  1. #16
    Hi John,

    you are on the right track with the IP. The second error is related to one of the alternate domains (mail.domain.com) pointing to another IP on some of our servers. That one is my mistake. IW Jenna found (and fixed) this for me.

    So when LE looks up the domain names, it encounters 2 IPs for the DNS entries and throws an error. But this error was happening today only. My original problem (Temporary failure in name resolution) still persists. But tracking that down will be hard, as it only happens once per account and then works on the second try, so I can't point to an account where it happens and IW can troubleshoot.

    I will keep an eye out for this and see if it happens more often than before. If not, I will simply have to live with it. As I also wrote Jenna, it is more of a nuisance than a real problem anyway...
    Last edited by mdeinhardt; 05-23-2017 at 10:09 AM.

  3. #17
    Hi Michael

    Many thanks, IW guys rock

    Glad it's resolved but if you could update once you think you may have found the LE issue you originally posted over

    Please shout or post if you want anything testing or ideas

    Many thanks, going to try to enjoy our 1 day of summer here in uk haha

    John

  4. #18
    Hi John,

    yes, IW Jenna did find the issue behind the original problem. It was an outdated LE installation. It seems I installed LE on a few of our servers before there was an auto-update function built in, so those early versions never got updated. Jenna found this and also showed me how to upgrade.

    If anyone else is experiencing similar problems, first verify the general date of your installation via
    ls -la ~iworx/lib/letsencrypt/
    Some of my files were from January 2016.

    You can update LE via
    cd ~iworx/lib/letsencrypt/
    git pull
    On two installations this resulted in
    error: Your local changes to the following files would be overwritten by merge: letsencrypt-auto
    Please, commit your changes or stash them before you can merge.
    Aborting
    so I ran
    git stash
    and then
    git pull
    Thanks to Jenna all is fine now

  6. #19
    I have a similar but new issue, maybe someone can shed a light on this:

    I get this error when trying to create a new certificate:
    ConnectionError: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7f88886b4890>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution',))
    An unexpected error occurred:
    ConnectionError: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7f88886b4890>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution',))
    I updated the LE installation according to my post above, but the error remains. I then tried to do

    nslookup acme-v01.api.letsencrypt.org
    but get
    [root@srv04 letsencrypt]# nslookup acme-v01.api.letsencrypt.org
    ;; connection timed out; trying next origin
    ;; connection timed out; no servers could be reached
    nslookup works though, e.g.
    [root@srv04 letsencrypt]# nslookup letsencrypt.org
    Server: 127.0.0.1
    Address: 127.0.0.1#53

    Non-authoritative answer:
    Name: letsencrypt.org
    Address: 184.31.91.55
    I see elsewhere
    acme-v01.api.letsencrypt.org. CNAME IN 7200 106ms api.letsencrypt.org.edgekey.net.
    So why is the name resolution for acme-v01.api.letsencrypt.org not working? Because it's a CNAME? And is the failing name resolution the reason for my above error? Or am I misinterpreting this?

    Thanks in advance for any pointers or help.
    Michael
    Last edited by mdeinhardt; 12-19-2017 at 07:37 AM. Reason: typos

  8. #20
    Hi Michael

    I hope you're well and looking forward to Christmas

    You're correct I believe in that it is a DNS failure to resolve

    I suspect it is most likely at LE DNS, either malfunctioning DNS or perhaps even a DDoS

    Is it working now

    If not, have you checked LE status page for known issues, although I'm on LE status notification email and there was a notification yesterday I think from memory, which was corrected

    Many thanks

    John

  9. #21
    Hi John,

    yeah, I'm fine and I am indeed looking forward to christmas - to get some internal administrative work done ;-) I work much more relaxed, knowing nobody will call

    And you, are the grandchildren visiting?

    I tried creating the LE cert again, but still get
    ConnectionError: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fcd0a00e890>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution',))
    An unexpected error occurred:
    ConnectionError: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fcd0a00e890>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution',))
    nslookup of acme-v01.api.letsencrypt.org works on my windows machine. And nslookup of acme-v01.api.letsencrypt.org works on the machine in question, if I use another DNS, e.g.
    [root@srv04 ~]# nslookup acme-v01.api.letsencrypt.org 8.8.8.8
    Server: 8.8.8.8
    Address: 8.8.8.8#53

    Non-authoritative answer:
    acme-v01.api.letsencrypt.org canonical name = api.letsencrypt.org.edgekey.net.
    api.letsencrypt.org.edgekey.net canonical name = e981.dscb.akamaiedge.net.
    Name: e981.dscb.akamaiedge.net
    Address: 23.77.231.123
    So only the local resolver fails at it
    [root@srv04 ~]# nslookup acme-v01.api.letsencrypt.org
    ;; connection timed out; trying next origin
    ;; connection timed out; no servers could be reached
    but works at anything else
    [root@srv04 ~]# nslookup forums.interworx.com
    Server: 127.0.0.1
    Address: 127.0.0.1#53

    Non-authoritative answer:
    Name: forums.interworx.com
    Address: 173.249.157.163
    nslookup acme-v01.api.letsencrypt.org fails on some of our machines. Could there be some kind of host file or some redirect of this URL somewhere on those machines? I cannot think of any reason why only that URL fails and only on those machines.

  11. #22
    Hi Michael
    Sorry for the small delay. Under pressure to finish a lot of work before close of business Friday (most UK companies close then until the 3 Jan)
    I think it is your resolver, as you have it set to localhost, and therefore just rounds in circles as it were
    If you try as follows
    SSH into server
    vi /etc/resolv.conf
    nameserver 8.8.8.8
    nameserver 8.8.4.4
    save
    As a test, here is mine
    I hope that helps a little
    Many thanks
    John
    nslookup acme-v01.api.letsencrypt.org
    Server: 8.8.8.8
    Address: 8.8.8.8#53
    Non-authoritative answer:
    acme-v01.api.letsencrypt.org canonical name = api.letsencrypt.org.edgekey.net.
    api.letsencrypt.org.edgekey.net canonical name = e981.dscb.akamaiedge.net.
    Name: e981.dscb.akamaiedge.net
    Address: 23.214.84.32

  13. #23
    Hi John,

    no worries, I am simply glad and thankful, that you always take the time to answer.

    Using Google's NS would help, but this defeats the purpose of the local resolver, i.e. the name resolution of internal domains, especially those just created.

    The 127.0.0.1 is iworx default, so it should work. And all this does not explain why the local resolver answers at letsencrypt.org but not at acme-v01.api.letsencrypt.org.

    Cheers
    Michael

  15. #24
    So I was on the right track and you too, John. Nathan helped me and wrote "We've seen this before when only the local cache nameserver is in /etc/resolv.conf". He simply added an external name server to /etc/resolv.conf, same as you suggested John.

    I had two knots in my head, the first being that I can simply leave the local resolver in there, i.e.

    nameserver 8.8.8.8
    nameserver 127.0.0.1

    And the second knot was, I had it somehow fixed in my head never to edit /etc/resolv.conf directly, but naturally this is only the fact on servers that use DHCP. And now I also know why some machines work and some don't. Those working use DHCP and I prepend my own name servers via /etc/dhcp/dhclient-eth0.conf , which of course can't work on machines with static IPs.

    So, note to myself and others, who might need it:

    If the server uses DHCP (i.e. BOOTPROTO=dhcp in /etc/sysconfig/network-scripts/ifcfg-eth0) you can add additional name servers via /etc/dhcp/dhclient-eth0.conf like this
    prepend domain-name-servers 8.8.8.8;
    prepend domain-name-servers 8.8.4.4;

    prepend domain-name-servers 127.0.0.1;
    Attention: They will be added to resolv.conf in reverse order after a reboot or after
    service network restart
    If the server uses a static IP (e.g. BOOTPROTO=none in /etc/sysconfig/network-scripts/ifcfg-eth0) you can add additional name servers directly via /etc/resolv.conf like John described above

    nameserver 8.8.8.8
    nameserver 8.8.4.4
    nameserver 127.0.0.1
    Thanks all for your help and I wish you, your loved ones, the whole IW team and everybody who reads this in time a very merry Christmas and a happy new year!

    Michael
    Last edited by mdeinhardt; 12-21-2017 at 10:48 AM.
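
Added example, not part of the original posts: a shell check for the situation resolved above, where /etc/resolv.conf listed only the local cache nameserver. The function names and sample files are constructed for illustration; the file paths are the ones named in the thread.

```shell
#!/bin/sh
# Added example, not from the thread; the sample files below are constructed.

# Print nameserver addresses in the order the resolver tries them.
list_nameservers() {
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$1"
}

# Classify a resolv.conf-style file: loopback-only | truncated | ok
#   loopback-only: every entry is 127.0.0.0/8 or ::1 (or there are none, in
#                  which case glibc defaults to the local host): no fallback.
#   truncated:     more than 3 entries; glibc uses only the first 3 (MAXNS).
audit_resolv() {
    total=0; external=0
    for ns in $(list_nameservers "$1"); do
        total=$((total + 1))
        case "$ns" in
            127.*|::1) ;;
            *) external=$((external + 1)) ;;
        esac
    done
    if [ "$external" -eq 0 ]; then echo "loopback-only"
    elif [ "$total" -gt 3 ]; then echo "truncated"
    else echo "ok"
    fi
}

# Map BOOTPROTO in an ifcfg file to the file that should carry the change.
edit_target() {
    proto=$(sed -n 's/^BOOTPROTO=//p' "$1" | tr -d "\"'" | tr 'A-Z' 'a-z')
    case "$proto" in
        dhcp) echo "/etc/dhcp/dhclient-eth0.conf" ;;
        *)    echo "/etc/resolv.conf" ;;
    esac
}

# Constructed sample files so the example runs offline.
SAMPLE_DIR=$(mktemp -d)
printf 'nameserver 127.0.0.1\n' > "$SAMPLE_DIR/resolv.before"
printf 'nameserver 8.8.8.8\nnameserver 8.8.4.4\nnameserver 127.0.0.1\n' > "$SAMPLE_DIR/resolv.after"
printf 'DEVICE=eth0\nBOOTPROTO=none\n' > "$SAMPLE_DIR/ifcfg.static"
printf 'DEVICE=eth0\nBOOTPROTO="dhcp"\n' > "$SAMPLE_DIR/ifcfg.dhcp"

for f in resolv.before resolv.after; do
    echo "$f: $(audit_resolv "$SAMPLE_DIR/$f")"
done
echo "static host edits: $(edit_target "$SAMPLE_DIR/ifcfg.static")"
```

glibc tries the listed nameservers in order and moves on to the next only when one does not answer, so the order printed by list_nameservers decides which server is asked first.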

  17. #25
    Hi Michael
    Wow, Kudos to you and IW
    Glad it's now resolved and I hope you and your loved ones have a merry Christmas and a very happy new year
    Many thanks
    John
