Renew certificates - failing on DNS for domain name
-
Hi, I didn't see anyone else with this error when I searched. I own a domain that we'll call domain.tld for this post. I have Cloudron installed at my home (residential) server at "my.domain.tld". My services run on subdomains such as "subdomain.domain.tld", etc. Cloudron is configured to dynamically update DNS through my provider, Linode.
**The problem:** Letsencrypt certificate renewal is hanging:

```
Nov 10 01:55:12 box:dns/waitfordns Attempt 190 failed. Will retry: queryNs ENODATA domain.tld
Nov 10 01:55:32 box:dns/waitfordns Attempt 191 failed. Will retry: queryNs ENODATA domain.tld
Nov 10 01:55:52 box:dns/waitfordns Attempt 192 failed. Will retry: queryNs ENODATA domain.tld
Nov 10 01:56:12 box:dns/waitfordns Attempt 193 failed. Will retry: queryNs ENODATA domain.tld
Nov 10 01:56:32 box:dns/waitfordns Attempt 194 failed. Will retry: queryNs ENODATA domain.tld
Nov 10 01:56:52 box:dns/waitfordns Attempt 195 failed. Will retry: queryNs ENODATA domain.tld
Nov 10 01:57:12 box:dns/waitfordns Attempt 196 failed. Will retry: queryNs ENODATA domain.tld
Nov 10 01:57:32 box:dns/waitfordns Attempt 197 failed. Will retry: queryNs ENODATA domain.tld
Nov 10 01:57:52 box:dns/waitfordns Attempt 198 failed. Will retry: queryNs ENODATA domain.tld
Nov 10 01:58:12 box:dns/waitfordns Attempt 199 failed. Will retry: queryNs ENODATA domain.tld
Nov 10 01:58:32 box:reverseproxy ensureCertificate: error: queryNs ENODATA domain.tld
```
This error makes sense because I don't have "domain.tld" configured with the nameserver to point anywhere. I only have configured DNS for "my.domain.tld", "subdomain.domain.tld", etc.
But this has never been a problem before. Can anyone help me with how I should fix it?
-
Sorry, from your reply, it may have sounded like I am literally using example.com. To clarify, I had replaced my domain with example.com above. I am using a domain that I own and have nameservers configured for. I'll edit to try to make this more clear.
-
Ah yes, I assumed so, but I am still not sure how, with only a local private DNS and routing, you would have ever gotten certificates from Letsencrypt in the past. Something must have changed.
But either way, can you manually get the nameservers correctly on the system via `host -t NS youdomain.com`? If this does not work and maybe is even expected to not work, then you have to use the noop DNS backend so Cloudron skips all checks.
-
```
$ host -t NS domain.tld
domain.tld name server ns5.linode.com.
domain.tld name server ns1.linode.com.
domain.tld name server ns3.linode.com.
domain.tld name server ns4.linode.com.
domain.tld name server ns2.linode.com.
$ host -t NS domain.tld 127.0.0.150
Using domain server:
Name: 127.0.0.150
Address: 127.0.0.150#53
Aliases:

domain.tld has no NS record
```
-
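The comparison made in the last post (system resolver versus the resolver at 127.0.0.150), as an added example that is not part of the original thread or of Cloudron's code: it normalizes `host -t NS` output and flags any resolver whose NS set for the zone differs from the system resolver's. The function names `ns_set` and `compare_ns` are hypothetical, and the `host` utility is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): compare the NS records a zone
# returns from different resolvers. ns_set and compare_ns are
# hypothetical helper names.

# ns_set: read `host -t NS` output on stdin and print the nameserver
# names lower-cased, without the trailing dot, sorted, on one line.
# Prints nothing when the output has no "name server" lines, e.g.
# "domain.tld has no NS record".
ns_set() {
    awk '/ name server / { print tolower($NF) }' \
        | sed 's/\.$//' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# compare_ns DOMAIN RESOLVER...: query the system resolver first, then
# each named resolver, and report any that return a different NS set.
# Returns 1 if any resolver disagrees or returns no NS records.
compare_ns() {
    domain=$1
    shift
    ref=$(host -t NS "$domain" 2>/dev/null | ns_set)
    echo "system resolver: ${ref:-<no NS records>}"
    rc=0
    for r in "$@"; do
        got=$(host -t NS "$domain" "$r" 2>/dev/null | ns_set)
        if [ -n "$got" ] && [ "$got" = "$ref" ]; then
            echo "$r: OK"
        else
            echo "$r: MISMATCH (${got:-<no NS records>})"
            rc=1
        fi
    done
    return $rc
}

# Usage, with the placeholder domain and resolver address from the thread:
#   compare_ns domain.tld 127.0.0.150
```

A mismatch like the one in the last post means the resolver being queried answers differently from public DNS for the zone apex, which is the lookup the `queryNs ENODATA` log lines report as failing.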