) in 170 ms

nics.cc.        172800  IN  NS  ns2.nics.cc.
nics.cc.        172800  IN  NS  ns1.nics.cc.
RQGAP5UF6Q1NGVCKFNO8RANVDN5ILRIN.cc. 86400 IN NSEC3 1 1 0 - RV11BJCVDH79RSELE61AK8640MB8689H NS SOA RRSIG DNSKEY NSEC3PARAM
RQGAP5UF6Q1NGVCKFNO8RANVDN5ILRIN.cc. 86400 IN RRSIG NSEC3 8 2 86400 20160112215654 20160105215654 34634 cc. XeC7jkGJhSGaPrb13mrKzYZh1MplWsXcAm585Aewg+ia+jsOXlmqbeR0 IovHgoBVeXPfswb6ElsuClLIPIe8q3rKvXMXQ1HIxd6IwDqy4LXP/UhZ 1gJN1q2O900Dby47jjipWekR/PynNAqfZ0o7Xr9i9UOGiQGCWV2syr/L fE0=
CA2ICCFLGT8VPHQ6M1P72ANCK4VO9TE4.cc. 86400 IN NSEC3 1 1 0 - CD6H8FMEH0QON5H44CON58R2A1GH4F5R A RRSIG
CA2ICCFLGT8VPHQ6M1P72ANCK4VO9TE4.cc. 86400 IN RRSIG NSEC3 8 2 86400 20160112121314 20160105121314 34634 cc. DqpSXI/MbOGdn9WJO6xq/iLwXp/cOmdOz7pSLwJopIkB7U0avZoXtxFA VaoUlIy0i6ad7nHJgittgTFyMzC4XYcu23mZUf9+Nfy3GCy7MG1xO5bA GJjQJcD+yX9HTIXF4OHTVvjOMjrhht4/ZH8jbYvGSJ7Ksa6tz6byjaf2 ew0=
;; Received 592 bytes from 192.5.6.34#53(a5.nstld.com) in 295 ms

ldap.nics.cc.       60  IN  A   166.111.64.119
;; Received 57 bytes from 166.111.64.120#53(ns2.nics.cc) in 22 ms

@bigeagle
Author

Hi there,

On the LE community site no one has given any response.

How can I get any info for debugging this?

Cheers,

@bigeagle
Author

I found why.

LE tries to resolve domain names like ldap.Nics.InfO instead of ldap.nics.info, and my homebrew DNS server is case-sensitive, which is against RFC 4343. After ignoring query case, everything worked.
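
The failure described in the last comment, reproduced offline as an added example (not part of the original thread, and not Let's Encrypt's or the poster's code): a mixed-case query name is answered once with an exact-match zone lookup and once with the ASCII case-insensitive comparison RFC 4343 requires. The zone table, function names and query ID are assumptions for illustration; the name and address are the ones shown in the dig output above.

```python
import struct

# Constructed sample zone; keys are stored lower-case with a trailing dot.
ZONE = {"ldap.nics.cc.": "166.111.64.119"}

def randomize_case(name, rng):
    # Mix the case of each letter, as a validating resolver may do per query.
    return "".join(rng.choice((c.lower(), c.upper())) for c in name)

def build_query(qname, qid=0x51AC):
    """Encode a minimal A/IN query: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_qname(packet):
    """Return (qname exactly as sent, offset just past the question)."""
    pos, labels = 12, []
    while packet[pos]:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + ".", pos + 5  # zero byte + QTYPE + QCLASS

def ascii_fold(name):
    """RFC 4343 comparison: fold only ASCII A-Z, leave other octets alone."""
    return "".join(chr(ord(c) | 0x20) if "A" <= c <= "Z" else c for c in name)

def lookup_case_sensitive(qname):
    return ZONE.get(qname)              # exact match: the reported bug

def lookup_rfc4343(qname):
    return ZONE.get(ascii_fold(qname))  # fold the query, then match

def answer(packet, lookup):
    """Build a response; the question bytes are copied verbatim from the
    query, and the answer name is a compression pointer (0xC00C) to them."""
    qname, qend = parse_qname(packet)
    addr = lookup(qname)
    code, ancount = (0, 1) if addr else (3, 0)  # NOERROR or NXDOMAIN
    header = packet[:2] + struct.pack("!HHHHH", 0x8400 | code, 1, ancount, 0, 0)
    body = packet[12:qend]
    if addr:
        body += struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4)
        body += bytes(int(o) for o in addr.split("."))
    return header + body

def rcode(response):
    return struct.unpack("!H", response[2:4])[0] & 0x000F
```

Only the comparison is case-insensitive: the response still carries the name in the case the client sent, which is what a resolver using mixed-case queries checks on receipt.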
