Symptoms
When the system tries to reissue an AutoSSL certificate and you receive a timeout error, you'll need to do some DNS troubleshooting to isolate where the timeout occurs before it can be fixed.
Description
If a DNS timeout error happens during the AutoSSL run on the machine, the error it gives you can look something like this:
DNS query error (www.domain.com/CAA): (XID 48mf5h) DNS request timeout: www.domain.com/CAA
CA authorized: “www.domain.com”
DNS query error (mail.domain.com/CAA): (XID ux6mxs) DNS request timeout: mail.domain.com/CAA
CA authorized: “mail.domain.com”
DNS query error (cpanel.chinelos.com/CAA): (XID zkfe6d) DNS request timeout: cpanel.chinelos.com/CAA
CA authorized: “cpanel.chinelos.com”
AutoSSL cannot increase “domain”’s SSL coverage.
Workaround
To resolve this issue, we'll need to do some testing to determine where the timeout is happening. The first thing to check is the connection from your server to the root nameservers. If this connection can't be made, the AutoSSL tools will fail. You can test this by running this command on the system:
for i in {a..m}; do echo -n "$i: "; dig +short $i.root-servers.net @$i.root-servers.net; done
If that is working properly, you can move on to testing the nameservers for the top-level domain. The TLD nameservers will tell you which lower-level nameservers have authority for the domain in question. For example, if we check cpanel.net with the following command:
dig +trace cpanel.net
we will get the following result:
# dig +trace cpanel.net
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.7 <<>> +trace cpanel.net
;; global options: +cmd
. 460907 IN NS j.root-servers.net.
. 460907 IN NS d.root-servers.net.
. 460907 IN NS a.root-servers.net.
. 460907 IN NS g.root-servers.net.
. 460907 IN NS i.root-servers.net.
. 460907 IN NS f.root-servers.net.
. 460907 IN NS h.root-servers.net.
. 460907 IN NS k.root-servers.net.
. 460907 IN NS e.root-servers.net.
. 460907 IN NS l.root-servers.net.
. 460907 IN NS b.root-servers.net.
. 460907 IN NS m.root-servers.net.
. 460907 IN NS c.root-servers.net.
;; Received 228 bytes from 96.126.106.5#53(96.126.106.5) in 11 ms
net. 172800 IN NS a.gtld-servers.net.
net. 172800 IN NS b.gtld-servers.net.
net. 172800 IN NS c.gtld-servers.net.
net. 172800 IN NS d.gtld-servers.net.
net. 172800 IN NS e.gtld-servers.net.
net. 172800 IN NS f.gtld-servers.net.
net. 172800 IN NS g.gtld-servers.net.
net. 172800 IN NS h.gtld-servers.net.
net. 172800 IN NS i.gtld-servers.net.
net. 172800 IN NS j.gtld-servers.net.
net. 172800 IN NS k.gtld-servers.net.
net. 172800 IN NS l.gtld-servers.net.
net. 172800 IN NS m.gtld-servers.net.
;; Received 485 bytes from 199.7.91.13#53(199.7.91.13) in 9 ms
cpanel.net. 172800 IN NS c.cpanel.net.
cpanel.net. 172800 IN NS hg.cpanel.net.
cpanel.net. 172800 IN NS mn.cpanel.net.
cpanel.net. 172800 IN NS ns.cpanel.net.
This tells us the gtld-servers.net nameservers are responsible for ".net" domains. If our server isn't able to reach those, that will also cause AutoSSL to fail. Once you've found the TLD nameservers, run this command to confirm your connection to them is working properly:
telnet a.gtld-servers.net 53
If that fails, you'll need to speak with the manager of your network or server to find out why that connection is blocked; once it is resolved, the AutoSSL tools should work properly on the machine.
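The checks above can be run in one pass. The script below is an added example, not code from the cPanel article or from cPanel itself: it follows the article's order (root servers, then the TLD nameservers, then the authoritative nameservers) but goes a little further, repeating the CAA lookup that AutoSSL reported as timing out against each authoritative server, and adding a TCP/53 probe at the end. That last step matters because the article's telnet test exercises TCP, while dig (and most resolver traffic) uses UDP/53 by default, so a host that passes the telnet test can still time out on the UDP queries. It assumes dig is installed and that the per-query timeout (the TIMEOUT variable, 5 seconds) is reasonable for your network; the article gives no figure. With no argument it only runs the parser over a referral copied from the article's dig output, so it does nothing on the network until you pass a hostname.

```shell
#!/bin/sh
# Added example, not code from the original cPanel article. Walks the delegation
# chain the way a CAA lookup must traverse it (root -> TLD -> authoritative) with a
# per-query timeout, so a "DNS request timeout" can be pinned to one layer.
# Assumes `dig` (bind-utils / dnsutils) is installed.  Usage: sh dnscheck.sh www.example.com

TIMEOUT=${TIMEOUT:-5}   # seconds per query (assumed value; the article states no figure)

# Last label of a name: "cpanel.net" -> "net", "www.example.co.uk." -> "uk".
tld_of() {
    printf '%s\n' "$1" | sed 's/\.$//; s/.*\.//'
}

# Pull NS targets out of dig output, e.g. "net. 172800 IN NS a.gtld-servers.net."
# -> "a.gtld-servers.net". Reads stdin; comment lines (";;") never carry NS in $4.
ns_from_dig() {
    awk '$4 == "NS" { sub(/\.$/, "", $5); print $5 }'
}

# One bounded, non-retried query. Prints the first answer line, "TIMEOUT" when the
# server never replied, or "EMPTY" when it answered with no records of that type.
q() {   # q <server> <name> <type>
    out=$(dig +short +time="$TIMEOUT" +tries=1 "@$1" "$2" "$3" 2>&1) || true
    case "$out" in
        *"timed out"*|*"no servers could be reached"*) echo TIMEOUT ;;
        "") echo EMPTY ;;
        *) printf '%s\n' "$out" | head -n 1 ;;
    esac
}

check_domain() {
    domain=${1%.}
    tld=$(tld_of "$domain")

    echo "== 1. root servers, queried directly over UDP/53 =="
    for r in a b c d e f g h i j k l m; do
        printf '%s.root-servers.net: ' "$r"
        q "$r.root-servers.net" "$r.root-servers.net" A
    done

    echo "== 2. .$tld nameservers, as delegated by a.root-servers.net =="
    tld_ns=$(dig +norecurse +time="$TIMEOUT" +tries=1 @a.root-servers.net "$tld." NS 2>/dev/null | ns_from_dig)
    if [ -z "$tld_ns" ]; then
        echo "no referral for .$tld (root server unreachable or timed out)"; return 1
    fi
    first_tld=$(printf '%s\n' "$tld_ns" | head -n 1)
    printf '%s\n' "$tld_ns"

    echo "== 3. authoritative nameservers for $domain, as delegated by $first_tld =="
    auth_ns=$(dig +norecurse +time="$TIMEOUT" +tries=1 "@$first_tld" "$domain." NS 2>/dev/null | ns_from_dig)
    if [ -z "$auth_ns" ]; then
        echo "no referral from $first_tld (TLD server unreachable or timed out)"; return 1
    fi
    printf '%s\n' "$auth_ns"

    echo "== 4. CAA at each authoritative server (the lookup AutoSSL reported as timing out) =="
    for ns in $auth_ns; do
        printf '%s: ' "$ns"
        q "$ns" "$domain" CAA    # EMPTY means no CAA record at this name, which is not an error
    done

    echo "== 5. TCP/53 to $first_tld (what the article's telnet test exercises; steps 1-4 used UDP) =="
    printf '%s: ' "$first_tld"
    out=$(dig +tcp +norecurse +time="$TIMEOUT" +tries=1 "@$first_tld" "$tld." NS 2>&1) || true
    case "$out" in *"timed out"*|*"no servers could be reached"*) echo TIMEOUT ;; *) echo ok ;; esac
}

# Constructed sample, copied from the article's `dig +trace` output, so the parser
# can be exercised without network access.
SAMPLE_REFERRAL='net. 172800 IN NS a.gtld-servers.net.
net. 172800 IN NS b.gtld-servers.net.
;; Received 485 bytes from 199.7.91.13#53(199.7.91.13) in 9 ms
cpanel.net. 172800 IN NS c.cpanel.net.'

if [ -n "${1:-}" ]; then
    check_domain "$1"
else
    echo "usage: $0 <hostname>  (no argument given; parsing the sample referral instead)"
    printf '%s\n' "$SAMPLE_REFERRAL" | ns_from_dig
fi
```

Read the output top down: a TIMEOUT in step 1 means the server cannot reach the root servers at all (usually outbound UDP/53 is filtered), a failure in step 2 or 3 points at the TLD or authoritative layer, and a TIMEOUT in step 4 reproduces the AutoSSL error directly against the server that should be answering it. A clean step 5 alongside a TIMEOUT in step 4 is the case the telnet test alone would miss.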